CMMC Readiness · 3 min read

NIST SP 800-171 and CMMC: Related, But Not the Same

NIST SP 800-171 tells contractors what CUI safeguards are expected. CMMC is the DoD program for verifying those safeguards.

Author

Nick DiVito

Published

Review status

Current / Reviewed Jun 6, 2026

Tags: CMMC, NIST 800-171, CUI, Compliance

In the first article, we separated FAR 52.204-21 from DFARS 252.204-7012. This time, we need to separate another pair that gets blended together all the time: NIST SP 800-171 and CMMC.

They are closely related. They are not the same thing.

What NIST SP 800-171 does

NIST SP 800-171 is a publication for protecting Controlled Unclassified Information in nonfederal systems and organizations. In plain language, it tells contractors what security requirements are expected when CUI lives outside the government's own systems.

NIST published Revision 3 in May 2024. That is the current NIST version, and it reorganizes and updates the CUI security requirements.

For defense contractors, though, current CMMC Level 2 expectations still point to NIST SP 800-171 Revision 2: the CMMC program rule (32 CFR Part 170) references Rev. 2, and a DFARS class deviation (2024-O0013) holds 252.204-7012 contractors to Rev. 2 as well. That creates a practical split: build for today's assessment expectations, but do not ignore the direction Rev. 3 is taking the baseline.

What CMMC does

CMMC is the Department of Defense program for verifying that contractors and subcontractors are meeting cybersecurity requirements tied to FCI and CUI.

Current CMMC has three levels:

  • Level 1 focuses on basic safeguarding for FCI: the 15 requirements of FAR 52.204-21, verified by an annual self-assessment.
  • Level 2 focuses on protecting CUI using the 110 requirements of NIST SP 800-171 Revision 2, verified by a self-assessment or a certification assessment by an authorized C3PAO, depending on the contract.
  • Level 3 is intended for more advanced protection requirements: Level 2 plus a subset of NIST SP 800-172 requirements, assessed by the government (DCMA DIBCAC) rather than a C3PAO.

Depending on the level and contract, an organization may self-assess or need a third-party assessment. That assessment path matters, but it should not distract from the real work: building a security program that is scoped, implemented, documented, and maintained.

Why the difference matters

NIST SP 800-171 is the requirement set. CMMC is the verification program.

A company can read 800-171 and still have no useful evidence. A company can talk about CMMC and still not know which systems are in scope. Neither one works without practical implementation.

This is why the system security plan matters. This is why asset inventory matters. This is why access control, logging, incident response, vendor review, and policy ownership matter. The assessment is not supposed to be a scavenger hunt. It should be a review of a program that already exists.

Scoring and evidence

The DoD Assessment Methodology for NIST SP 800-171 created the familiar score conversation many contractors know through SPRS: a score that starts at 110 and loses 1, 3, or 5 points for each requirement not implemented (so it can go well below zero, to a floor of -203). CMMC adds a separate certification or self-assessment pathway depending on the level and contract requirement, and a CMMC assessment is a pass or fail against the same requirements, not a point total.

Do not assume one score, one upload, or one document automatically satisfies everything. Contract language still matters. Data type still matters. Assessment path still matters.

Summary

NIST SP 800-171 tells you what CUI safeguards are expected. CMMC is how the Department verifies implementation for defense work.

If you are preparing for CMMC, do not start with logos, badges, or panic. Start with scope. Then build the system security plan, identify gaps, assign owners, collect evidence, and work the program like something the business actually depends on.

