# NIST SP 800-171 and CMMC: Related, But Not the Same

By Nick DiVito. Published 2021-04-21. Last reviewed 2026-06-06.

In the first article, we separated FAR 52.204-21 from DFARS 252.204-7012. This time, we need to separate another pair that gets blended together all the time: NIST SP 800-171 and CMMC.

They are closely related. They are not the same thing.

## What NIST SP 800-171 does

NIST SP 800-171 is a publication for protecting Controlled Unclassified Information in nonfederal systems and organizations. In plain language, it tells contractors what security requirements are expected when CUI lives outside the government's own systems.

NIST published Revision 3 in May 2024. That is the current NIST version, and it reorganizes and updates the CUI security requirements.

For many defense contractors, though, current CMMC Level 2 expectations still point to NIST SP 800-171 Revision 2. That creates a practical split: build for today's assessment expectations, but do not ignore the direction Rev. 3 is taking the baseline.

## What CMMC does

CMMC is the Department of Defense program for verifying that contractors and subcontractors are meeting cybersecurity requirements tied to FCI and CUI.

Current CMMC has three levels:

- Level 1 focuses on basic safeguarding for FCI.
- Level 2 focuses on protecting CUI using NIST SP 800-171 Revision 2.
- Level 3 is intended for more advanced protection requirements.

Depending on the level and contract, an organization may self-assess or need a third-party assessment. That assessment path matters, but it should not distract from the real work: building a security program that is scoped, implemented, documented, and maintained.

## Why the difference matters

NIST SP 800-171 is the requirement set. CMMC is the verification program.

A company can read 800-171 and still have no useful evidence. A company can talk about CMMC and still not know which systems are in scope. Neither one works without practical implementation.

This is why the system security plan matters. This is why asset inventory matters. This is why access control, logging, incident response, vendor review, and policy ownership matter. The assessment is not supposed to be a scavenger hunt. It should be a review of a program that already exists.

## Scoring and evidence

The DoD assessment methodology for NIST SP 800-171 created the familiar score conversation many contractors know through SPRS. CMMC adds a separate certification or self-assessment pathway depending on the level and contract requirement.

Do not assume one score, one upload, or one document automatically satisfies everything. Contract language still matters. Data type still matters. Assessment path still matters.

## Summary

NIST SP 800-171 tells you what CUI safeguards are expected. CMMC is how the Department verifies implementation for defense work.

If you are preparing for CMMC, do not start with logos, badges, or panic. Start with scope. Then build the system security plan, identify gaps, assign owners, collect evidence, and work the program like something the business actually depends on.

## Sources

- [DoD CMMC overview](https://dodcio.defense.gov/CMMC/About/)
- [NIST SP 800-171 Revision 3](https://csrc.nist.gov/pubs/sp/800/171/r3/final)
- [CMMC program final rule](https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program)