NIST 800-171 & CMMC Implementation
NIST 800-171 Implementation Services: What They Include, What They Cost, and Who to Hire First (2026)
The most expensive mistake in a NIST 800-171 project usually isn’t the six-figure price tag. It’s hiring the wrong kind of help first.
NIST 800-171 implementation services are the hands-on work of turning the 110 security requirements in NIST SP 800-171 Revision 2 — the standard for protecting Controlled Unclassified Information (CUI) on contractor systems — into controls that actually run, evidence an assessor will accept, a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a defensible score in the Supplier Performance Risk System (SPRS).
What you need first depends on your situation: an RPO or readiness advisor to scope and document, an MSP or MSSP to build and operate the technical controls, a GRC platform to organize evidence, or a CUI enclave to shrink the problem before you spend on anything else. For a 25-to-100-person contractor starting with no mature security program, first-year cost typically lands between $75,000 and $250,000 (industry-reported ranges compiled from IBSSCORP, Cybrvault, Paramify, TestPros, and PreVeil — planning estimates, not quotes).
Which category fits — and which doesn’t
- You handle CUI and your systems are weak? You need implementation muscle first — an MSP/MSSP or a CUI enclave — not a certifier.
- Your policies exist but evidence is scattered? A GRC platform plus a readiness advisor.
- You only handle FCI (non-public information provided or generated under a contract), not CUI? You’re likely looking at CMMC Level 1, not this. Start with our CMMC levels guide instead.
- You're genuinely assessment-ready? Now a C3PAO belongs — and only now.
- Not sure which of these is you? That's normal. Start neutral (see below).
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the provider category and SOW items that fit. No CUI required.
What are NIST 800-171 implementation services?
NIST 800-171 implementation services are the practical work of applying NIST SP 800-171 Revision 2’s 110 security requirements — organized into 14 control families — to the systems, people, policies, and evidence that protect CUI. A complete engagement leaves you with a scoped environment, configured controls, an SSP, a POA&M where the rule allows one, an evidence library, and a defensible SPRS score. It is not a certification, and it is not a single product you can buy off a shelf.
Think of implementation as six phases. Most vendors are strong in two or three of them and vague about the rest — which is why “we do CMMC” tells you almost nothing until you break it apart.
Table A — The NIST 800-171 implementation services map (the six phases)
| Phase | What actually happens | What you should walk away with | Provider category that usually owns it | Typical 2026 cost band (industry-reported) | The mistake to avoid |
|---|---|---|---|---|---|
| 1. Scope the boundary | Find every system, person, and process that touches FCI/CUI; decide whether to build a smaller enclave | CUI data-flow diagram, system boundary, asset inventory | RPO / readiness advisor; enclave provider if enclaving | $3,500–$15,000 (often folded into the gap assessment) | Drawing the boundary too wide — every later phase then costs more |
| 2. Gap assessment | Test current state against all 110 requirements and their assessment objectives | Gap report + honest SPRS baseline score | RPO / independent assessor; a GRC platform to structure it | $5,000–$20,000 | A “green” self-score that collapses under a real assessment |
| 3. Remediate the controls | Deploy MFA, FIPS-validated encryption, logging, endpoint protection, access control, patching; fix the process gaps | Configured controls that produce evidence | MSP / MSSP for the technical work; a CUI enclave (GCC High or AWS GovCloud) for the environment | $20,000–$150,000 one-time; tooling $25k–$80k/yr; enclave $40–$70/user/mo | Buying tools that never get configured to actually satisfy the requirement |
| 4. Document (SSP + POA&M) | Write the SSP describing how each control works in your environment; log open gaps with owners and dates | An SSP specific to your system boundary, with diagrams and evidence references, plus a POA&M | RPO / readiness advisor; a GRC or documentation platform | $30,000–$120,000 one-time (consulting + docs) | A thin template SSP that doesn’t describe your real boundary, environment, and control implementation |
| 5. Score, post, affirm | Calculate the SPRS score, post it, and have your affirming official affirm it | Posted SPRS score + annual affirmation | Your internal affirming official (accountable); RPO advises | Internal staff time: 200–600 hours in year one | An inflated or stale score — this is where legal exposure lives (see the $4.6M case below) |
| 6. Sustain | Monitor, patch, retrain, refresh evidence, and prepare for the triennial assessment | A living evidence library, monitoring, a mock assessment | MSSP (managed); GRC platform; RPO for a mock | ~20–30% of implementation cost per year | Treating compliance as one-and-done; evidence rots before the assessment |
What implementation is not
- Not a “NIST certification.” There is no such thing. NIST publishes the standard; it does not certify anyone.
- Not a guaranteed CMMC pass. No provider can promise a certification outcome. Anyone who does is telling you something the rules don’t allow.
- Not just a binder of policies. A policy that describes controls you haven’t actually implemented is the fastest way to fail — or worse.
- Not a C3PAO assessment. A C3PAO (Certified Third-Party Assessment Organization — a firm authorized by the Cyber AB to conduct CMMC Level 2 assessments) checks your work. It doesn’t do the work.
- Not a software subscription by itself. A GRC platform organizes evidence; it does not configure your identity, logging, or endpoints.
Implementation help doesn’t transfer accountability. A great partner will configure systems, build evidence, and guide remediation — but you still own how controls operate day to day, how your people behave, and the accuracy of what your affirming official signs in SPRS. The right engagement leaves you with named owners, evidence, and repeatable processes — not just a polished report.
Ready to see which of the six phases you still need?
The Defense Compliance Report’s Find My CMMC Path tool maps your level, CUI scope, and environment to the provider category that fits — before you take a single sales call. No CUI required.
Find My CMMC Path →
What do NIST 800-171 implementation services cost in 2026?
Industry-reported first-year cost for a 25-to-100-person contractor with no mature security program typically runs $75,000 to $250,000, plus roughly 20–30% per year to maintain. That splits across remediation, SSP/POA&M work, security tooling, and a CUI enclave, plus 200–600 hours of internal staff time. A separate CMMC Level 2 C3PAO assessment runs about $40,000 to $150,000 every three years and is not an implementation cost.
Cost estimates for this work are all over the map — you’ll see “$10,000 to $50,000” on one vendor’s page and “$250,000” on another’s, and both can be telling the truth. The difference is almost always scope. A $12,000 engagement is usually documentation and advisory only. A $200,000 engagement includes remediation labor, tooling, and a compliant cloud environment. The second is not five times more expensive — it’s doing five times more work.
Table B — The DCR 2026 implementation-cost synthesis (source-by-source)
| Source (industry-reported) | What it covers | Reported figure | One-time / recurring |
|---|---|---|---|
| IBSSCORP | First-year NIST 800-171 Rev. 2 implementation, small–mid contractor | $75,000–$250,000; maintenance +20–30%/yr | Both |
| Cybrvault | 25–100-person contractor, no mature program: tooling, enclave, docs, consulting | Tooling $25k–$80k/yr; enclave $40–$70/user/mo; SSP/POA&M + consulting $30k–$120k; C3PAO $40k–$150k/3yr | Both |
| Paramify / CMMC.com | Remediation to meet controls; readiness assessment | Remediation $20k–$150k; readiness assessment $5k–$20k | One-time |
| PreVeil | 2026 C3PAO Level 2 assessment fees (assessment only) | ~$75k–$150k | Every 3 yrs |
| TestPros | “Whole compliance package” (gap + policy + support), scope-dependent | $10k–$50k+; timeline ~3–6 months | One-time |
| DCR normalization | Blended first-year for a 25–100-person firm, low starting maturity, including remediation + tooling + enclave + docs | $75,000–$250,000 | Blended |
Table C — What a first-year budget actually contains
| Cost component | Typical range | Nature |
|---|---|---|
| Optional independent gap / readiness assessment | $3,500–$20,000 | One-time |
| Remediation to meet the controls | $20,000–$150,000 | One-time (driven by starting maturity) |
| Consulting + SSP/POA&M development | $30,000–$120,000 | One-time |
| Security tooling (EDR, logging/SIEM, MFA, encryption, vulnerability scanning, GRC) | $25,000–$80,000 | Per year |
| CUI enclave (Microsoft 365 GCC High or AWS GovCloud) | $40–$70 per user / month | Per user / month |
| Internal staff time | 200–600 hours | Year one |
| Typical first-year total (blended) | $75,000–$250,000 | Blended |
| Ongoing maintenance | ~20–30% of implementation | Per year |
| CMMC Level 2 C3PAO assessment (separate from implementation) | $40,000–$150,000 | Every 3 years |
What drives your number up or down: how much CUI you touch and where it lives; whether you enclave or secure the whole environment; how many endpoints, users, and sites are in scope; whether you already have an MSP; and how mature your evidence already is. Headcount alone is a weak predictor — a 30-person shop with CUI scattered across commercial email can cost more than a 90-person firm that already runs a tight enclave. Our full CMMC Level 2 cost breakdown goes deeper by level and environment.
The one uncomfortable truth to take into every sales call: no honest provider can give you a firm, all-in price before scoping your CUI boundary — and a suspiciously low quote usually means the expensive parts (remediation labor, the enclave, real evidence work) were quietly left out, waiting to reappear as a change order. Scope first, then buy.
Want a realistic budget band for your scope? Get matched to the provider categories that fit your situation, then request comparable quotes.
Get matched with source-checked provider options →
Who should you hire — and which provider category comes first?
Five provider categories deliver NIST 800-171 implementation, and they don’t overlap cleanly. An RPO or Registered Practitioner scopes and documents; an MSP or MSSP builds and runs the technical controls; a GRC platform manages evidence; a CUI enclave provides the compliant environment; and a C3PAO performs the formal assessment when you’re ready. The right first hire depends on what’s actually unresolved — scope, systems, evidence, or assessment readiness.
- RPO / RP — Registered Provider Organization / Registered Practitioner. Advisory: scoping, gap assessment, SSP/POA&M, assessment prep.
- MSP — Managed Service Provider. Runs your IT: endpoints, identity, backups, patching, configuration.
- MSSP — Managed Security Service Provider. Runs your security: monitoring, logging, alerting, incident response, vulnerability management.
- GRC platform — Governance, risk, and compliance software. Maps controls to evidence, manages the SSP/POA&M workflow, tracks owners.
- CUI enclave — A walled-off, compliant environment (commonly Microsoft 365 GCC High or AWS GovCloud) that keeps CUI in one controlled place so you don't have to secure everything.
- C3PAO — The accredited assessor. Assessment only. Not an implementer.
Table D — Provider category comparison
| Provider category | Best used for | Not best for | What to verify before you hire |
|---|---|---|---|
| RPO / RP | Scoping, readiness, SSP/POA&M, assessment prep | Full technical implementation on its own | Listing in the Cyber AB Marketplace if they claim one; the named practitioner assigned; sanitized sample deliverables |
| MSP | Endpoints, identity, backups, patching, configuration | Independent assessment | DIB/CUI experience; whether they can export your evidence if you leave; that the MSP itself can meet its in-scope obligations |
| MSSP | Logging, SIEM, alerting, incident response, vulnerability management | Policy-only “compliance” work | Log sources, retention period, response SLAs, fit with a CUI environment |
| GRC platform | Evidence mapping, SSP/POA&M workflow, control ownership | Making weak systems compliant by itself | NIST 800-171 Rev. 2 mapping; evidence export format; who owns the data |
| CUI enclave | Shrinking CUI scope; secure email/file collaboration | Solving every company-wide control automatically | What stays inside the enclave vs. what controls remain outside it |
| C3PAO | The formal Level 2 assessment, when ready | Remediation-first work on the same engagement it will assess | Current authorization on the Cyber AB Marketplace; conflict-of-interest handling; assessment scope |
Table E — Which category fits your situation
| If this is you… | Consider this category first | Do not start with |
|---|---|---|
| You don’t yet know whether you handle FCI or CUI | RPO/RP or a qualified federal-contracts attorney | An MSP, MSSP, or C3PAO |
| You handle CUI in email/file sharing on commercial Microsoft 365 | CUI enclave + managed readiness (MSSP/RPO) | A paper-only consultant |
| Your policies exist but your systems are weak | CMMC-focused MSP/MSSP | A C3PAO |
| Your systems are decent but evidence is scattered | GRC platform + RPO/readiness advisor | A software-only purchase with no owner |
| You need an accurate self-assessment / SPRS score | RPO/RP or an 800-171 assessment advisor | Guessing your score |
| You believe you’re assessment-ready | An authorized C3PAO | A readiness firm acting as your assessor |
| Not sure which of these is you | Start neutral | Any six-figure commitment |
Still not sure whether you need an RPO, an MSP, a GRC platform, or an enclave first? The Defense Compliance Report’s Find My CMMC Path tool turns your answers about level, scope, and environment into a provider category and a short list of questions to ask.
Find My CMMC Path →
When is a C3PAO the wrong first call?
A C3PAO is the wrong first call whenever you still need scoping, remediation, evidence buildout, or SSP/POA&M work — which is most contractors. A C3PAO conducts the formal CMMC Level 2 certification assessment; it does not build or operate the controls that get assessed. And under 32 CFR § 170.9, a C3PAO must follow the Cyber AB’s conflict-of-interest and impartiality rules, which means it generally cannot assess an organization it consulted for or helped prepare for that assessment.
Here’s the sequence that actually works:
- Scope unclear? Start with an RPO/RP or federal-contracts counsel.
- Systems weak? Start with an MSP/MSSP or a CUI enclave to implement.
- Evidence weak? Start with a GRC platform plus a readiness advisor.
- Genuinely ready? Now engage a C3PAO for the assessment.
The conflict-of-interest point isn’t a technicality — it’s structural to how the program keeps assessments honest. Keep your readiness/implementation help and your certifying assessor in separate, unrelated firms — and if a provider offers to “do both,” ask exactly how they firewall the two, and confirm the assessor’s current status yourself on the Cyber AB Marketplace.
Before you call a C3PAO, confirm you actually need one yet.
Check which category fits your stage →
What should a real NIST 800-171 implementation engagement produce?
A real engagement produces far more than a gap report. At minimum, you should walk away with a scoped environment, a prioritized remediation backlog, implemented controls, an evidence library, an SSP, a POA&M for whatever the rule allows to remain open, named control owners, and a readiness path tied to your SPRS and CMMC obligations. If the only deliverable is a PDF of findings, you bought an assessment of your problem — not a solution to it.
Table F — The implementation deliverables ledger
| Deliverable | Why it matters | Who usually produces it | What “good” looks like |
|---|---|---|---|
| Contract/clause review summary | Prevents wrong-level assumptions | RPO/RP, counsel | Names the actual DFARS/CMMC clause and its applicability assumptions |
| CUI data-flow diagram | Prevents scope creep and missed systems | RPO, MSP, enclave provider | Shows where CUI is received, stored, processed, transmitted, and archived |
| System boundary | Defines what must be protected and assessed | RPO, MSP, enclave provider | Names systems, users, sites, cloud services, endpoints |
| Gap assessment | Shows what isn't implemented | RPO/RP, readiness advisor | Maps findings to NIST 800-171 Rev. 2 and 800-171A assessment objectives |
| Remediation backlog | Turns findings into scheduled work | MSP/MSSP, implementation partner | Prioritized by risk, dependency, cost, and timeline |
| SSP | Describes how each requirement is met | RPO/RP, GRC, internal owner | Current, system-specific, and linked to evidence |
| POA&M | Tracks unresolved items the rule allows | RPO/RP, GRC | Owners, dates, milestones, and only POA&M-eligible requirements |
| Evidence library | Supports assessment and daily operations | MSP/MSSP, GRC, internal owners | Screenshots, configs, logs, policies, tickets, approvals |
| SPRS support package | Supports an accurate score record | RPO/RP, advisor | Score rationale, SSP references, affirming-official package |
| Readiness handoff | Prevents a premature, failed assessment | RPO/RP, readiness advisor | Clearly states what remains before a C3PAO engagement |
What belongs in your NIST 800-171 implementation SOW?
A statement of work worth signing spells out exactly which systems are in scope, which control families are being remediated, what deliverables will be produced, who owns each task, what evidence you’ll receive, and — critically — what’s excluded. If the SOW says “help achieve compliance” without a control-by-control scope and a deliverable list, it isn’t specific enough to compare against another quote or to hold anyone accountable.
A tight SOW is how you turn three wildly different proposals into an apples-to-apples decision — and how you avoid the change-order surprise.
Table G — The implementation SOW normalization checklist
| SOW item | It must specify | Red flag |
|---|---|---|
| Scope | Systems, users, locations, cloud services, CUI data flows | "All systems" with no defined boundary |
| Baseline | NIST SP 800-171 Rev. 2 for CMMC Level 2 | An unexplained switch to Rev. 3 |
| Deliverables | SSP, POA&M, evidence, diagrams, config records | "Documentation" with no artifact list |
| Technical remediation | Identity, endpoint, logging, backup, vulnerability, network, email/file sharing | "Included" with no control-to-work mapping |
| Managed operations | Monitoring, patching, alerting, ticketing, review cadence | No recurring responsibilities named |
| Evidence ownership | Export rights, where evidence lives, retention, owner map | Evidence trapped inside the vendor's portal |
| SPRS handling | Support, score rationale, affirming-official package | The vendor posting or affirming for you with no governance |
| Assessment boundary | Whether the provider is readiness-only or assessment-only | The same firm blurring remediation and assessment |
| CUI handling | No CUI submitted through sales forms or unsecured intake | Requests for drawings or contracts inside a quote form |
| Exclusions | What the provider will not do | No exclusions listed at all |
Take these line items into every quote. The Defense Compliance Report’s Find My CMMC Path tool helps you compare provider categories and assemble the request — so the quotes you get back are actually comparable.
Compare provider categories →
Which NIST 800-171 control families need hands-on work?
Most of your implementation cost isn’t in writing policies — it’s in the technical and operational work across access control, identity, logging, configuration, incident response, vulnerability management, communications protection, and system integrity. The policy layer matters, but it has to describe controls that actually run. Of the 14 families in NIST SP 800-171 Revision 2, the ones below are where budget and effort concentrate — and the last column tells you the evidence to demand so you can prove each one.
Table H — Control family → implementation work → evidence to ask for
| NIST SP 800-171 Rev. 2 family | What it means as real work | Hands-on technical work? | Evidence a buyer should ask for |
|---|---|---|---|
| Access Control | Who can reach CUI, from where, under what conditions | Yes | Access-control matrix; user access review export |
| Awareness and Training | Role-based security training for your people | Sometimes | Training completion records |
| Audit and Accountability | Logging, log review, retention, alerting | Yes | Log retention config; sample log-review records |
| Configuration Management | Secure baselines, change control, hardening | Yes | Baseline documents; change tickets |
| Identification and Authentication | MFA, account lifecycle, session and password controls | Yes | MFA enforcement config; account lifecycle records |
| Incident Response | Incident plan, reporting workflow, tabletop exercises | Yes | IR plan; tabletop/exercise records; reporting workflow |
| Maintenance | Controlled and remote maintenance, vendor records | Sometimes | Maintenance logs; remote-maintenance approvals |
| Media Protection | Removable media, backups, destruction, marking | Sometimes | Media handling/destruction records; backup config |
| Physical Protection | Facility access and physical safeguards | Sometimes | Facility access/badge records |
| Personnel Security | Screening, onboarding/offboarding, access termination | Sometimes | Screening records; termination/offboarding records |
| Risk Assessment | Vulnerability scanning, risk register, remediation tracking | Yes | Vulnerability scan reports; risk register |
| Security Assessment | SSP, POA&M, control assessment, monitoring | Yes | SSP; POA&M; control assessment results |
| System and Communications Protection | Segmentation, encryption, email/file protection | Yes | Network/segmentation diagram; encryption config |
| System and Information Integrity | Patching, malware protection, flaw remediation | Yes | Patch/vulnerability remediation reports; AV/EDR config |
The mistake to avoid: don’t let a vendor quote you policy writing when your known gaps are identity, logging, endpoints, backups, or CUI workflow. Policies are the cheap part. The controls are the expensive part — and the part an assessor actually tests.
How long does NIST 800-171 implementation take?
Industry-reported timelines put a defensible NIST 800-171 implementation for a small or mid-sized contractor at roughly 90 to 180 days when scope is narrow, leadership is engaged, and remediation isn’t severe — about 30 days to scope and gap-assess, 30 to 60 to remediate and document, and the rest to validate and post an accurate SPRS score. The real deadline isn’t a timeline on a blog; it’s your contract clause and the CMMC phase schedule.
CMMC’s requirements are rolling out in phases tied to the DFARS acquisition rule, which took effect (Federal Register; phasing at 32 CFR § 170.3):
- Phase 1. Contracting officers can require Level 1 and Level 2 (Self) assessments, and can require a Level 2 (C3PAO) certification at their discretion.
- Phase 2 begins. DoD intends to include Level 2 (C3PAO) certification as a condition of award for applicable CUI contracts. Level 2 (Self) remains a valid status for some contracts — confirm what your specific contract requires. See our Phase 2 deadline guide.
- Phase 3. Level 3 requirements added.
- Phase 4. CMMC applies to all applicable contracts.
Assessment scheduling can take months, and you can’t credibly book a C3PAO until you’re implemented. A contractor who waits for a Phase 2 solicitation to appear before starting is choosing to bid with a gap they can’t close in time. And “we’ll get you compliant in 30 days” is a red flag for anything beyond a narrow enclave in an already-mature shop.
Should you implement NIST SP 800-171 Rev. 2 or Rev. 3?
For CMMC Level 2, implement against NIST SP 800-171 Revision 2 — the 110 requirements — unless your contract or a future DoD rule says otherwise. 32 CFR Part 170 incorporates Rev. 2 by reference for CMMC, and assessors grade against Rev. 2. NIST published Revision 3 in May 2024, and it supersedes Rev. 2 in NIST’s own library, but it does not yet apply to CMMC.
Rev. 3 reorganizes requirements into 17 families (up from 14 in Rev. 2), adds families such as Planning, System and Services Acquisition, and Supply Chain Risk Management, and introduces organization-defined parameters. Security leadership sees the newer version and assumes newer is required. It isn’t — not for CMMC, not yet. In May 2024, DoD issued a class deviation directing contractors under DFARS 252.204-7012 to keep complying with Rev. 2.
What we’d do: implement to Rev. 2 for your Level 2 assessment. Track Rev. 3 so you’re not surprised later. If a provider tries to sell you a Rev. 3-only “CMMC readiness” package, ask them to explain exactly how it maps to the current Level 2 requirement. A good vetting question: “Which baseline are you implementing for CMMC Level 2, and how do you monitor Rev. 3 without confusing the current assessment path?”
Did the February 2026 FAR overhaul change your obligations?
No — the February 2026 Revolutionary FAR Overhaul renumbered and reorganized the cybersecurity clauses, but it did not reduce the technical work. Effective , DoD’s class deviation stood up a new DFARS Part 240 and clause DFARS 252.240-7997, removed the standalone “Basic” NIST SP 800-171 self-assessment requirement associated with DFARS 252.204-7019, and carried the Medium/High DoD assessment mechanics of DFARS 252.204-7020 into 252.240-7997. Your obligation to implement all 110 NIST SP 800-171 requirements, maintain an SSP, report incidents, and obtain a CMMC status when required is fully intact — DFARS 252.204-7012 and DFARS 252.204-7021 are unchanged.
These are class deviations — interim regulatory text that applies to solicitations using the new structure — not final rulemaking. A class deviation doesn’t strike the codified DFARS. So the legacy clause numbers still appear in the DFARS and in existing contracts, and you should expect to see both the old numbers and the new ones during the transition.
Table I — Clause-number transition (what you’ll actually see)
| Requirement | Legacy number (still in the codified DFARS) | Under the Feb 2026 RFO class deviation | What it means when you buy services |
|---|---|---|---|
| FCI safeguarding (15 controls) | FAR 52.204-21 | Renumbered to FAR 52.240-93; same 15 controls; new FAR Part 40 | Level 1 work is unchanged; a current vendor should recognize both numbers |
| “Basic” 800-171 self-assessment | DFARS 252.204-7019 | Standalone Basic self-assessment requirement removed; assessment now runs through CMMC | The old “just post a Basic score” path is gone; a vendor citing 7019 as your driver is working from stale material |
| DoD assessment requirements (Medium/High) | DFARS 252.204-7020 | Mechanics carried into DFARS 252.240-7997; new DFARS Part 240 | Medium/High are government assessments; your day-to-day obligation is unchanged |
| Safeguarding + incident reporting | DFARS 252.204-7012 | Unchanged | 110 controls, 72-hour incident reporting, and FedRAMP Moderate (or equivalency) for cloud CUI still apply in full |
| CMMC clause + solicitation notice | DFARS 252.204-7021 / -7025 | Unchanged | CMMC status, annual affirmation, and flow-down to subcontractors still govern eligibility |
The one-line version: the clause numbers moved; the controls didn’t. If anyone uses “the rules changed” as a reason to re-scope or upsell your implementation, slow the conversation down. It’s the same 110 requirements.
The $4.6 million lesson: why “paper compliance” fails
In March 2025, the U.S. Department of Justice announced a $4.6 million False Claims Act settlement with defense contractor MORSECORP Inc. The company had posted an SPRS score of 104 — near the top of the −203 to 110 scoring range — while a third-party cybersecurity consultant later found its actual score was −142.
We read the DoJ’s own announcement. The facts DoJ published: from January 2018 to September 2022, MORSECORP used a third-party email host without ensuring it met FedRAMP Moderate-equivalent requirements; it had not fully implemented the NIST SP 800-171 controls its contracts required; it lacked a consolidated written system security plan; and it did not correct its inflated SPRS score until June 2023 — three months after it received a federal subpoena. The whistleblower, the company’s own head of security, received $851,000.
This is not presented as a typical outcome. But the pattern is the cautionary tale:
- A score that reflects intent instead of evidence is a liability, not an asset.
- An SSP that describes an ideal state instead of your real environment is the gap an assessor — or a whistleblower — finds.
- The independent third party is what surfaced the truth. An honest gap assessment early is cheap insurance against a very expensive discovery later.
DoJ’s Civil Cyber-Fraud Initiative remains active. The lesson isn’t fear — it’s that the entire point of real implementation services is to make your SPRS score and your SSP true. For more on scoring, see our SPRS score guide.
If your current score or SSP was built on hope rather than evidence, get an independent read before you post it.
Get matched to a readiness category →
What to ask before you sign
Ask each provider for proof that matches the role they’re claiming. An RPO should show a Cyber AB Marketplace listing if they claim one and sanitized sample deliverables; an MSP/MSSP should show evidence and logging practices; a GRC platform should show exportable workflows and its Rev. 2 mapping; a C3PAO should show current authorization if assessment is what you’re buying. Match the proof to the promise, and vague answers become easy to spot.
For an RPO / readiness advisor
- Are you listed in the Cyber AB Marketplace?
- Which specific practitioner is assigned to us?
- Can we see a sanitized SSP and POA&M you've produced?
- How do you handle conflict of interest if we later need an assessment?
For an MSP / MSSP
- What DIB or CUI environments have you supported?
- What are your logging sources, retention, and incident-response SLAs?
- What's your configuration-baseline approach?
- If we leave, how does our evidence export?
For a GRC platform
- How do you map to NIST 800-171 Rev. 2?
- Do you support SSP/POA&M generation?
- Can we export our evidence? Who owns the data?
- What does it integrate with — ticketing, cloud, identity, endpoint?
For a CUI enclave provider
- What stays inside the enclave, and what controls remain our responsibility outside it?
- What does the user workflow look like?
- What are the data-migration and identity/logging assumptions?
For a C3PAO
- What's your current authorization status on the Cyber AB Marketplace?
- What scope are you assuming?
- What's the scheduling timeline?
- What readiness artifacts do you require before we pay for an assessment?
- How do you handle independence?
Before you request quotes: the pre-quote checklist
The more precise your non-sensitive scope is, the less likely you are to get vague or inflated proposals. Have these ready — and remember, none of this belongs in a vendor’s sales form:
- Required CMMC level, if known
- The contract clause or solicitation language
- FCI vs. CUI status
- Where CUI is received, stored, processed, transmitted, and archived
- Number of users, endpoints, and physical locations
- Your cloud platforms (Microsoft 365 Commercial, GCC, GCC High, AWS, Azure, on-prem, mixed)
- Whether you already have an MSP/MSSP
- Whether you have an SSP and a POA&M
- Your current SPRS score and its date, if any
- Your solicitation or assessment deadline
- Whether you’ve already contacted a C3PAO
- Your internal owners for executive, IT, and contracts/compliance
Our NIST 800-171 requirements checklist walks the same ground as a self-serve worksheet.
You’ve done the hard part — now turn it into a next step. The Defense Compliance Report’s Find My CMMC Path tool organizes your level, CUI scope, environment, and timeline into the provider category and SOW items you should request.
How we built this guide — and what we verified
What we verified for this page (as of ):
- Read 32 CFR Part 170 (the CMMC Program Rule) on the eCFR to confirm that Level 2 maps to the 110 NIST SP 800-171 Rev. 2 requirements, and that Level 3 adds 24 enhanced requirements selected from NIST SP 800-172 — not 35, a number some competing pages get wrong.
- Read 32 CFR § 170.21 to confirm the POA&M rules: Level 1 allows no POA&M; a Conditional Level 2 status requires a score of at least 80% (88 of 110); only requirements worth 1 point are POA&M-eligible; and POA&Ms must be closed within 180 days.
- Read 32 CFR § 170.9 to confirm the C3PAO conflict-of-interest and impartiality requirements.
- Confirmed the CMMC Program Rule effective date (December 16, 2024) and the DFARS CMMC final rule effective date (November 10, 2025) in the Federal Register.
- Verified the February 1, 2026 Revolutionary FAR Overhaul clause changes (new DFARS Part 240 and clause 252.240-7997; removal of the standalone Basic self-assessment; FAR 52.204-21 renumbered to 52.240-93) against the DoD class-deviation text.
- Confirmed the MORSECORP $4.6 million False Claims Act settlement, including the 104-versus-(−142) score facts, against the U.S. Department of Justice announcement.
- Compiled the 2026 cost ranges from industry pricing reports (IBSSCORP, Cybrvault, PreVeil, Paramify, TestPros) and labeled them as industry-reported planning estimates, not government figures.
What this page does not do
It does not provide legal advice. It does not determine your contractual obligation. It does not certify compliance. It does not rank named providers. It does not imply any affiliation with the Cyber AB, DoD, DIBCAC, NIST, or any U.S. government agency. And it does not collect CUI. This is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.
NIST 800-171 implementation services: frequently asked questions
Are NIST 800-171 implementation services the same as CMMC consulting?
No. NIST 800-171 implementation services focus on putting the controls, evidence, SSP, POA&M, and operating processes in place. CMMC consulting may include readiness planning, scoping, assessment prep, and provider-category guidance, but full implementation usually also requires technical remediation and managed operations. If you’re mainly choosing an advisor, see our NIST 800-171 consultant guide.
Is NIST 800-171 the same as CMMC Level 2?
No. NIST SP 800-171 is the 110-requirement security standard; CMMC Level 2 is the DoD program that verifies it. Under 32 CFR Part 170, CMMC Level 2 maps to NIST SP 800-171 Revision 2 — not Revision 3 — until DoD amends the rule.
Do I need NIST SP 800-171 Rev. 2 or Rev. 3 for CMMC Level 2?
Implement to Revision 2 for your CMMC Level 2 assessment. NIST published Revision 3 in May 2024, but the CMMC rule still points Level 2 to Rev. 2, and assessors grade against Rev. 2. Track Rev. 3 for the future; don't build only to it today.
Can the same company implement my controls and then certify me?
Generally no. Under 32 CFR § 170.9 and the Cyber AB's conflict-of-interest rules, a C3PAO cannot conduct a certification assessment of an organization it consulted or helped prepare for that assessment. Keep your readiness/implementation help and your certifying assessor in separate, unrelated firms.
How much do NIST 800-171 implementation services cost?
For a 25-to-100-person contractor with no mature program, industry-reported first-year cost typically runs $75,000 to $250,000, plus roughly 20–30% per year to maintain. A separate C3PAO assessment runs about $40,000 to $150,000 every three years. Validate any range against scoped quotes.
Can I store CUI in commercial Microsoft 365 or Google Workspace?
Not in a standard commercial cloud. Under DFARS 252.204-7012, any cloud service that stores, processes, or transmits CUI must meet the FedRAMP Moderate baseline (or DoD-approved equivalency) and support the clause's cyber-incident, malicious-software, media-preservation, and forensic-access obligations, documented in your SSP and customer responsibility matrix. Commercial Microsoft 365 and commercial Google Workspace don't meet that; Microsoft 365 GCC High and AWS GovCloud are common environments buyers evaluate — but verify the specific offering, not the brand name.
How long does POA&M remediation take, and what can't be deferred?
Under 32 CFR § 170.21, POA&M items must be closed within 180 days of a Conditional CMMC status. Not everything can be deferred: Level 1 allows no POA&M at all, and at Level 2 only requirements worth 1 point in the scoring methodology are POA&M-eligible — higher-weighted controls such as multi-factor authentication and FIPS-validated encryption must be met at the time of assessment.
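To make the Conditional Level 2 rules cited here and in the verification notes above concrete (score of at least 88 of 110, only 1-point requirements deferrable, 180-day closure), here is an added Python check that is not this page's or The Defense Compliance Report's code. It assumes the DoD Assessment Methodology's subtraction scoring (110 minus each unmet requirement's 1/3/5-point weight, so the result can go negative); the sample gap list and its weights are constructed and must be confirmed against the methodology's scoring table.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110              # one point per NIST SP 800-171 Rev. 2 requirement
CONDITIONAL_MIN_SCORE = 88   # 80% of 110, the Conditional Level 2 floor cited on this page
POAM_CLOSURE_DAYS = 180      # 32 CFR 170.21 closure window cited on this page
POAM_ELIGIBLE_WEIGHT = 1     # only 1-point requirements may sit on a POA&M


@dataclass(frozen=True)
class Unmet:
    req_id: str   # NIST SP 800-171 Rev. 2 requirement number
    weight: int   # 1, 3 or 5 points per the DoD Assessment Methodology (assumed here)
    title: str


def sprs_score(unmet):
    """SPRS-style score: 110 minus each unmet requirement's weight (can go negative)."""
    return MAX_SCORE - sum(u.weight for u in unmet)


def conditional_level2(unmet, assessment_date_iso):
    """Apply the page's Conditional Level 2 rules to a list of open gaps.

    Returns (eligible, blocker_ids, poam_deadline_iso). Blockers are unmet
    requirements worth more than 1 point; they must be met at assessment and
    cannot be deferred. Partial-credit cases in the methodology are not modelled.
    """
    score = sprs_score(unmet)
    blockers = [u.req_id for u in unmet if u.weight != POAM_ELIGIBLE_WEIGHT]
    eligible = score >= CONDITIONAL_MIN_SCORE and not blockers
    if not eligible:
        return False, blockers, None
    deadline = date.fromisoformat(assessment_date_iso) + timedelta(days=POAM_CLOSURE_DAYS)
    return True, blockers, deadline.isoformat()


# Constructed sample gap list; weights are illustrative and must be confirmed
# against the DoD Assessment Methodology scoring table before use.
SAMPLE_GAPS = [
    Unmet("3.1.20", 1, "Verify and control connections to external systems"),
    Unmet("3.4.3", 1, "Track, review, approve or disapprove configuration changes"),
    Unmet("3.5.3", 5, "Multi-factor authentication"),
]

if __name__ == "__main__":
    ok, blockers, deadline = conditional_level2(SAMPLE_GAPS, "2026-03-02")
    print(f"score={sprs_score(SAMPLE_GAPS)} eligible={ok} blockers={blockers} deadline={deadline}")
```

With the sample list the score is 103, above the floor, yet the open MFA requirement blocks Conditional status; dropping it leaves two 1-point gaps that can go on a POA&M due 180 days after the assessment date.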
Is a GRC platform enough for NIST 800-171 implementation?
Usually not. A GRC platform maps controls, organizes evidence, and manages the SSP/POA&M workflow, but it does not configure your identity, logging, endpoints, backups, incident response, or CUI protection. It's a supporting layer, not the whole solution.
Did the February 2026 FAR overhaul reduce my obligations?
No. The overhaul renumbered and reorganized clauses effective February 1, 2026 — a new DFARS Part 240 and clause 252.240-7997, removal of the standalone Basic self-assessment, and FAR 52.204-21 renumbered to 52.240-93 — but it did not change the requirement to implement all 110 NIST SP 800-171 controls, maintain an SSP, report incidents, or obtain a CMMC status. Because these are class deviations, the legacy clause numbers still appear in the codified DFARS during the transition.
What if a prime tells us we need NIST 800-171 compliance immediately?
Ask what clause, level, and CUI flow-down they're requiring, and by when. Then scope where your CUI lives and identify whether you need scoping, implementation, managed security, an enclave, GRC support, or assessment readiness first. Don't buy before you scope.
Get matched to the right CMMC provider category
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Keep reading
- CMMC levels overview: requirements and what applies to you
- NIST 800-171 consultant guide: advisory vs. implementation
- CMMC Level 2 implementation services: who to hire
- RPO vs. C3PAO: roles, boundaries, and who to hire when
- CMMC scoping guide: CUI, FCI, and asset categories
- CMMC Level 2 cost breakdown
- CUI enclave providers: GCC High and AWS GovCloud options
- NIST 800-171 gap analysis: what to expect
- SSP and POA&M services guide
- Find My CMMC Path