
CMMC vs. NIST 800-171 vs. DFARS: How These Frameworks Fit Together

Understand the relationship between CMMC, NIST 800-171, and DFARS. Compare scope, enforcement, and requirements to determine which your organization needs.

Agency Team

The most common question we hear from defense contractors is some variation of: "Do I need CMMC, NIST 800-171, or DFARS?" For anyone handling CUI, the answer is all three. Understanding why requires understanding how these frameworks layer on top of each other.

Understanding how DFARS vs CMMC vs NIST 800-171 fit together is essential for any organization in the defense supply chain. These are not competing frameworks — they are layered requirements that evolved over time to solve the same problem: protecting Controlled Unclassified Information (CUI) in defense contractor systems. DFARS creates the contractual obligation, NIST 800-171 defines the security controls, and CMMC verifies those controls through independent assessment.

This guide explains the relationship between all three, provides a side-by-side comparison, helps you determine which requirements apply to your organization, outlines the migration path for organizations already compliant with one framework, and offers guidance on which to prioritize.

The Relationship Explained

How We Got Here

The story begins with DFARS clause 252.204-7012. The clause first appeared in 2013; the 2016 final rule required contractors handling covered defense information (DoD's contractual term for CUI) to implement the security requirements of NIST Special Publication 800-171 by December 31, 2017, and to report cyber incidents to the DoD within 72 hours of discovery. NIST 800-171 Revision 2 contains 110 requirements, and Revision 2 is the version DFARS assessments and CMMC assess against even though NIST has since published Revision 3.

The problem was enforcement. Under DFARS, contractors self-attested to NIST 800-171 compliance with no independent verification. A 2019 DoD Inspector General audit (DODIG-2019-105) found that contractors were not consistently implementing the required controls despite having accepted the clause: contractors were claiming compliance without actually implementing the required controls.

CMMC was the DoD's response. Rather than trusting self-attestation, CMMC requires independent assessment by accredited CMMC Third-Party Assessment Organizations (C3PAOs) for most organizations handling CUI, with DoD's own DIBCAC assessing the highest level. The framework adds verification teeth to the existing DFARS/NIST 800-171 requirements without changing the underlying controls.

The Layered Model

Think of it as three layers:

  1. DFARS (Contract Layer) — The legal/contractual obligation. Your DoD contract contains DFARS clause 252.204-7012, which obligates you to protect CUI
  2. NIST 800-171 (Control Layer) — The technical standard. Defines the 110 specific security controls you must implement to meet the DFARS obligation
  3. CMMC (Verification Layer) — The assessment mechanism. Verifies through independent assessment that you have actually implemented the NIST 800-171 controls

Each layer depends on the one below it. You cannot be CMMC certified without implementing NIST 800-171 controls, because the CMMC Level 2 assessment objectives are the NIST 800-171 requirements themselves. You cannot satisfy DFARS without implementing those same controls and, depending on what the contract requires, either self-assessing and posting a score to SPRS or holding a CMMC certification.

Side-by-Side Comparison Table

| Dimension | DFARS 252.204-7012 | NIST SP 800-171 | CMMC 2.0 |
| --- | --- | --- | --- |
| Type | Contract clause | Catalog of security requirements | Certification program |
| Published By | DoD (OUSD(A&S)) | NIST | DoD (32 CFR Part 170), with the Cyber AB as accreditation body |
| Purpose | Contractual obligation to protect CUI | Define the specific security requirements | Verify that the requirements are implemented |
| Scope | All DoD contractors and subcontractors handling CUI/CDI (excluded from COTS-only contracts) | Any non-federal system that processes, stores, or transmits CUI | Same population as DFARS, with level set per contract |
| Controls | References NIST 800-171 | 110 requirements across 14 families (Revision 2) | Level 1: 17 practices (the FAR 52.204-21 basic safeguarding requirements); Level 2: the 110 NIST 800-171 requirements; Level 3: Level 2 plus 24 selected requirements from NIST SP 800-172 |
| Assessment Method | Self-assessment; Basic assessment score posted to SPRS under the companion clauses DFARS 252.204-7019/7020 | No assessment program of its own; scored with the DoD Assessment Methodology (maximum 110) | Level 1: annual self-assessment; Level 2: self-assessment or C3PAO certification, as the contract specifies; Level 3: DIBCAC assessment after Level 2 certification |
| Enforcement | Contract compliance (False Claims Act exposure for inaccurate attestations) | Score reporting via SPRS | Certification or self-assessment status in SPRS required for contract award; annual affirmation by a senior official |
| Incident Reporting | Report to DoD via DIBNet within 72 hours of discovery (requires a DoD-approved medium assurance certificate); preserve images and logs for 90 days | Not specified (covered by DFARS) | Follows DFARS requirements |
| Timeline | Clause in effect since 2013; NIST 800-171 implementation required by December 31, 2017 | Revision 1 published December 2016; Revision 2 (the version CMMC uses) February 2020 | Final rule effective December 16, 2024; phased into contracts beginning November 10, 2025 |
| Recurring Requirement | Continuous for the contract duration | Continuous; update the SPRS score when implementation changes | Level 1: annual self-assessment and affirmation; Levels 2-3: certificate valid three years with annual affirmation |
| Relative Investment | N/A (absorbed into compliance costs) | Moderate (implementation) | Higher (implementation plus third-party assessment) |

Do You Need All Three?

The short answer: if you handle CUI as a defense contractor or subcontractor, yes.

Scenario-Based Guidance

You are a prime contractor handling CUI: All three apply. Your contract contains DFARS 252.204-7012. You must implement NIST 800-171 controls. Once CMMC requirements appear in your contracts, you will need CMMC Level 2, in most cases as a C3PAO certification; a minority of contracts will accept a Level 2 self-assessment.

You are a subcontractor and CUI flows to your systems: Same as above. The prime contractor is obligated to flow down DFARS 252.204-7012 (and, once applicable, the CMMC clause) to subcontractors who handle CUI.

You are a subcontractor handling only FCI (not CUI): DFARS 252.204-7012 may still sit in your contract, but its NIST 800-171 safeguarding requirements apply only to systems holding CUI, so they do not bind you. What applies to FCI is FAR 52.204-21, whose basic safeguarding requirements are the basis for CMMC Level 1 (17 practices, annual self-assessment). Confirm with your prime what information actually flows to you before assuming you are FCI-only; a single CUI document on your systems moves you to Level 2.

You provide commercial-off-the-shelf (COTS) products: Contracts solely for COTS items are excluded from DFARS 252.204-7012 and from CMMC, unless the COTS product is modified for DoD or CUI flows through your systems during delivery.

You are an MSP serving defense contractors: If CUI resides in or transits your systems, all three apply to you as well, and the CMMC rule treats you as an External Service Provider whose services fall within your customers' assessment scope. See our MSP compliance guide for MSP-specific considerations.

Migration Path

If you are already compliant with one of these frameworks, here is what additional work each combination requires:

Already NIST 800-171 Compliant → Adding CMMC Level 2

If your SPRS score is 110 (every requirement implemented, with no items on a POA&M), the incremental work for CMMC Level 2 is primarily:

  • Formalizing documentation to meet C3PAO expectations
  • Engaging a C3PAO for the assessment
  • Preparing evidence packages for each control
  • Addressing any gaps between self-assessed implementation and assessor-verified implementation (a self-assessed 110 frequently drops once an assessor applies the NIST SP 800-171A assessment objectives)

Estimated additional effort: 2-4 months for C3PAO assessment preparation and execution.

Starting from Scratch

If you have no formal compliance program, the recommended sequence is:

  1. Build your security program aligned to NIST 800-171 controls (this satisfies DFARS)
  2. Calculate and submit your SPRS score
  3. Prepare for and undergo CMMC assessment

This consolidated approach is more efficient than treating each framework separately. See our CMMC requirements guide for the full implementation roadmap.
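Step 2 above, "calculate and submit your SPRS score", follows a fixed rule: the DoD Assessment Methodology starts at 110 and subtracts a weight of 5, 3, or 1 for each unimplemented requirement, allows partial credit for exactly two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography), does not adjust for POA&M items, and produces no score at all when there is no system security plan (3.12.4). The scorer below is an added example, not code from this article or from DoD. It embeds weights for only a handful of requirements, transcribed from Annex A of the methodology; the full table of 110 weights must be loaded from the current Annex A before scoring a real assessment. The input format and the sample assessment are constructed for the example.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology (the basis of the SPRS score) does: start at 110 and subtract
each unimplemented requirement's weight, with the two partial-credit cases.
Added example; not code from the original article or from DoD."""

from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SCORE = 110

# Weights for a handful of requirements, taken from Annex A of the DoD
# Assessment Methodology. Annex A weights all 110 requirements; load the
# complete, current table before scoring a real assessment.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit records
    "3.5.3": 5,    # multifactor authentication
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct flaws
    "3.14.2": 5,   # malicious code protection
}

# The methodology allows partial credit for exactly two requirements:
# MFA deployed for remote and privileged access but not for general users
# (3.5.3), and encryption in use but not FIPS-validated (3.13.11). Each
# costs 3 points instead of 5. Everything else is all-or-nothing.
PARTIAL_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# 3.12.4 (system security plan) is not weighted: without an SSP the
# methodology says an assessment cannot be conducted at all.
SSP_REQUIREMENT = "3.12.4"

STATUSES = ("implemented", "partial", "not_implemented")


@dataclass(frozen=True)
class Finding:
    requirement: str
    status: str


def parse_findings(text: str) -> List[Finding]:
    """Parse 'requirement,status' lines (a constructed format);
    '#' starts a comment, blank lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        req, status = (part.strip() for part in line.split(","))
        if status not in STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        findings.append(Finding(req, status))
    return findings


def sprs_score(findings: List[Finding],
               weights: Dict[str, int] = WEIGHTS) -> Optional[int]:
    """Return the DoD Assessment Methodology score, or None if no SSP.

    Items on a POA&M still count as not implemented: the score reflects
    what is in place today, not planned remediation.
    """
    total = MAX_SCORE
    for f in findings:
        if f.requirement == SSP_REQUIREMENT and f.status != "implemented":
            return None
        if f.status == "implemented":
            continue
        if f.requirement not in weights:
            raise KeyError(f"{f.requirement}: weight not in table")
        if f.status == "partial":
            if f.requirement not in PARTIAL_DEDUCTION:
                raise ValueError(f"{f.requirement}: no partial credit allowed")
            total -= PARTIAL_DEDUCTION[f.requirement]
        else:
            total -= weights[f.requirement]
    return total


# Constructed sample assessment, not real data.
SAMPLE_ASSESSMENT = """
3.12.4,implemented       # SSP exists, so a score can be produced
3.1.1,implemented
3.1.3,not_implemented    # no CUI flow control            -1
3.5.3,partial            # MFA for admins and VPN only    -3
3.13.11,not_implemented  # TLS in use, not FIPS-validated -5
3.14.2,implemented
"""

if __name__ == "__main__":
    print(sprs_score(parse_findings(SAMPLE_ASSESSMENT)))  # prints 101
```

Two details matter in practice. First, a missing SSP is not a low score, it is no score: SPRS will not accept an assessment that cannot be conducted. Second, the partial-credit branch refuses any requirement other than 3.5.3 and 3.13.11, which catches the common mistake of awarding yourself partial credit for a half-deployed control elsewhere.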

Already SOC 2 or ISO 27001 Certified

Organizations with existing SOC 2 or ISO 27001 certifications have a head start. Approximately 60-70% of controls overlap with NIST 800-171, though the remaining 30-40% include CUI-specific requirements (marking, controlled distribution, export control awareness) that commercial frameworks do not address. For a broader perspective on managing multiple frameworks, see our multi-framework compliance strategy.

Which Framework First?

For organizations new to defense contracting, the practical sequence is:

  1. DFARS compliance awareness — Understand your contractual obligations
  2. NIST 800-171 implementation — Build the technical control foundation
  3. SPRS score submission — Report your self-assessed compliance
  4. CMMC certification — Engage a C3PAO when contract requirements mandate it

Do not wait for CMMC contract requirements to begin NIST 800-171 implementation. DFARS 252.204-7012 has required these controls since the end of 2017, and the ramp-up time for full implementation is 6-18 months for most organizations. Starting now means you are ready when CMMC clauses appear in your contracts.

This decision framework mirrors the approach we recommend for organizations choosing between SOC 2 and ISO 27001 — start with the framework that addresses your most immediate business need and build from there.

Need help navigating CMMC, NIST 800-171, and DFARS requirements? Contact Agency for a compliance assessment that addresses all three frameworks.
