CMMC vs NIST 800-171: What’s the Difference, and Do You Need Both?

By The Defense Compliance Report Editorial Team · Last reviewed June 2026 · Primary sources: 32 CFR Part 170 · NIST CSRC · Acquisition.gov (DFARS) · Corrections policy

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance — the independent CMMC decision layer for defense contractors. This article is educational, not legal or contractual advice.

CMMC vs NIST 800-171 is not a choice between two security standards — it’s the difference between the rules and the referee. NIST SP 800-171 is the set of 110 security requirements you implement to protect Controlled Unclassified Information (CUI). CMMC (the Cybersecurity Maturity Model Certification) is the U.S. Department of Defense program that verifies you actually did it. For CMMC Level 2 — the level for contractors that handle CUI — the requirements are identical to NIST SP 800-171 Revision 2 (32 CFR § 170.14(c)(3)). Which one applies to you depends on three things: whether you handle FCI or CUI, the clause in your contract (DFARS 252.204-7021), and the assessment type that clause specifies.

So no, you’re not being charged twice for the same thing. But here’s the line that trips up almost every contractor — and the one we’ve watched cost real money: there isa difference between “we implemented NIST 800-171” and “we can pass a CMMC assessment.” The controls can be identical and the outcome still different. We’ll show you exactly where that line sits, what evidence moves you across it, and — the part most comparison pages skip — what each side actually costs.

Use this page ifyou handle (or might handle) CUI, you saw NIST 800-171 or CMMC in a solicitation, a prime sent you a flow-down notice or an SPRS data call, you need to explain the difference to your leadership, or you’re staring at two vendor quotes that separate “NIST compliance” from “CMMC readiness” and wondering why.

Don’t use this page aslegal advice, a contract interpretation, or a substitute for a CMMC Registered Practitioner (RP/RPO) or a federal-contracts attorney — and please don’t paste CUI, drawings, or sensitive contract details anywhere on the web, including here.

Last reviewed June 2026

In short: NIST SP 800-171 is the 110 security requirements you implement to protect CUI; CMMC Level 2 uses that same set and adds the verification, status, annual affirmation, and flow-down mechanics. You need both if your contract requires CMMC and you handle CUI. Which provider category fits your situation depends on your level, scope, and assessment type — use Find My CMMC Path to map it before requesting quotes.

The five fastest answers

→ Not sure which row is you? Find My CMMC Path maps your situation to the right provider category before you ask for quotes — no CUI, drawings, or sensitive contract details required.
Use Find My CMMC Path →

Is CMMC the same as NIST 800-171?

No. NIST SP 800-171 is the security requirement set for protecting CUI in nonfederal systems; CMMC is the Department of Defense program that verifies a contractor has implemented the required controls at the required level. The clean shorthand: NIST 800-171 is the “what,” CMMC is the “prove it.” For CMMC Level 2, the two share the exact same 110 requirements.

We didn’t paraphrase that from a competitor — we read the rule. 32 CFR § 170.14(c)(3), the regulation that defines the CMMC model, states in plain language that the Level 2 security requirements are “identical to the requirements in NIST SP 800-171 R2.” That single sentence settles most of the confusion. CMMC did not invent a new catalog of controls for Level 2. It pointed at the catalog that already existed and added a way to check your work.

Think of it as a licensing exam. NIST SP 800-171 is the body of knowledge — the 110 things you’re expected to do, organized into 14 control families covering access control, audit and accountability, incident response, system and information integrity, and the rest. CMMC is the proctored exam built on top of that knowledge. Same material. The difference is whether someone confirms you know it, who does the confirming, where the result gets recorded, and what happens if you can’t prove it.

There’s a second piece that ties them together legally. NIST itself is the National Institute of Standards and Technology — a standards body, not an enforcement agency. On its own, SP 800-171 is a publication. What makes it binding for defense contractors is a contract clause: DFARS 252.204-7012 (the Defense Federal Acquisition Regulation Supplement clause on safeguarding covered defense information and cyber-incident reporting), which requires covered contractor information systems handling covered defense information to implement NIST SP 800-171, and has done so since December 31, 2017. CMMC adds a third layer on top — the verification and contracting mechanics that make your CMMC status a condition of getting the award.

Why so many contractors confuse the two

You’re not the only one. The questions we see over and over, in almost these exact words: “If I’m 100% NIST compliant, am I basically CMMC certified?” “Why is a vendor charging me for both?” “Do I need a C3PAO, or just an SPRS score?” “What do I tell management this is going to cost?” One contractor on a federal forum summed up the whole anxiety in a sentence — they wanted a first step that showed “value, cost and compatibility” with “no surprise costs.”

That confusion is reasonable, because “NIST implementation” and “CMMC readiness” overlap heavily — they’re just not the same workstream. Implementing the controls is the engineering and documentation work. CMMC readiness is making that work assessable: scoped correctly, evidenced, operating as written, and affirmable by a senior official. The next sections separate the two cleanly, starting with the question that actually changes your budget.

CMMC vs NIST 800-171: do you need one, or both?

For most DoD contractors who handle CUI, the practical answer is both: you implement NIST SP 800-171 because it’s the Level 2 baseline, and you satisfy CMMC because your contract requires a current CMMC status, an assessment, an annual affirmation, and flow-down to subcontractors. If you handle only Federal Contract Information (FCI) and no CUI, Level 1 may apply instead — and Level 1 does not use NIST 800-171 at all.

This is where a single table does more than five paragraphs. We built the matrix below by reading the CMMC Program Rule (32 CFR Part 170), the DFARS clauses on Acquisition.gov, the SPRS documentation, and the Cyber AB’s CMMC Assessment Process, then assembling what those sources say into one decision view. You’d otherwise need five or six tabs and a spreadsheet to reconstruct it. This is The CMMC Path Framework — the logic that maps your situation to a provider category, not a named provider, and it is not a score, a ranking, or compliance advice.

The CMMC vs NIST 800-171 decision matrix

Source spine: CMMC level baselines and status rules — 32 CFR Part 170. NIST purpose and revision status — NIST CSRC. Level 2 self/third-party reporting — 32 CFR §§ 170.16–170.17. Level 3 / DIBCAC / eMASS — § 170.18. SPRS fields — SPRS official documentation. C3PAO process and independence — Cyber AB CMMC Assessment Process.

Find yourself in one row:

• You handle only FCI (no CUI).You’re likely Level 1. That uses FAR 52.204-21’s 15 basic safeguards —notNIST 800-171’s 110 requirements. Don’t let anyone sell you a Level 2 program you don’t need.
• You handle CUI.You’re in Level 2 territory. You implement all 110 NIST 800-171 Rev. 2 requirements, and the contract tells you whether you self-assess or bring in a C3PAO.
• Your prime is flowing down CUI to you.Your subcontract language sets the level, and it has to match the information you’ll actually process, store, or transmit. A prime’s Level 3 requirement does not automatically make you Level 3.
• You genuinely don’t know whether you have CUI. You’re in good company — public comments on the CMMC rule specifically flagged confusion over CUI marking, mismarked data, and small businesses that can’t say for certain whether CUI is even in their possession. Resolving that is step one, and it’s not a checkbox.

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.
Map your clause before you request quotes →
Do not submit CUI, drawings, export-controlled data, or sensitive contract details.

FCI vs CUI: the fork that decides Level 1 vs Level 2

The single distinction that determines whether you’re looking at CMMC Level 1 or Level 2 is the kind of information your contract puts on your systems. FCI (Federal Contract Information) means Level 1 and the 15 FAR 52.204-21 safeguards. CUI (Controlled Unclassified Information) means NIST SP 800-171’s 110 requirements and CMMC Level 2 (or 3).

The trap is assuming you’re “just FCI” when CUI is quietly in scope — a marked drawing in an email, a spec on a shared drive, technical data a prime sent you. If CUI touches a system, that system is in Level 2 territory, and the cost and effort jump accordingly. When you’re unsure, treat the CUI determination as its own first project; a Registered Practitioner or a federal-contracts attorney can help you read the contract and the markings. (We keep a deeper FCI vs CUI breakdown for that step.)

Which CMMC level maps to NIST 800-171?

CMMC Level 2 maps directly to NIST SP 800-171 Revision 2 — the full 110 requirements. Level 1 is built on 15 basic safeguards from FAR 52.204-21 for FCI, not on NIST 800-171. Level 3 requires you to first reach Final Level 2 (C3PAO), then implement 24 selected enhanced requirements from NIST SP 800-172, assessed by the government.

A few corrections worth making, because we see them repeated on otherwise-decent pages:

Level 1 is not “a small version of NIST 800-171.” It draws from a different source — FAR 52.204-21’s basic safeguarding requirements for FCI — and tops out at 15 requirements. If you only touch FCI, mapping yourself against all 110 NIST controls is wasted effort and wasted budget.

Level 2 is where NIST 800-171 and CMMC genuinely overlap. Here, “CMMC vs NIST 800-171” is almost entirely an implementation-versus-verification distinction. Same controls; CMMC adds the proof.

Level 3 is not just “more NIST 800-171.” It layers on selected requirements from a different publication — NIST SP 800-172, the enhanced-security supplement — which applies when CUI is tied to a critical program or high-value asset. It’s assessed by the government’s DIBCAC, not a commercial C3PAO, and it requires you to clear Final Level 2 (C3PAO) first.

Rev. 2 or Rev. 3? Get this one right

This is the most expensive piece of misinformation in the category, so we’ll be blunt. NIST published SP 800-171 Revision 3 in May 2024, and in NIST’s own publication library Rev. 3 supersedes Rev. 2. But CMMC Level 2 still uses Revision 2, because 32 CFR Part 170 incorporates Rev. 2 by reference, and the DoD has said it would adopt a later version only through future rulemaking. As of this writing, that rulemaking has not changed the CMMC baseline.

Translation: if a vendor or article tells you to “align to Rev. 3 for your CMMC Level 2 assessment,” ask them to cite the rule section that requires it. They can’t, because it isn’t there yet. Planning ahead for Rev. 3 is smart. Treating it as today’s assessment baseline is wrong — and it can send you implementing controls you don’t yet need.

What does CMMC add that NIST 800-171 doesn’t?

CMMC adds the verification and contracting layer on top of the NIST 800-171 controls: it sets your required level, decides whether you self-assess or face a third-party assessment, requires a senior official’s annual affirmation, limits how you can use a Plan of Action and Milestones (POA&M), and routes your result into SPRS or eMASS. It does not create a separate Level 2 control catalog — the controls stay identical to NIST SP 800-171 Rev. 2.

Four additions matter most:

Level selection. NIST 800-171 is one baseline. CMMC sorts contractors into Level 1 (FCI), Level 2 (CUI), or Level 3 (CUI on critical programs) based on the information in your contract.

Assessment type. NIST 800-171 historically relied on your own self-assessment. CMMC formalizes it: Level 1 is a self-assessment, Level 2 is either a self-assessment or a C3PAO certification assessment depending on the contract, and Level 3 is a government DIBCAC assessment.

Status and affirmation. Under DFARS 252.204-7021, you must hold a current CMMC status at the level your contract requires, and a senior company official — the Affirming Official — must affirm continuous compliance in SPRS every year. Miss the affirmation and the status lapses.

POA&M limits.A POA&M is a documented plan to close specific gaps by a deadline. NIST self-assessment scoring let contractors carry plenty of open items. CMMC tightens that hard: Level 1 allows noPOA&Ms, and at Level 2 only lower-value (one-point) requirements can sit on a POA&M, which must be closed within 180 days to move from “Conditional” to “Final” status (32 CFR §§ 170.16, 170.21).

Is being “NIST 800-171 compliant” enough to pass CMMC?

Implementing NIST SP 800-171 is necessary for CMMC Level 2, but it isn’t automatically sufficient. CMMC requires that each requirement is implemented, correctly scoped, operating as documented, backed by evidence, and affirmable by a senior official. You can self-report a perfect SPRS score and still fail a C3PAO assessment if you can’t prove it.

Here’s the scoring reality most pages gloss over. Your NIST 800-171 score lives in SPRS — the Supplier Performance Risk System, the DoD’s database of contractor performance and cybersecurity scores. It runs on a points scale that surprises people the first time they see it:

• The maximum is +110. The minimum is −203. First-time scores are frequently negative.
• Each of the 110 requirements is weighted 1, 3, or 5 points, based on its security impact.
• For almost every requirement, scoring is all-or-nothing: meet it fully and you keep the points; miss it and you lose its full value. The rule allows partial credit in only two narrow cases — multi-factor authentication (IA.L2-3.5.3) and CUI encryption (SC.L2-3.13.11) (32 CFR § 170.24). For everything else, “we’ve mostly got it” earns nothing.
• To qualify for a Conditional Level 2 and a POA&M, your score divided by the total number of requirements must be at least 0.8 (88 of 110), no POA&M item may be worth more than 1 point — with one exception, CUI encryption (SC.L2-3.13.11), which can sit on a POA&M at 3 points if you’re using encryption that isn’t yet FIPS-validated — and a short list of specific requirements can’t be deferred at all (32 CFR §§ 170.16, 170.21).

That last point is the trap. A lot of contractors assumed they could “POA&M their way” to a number. Under CMMC scoring you generally can’t park a 3- or 5-point control on a POA&M; outside the encryption exception, you have to actually finish the high-value items first.

And a score is a self-report. A C3PAO— a Certified Third-Party Assessment Organization, authorized or accredited to conduct Level 2 certification assessments — doesn’t take your word for it. Assessors examine artifacts, interview the people who run the controls, and testthat the controls work. They check that your System Security Plan (SSP) matches reality, that your asset scope is right, and that your customer-responsibility matrix lines up with how your cloud services actually operate. The artifacts you submit are even hashed and retained for six years (32 CFR § 170.17).

This is the difference between saying and showing. The controls are identical to NIST 800-171. The burden of proof is not. A draft policy isn’t evidence. A tool you bought isn’t a configured control. “We can do it” isn’t “it’s implemented for the in-scope users and systems, and here are the logs.” That gap — between a contractor who understands NIST 800-171 and one who is assessment-ready — is where most of the real cost and most of the failed first attempts live.

→ See the evidence checklist before you call an assessor.
The CMMC Readiness Checklist maps the evidence to all 14 NIST 800-171 control families — the same map a C3PAO works from — so “showing” doesn’t catch you off guard.
Get the readiness checklist →

Where do SPRS and CMMC eMASS fit in?

SPRS stores results; it does not perform the assessment. For a Level 2 self-assessment, you (the contractor) submit your results and affirmation directly in SPRS. For a Level 2 C3PAO assessment or a Level 3 DIBCAC assessment, the assessor submits results into CMMC eMASS, which then transmits them to SPRS.

It’s worth knowing what flows where, because the wording on a vendor’s quote often hides which one they mean.

For a NIST 800-171 / Level 2 self-assessment, SPRS captures: your assessment date, your score, the scope, your projected POA&M completion date, your CAGE code(s), and your SSP name, version, and date.

For a Level 2 C3PAO assessment,the workflow shifts: the C3PAO records its findings — including the assessment’s unique identifier, assessor information, and the names and hash values of your evidence artifacts — into CMMC eMASS(the Enterprise Mission Assurance Support Service, the DoD’s system for managing this assessment data), and eMASS transmits the result to SPRS automatically.

Why this matters for your wallet: when a provider says “we ’ll get your SPRS done,” that phrase can mean three very different scopes — a quick gap review, full support for a Level 2 self-assessment, or preparation for a C3PAO assessment. Those aren’t interchangeable, and they aren’t priced the same. Pin down which one before you sign.

How CMMC, NIST 800-171, and the DFARS clauses fit together (2026 update)

Three contract clauses connect NIST 800-171 to CMMC. DFARS 252.204-7012 makes NIST SP 800-171 contractually required for systems handling covered defense information. DFARS 252.204-7021 makes a current CMMC status a condition of award and requires annual affirmations. DFARS 252.204-7025 is the solicitation provision that names the required level and makes an offeror ineligible without the required status. A 2026 regulatory overhaul renumbered or removed several older clauses — but 7012, 7021, and 7025 are intact, and self-assessment reporting in SPRS still exists under CMMC. See our DFARS 7019 & 7020 explainer for the 2026 clause crosswalk.

DFARS 252.204-7012 — the safeguarding-and-incident-reporting clause. It requires “adequate security” on covered contractor information systems handling covered defense information, points those systems to NIST SP 800-171, mandates 72-hour cyber-incident reporting, and requires cloud services handling that information to meet a FedRAMP Moderate-equivalent baseline. This is the clause that has quietly made NIST 800-171 mandatory since 2017.

DFARS 252.204-7021 — the CMMC clause. It requires you to have and maintain the CMMC status your contract specifies, complete an annual affirmation in SPRS, only process FCI/CUI on systems that hold the required status, and flow the correct level down to subcontractors. This clause is what turns CMMC from a recommendation into an eligibility gate.

DFARS 252.204-7025 — the solicitation provision (the companion to 7021). It gives notice of the required CMMC level before award and makes an offeror ineligible for award if it lacks the required CMMC status and affirmation for the applicable systems.

What changed on February 1, 2026 (and what didn’t)

A government-wide effort to streamline federal acquisition regulations — the Revolutionary FAR Overhaul, published as a set of class deviations effective February 1, 2026 — reorganized several long-standing cybersecurity clauses. Here’s the accurate breakdown:

Read this part carefully, because it’s where contractors get misled. “DFARS 7019 is gone” does notmean “SPRS self-assessment reporting is gone.” Under the CMMC rule, Level 1 (Self) and applicable Level 2 (Self) results and annual affirmations still go into SPRS (32 CFR §§ 170.15–170.16). What changed is that the old parallelDFARS “basic self-assessment” track was consolidated into CMMC, and several clause numbers were renumbered. These are class deviations— interim text — not yet finalized through rulemaking, which is why Acquisition.gov still publishes the legacy 7019 and 7020 pages and you’ll see old and new numbers at the same time. Bottom line: NIST 800-171 (via 7012) is still the controls; CMMC (via 7021/7025) is how the DoD verifies them; and you still post self-assessment scores to SPRS when your contract calls for a self-assessment. Before you rely on any clause number, read the actual clause text in your solicitation.

What does CMMC cost that NIST 800-171 didn’t?

Because NIST SP 800-171 has been contractually required since 2017, the DoD treats implementing it as a cost you already owe. The newmoney under CMMC is the verification layer — the assessment, the reporting, and the annual affirmation. In its CMMC rulemaking, the DoD estimated a small contractor’s initial Level 2 (C3PAO) certification at about $101,752, and roughly $104,670 over the three-year cycle — figures that deliberately exclude NIST 800-171 implementation.

This is the cleanest answer to “am I paying twice?,” and it comes straight from the rule. When the DoD modeled CMMC’s cost in the CMMC Program rulemaking (32 CFR Part 170), it drew a sharp line. It treated NIST 800-171 implementation — the controls, the tooling, the SSP — as a sunk cost, already owed under DFARS 7012 since 2017. Then it counted only the verification work as new. Here are the DoD’s per-entity small-business estimates:

The point most pages miss:the DoD’s own number for a small contractor’s Level 2 certification — about $104,670 over three years — does not includeimplementing NIST 800-171, because the Department treats that as a cost you’ve owed since 2017. In plain terms: you are not paying for CMMC and NIST 800-171 as two separate bills. You pay for the controls (NIST 800-171), then you pay for the proof (CMMC). The proof is the new line item. (Larger and more complex organizations are modeled higher — the C3PAO engagement line alone is estimated at roughly $52,056 for other-than-small entities.)

Real-world market pricing is wider than the DoD’s modeled figure, and it depends heavily on how mature your security already is and how big your CUI footprint is. The ranges below are compiled from 2026 provider and industry pricing we reviewed — planning ranges, not quotes:

• Level 1: roughly $5,000–$15,000.
• Level 2 self-assessment track: commonly around $37,000–$49,000 across a three-year cycle.
• Level 2 (C3PAO) track: commonly $50,000–$300,000+all-in, with the C3PAO’s assessment fee alone often in the $30,000–$80,000 range and the bulk of the spend in preparation and remediation.
• Level 3: from the low six figures into the millions, depending on scope.

Your number depends on your scope — which is exactly why scope reduction (for example, isolating CUI in an enclave) is the biggest lever on cost.

One genuine, schedule-driven reason not to wait: there are fewer than 100 authorized C3PAOs nationwide (you can confirm the live count on the Cyber AB Marketplace) serving tens of thousands of contractors that will need certification. That bottleneck pushes scheduling out and prices up, and rushing the timeline tends to raise costs and the odds of a failed first attempt. The cheapest version of this is the one you start early and scope tightly.

→ See what a Level 2 readiness program actually involves.
Before you call an assessor, get the CMMC Readiness Checklist mapped to all 14 NIST 800-171 control families — the same map a C3PAO works from.
Get the readiness checklist →
Only handle FCI? You’re likely Level 1 and don’t need the full NIST 800-171 program — here’s the Level 1 path instead.

Why would a vendor charge you for both NIST 800-171 and CMMC?

A vendor shouldn’t charge you twice for the same control work — but it’s legitimate to pay separately for NIST implementation, CMMC readiness, evidence preparation, managed security operations, GRC tooling, a CUI enclave, and a formal C3PAO assessment, because those are genuinely different deliverables. The problem on most quotes isn’t the phrase “NIST + CMMC.” It’s unclear scope.

So before you assume you’re being double-billed, separate the legitimate line items from the red flags:

Then ask these questions before you sign anything:

• Which requirement set is this mapped to — the 110 NIST 800-171 Rev. 2 controls, or something else?
• Which systems and assets are in scope?
• Are you preparing us, operating our controls, selling us software, or assessing us? (These should not be blurred.)
• Will you write and update the SSP and POA&M?
• Who owns the evidence after the engagement ends?
• Are you an RPO, RP, MSP/MSSP, GRC vendor, enclave provider, or a C3PAO?
• What do you not do?

And run any too-good promise through this quick sanity check:

The one admission that will save you money

Here’s the honest part, and it’s the kind that puts cash back in your budget: a C3PAO may be the wrong first call.If you don’t yet have a mature SSP, a defined scope, and real evidence, bringing in an assessor first means paying assessment-rate fees to discoverreadiness gaps — gaps a readiness provider would have found for far less. And the C3PAO can’t fix them for you mid-engagement without disqualifying itself from assessing you.

That’s not us talking down the assessment process. It’s the structure of the program. Cyber AB rules keep readiness and assessment separate on purpose: a firm that provided you consulting, advisory, or implementation services generally can’t also be the C3PAO that assesses that same work — the restriction runs across the three-year certification cycle, and it’s codified in 32 CFR Part 170 and the Cyber AB’s conflict-of-interest rules. The independence that makes a certification credibleis the same independence that makes “one vendor does everything” a warning sign. (Registered Provider Organizations and Registered Practitioners exist specifically to provide readiness help without creating that assessment conflict.)

So if you’re early, the money-saving sequence is: get ready first (readiness, evidence, SSP), then engage an independent assessor when the contract requires one.

Who should you hire first for NIST 800-171 vs CMMC?

If you’re still scoping CUI, writing your SSP, remediating controls, or building evidence, start with readiness help — an RPO/RP, a CMMC-focused MSP/MSSP, a GRC platform, or a CUI enclave — not a C3PAO. Engage a C3PAO only when your solicitation requires a Level 2 certification assessment and your evidence is mature, and verify that assessor’s status on the Cyber AB Marketplace first.

The right first call depends on where you actually are:

• You don’t know your scope or whether you have CUI. Start with an RPO/RP or a CMMC readiness consultant who can run a gap assessment and a CUI determination.
• You handle CUI but your environment is messy. Look at an MSP/MSSP, a CUI enclave, or a secure-cloud/GCC High implementer to shrink and stabilize your boundary before you spend on an assessment.
• You need evidence and control tracking.A GRC platform helps you manage SSP, POA&M, and evidence workflows — as a supporting layer, not the whole CMMC solution. Software alone doesn’t make you compliant.
• You’re assessment-ready and the contract requires Level 2 (C3PAO). Now a C3PAO is the right call. Verify the firm’s authorization on the Cyber AB Marketplace, confirm there’s no conflict from prior consulting, and check that your evidence is genuinely mature. (See our guide to choosing and verifying a C3PAO.)

These are provider categories, not endorsements — which category fits depends on your level, scope, environment, and timeline, and the contract clause sets your level, not a checklist.

→ Get matched with the right provider category.
Find My CMMC Pathseparates implementation help from formal assessment, so you don’t pay a C3PAO to do work it can’t do for your assessment scope.
Get matched with a provider category →
Do not submit CUI, drawings, or sensitive contract details.

What should you do first if you just discovered CMMC or NIST 800-171?

Don’t start with software, a C3PAO call, or a generic checklist. Start by reading the clause or flow-down in front of you, confirming whether you handle FCI or CUI, defining the boundary of the system that touches that information, checking your current SPRS status, and documenting it. Scope first, spend second.

1. Read the actual clause. Look for DFARS 252.204-7012, 252.204-7021, and 252.204-7025 (and any 7019/7020 or new Part 240 deviation language). Note the stated CMMC level, whether the assessment is self or C3PAO, and the flow-down wording.
2. Confirm FCI vs CUI.This single distinction decides whether you’re looking at Level 1 (FCI) or Level 2 (CUI). If you’re not sure what’s CUI, treat that as the first project — it changes everything downstream.
3. Define your scope before buying tools.Decide what’s in the boundary: whole enterprise versus an enclave, your cloud tenant, email and file sharing, endpoints, on-prem servers, external service providers, which users touch CUI, and which controls are inherited, shared, or your responsibility. Scope reduction is the biggest lever on cost.
4. Build or update the SSP and evidence. The System Security Plan and supporting artifacts are what an assessor actually evaluates. (Our Level 2 checklist maps the evidence to each control family.)
5. Choose the right provider category. Once you know your level, scope, and timeline, match to a category — readiness/RPO, MSP/MSSP, GRC, enclave, or assessment — instead of guessing.

Before you request quotes, gather these:the solicitation clause and any flow-down language; your FCI/CUI determination (or a note on the uncertainty); a system-boundary sketch; your current SSP (version and date); your SPRS status; your POA&M status; and a list of your cloud services and external service providers. Walking into a vendor conversation with those in hand is the difference between an accurate quote and a guess.

What changes in Phase 1 and Phase 2?

CMMC requirements are phasing into DoD solicitations and contracts over four implementation phases. Phase 1 began November 10, 2025 and runs through November 9, 2026, focused mainly on Level 1 and Level 2 self-assessments. Phase 2 begins November 10, 2026 and brings Level 2 C3PAO certification assessments into solicitations. The right answer for you depends on the clause — and the date — in front of you.

The timeline matters even though “CMMC vs NIST 800-171” isn’t a timing query, because it’s the very next question contractors ask. The short version: the CMMC Program Rule (32 CFR Part 170) took effect December 16, 2024; the DFARS acquisition rule that put clause 252.204-7021 into contracts took effect November 10, 2025, starting Phase 1; Phase 2 (Level 2 C3PAO) begins November 10, 2026; Phase 3 (Level 3 DIBCAC) begins November 10, 2027; and a final phase folds in the remaining requirements, with full implementation about three years after the acquisition rule’s effective date.

What we won’t tell you: that “everyone needs a C3PAO right now,” or that “CMMC is optional until Phase 2.” Neither is true. The solicitation governs. During Phase 1, the DoD may choose to require a Level 2 (C3PAO) assessment in place of a self-assessment at its discretion (32 CFR § 170.3(e)), and primes can impose their own requirements on subs through flow-down — so verify the actual solicitation or subcontract language. Your obligation is whatever your contract says. (For the full phase-by-phase breakdown, see our CMMC certification process guide.)

Why the DoD built CMMC on top of NIST 800-171

CMMC exists because self-attestation failed. The DoD moved away from a self-reporting model after documented concerns that contractors weren’t consistently implementing NIST SP 800-171 — even though the requirement was already in their contracts. CMMC adds independent, evidence-based verification to close that trust gap.

This isn’t a vendor talking point; it’s the documented basis for the program. By the late 2010s, the DoD had required NIST SP 800-171 for years under DFARS 7012 but had limited insight into whether contractors were truly meeting it. A 2019 DoD Inspector General audit found contractors did not consistently implement DoD-mandated security controls, and that the Department hadn’t established processes to verify implementation before award. The Department concluded that a “trust but verify” model built on self-reporting wasn’t enough against nation-state threats, and built CMMC as the response: add third-party verification through authorized or accredited C3PAOs, and condition contract eligibility on it.

The scale is real, too. In the 2025 DFARS acquisition final rule, the DoD estimated the program would affect 337,968 prime contractors and subcontractors, of which roughly 229,818 are small businesses— which is exactly why the cost and confusion land hardest on smaller suppliers. And the stakes for getting your reporting wrong have risen: the Department of Justice’s Civil Cyber-Fraud Initiative has pursued contractors for misrepresenting their cybersecurity posture — including a settlement involving a false summary-level NIST SP 800-171 score submitted to the DoD — meaning an inaccurate SPRS score or a false affirmation can carry False Claims Act exposure, not just a lost bid.

How we built this comparison

This page separates three kinds of claims: regulatory facts (cited to primary sources), source-checked operational facts (verified against official documentation), and our editorial conclusions (framed as provider-category guidance, never as legal, contractual, or certification advice).

Our source hierarchy, in order: 32 CFR Part 170 (eCFR and the Federal Register); NIST CSRC for the publications and their revision status; Acquisition.gov and the Federal Register for the DFARS clauses; SPRS official documentation for scoring and submission mechanics; the Cyber AB CMMC Assessment Process for the assessment workflow and independence rules; and practitioner forums only for how contractors describe the problem — never as evidence for a regulatory claim. Market cost ranges are compiled from 2026 provider and industry pricing and are presented as planning ranges, not quotes.

What we did notdo: publish star ratings, fake reviews, named-provider rankings, or “best provider” awards; guarantee any certification outcome; claim any affiliation with the Cyber AB, the DoD, DIBCAC, or NIST; or give legal advice. This is educational research and provider-category routing. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

Frequently asked questions about CMMC vs NIST 800-171

Does CMMC replace NIST 800-171?

No. CMMC does not replace NIST 800-171. Under current 32 CFR Part 170, CMMC Level 2’s security requirements are identical to NIST SP 800-171 Revision 2; CMMC adds the assessment, status, affirmation, POA&M, reporting, and flow-down mechanics on top.

Is CMMC Level 2 the same as NIST 800-171?

The control baseline is the same — Level 2 uses the 110 NIST SP 800-171 Rev. 2 requirements. The compliance program is not the same: CMMC determines whether your path is self-assessment or a C3PAO assessment, and how the result is recorded and maintained.

Do I need a C3PAO for NIST 800-171?

Not automatically. A C3PAO (Certified Third-Party Assessment Organization) becomes relevant when your solicitation requires a CMMC Level 2 certification assessment and you’re assessment-ready. If you’re still scoping CUI, remediating controls, or building evidence, readiness support usually comes first.

Does NIST SP 800-171 Rev. 3 apply to CMMC Level 2?

Not under the current rule. NIST published Rev. 3 in May 2024, but 32 CFR Part 170 incorporates Rev. 2 for CMMC Level 2. The DoD has said it would adopt a later version only through future rulemaking, which has not yet changed the baseline.

Is an SPRS score the same as CMMC certification?

No. SPRS stores assessment scores and CMMC status/affirmation data — it doesn’t perform the assessment. Self-assessment results are submitted in SPRS by the contractor; Level 2 C3PAO results are submitted into CMMC eMASS by the assessor and transmitted to SPRS.

Can the same company prepare me and assess me for CMMC?

No. A C3PAO cannot conduct your Level 2 certification assessment if it provided you consulting, advisory, or implementation services — the restriction runs across the certification cycle and is codified in 32 CFR Part 170 and the Cyber AB’s conflict-of-interest rules. Use separate providers for readiness and for the formal assessment.

Am I being charged twice if a vendor quotes both NIST 800-171 and CMMC?

Not necessarily. You should not pay twice for the same control work, but NIST implementation, CMMC readiness, managed security operations, GRC tooling, an enclave, and a formal assessment are different deliverables. Require each line item to name its specific scope and deliverable.

What’s the fastest way to figure out what applies to us?

Read the solicitation or flow-down, confirm FCI vs CUI, identify the required CMMC level and assessment type, define your information-system scope, then map your situation to the right provider category before requesting quotes.

Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →
Do not submit CUI, drawings, export-controlled technical data, or sensitive contract details. This is educational research and provider-category routing — not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney; the contract clause and your CUI handling set your level, not a checklist.

Keep going

• CMMC vs FedRAMP: Which One Applies to You (and When You Need Both)
• FCI vs CUI: what’s the difference and which applies
• NIST 800-171 requirements checklist — all 110 Rev. 2 controls + evidence
• CMMC levels explained (1, 2, and 3)
• CMMC Level 2 checklist: evidence and SPRS
• CMMC self-assessment vs C3PAO: which Level 2 path applies
• CMMC certification cost: what you actually pay
• CMMC certification process, timeline, and phases
• How to choose (and verify) a C3PAO

Sources (primary first)

• 32 CFR Part 170 — CMMC Program Rule (eCFR): ecfr.gov/current/title-32/…/part-170
• 32 CFR § 170.14 — CMMC Model (“Level 2 identical to NIST SP 800-171 R2”): ecfr.gov/…/section-170.14
• NIST SP 800-171 Rev. 2 — Protecting CUI in Nonfederal Systems and Organizations: csrc.nist.gov/publications/detail/sp/800/171/rev-2/final
• DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting: acquisition.gov/dfars/252.204-7012
• DFARS 252.204-7021 — Contractor Compliance with Cybersecurity Maturity Model Certification Level Requirements: acquisition.gov/dfars/252.204-7021
• 32 CFR §§ 170.16, 170.21, 170.24 — Level 2 (Self) status, Level 2 (C3PAO) status, scoring: ecfr.gov/current/title-32/…/part-170
• SPRS — Supplier Performance Risk System official documentation: sprs.csd.disa.mil
• Cyber AB Marketplace — authorized C3PAO listings and conflict-of-interest rules: cyberab.org/Catalog
• Federal Register — CMMC Program Final Rule (Vol. 89, No. 187) and DFARS Acquisition Final Rule: federalregister.gov/…/2024-21621
• NIST SP 800-172 — Enhanced Security Requirements for Protecting CUI: csrc.nist.gov/publications/detail/sp/800/172/final