CMMC and NIST SP 800-171 are closely related but they are not the same thing. Treating them as interchangeable creates compliance gaps that can derail an assessment.
Understanding the relationship, the differences, and specifically where CMMC adds requirements beyond NIST 800-171 is essential for anyone building a CMMC Level 2 compliance program.
NIST SP 800-171 is the security requirements catalog. CMMC Level 2 is the verification and certification program built on top of it.
If you implement all 110 NIST SP 800-171 Revision 2 requirements and can demonstrate that implementation to a C3PAO assessor, you will pass a CMMC Level 2 assessment. But "NIST 800-171 compliant" — said without more — means nothing in the CMMC context. What matters is your CMMC certification level and your SPRS submission.
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," was first published by NIST in 2015 and revised in December 2020 (Revision 2). It provides security requirements for protecting CUI in nonfederal systems and organizations.
The 110 requirements in Revision 2 are organized into 14 families:
| Family | Abbreviation | Requirements |
| --- | --- | --- |
| Access Control | AC | 22 |
| Awareness and Training | AT | 3 |
| Audit and Accountability | AU | 9 |
| Configuration Management | CM | 9 |
| Identification and Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Personnel Security | PS | 2 |
| Physical Protection | PE | 6 |
| Risk Assessment | RA | 3 |
| Security Assessment | CA | 4 |
| System and Communications Protection | SC | 16 |
| System and Information Integrity | SI | 7 |
These 110 requirements form the complete technical baseline for CMMC Level 2.
CMMC Level 2 uses the same 110 technical requirements as NIST 800-171 Rev 2. But CMMC adds several elements that NIST 800-171 alone does not have:
NIST 800-171 is a publication describing security requirements. It has no built-in certification or assessment program. Before CMMC, contractors self-reported compliance under DFARS 252.204-7012 with no independent verification.
CMMC adds:
- C3PAO third-party assessment for contracts requiring independent verification
- DIBCAC government assessment for Level 3
- Formal certification status (Final or Conditional) with defined validity periods
- eMASS as the official platform for recording assessment results
- Cyber AB as the accreditation body for assessors and RPOs
NIST 800-171 does not have a scoring system. The DoD's scoring methodology for CMMC (32 CFR § 170.24) assigns point values to each requirement:
- 5 points for high-impact requirements
- 3 points for medium-impact requirements
- 1 point for standard requirements
This creates a numerical score out of 110 points that can be tracked, reported in SPRS, and used to determine certification eligibility (minimum 88 points for Conditional status).
NIST 800-171 does not define rules for Plans of Action and Milestones (POA&Ms). CMMC specifies:
- Six prohibited controls that cannot be on a POA&M
- The 180-day Conditional certification window for organizations above 88 points with open POA&M items
- The one-shot closeout rule for the Conditional window
CMMC requires a senior official affirmation at the time of assessment and annually thereafter. NIST 800-171 has no affirmation requirement. The affirmation creates personal legal liability for the signing official under the False Claims Act.
CMMC codifies specific flow-down obligations at 32 CFR § 170.23. NIST 800-171 is silent on supply chain compliance requirements. CMMC establishes that primes must verify subcontractor compliance before sharing covered data.
NIST published Revision 3 of SP 800-171 in May 2024. Rev 3 represents the most significant restructuring of the publication since its original release. Understanding the difference between Rev 2 and Rev 3 is critical because Rev 2 is the current CMMC assessment standard, not Rev 3.
New families: Rev 3 added three new security families not present in Rev 2:
- Planning (PL): 2 requirements covering system security plan development and insider threat
- System and Services Acquisition (SA): 2 requirements covering security engineering and acquisition
- Supply Chain Risk Management (SR): 2 requirements covering supply chain risk assessment and integrity
Renumbering: Rev 3 changed the requirement numbering format. Rev 2 uses the format "3.X.X" derived from the NIST 800-53 control numbering. Rev 3 uses a new format that is not backward-compatible.
Organization-Defined Parameters (ODPs): Rev 3 introduces organization-defined parameters that allow organizations to tailor specific control values. The DoD published specific ODP values that must be used for CUI protection in an April 2025 memo.
Consolidated requirements: Some Rev 2 requirements were combined or restructured in Rev 3. Rev 3 is organized into 17 families with a modified structure; it is not simply the 14 Rev 2 families plus 3 new ones, so requirement counts and boundaries do not map one-to-one.
A DoD class deviation keeps CMMC assessments locked to NIST SP 800-171 Revision 2 until new rulemaking formally incorporates Rev 3. This class deviation was issued to prevent the assessment standard from shifting during an active rollout.
What this means for contractors:
If you are in a current C3PAO assessment: Your assessment is against Rev 2. Period.
If you are preparing for a C3PAO assessment: Implement Rev 2 fully. Building your program around Rev 3 creates risk of gaps relative to the assessment standard.
If you want to adopt Rev 3 now: You can, using the DoD's published ODPs from the April 2025 memo. But you must also address any requirements that exist in Rev 2 but do not have direct equivalents in Rev 3. The DoD FAQ (B-Q4) addresses this specifically: organizations implementing Rev 3 must identify and address Rev 2 requirements without direct Rev 3 equivalents.
If you are planning for the future: Rev 3 will eventually become the assessment standard through rulemaking. Organizations with long-horizon compliance programs should begin transitioning to Rev 3 implementation now, while maintaining Rev 2 compliance for current assessments.
CMMC Level 2 practice identifiers map directly to NIST 800-171 Rev 2 requirement numbers. The format is:
[Domain].[Level]-[NIST requirement number]
For example:
- AC.L2-3.1.1 = Access Control, Level 2, NIST SP 800-171 requirement 3.1.1
- IA.L2-3.5.3 = Identification and Authentication, Level 2, NIST SP 800-171 requirement 3.5.3
- SC.L2-3.13.11 = System and Communications Protection, Level 2, NIST SP 800-171 requirement 3.13.11
This one-to-one mapping means that every CMMC Level 2 practice corresponds directly to a NIST 800-171 Rev 2 requirement. There is no CMMC Level 2 practice that does not have a NIST 800-171 Rev 2 counterpart.
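As an added example, not code from the original article: a small Python model of the two mechanisms described above, the practice identifier format (domain abbreviation, level, NIST requirement number) and the 5/3/1 point scoring with its 88-point Conditional floor. It assumes the DoD methodology's subtractive scoring (start at 110, deduct each unmet requirement's weight); the per-requirement weight table is a constructed excerpt, and the six prohibited POA&M controls are not modelled.

```python
import re

# The 14 NIST SP 800-171 Rev 2 families in publication order. A family's 1-based
# position here is the "X" in its Rev 2 requirement numbers 3.X.Y (AC -> 3.1, SC -> 3.13).
FAMILIES = ["AC", "AT", "AU", "CM", "IA", "IR", "MA", "MP", "PS", "PE", "RA", "CA", "SC", "SI"]

# CMMC practice id format from the text: [Domain].[Level]-[NIST requirement number]
PRACTICE_RE = re.compile(r"^([A-Z]{2})\.L([123])-(3\.(\d{1,2})\.\d{1,2})$")

# Constructed excerpt of per-requirement weights (5/3/1 points). Real values
# come from the DoD assessment methodology tables, not from this example.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5, "3.5.3": 5,
    "3.12.1": 3, "3.12.4": 3, "3.13.11": 5,
}


def parse_practice(practice: str) -> tuple[str, int, str]:
    """Split 'AC.L2-3.1.1' into (family, level, nist_req); reject ids whose
    domain abbreviation disagrees with the family number inside 3.X.Y."""
    m = PRACTICE_RE.match(practice)
    if not m:
        raise ValueError(f"malformed practice id: {practice}")
    family, level, req, fam_no = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    if family not in FAMILIES or FAMILIES.index(family) + 1 != fam_no:
        raise ValueError(f"domain {family} does not match requirement {req}")
    return family, level, req


def sprs_score(unmet_reqs: set[str], weights: dict[str, int] = WEIGHTS) -> int:
    """Assumed DoD methodology: start at 110 and deduct each unmet requirement's weight."""
    for req in unmet_reqs:
        if weights.get(req) not in (1, 3, 5):
            raise ValueError(f"no 5/3/1 weight known for requirement {req}")
    return 110 - sum(weights[r] for r in unmet_reqs)


def assess(unmet_practices: list[str]) -> tuple[int, str]:
    """Score a Level 2 assessment and classify it against the 88-point floor."""
    unmet = {parse_practice(p)[2] for p in unmet_practices}
    score = sprs_score(unmet)
    if not unmet:
        status = "Final"            # all 110 requirements met
    elif score >= 88:
        status = "Conditional"      # open POA&M items, 180-day closeout window
    else:
        status = "Not eligible"
    return score, status
```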
NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information," is a separate publication from NIST 800-171. It contains 35 enhanced security requirements designed to defend against Advanced Persistent Threat (APT) actors.
CMMC Level 3 builds on Level 2 by adding 24 requirements selected from NIST 800-172, for a total of 134 requirements. The 24 selected requirements are a subset of the full 35 in NIST 800-172.
If your contract does not require Level 3, NIST 800-172 is not in scope for your compliance program.
DFARS 252.204-7012 is the existing DFARS clause that requires contractors to implement NIST SP 800-171 and report cyber incidents. It has been in effect since 2017. CMMC does not replace 252.204-7012; it adds to it.
Under the current regulatory framework:
- 252.204-7012 requires implementation of NIST 800-171 and incident reporting for CUI contracts
- 252.204-7021 adds the CMMC certification requirement for applicable contracts
Both clauses can appear in the same contract. Meeting CMMC Level 2 requirements satisfies the 252.204-7012 implementation requirement, but the incident reporting obligation in 252.204-7012 remains independently in effect.
This is worth stating plainly: claiming to be "NIST 800-171 compliant" without a valid SPRS submission and an appropriate CMMC certification does not satisfy CMMC requirements.
Contractors who have built security programs against NIST 800-171 have done much of the underlying technical work. But compliance with the CMMC program requires:
- A current SPRS submission with a scored self-assessment
- A senior official affirmation
- For C3PAO contracts: a valid C3PAO certification on file in eMASS
Having strong security controls without the formal documentation, assessment, and submission is not CMMC compliance. The program requires both.
Building a CMMC program and want to make sure you are aligned to the right standard? NR Labs builds CMMC programs against Rev 2 while designing for Rev 3 transition, ensuring you meet today's assessment standard and are positioned for tomorrow's. Contact us to discuss your program.
No, NIST 800-171 compliance is not the same as CMMC certification. NIST 800-171 compliance means implementing the 110 security requirements from NIST SP 800-171. CMMC certification adds a verification layer on top: formal assessment by a C3PAO, SPRS scoring, senior official affirmation, and flow-down requirements to subcontractors. An organization can claim NIST 800-171 compliance through self-assessment, but CMMC Level 2 certification requires independent third-party verification.
NIST 800-171 Revision 3, published in May 2024, reorganized control families, added new requirements, and removed some existing ones. However, CMMC Level 2 is currently mapped to Revision 2. The DoD has stated it will update CMMC to align with Revision 3 in a future rulemaking, but has not published a timeline. Organizations should implement Revision 2 for current CMMC compliance while tracking Revision 3 changes for future readiness.
CMMC Level 3 maps to the enhanced security requirements in NIST SP 800-172, which provides additional protections beyond the 110 requirements of NIST 800-171. Level 3 is required for contractors handling the most sensitive CUI and is assessed by DIBCAC (the government assessment body), not by commercial C3PAOs. Level 3 adds approximately 24 additional requirements focused on advanced threat protection.