CMMC vs NIST 800-171: What Defense Contractors Need to Know
Compare CMMC and NIST 800-171 side by side. Learn how CMMC Level 2 builds on the same 110 controls but adds third-party verification and accountability.
We have worked with dozens of defense contractors who believed their NIST 800-171 self-assessment meant they were ready for CMMC. In nearly every case, the gap between self-assessed compliance and assessment-ready compliance was larger than expected — sometimes dramatically so.
If you are a defense contractor or subcontractor handling Controlled Unclassified Information (CUI), you have probably heard CMMC and NIST 800-171 discussed interchangeably. On the surface, this makes sense — CMMC Level 2 is built on the same 110 security controls as NIST SP 800-171. But treating them as identical frameworks is a mistake that can leave your organization unprepared when a C3PAO assessor arrives.
This article provides a focused comparison of CMMC and NIST 800-171: where they overlap, where they diverge, and what the practical differences mean for your compliance program. For the broader context of how DFARS fits into this picture, see our three-way comparison of CMMC, NIST 800-171, and DFARS.
A Brief History of Both Frameworks
NIST 800-171: The Control Standard
NIST Special Publication 800-171 was first published in June 2015 by the National Institute of Standards and Technology. Its purpose was straightforward: define the security requirements for protecting CUI in nonfederal systems and organizations. The publication established 110 security controls organized across 14 control families, covering everything from access control and incident response to system integrity and communications protection.
In December 2017, DFARS clause 252.204-7012 made NIST 800-171 implementation a contractual requirement for defense contractors handling CUI. Contractors were required to self-assess their implementation, calculate a score out of 110, and submit that score to the Supplier Performance Risk System (SPRS).
The critical limitation was enforcement. Self-attestation meant contractors reported their own compliance status with no independent verification. A contractor could submit a perfect 110 score to SPRS while having significant implementation gaps — and many did.
CMMC: The Verification Mechanism
The Cybersecurity Maturity Model Certification emerged directly from the failure of the self-attestation model. After DoD assessments revealed widespread non-compliance despite positive SPRS scores, the Department of Defense developed CMMC to add a verification layer on top of existing NIST 800-171 requirements.
CMMC 1.0 was introduced in January 2020 with five maturity levels. Following industry feedback about complexity and cost, CMMC 2.0 streamlined the framework to three levels in November 2021. The CMMC final rule (32 CFR Part 170) was published in October 2024, with phased implementation beginning in 2025.
Side-by-Side Comparison
| Dimension | NIST SP 800-171 (Rev 2) | CMMC Level 2 |
|---|---|---|
| Published By | NIST | DoD with Cyber AB |
| Purpose | Define security controls for CUI | Verify controls are implemented |
| Controls | 110 across 14 families | Same 110 controls |
| Assessment Method | Self-assessment | Third-party C3PAO assessment |
| Assessment Frequency | Continuous (update as needed) | Triennial |
| Scoring | -203 to 110 (SPRS score) | 110 objectives: MET or NOT MET |
| Verification | None (self-attested) | Independent third-party |
| POA&Ms | Allowed (no time limit) | Allowed with 180-day closure requirement |
| Documentation Required | SSP, POA&M | SSP, POA&M, policies, procedures, evidence artifacts |
| Enforcement | Contract compliance, False Claims Act risk | Certification required for contract award |
| Cost of Assessment | Internal labor only | C3PAO assessment fee — contact providers for current pricing |
| Active Since | 2017 (DFARS requirement) | Phased rollout starting 2025 |
| Result | SPRS score | Certification (valid 3 years) |
The Same Controls, Different Accountability
The most important thing to understand about CMMC vs NIST 800-171 is that CMMC Level 2 does not add new security controls. The 110 controls are identical. What CMMC adds is accountability — a structured mechanism to verify that those controls are not just documented but genuinely implemented and operating effectively.
Self-Attestation vs Third-Party Assessment
Under NIST 800-171 alone, your organization calculates its own SPRS score and submits it. No one independently verifies whether your score is accurate. This self-assessment model has several inherent weaknesses:
- Subjective interpretation — Organizations may interpret control requirements more favorably than an independent assessor would
- Lack of evidence standards — No defined requirements for what constitutes sufficient evidence of implementation
- No operational verification — No one checks whether documented controls are actually functioning
- Inconsistent rigor — Assessment thoroughness varies widely between organizations
CMMC addresses every one of these gaps. A C3PAO assessment involves trained assessors who review documentation, interview personnel, observe processes, and examine technical implementations against a standardized assessment methodology. Each of the 110 controls is evaluated as MET or NOT MET based on objective criteria.
Scoring Differences
The NIST 800-171 SPRS scoring methodology assigns weighted values to each control, producing a score between -203 and 110. Organizations can have negative scores and still report them — the score is informational, not pass/fail.
CMMC scoring is binary for each control objective: MET or NOT MET. To achieve certification, an organization must have all 110 objectives scored as MET, with limited exceptions for controls addressed through Plans of Action and Milestones (POA&Ms). Even then, POA&Ms must be closed within 180 days, and certain controls cannot be placed on a POA&M at all.
POA&M Treatment
Both frameworks allow Plans of Action and Milestones for controls that are not fully implemented. However, CMMC imposes significantly stricter constraints:
| POA&M Aspect | NIST 800-171 | CMMC Level 2 |
|---|---|---|
| Allowed | Yes, for any control | Yes, with restrictions |
| Time Limit | No fixed deadline | Must close within 180 days |
| Score Impact | Reduces SPRS score | Must still achieve minimum overall score |
| Certain Controls Excluded | No | Yes — some controls cannot be on POA&M |
| Verification | Self-monitored | C3PAO verifies closure |
For detailed guidance on managing POA&Ms under CMMC, see our CMMC POA&M guide.
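To make the two scoring models under Scoring Differences and POA&M Treatment concrete, here is a small added example (written for this comparison, not code from the article's authors or from DoD): the SPRS score is the weighted subtraction from 110, while the CMMC outcome treats every NOT MET objective as blocking unless it can legitimately be deferred to a POA&M. The 1/3/5 weights, the 88-point floor for a conditional result, the rule that only 1-point items outside an exclusion list may be deferred, and the findings themselves are this example's assumed and constructed parameters, not values stated on the page.

```python
from dataclasses import dataclass

SPRS_MAX, SPRS_MIN = 110, -203            # SPRS score range stated on the page

# Example parameters (assumptions, see lead-in): minimum score for a
# conditional CMMC Level 2 result, the heaviest item a POA&M may carry,
# and a hypothetical list of controls that can never sit on a POA&M.
CMMC_MIN_SCORE = 88
POAM_MAX_WEIGHT = 1
POAM_INELIGIBLE = {"3.5.3", "3.13.11"}


@dataclass(frozen=True)
class Gap:
    control: str   # NIST SP 800-171 Rev 2 requirement id
    weight: int    # 1, 3 or 5 points; values below are constructed
    note: str


def sprs_score(gaps):
    """Weighted self-assessment: start at 110, subtract each NOT MET weight."""
    return max(SPRS_MIN, SPRS_MAX - sum(g.weight for g in gaps))


def cmmc_level2(gaps):
    """Binary objectives rolled up into a certification outcome."""
    if not gaps:
        return "FINAL"                    # every objective MET
    deferrable = all(g.weight <= POAM_MAX_WEIGHT and g.control not in POAM_INELIGIBLE
                     for g in gaps)
    if deferrable and sprs_score(gaps) >= CMMC_MIN_SCORE:
        return "CONDITIONAL"              # POA&M must close within 180 days
    return "NOT CERTIFIED"                # any heavier or excluded gap blocks


# Constructed findings. The MFA gap mirrors the incomplete-scope example in the
# text; everything not listed is assumed MET.
SELF_ASSESSED_90_PLUS = [
    Gap("3.1.7", 1, "privileged functions not restricted on two file servers"),
    Gap("3.3.5", 1, "audit records are collected but never correlated"),
    Gap("3.5.3", 5, "MFA missing on several in-scope endpoints"),
]
ONLY_MINOR_GAPS = SELF_ASSESSED_90_PLUS[:2]


def summarize(gaps):
    return {"sprs": sprs_score(gaps), "cmmc": cmmc_level2(gaps)}


if __name__ == "__main__":
    for name, gaps in [("self-assessed 90+", SELF_ASSESSED_90_PLUS),
                       ("only minor gaps", ONLY_MINOR_GAPS), ("clean", [])]:
        print(f"{name:18} -> {summarize(gaps)}")
```

The first scenario is the page's warning in numbers: a 103 SPRS score that still ends in NOT CERTIFIED because a single 5-point control is NOT MET.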
Documentation Requirements: A Major Gap
In our experience, the documentation gap is where most organizations discover the real difference between NIST 800-171 self-assessment and CMMC readiness.
NIST 800-171 requires a System Security Plan (SSP) and POA&M. Many organizations have these documents, but the level of detail varies enormously. Some SSPs are comprehensive, multi-hundred-page documents with detailed control descriptions and evidence references. Others are checklists with a single sentence per control.
CMMC assessors expect:
- Detailed SSP — Each control mapped to specific implementations, technologies, and responsible roles
- Policies and procedures — Formal, approved documents covering each control family
- Evidence artifacts — Screenshots, configuration exports, logs, training records, and other proof that controls are operating
- Organizational charts — Showing security roles, responsibilities, and reporting structures
- Network diagrams — Depicting CUI data flows and system boundaries
- Asset inventories — Comprehensive lists of all systems, devices, and applications within the CUI boundary
What we tell clients is that if your SSP cannot withstand scrutiny from someone who has never seen your environment, it is not ready for CMMC. An assessor should be able to read your SSP and understand exactly how each control is implemented, by whom, on which systems, and how you verify it is working.
NIST 800-171 Revision 3: What Changes
NIST published Revision 3 of SP 800-171 in May 2024, introducing significant structural and content changes. While CMMC 2.0 is currently based on Revision 2, the eventual transition to Rev 3 will affect CMMC requirements.
Key Changes in Rev 3
- Control reorganization — Controls are regrouped and renumbered to align with the structure of NIST SP 800-53, so Rev 2 numbering and families no longer apply directly
- New controls added — Several controls were added to address emerging threats and align with updated federal standards
- Control consolidation — Some Rev 2 controls were merged or restructured
- Enhanced specificity — Control language is more precise, reducing ambiguity in interpretation
- Outcome-based language — Greater emphasis on security outcomes rather than prescriptive implementation methods
Impact on CMMC
The DoD has indicated that future CMMC updates will incorporate NIST 800-171 Rev 3 requirements. However, the transition timeline is not yet defined. In practical terms, this means:
- Organizations pursuing CMMC Level 2 certification now should focus on Rev 2 controls, as that is what current assessments evaluate
- Organizations that achieve certification under Rev 2 should plan for potential reassessment when CMMC incorporates Rev 3
- Monitoring the Rev 3 changes now can help you anticipate future requirements and avoid rework
Our recommendation is to implement Rev 2 controls for your CMMC assessment while tracking Rev 3 changes for your roadmap. Where Rev 3 adds new controls that align with security best practices, consider implementing them proactively — it reduces your future compliance burden and improves your actual security posture.
Common Misunderstandings
"We are NIST 800-171 compliant, so we are CMMC ready"
This is the most dangerous assumption in the defense contracting compliance space. Self-assessed NIST 800-171 compliance and CMMC assessment readiness are different standards of proof. In our experience, organizations that self-assessed a score of 90+ on SPRS frequently score significantly lower when subjected to third-party assessment rigor.
The gap typically manifests in three areas:
- Controls that exist in policy but not in practice — Your access control policy says you conduct quarterly reviews, but there are no records of reviews being performed
- Controls that lack evidence — You encrypt CUI in transit, but you cannot produce configuration documentation or test results demonstrating it
- Controls with incomplete scope — You implemented multi-factor authentication on your primary systems but missed several in-scope endpoints
"CMMC is a new set of requirements"
CMMC Level 2 does not introduce new security controls beyond NIST 800-171. If you are genuinely implementing all 110 NIST 800-171 controls with documentation and evidence, you are substantively ready for CMMC. The additional burden is the assessment process itself and the documentation standards it requires — not new security implementations.
"NIST 800-171 is going away"
NIST 800-171 remains the foundational control set. CMMC is a verification mechanism layered on top of it. Even with CMMC in place, DFARS clause 252.204-7012 continues to reference NIST 800-171 as the security standard. The frameworks are complementary, not competing.
Practical Implications for Your Compliance Program
If your organization currently self-attests to NIST 800-171 and needs to prepare for CMMC, here is what we recommend:
Conduct an Honest Gap Assessment
Have an independent party — not the team that built your SSP — evaluate your NIST 800-171 implementation against CMMC assessment standards. The goal is to identify controls that would score NOT MET under third-party scrutiny.
Invest in Documentation
Upgrade your SSP from a compliance checklist to a comprehensive security document. For each control, document the specific implementation, responsible personnel, supporting technologies, and evidence of ongoing operation.
Build an Evidence Library
Create a centralized repository of evidence artifacts organized by control family. Include configuration screenshots, log samples, training records, policy approval records, and test results. Update this library continuously — assessors will look for evidence of ongoing operation, not a one-time snapshot.
Define and Defend Your CUI Boundary
CMMC assessments are scoped to your CUI environment. The more precisely you define which systems, networks, and personnel are in scope, the more focused and manageable your assessment becomes. This boundary definition should be reflected in your network diagrams, asset inventory, and SSP.
Plan for Timelines
CMMC assessments require scheduling with a C3PAO, which means lead times. Assessment readiness typically takes 12-18 months from an initial gap assessment. Factor in C3PAO availability, which is constrained by the limited number of accredited organizations and assessors.
For a comprehensive step-by-step preparation approach, see our CMMC compliance checklist. For the full picture of how DFARS fits into this comparison, read our CMMC vs NIST 800-171 vs DFARS analysis.
The Bottom Line
CMMC and NIST 800-171 are two sides of the same coin. NIST 800-171 tells you what to do. CMMC verifies that you did it. The 110 security controls are the same, but the standard of proof is fundamentally different. If your organization has been self-attesting to NIST 800-171 compliance, the transition to CMMC means moving from "we believe we are compliant" to "we can prove we are compliant to an independent assessor."
The organizations that approach this transition most successfully are those that treat CMMC not as a new regulatory burden but as the enforcement mechanism for requirements they were already supposed to be meeting. If your NIST 800-171 implementation is genuinely solid, CMMC is a validation exercise. If it is not, CMMC is the accountability mechanism that will surface the gaps.
Agency Team