Strike Graph security compliance blog

CMMC vs. NIST 800-171: Similarities, Differences & Mappings

Written by Stephen Ferrell, CISA, CRISC | Oct 24, 2025 7:38:22 PM

Compare NIST 800-171 and CMMC and download our control mapping. Discover how to save time, lower costs, and simplify compliance on your path to DoD contracts.

What are CMMC and NIST 800-171?

NIST 800-171 and the Cybersecurity Maturity Model Certification (CMMC) are U.S. government frameworks for protecting sensitive information. NIST 800-171 sets the security requirements. CMMC is the Department of Defense’s program for confirming that those requirements — and, in some cases, extra ones — are actually in place.

The two related frameworks aim to protect federal contract information (FCI) and controlled unclassified information (CUI). CUI refers to information that is not top secret or classified, but that still requires special handling and limited access. Examples include personally identifiable information (PII), financial data, legal documents, health information, and export-controlled technical data. 

When a federal contract, such as one with the DoD, includes the DFARS 252.204-7012 clause, following NIST SP 800-171 becomes mandatory for the contractor. Without such a clause, organizations may still choose to adopt it voluntarily as a best practice.

NIST, the National Institute of Standards and Technology, is a U.S. government agency that provides standards for private sector industries and risk management guidelines for many fields, including cybersecurity. NIST first published SP 800-171 in 2015 as a way to protect sensitive information and the U.S. supply chain, both of which are important for national security. It is intended for government contractors and non-federal organizations that handle CUI and is a companion to NIST 800-53, which addresses federal organizations. NIST 800-171 is distinct from the NIST Cybersecurity Framework (CSF), which is a voluntary, broad outline for improving cybersecurity. 

The DoD released CMMC in 2020 to ensure the nearly 400,000 contractors in the Defense Industrial Base (DIB) could protect the supply chain from cyber threats. 

CMMC was developed in response to a growing number of data compromises among DoD contractors and subcontractors. The DoD began enforcing adherence to NIST 800-171 in 2018, but still found significant compliance gaps. CMMC now requires anyone with a DoD contract to prove they meet the required safeguards, ranging from 15 basic practices at Level 1 to more than 110 at higher levels. 

CMMC 2.0 includes three levels, each building on the previous one. Contractors follow criteria for each level based on the data sensitivity of the projects they bid on. Level 1 includes basic cybersecurity practices. Level 2 aligns with all 110 requirements in NIST SP 800-171 Rev. 2 for protecting CUI. Level 3 adds selected enhanced requirements from NIST SP 800-172. Compliance is verified through self-assessments, third-party audits, or government-led reviews, depending on the level of certification required.

 

Does CMMC 2.0 replace NIST 800-171?

CMMC 2.0 does not replace NIST 800-171. Instead, it uses NIST 800-171 Rev. 2 as the basis for CMMC Level 2 and adds a formal verification process. For DoD contracts involving CUI, you must follow NIST 800-171 and meet the CMMC level specified in your contract.

CMMC 2.0 builds on the NIST 800-171 requirements by defining assessment types and reporting obligations, such as annual affirmation and restrictions on Plans of Action and Milestones (POA&Ms). These verification steps address the shortcomings of the old self-attestation system, which often overstated compliance.

If your contract calls for CMMC Level 2, the most common level, you will implement all 110 requirements in NIST 800-171 Rev. 2 and then verify them through the type of assessment — self, third-party, or government — required for your specific contract. CMMC Level 3 adds selected enhanced requirements from NIST SP 800-172 for the most sensitive CUI.

 

Which framework you need depends on your work and your contracts. If a federal contract,  such as one with the Department of Defense, includes the DFARS 252.204-7012 clause and involves CUI, you must follow NIST SP 800-171. For most DoD work involving CUI, you’ll also need CMMC to prove compliance.

So, if you need to meet government rules, start with NIST 800-171. If you want DoD contracts, you’ll also need CMMC. Following NIST 800-171 helps prepare you for CMMC, which confirms your company is ready for defense work. 

Consider these points to determine what you may need: 

  • If you work only with non-federal clients, you generally won’t need NIST 800-171 or CMMC unless a client voluntarily includes such requirements in your contract.
  • If you work with a federal agency (non-DoD) and your contract requires you to protect CUI, you may need only NIST 800-171. These situations can occur when agencies include a NIST 800-171 compliance clause without requiring CMMC.
  • If you work with the DoD and your contract involves CUI under DFARS 252.204-7012, you must comply with NIST 800-171 and also meet the CMMC level specified in your contract. The CMMC level determines whether you self-assess or undergo a third-party/government audit. 
  • Most CUI-related DoD contracts require CMMC Level 2, making it the most common level across the defense industrial base. Level 1, which covers only FCI, is less common in DoD contracts involving CUI, while Level 3 — designed for the most sensitive CUI — is rare. 

“Think of it this way,” says Kenneth Webb, Head of Cybersecurity Compliance Assessments at Strike Graph. “NIST SP 800-171 provides the ‘what’ or 110 security requirements to protect sensitive DoD data. CMMC provides the ‘how,’ the framework and certification process to verify those requirements are implemented.”

If a contractor is already NIST 800-171 compliant, they have a good foundation for achieving CMMC certification. Additionally, failing to follow the 800-171 standard when
required by contract can bring legal consequences. See our guide to learn more about NIST 800-171 controls and how they can benefit you.

However, even if you are already NIST 800-171 compliant, you still need to overcome a few potential obstacles.

Jerome Weston, Founder and Principal Consultant at Resilience Cyber Group, points to these three potential challenges:

  • Scope and boundary clarity
    “Many firms that ‘passed’ internal NIST 800-171 reviews haven’t gone through the CMMC scoping rigor,” Weston says. “Assessors will expect a clear definition of the CUI environment, supporting assets, and inherited/cloud controls — supported by diagrams and responsibility matrices.”

  • Objective evidence that matches policy

“Under CMMC, it’s not enough to say you’ve implemented a control,” he says. “You must show repeatable proof — system configurations, log exports, ticket history, or SOPs — that line up exactly with your SSP and procedures. This is where many self-attesting companies stumble.”

  • POA&M restrictions and minimum score

“Unlike 800-171 self-attestation, CMMC allows only limited Plans of Action and Milestones (POA&Ms),” Weston says. “You must achieve a minimum score and cannot defer high-value practices. Organizations accustomed to ‘paper compliance’ often discover gaps here late in the process.”

CMMC and NIST SP 800-171 are connected but not interchangeable. NIST 800-171 sets the requirements for protecting Controlled Unclassified Information (CUI) on nonfederal systems. CMMC confirms whether DoD contractors meet those requirements — and, in some cases, additional ones — through assessments tied to specific contract levels.

NIST 800-171 helps companies identify and close cybersecurity gaps before problems occur. It provides 110 requirements in 14 control families, which contractors implement to safeguard CUI.

CMMC builds on this foundation by introducing defined levels, assessment types, and verification steps. CMMC Level 1 covers 15 basic safeguards from FAR 52.204-21 for Federal Contract Information (FCI). CMMC Level 2 aligns with all 110 NIST 800-171 Rev. 2 requirements for CUI. CMMC Level 3 adds 24 selected enhanced requirements from NIST 800-172 for the most sensitive contracts.

Both frameworks strengthen security practices and help protect the confidentiality, integrity, and availability of CUI. For most DoD contracts involving CUI, NIST 800-171 compliance is part of the foundation, and CMMC provides the formal proof that those requirements are in place.

What do CMMC and NIST 800-171 have in common?

Both CMMC and NIST 800-171 aim to safeguard sensitive government information, especially Controlled Unclassified Information (CUI). NIST 800-171 defines the security requirements, while CMMC verifies they are in place. Each relies on documentation, governance, and evidence to manage risk and meet contractual obligations.

Both CMMC and NIST use process and system documentation, as well as governance and accountability, to manage security risk. 

Here’s a rundown of the similarities:

  • Control alignment: CMMC 2.0 Level 2 fully matches the 110 requirements in NIST SP 800-171 Rev. 2. Level 3 adds 24 selected enhanced requirements from NIST SP 800-172.
  • Governance: Both describe the roles that individuals play in an organization's cybersecurity program and how those roles interact.
  • Risk management: Both require a gap analysis before an organization creates a risk management plan.
  • Documentation: Each requires a System Security Plan (SSP) detailing the system, policies, and procedures, supported by evidence for audits. Results are recorded in the DoD’s Supplier Performance Risk System (SPRS) for self-assessments. For third-party or government-led assessments — required for CMMC Level 2 (third-party path) and Level 3 — results are recorded in eMASS. The Enterprise Mission Assurance Support Service is the DoD’s system for managing cybersecurity compliance data.
  • CUI protection: Both emphasize protecting CUI from unauthorized access and sharing, as required under applicable contracts.

Why did the DoD create CMMC if NIST already existed?

The DoD created CMMC to close gaps in how contractors implemented required security controls. NIST 800-171 compliance was often self-attested, and many contractors claimed compliance without fully meeting the requirements. CMMC adds independent verification to make sure practices are followed.

Originally, NIST 800-171 compliance was required but not audited. Contractors self-reported their compliance scores, often with inaccuracies. Meanwhile, cyber incidents among DoD contractors and subcontractors continued to rise.

To address these issues, the DoD developed the Cybersecurity Maturity Model Certification. CMMC introduces defined levels of security, clear assessment standards, and third-party or government-led audits for higher levels. This approach creates a consistent, enforceable way to confirm that contractors are protecting the defense supply chain against cyber threats.

Does CMMC Level 2 align with NIST 800-171?

Yes. CMMC Level 2 matches the 110 requirements in NIST SP 800-171 Rev. 2 for protecting CUI. The difference is that CMMC adds verification through either self-assessment or third-party audits, along with annual affirmation and limits on using Plans of Action and Milestones (POA&Ms).

NIST 800-171 allows organizations to self-assess compliance. Under CMMC, the assessment approach depends on the contract: some Level 2 contracts permit self-assessment, while others require a certified third-party assessment organization (C3PAO).

Both frameworks require documented steps to fix risks through a Plan of Action and Milestones (POA&M). CMMC limits the number of open POA&Ms allowed at contract award and requires closing them within 180 days.

NIST SP 800-171 Revision 3, released in 2024, adds new domains and changes requirement counts. However, CMMC Level 2 assessments are still conducted against Revision 2, and the DoD has stated it will transition to Revision 3 through future rulemaking. 

While Rev. 3 does not yet change CMMC requirements, it may influence how organizations prepare for future certification updates. 

Weston notes these changes in Revision 3 that could present challenges:

  • New control families
    “Rev. 3 introduces Planning (PL), System & Services Acquisition (SA), and Supply Chain Risk Management (SR). Standing up these families requires new documentation, supplier clauses, and cross-departmental processes — items rarely budgeted in advance,” Weston says.

  • More prescriptive assessments

“Rev. 3’s companion assessment guide increases the number of determination statements,” he says. “That means more artifacts, logging, and procedural evidence must be produced consistently, raising the bar beyond policy-only compliance.”

  • Organizationally Defined Parameters (ODPs)

“Many requirements now let the organization set thresholds (e.g., log review frequency, session timeout). While flexible, this forces governance work — risk justifications, leadership approval, and tracking — which in turn drives additional resource and tooling needs,” Weston says.

How are CMMC levels mapped to NIST 800-171?

CMMC levels map to federal security requirements. Level 1 uses 15 safeguards from FAR 52.204-21 for FCI. Level 2 matches all 110 requirements in NIST SP 800-171 Rev. 2 for CUI. Level 3 adds 24 enhanced requirements from NIST SP 800-172 for the most sensitive CUI.

Most CUI-related DoD contracts require CMMC Level 2, making it the most common level. Level 1 applies only when FCI is in scope, while Level 3 is reserved for high-priority national security programs.

The main differences between CMMC and NIST 800-171 involve scope, how compliance is verified, and the level of assessment required. NIST 800-171 defines security requirements for protecting CUI when required by contract, while CMMC confirms those requirements are met — and sometimes adds to them — through formal certification levels.

Here’s a rundown of the differences:

  • Applicability and enforcement: NIST 800-171 requirements are enforced through contract clauses (e.g., DFARS 252.204-7012). CMMC requirements are enforced through certification tied to the level specified in the DoD contract.
  • POA&M usage: Under NIST 800-171, contractors may begin work with an open Plan of Action and Milestones (POA&M) if allowed by the contract. Under CMMC, contractors must meet minimum score thresholds and close any remaining POA&Ms within 180 days.
  • Scope: NIST 800-171 applies to CUI on nonfederal systems for both DoD and non-DoD agencies. CMMC applies specifically to DoD contracts and incorporates NIST 800-171 Rev. 2 requirements at Level 2.
  • Number of controls: NIST 800-171 Rev. 2 contains 110 requirements. NIST SP 800-172 adds enhanced requirements for high-value programs. CMMC Level 1 includes 15 basic safeguards from FAR 52.204-21, Level 2 includes all 110 NIST 800-171 Rev. 2 requirements, and Level 3 adds 24 selected enhanced requirements from NIST SP 800-172.
  • Assessment: NIST 800-171 compliance is generally self-assessed. Under CMMC, some Level 2 contracts allow self-assessment while others require a certified third-party assessment organization (C3PAO), and Level 3 requires a government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

 

See our guide to learn more about CMMC audits and how to prepare for them.

CMMC Level 1 vs. NIST 800-171

CMMC Level 1 is less rigorous than NIST 800-171; it covers only 15 basic safeguards for FCI, while NIST 800-171 requires 110 security requirements for protecting CUI.

Key differences include:

  • CMMC Level 1 draws from FAR 52.204-21 and applies only to contracts involving FCI. NIST 800-171 applies when CUI is in scope.
  • CMMC Level 1 has a narrower focus, while NIST 800-171 addresses the broader requirements needed to protect CUI.
  • Under CMMC Level 1, an annual self-assessment with affirmation in SPRS is required; NIST 800-171 self-assessment frequency depends on the contract.

CMMC Level 2 vs. NIST 800-171

CMMC Level 2 is essentially the same as NIST 800-171 in scope, but it adds a formal verification process — either a self-assessment or a third-party certification, depending on the contract.

Key differences include:

  • NIST 800-171 allows only self-assessment, while CMMC Level 2 may require a third-party certification by a Certified Third-Party Assessment Organization (C3PAO).
  • Some CMMC Level 2 contracts allow self-assessment only if no critical CUI is in scope, as defined in the solicitation.
  • CMMC Level 2 imposes limits on POA&Ms and requires closing any remaining items within 180 days; NIST 800-171 POA&M allowances are set by contract.

CMMC Level 3 vs. NIST 800-171

CMMC Level 3 includes NIST 800-171 and adds advanced controls from NIST 800-172. Unlike other levels, government teams do audits. Level 3 helps protect against complex threats like advanced persistent attacks on critical systems.

Differences between the two frameworks include:

  • NIST 800-171 contains 110 broad protection requirements for CUI. CMMC Level 3 adds controls from NIST 800-172. These address proactive practices to prepare for threats and monitor systems for effectiveness. 
  • Level 3 compliance certification is valid for three years, but yearly compliance attestation is required.

How NIST 800-171 compares to the 3 CMMC levels

 

NIST 800-171

CMMC Level 1

CMMC Level 2

CMMC Level 3

Scope 

110 requirements

15 safeguards from FAR 52.204-21 (subset of NIST)

Same 110 requirements as NIST 800-171 Rev. 2

110 NIST 800-171 + 24 enhanced requirements from NIST 800-172

Purpose

Protect CUI on nonfederal systems (includes FCI within CUI scope)

Protect FCI only

Protect CUI to NIST 800-171 standard

Protect CUI and defend against advanced persistent threats (APT)

Assessment Type

Self-assessment; score to SPRS

Self-assessment; score to SPRS

Self-assessment or C3PAO certification

Government-led DIBCAC certification

Frequency

Annual

Annual

3-year cycle + annual affirmation

3-year cycle + annual affirmation

POA&M Policy

No federal limit; set by contract

Not allowed

Limited; must close in 180 days

Limited; must close in 180 days

Contract Applicability

DoD and non-DoD contracts with CUI clause

DoD contracts with only FCI

Most CUI-related DoD contracts

Highest-sensitivity, national security DoD contracts

 

 

Mapping shows exactly how the security requirements in NIST SP 800-171 align with the practices in each CMMC level. It helps contractors identify overlap, plan efficient compliance steps, and avoid duplicate work.

NIST SP 800-171 Rev. 2 contains 110 security requirements across 14 control families. CMMC Level 2 matches these requirements exactly. Level 1 covers a subset of 15 basic safeguards from FAR 52.204-21. Level 3 includes all 110 NIST 800-171 requirements plus 24 enhanced requirements from NIST SP 800-172 for high-value programs.

Get the full mapping of NIST 800-171 to CMMC

Get our full NIST-CMMC mapping spreadsheet to see each control, its domain, and the specific evidence you’ll need for a CMMC assessment.

Time and cost vary widely depending on your organization’s size, systems, existing security posture, and the level of compliance required. CMMC and NIST 800-171 share the same core requirements at Level 2, so combining efforts can shorten timelines and reduce costs.

How long does it take to do CMMC or NIST 800-171?

If you are only implementing NIST 800-171, the scope is equivalent to CMMC Level 2 requirements but without the added certification process. Unless your contract specifies otherwise, NIST 800-171 compliance is self-assessed, which can make the process faster than achieving CMMC certification at the same requirement level.

If you are pursuing CMMC certification, the timeline depends on the level, your current cybersecurity maturity, and whether a third-party or government assessment is required. Certification adds time for formal assessments, remediation of any findings, and documentation review.

Typical timelines:

  • NIST 800-171 only: Three to nine months for most organizations, depending on size, complexity, and how much work is needed to close gaps. Timelines are shorter if you already have strong security controls and documentation in place.
  • CMMC Level 1: Weeks to a few months — requires only a self-assessment and remediation of 15 basic safeguards from FAR 52.204-21.
  • CMMC Level 2: Three months to a year — same 110 requirements as NIST 800-171 but may require a third-party (C3PAO) assessment, which adds preparation and scheduling time.
  • CMMC Level 3: 18 months or more — includes all Level 2 requirements plus 24 enhanced requirements from NIST SP 800-172 and requires a government-led assessment. Preparation is longer if moving up from Level 0 or 1.

How much does it cost to do CMMC or NIST 800-171?

If you are only implementing NIST 800-171, you avoid the cost of formal certification but still incur expenses for gap analysis, remediation, policy development, and ongoing compliance. The scope matches CMMC Level 2, but costs are generally lower because there’s no third-party or government audit unless a contract requires it.

If you are pursuing CMMC certification, costs increase with the level due to audit fees, more extensive evidence requirements, and added controls at Level 3. Certification costs recur on a three-year cycle, with ongoing expenses for annual affirmation and compliance maintenance.

Typical costs:

  • NIST 800-171 only: $5,000–$50,000+ depending on organization size, complexity, and current cybersecurity maturity. Lower if controls are already in place; higher if significant remediation is needed.
  • CMMC Level 1: $4,000–$6,000 for self-assessment support, plus any remediation costs.
  • CMMC Level 2: $34,000–$112,000 for a full C3PAO assessment, spread over the three-year certification cycle; less for self-assessment paths.
  • CMMC Level 3: Hundreds of thousands to millions of dollars, depending on size, system complexity, and the work needed to meet the 24 enhanced NIST SP 800-172 requirements.

To save time and cost, define the scope of your FCI and CUI first. Then combine NIST and CMMC efforts where possible. Meeting NIST 800-171 puts you most of the way toward meeting CMMC Level 2, the most common level sought.

“The most important takeaway is that you shouldn’t treat NIST 800-171 and CMMC compliance as separate, unrelated initiatives,” says Webb. “They are deeply interconnected, and in practical terms, if you comply with NIST 800-171, you have implemented virtually all the security controls needed for CMMC Level 2, since Level 2 is defined as implementing those 110 controls.”

Webb says an organization boosts its chances of a successful NIST 800-171 and CMMC implementation with these considerations:

  • Start with strong executive buy-in.
  • Correctly gauge the scope and complexity of such a project. 
  • Provide adequate resources for implementation.
  • Conduct a self-assessment.
  • Emphasize risk assessment. Don’t skip this.
  • Consider the security of your supply chain.
  • Adequately document your security system and processes.
  • Prioritize the human element in cybersecurity, such as risk awareness and preventive training.

Allocating mapping and tracking tasks to bespoke software takes the tedious, error-prone details of a compliance process out of human hands. Automated compliance tools not only expedite the process during an initial audit they also contribute to future audits.

CMMC is required for DoD work. NIST 800-171 helps protect sensitive data. Strike Graph’s platform speeds up both processes by helping you map controls, collect evidence, manage risks, and prepare audit-ready plans with AI-powered tools.

If you seek U.S. Department of Defense contracts, CMMC 2.0 compliance is a prerequisite. Existing compliance with NIST 800-171 creates a foundation for building a CMMC-compliant system. But even if you’re just beginning the compliance journey, you can still save time and money on NIST and CMMC by bundling efforts.

Strike Graph can help. Strike Graph’s new AI-powered compliance platform improves your security posture with optimized risk mitigation tools. Easily collect and store evidence, and map your existing controls to NIST-171 requirements. Use Strike Graph out-of-box self-assessments to gauge your compliance, then advance as our platform creates and tracks your PO&AM automatically details your SSP.

Strike Graph harnesses AI to help you monitor action items and update audit readiness for real-time visibility into authentication and file access controls, sharing polices, and overall data governance to save you time and money in your quest for NIST 800-171 and CMMC 2.0 certification. 

FAQs on CMMC 2.0 vs. NIST 800-171

Is NIST 800-171 required for CMMC certification?

Yes. CMMC certification for levels 2 and 3 requires adherence to NIST 800-171 controls.

Can I get CMMC certified without first meeting NIST 800-171?
No. CMMC aligns directly with NIST 800-171 controls, so there’s no escaping 800-171 requirements.

What happens if I fail a CMMC assessment?

If you fail a CMMC assessment, you may fail to attain certification and lose your current DoD contract and any future ability to work with CUI in the DoD. You may also suffer damage to your reputation. 

However, you have the chance to remediate your organization’s non-conformities. The auditor provides a PO&AM with a deadline (up to 180 days under CMMC 2.0) for closing any gaps. Your organization is re-audited after the deadline. 

How often do I need to renew my CMMC certification?

CMMC certification is valid for three years, and you must complete an annual affirmation of compliance.

Who can perform a CMMC assessment?
For CMMC level 1, you can self-assess. For CMMC Level 2, the contract will specify whether you can self-assess or must be evaluated by a Certified Third-Party Assessment Organization (C3PAO). For CMMC level 3, the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) performs your audit.

Does CMMC apply to subcontractors?
CMMC applies to contractors and subcontractors. It’s critical that you consider who along your supply chain handles FCI or CUI, especially for DoD contracts. Data breaches have legal and financial implications and loss of reputation.

How does NIST 800-171 Rev. 3 affect CMMC?

NIST SP 800-171 Rev. 3 does not yet change CMMC requirements. Level 2 assessments still follow Rev. 2, but Rev. 3 may influence how organizations prepare for future updates, since it changes requirement counts, adds domains, and modifies implementation flexibility.

Released in 2024, Rev. 3 reduces the number of requirements from 110 to 97, introduces three new domains — Planning, System and Services Acquisition, and Supply Chain Risk Management — and adds flexibility through organizationally defined parameters (ODPs). While there are fewer requirements, it increases the number of determination statements or specific actions needed to fulfill each requirement.

Can I combine NIST 800-171 and CMMC implementation into one project?

You can combine NIST 800-171 and CMMC implementation. Certifying in tandem streamlines implementation, thereby shortening time to operationalize and reducing costs.