The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base


NIST 800-171 Implementation Services: What They Include, What They Cost, and Who to Hire First (2026)

By The Defense Compliance Report Editorial Team · Last reviewed: · Regulatory facts verified:

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

The most expensive mistake in a NIST 800-171 project usually isn’t the six-figure price tag. It’s hiring the wrong kind of help first.

NIST 800-171 implementation services are the hands-on work of turning the 110 security requirements in NIST SP 800-171 Revision 2 — the standard for protecting Controlled Unclassified Information (CUI) on contractor systems — into controls that actually run, evidence an assessor will accept, a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a defensible score in the Supplier Performance Risk System (SPRS).

What you need first depends on your situation: an RPO or readiness advisor to scope and document, an MSP or MSSP to build and operate the technical controls, a GRC platform to organize evidence, or a CUI enclave to shrink the problem before you spend on anything else. For a 25-to-100-person contractor starting with no mature security program, first-year cost typically lands between $75,000 and $250,000 (industry-reported ranges compiled from IBSSCORP, Cybrvault, Paramify, TestPros, and PreVeil — planning estimates, not quotes).

Which category fits — and which doesn’t

  • You handle CUI and your systems are weak? You need implementation muscle first — an MSP/MSSP or a CUI enclave — not a certifier.
  • Your policies exist but evidence is scattered? A GRC platform plus a readiness advisor.
  • You only handle FCI (non-public information provided or generated under a contract), not CUI? You’re likely looking at CMMC Level 1, not this. Start with our CMMC levels guide instead.
  • You're genuinely assessment-ready? Now a C3PAO belongs — and only now.
  • Not sure which of these is you? That's normal. Start neutral (see below).

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the provider category and SOW items that fit. No CUI required.

Provider matching may involve referral or partner compensation, disclosed when it applies; it does not control our regulatory analysis or provider-category recommendations.

What are NIST 800-171 implementation services?

NIST 800-171 implementation services are the practical work of applying NIST SP 800-171 Revision 2’s 110 security requirements — organized into 14 control families — to the systems, people, policies, and evidence that protect CUI. A complete engagement leaves you with a scoped environment, configured controls, an SSP, a POA&M where the rule allows one, an evidence library, and a defensible SPRS score. It is not a certification, and it is not a single product you can buy off a shelf.

Think of implementation as six phases. Most vendors are strong in two or three of them and vague about the rest — which is why “we do CMMC” tells you almost nothing until you break it apart.

We built the table below from the CMMC Program Rule (32 CFR Part 170), NIST SP 800-171 Revision 2, and its companion assessment guide NIST SP 800-171A, mapped against the provider categories that actually deliver each phase. Cost cells are industry-reported planning ranges.

Table A — The NIST 800-171 implementation services map (the six phases)

NIST 800-171 implementation services: the six phases, deliverables, provider categories, cost bands, and mistakes to avoid
Phase | What actually happens | What you should walk away with | Provider category that usually owns it | Typical 2026 cost band (industry-reported) | The mistake to avoid
1. Scope the boundary | Find every system, person, and process that touches FCI/CUI; decide whether to build a smaller enclave | CUI data-flow diagram, system boundary, asset inventory | RPO / readiness advisor; enclave provider if enclaving | $3,500–$15,000 (often folded into the gap assessment) | Drawing the boundary too wide — every later phase then costs more
2. Gap assessment | Test current state against all 110 requirements and their assessment objectives | Gap report + honest SPRS baseline score | RPO / independent assessor; a GRC platform to structure it | $5,000–$20,000 | A “green” self-score that collapses under a real assessment
3. Remediate the controls | Deploy MFA, FIPS-validated encryption, logging, endpoint protection, access control, patching; fix the process gaps | Configured controls that produce evidence | MSP / MSSP for the technical work; a CUI enclave (GCC High or AWS GovCloud) for the environment | $20,000–$150,000 one-time; tooling $25k–$80k/yr; enclave $40–$70/user/mo | Buying tools that never get configured to actually satisfy the requirement
4. Document (SSP + POA&M) | Write the SSP describing how each control works in your environment; log open gaps with owners and dates | An SSP specific to your system boundary, with diagrams and evidence references, plus a POA&M | RPO / readiness advisor; a GRC or documentation platform | $30,000–$120,000 one-time (consulting + docs) | A thin template SSP that doesn’t describe your real boundary, environment, and control implementation
5. Score, post, affirm | Calculate the SPRS score, post it, and have your affirming official affirm it | Posted SPRS score + annual affirmation | Your internal affirming official (accountable); RPO advises | Internal staff time: 200–600 hours in year one | An inflated or stale score — this is where legal exposure lives (see the $4.6M case below)
6. Sustain | Monitor, patch, retrain, refresh evidence, and prepare for the triennial assessment | A living evidence library, monitoring, a mock assessment | MSSP (managed); GRC platform; RPO for a mock | ~20–30% of implementation cost per year | Treating compliance as one-and-done; evidence rots before the assessment

What implementation is not

  • Not a “NIST certification.” There is no such thing. NIST publishes the standard; it does not certify anyone.
  • Not a guaranteed CMMC pass. No provider can promise a certification outcome. Anyone who does is telling you something the rules don’t allow.
  • Not just a binder of policies. A policy that describes controls you haven’t actually implemented is the fastest way to fail — or worse.
  • Not a C3PAO assessment. A C3PAO (Certified Third-Party Assessment Organization — a firm authorized by the Cyber AB to conduct CMMC Level 2 assessments) checks your work. It doesn’t do the work.
  • Not a software subscription by itself. A GRC platform organizes evidence; it does not configure your identity, logging, or endpoints.

Implementation help doesn’t transfer accountability. A great partner will configure systems, build evidence, and guide remediation — but you still own how controls operate day to day, how your people behave, and the accuracy of what your affirming official signs in SPRS. The right engagement leaves you with named owners, evidence, and repeatable processes — not just a polished report.

Ready to see which of the six phases you still need?

The Defense Compliance Report’s Find My CMMC Path tool maps your level, CUI scope, and environment to the provider category that fits — before you take a single sales call. No CUI required.


Do not submit CUI, drawings, export-controlled files, or sensitive contract details.

What do NIST 800-171 implementation services cost in 2026?

Industry-reported first-year cost for a 25-to-100-person contractor with no mature security program typically runs $75,000 to $250,000, plus roughly 20–30% per year to maintain. That splits across remediation, SSP/POA&M work, security tooling, and a CUI enclave, plus 200–600 hours of internal staff time. A separate CMMC Level 2 C3PAO assessment runs about $40,000 to $150,000 every three years and is not an implementation cost.

Cost estimates for this work are all over the map — you’ll see “$10,000 to $50,000” on one vendor’s page and “$250,000” on another’s, and both can be telling the truth. The difference is almost always scope. A $12,000 engagement is usually documentation and advisory only. A $200,000 engagement includes remediation labor, tooling, and a compliant cloud environment. The second is not five times more expensive — it’s doing five times more work.

Table B — The DCR 2026 implementation-cost synthesis (source-by-source)

Compiled from public 2024–2026 pricing analyses and provider guidance. Planning estimates, not quotes. DoD published its own cost estimates in the 32 CFR Part 170 economic analysis (Federal Register).

DCR 2026 NIST 800-171 implementation cost synthesis by source
Source (industry-reported) | What it covers | Reported figure | One-time / recurring
IBSSCORP | First-year NIST 800-171 Rev. 2 implementation, small–mid contractor | $75,000–$250,000; maintenance +20–30%/yr | Both
Cybrvault | 25–100-person contractor, no mature program: tooling, enclave, docs, consulting | Tooling $25k–$80k/yr; enclave $40–$70/user/mo; SSP/POA&M + consulting $30k–$120k; C3PAO $40k–$150k/3yr | Both
Paramify / CMMC.com | Remediation to meet controls; readiness assessment | Remediation $20k–$150k; readiness assessment $5k–$20k | One-time
PreVeil | 2026 C3PAO Level 2 assessment fees (assessment only) | ~$75k–$150k | Every 3 yrs
TestPros | “Whole compliance package” (gap + policy + support), scope-dependent | $10k–$50k+; timeline ~3–6 months | One-time
DCR normalization | Blended first-year for a 25–100-person firm, low starting maturity, including remediation + tooling + enclave + docs | $75,000–$250,000 | Blended

Table C — What a first-year budget actually contains

NIST 800-171 first-year implementation budget components
Cost component | Typical range | Nature
Optional independent gap / readiness assessment | $3,500–$20,000 | One-time
Remediation to meet the controls | $20,000–$150,000 | One-time (driven by starting maturity)
Consulting + SSP/POA&M development | $30,000–$120,000 | One-time
Security tooling (EDR, logging/SIEM, MFA, encryption, vulnerability scanning, GRC) | $25,000–$80,000 | Per year
CUI enclave (Microsoft 365 GCC High or AWS GovCloud) | $40–$70 per user / month | Per user / month
Internal staff time | 200–600 hours | Year one
Typical first-year total (blended) | $75,000–$250,000 | Blended
Ongoing maintenance | ~20–30% of implementation | Per year
CMMC Level 2 C3PAO assessment (separate from implementation) | $40,000–$150,000 | Every 3 years

What drives your number up or down: how much CUI you touch and where it lives; whether you enclave or secure the whole environment; how many endpoints, users, and sites are in scope; whether you already have an MSP; and how mature your evidence already is. Headcount alone is a weak predictor — a 30-person shop with CUI scattered across commercial email can cost more than a 90-person firm that already runs a tight enclave. Our full CMMC Level 2 cost breakdown goes deeper by level and environment.

The one uncomfortable truth to take into every sales call: no honest provider can give you a firm, all-in price before scoping your CUI boundary — and a suspiciously low quote usually means the expensive parts (remediation labor, the enclave, real evidence work) were quietly left out, waiting to reappear as a change order. Scope first, then buy.

Want a realistic budget band for your scope? Get matched to the provider categories that fit your situation, then request comparable quotes.


Who should you hire — and which provider category comes first?

Five provider categories deliver NIST 800-171 implementation, and they don’t overlap cleanly. An RPO or Registered Practitioner scopes and documents; an MSP or MSSP builds and runs the technical controls; a GRC platform manages evidence; a CUI enclave provides the compliant environment; and a C3PAO performs the formal assessment when you’re ready. The right first hire depends on what’s actually unresolved — scope, systems, evidence, or assessment readiness.

  • RPO / RP (Registered Provider Organization / Registered Practitioner). Advisory: scoping, gap assessment, SSP/POA&M, assessment prep.
  • MSP (Managed Service Provider). Runs your IT: endpoints, identity, backups, patching, configuration.
  • MSSP (Managed Security Service Provider). Runs your security: monitoring, logging, alerting, incident response, vulnerability management.
  • GRC platform (governance, risk, and compliance software). Maps controls to evidence, manages the SSP/POA&M workflow, tracks owners.
  • CUI enclave. A walled-off, compliant environment (commonly Microsoft 365 GCC High or AWS GovCloud) that keeps CUI in one controlled place so you don't have to secure everything.
  • C3PAO. The accredited assessor. Assessment only. Not an implementer.

Table D — Provider category comparison

NIST 800-171 implementation provider category comparison
Provider category | Best used for | Not best for | What to verify before you hire
RPO / RP | Scoping, readiness, SSP/POA&M, assessment prep | Full technical implementation on its own | Listing in the Cyber AB Marketplace if they claim one; the named practitioner assigned; sanitized sample deliverables
MSP | Endpoints, identity, backups, patching, configuration | Independent assessment | DIB/CUI experience; whether they can export your evidence if you leave; that the MSP itself can meet its in-scope obligations
MSSP | Logging, SIEM, alerting, incident response, vulnerability management | Policy-only “compliance” work | Log sources, retention period, response SLAs, fit with a CUI environment
GRC platform | Evidence mapping, SSP/POA&M workflow, control ownership | Making weak systems compliant by itself | NIST 800-171 Rev. 2 mapping; evidence export format; who owns the data
CUI enclave | Shrinking CUI scope; secure email/file collaboration | Solving every company-wide control automatically | What stays inside the enclave vs. what controls remain outside it
C3PAO | The formal Level 2 assessment, when ready | Remediation-first work on the same engagement it will assess | Current authorization on the Cyber AB Marketplace; conflict-of-interest handling; assessment scope

This mapping is part of The CMMC Path Framework — our logic for matching a contractor’s required CMMC level, FCI vs. CUI handling, assessment type, IT/cloud environment, and contract timeline to the provider category they need. It routes to a category, not a named provider. If you’re weighing categories head-to-head, our RPO vs. C3PAO comparison goes deeper.

Table E — Which category fits your situation

Which NIST 800-171 implementation provider category fits your situation
If this is you… | Consider this category first | Do not start with
You don’t yet know whether you handle FCI or CUI | RPO/RP or a qualified federal-contracts attorney | An MSP, MSSP, or C3PAO
You handle CUI in email/file sharing on commercial Microsoft 365 | CUI enclave + managed readiness (MSSP/RPO) | A paper-only consultant
Your policies exist but your systems are weak | CMMC-focused MSP/MSSP | A C3PAO
Your systems are decent but evidence is scattered | GRC platform + RPO/readiness advisor | A software-only purchase with no owner
You need an accurate self-assessment / SPRS score | RPO/RP or an 800-171 assessment advisor | Guessing your score
You believe you’re assessment-ready | An authorized C3PAO | A readiness firm acting as your assessor
Not sure which of these is you | Start neutral | Any six-figure commitment

Still not sure whether you need an RPO, an MSP, a GRC platform, or an enclave first? The Defense Compliance Report’s Find My CMMC Path tool turns your answers about level, scope, and environment into a provider category and a short list of questions to ask.


When is a C3PAO the wrong first call?

A C3PAO is the wrong first call whenever you still need scoping, remediation, evidence buildout, or SSP/POA&M work — which is most contractors. A C3PAO conducts the formal CMMC Level 2 certification assessment; it does not build or operate the controls that get assessed. And under 32 CFR § 170.9, a C3PAO must follow the Cyber AB’s conflict-of-interest and impartiality rules, which mean it generally cannot assess an organization it consulted or helped prepare for that assessment.

Here’s the sequence that actually works:

  • Scope unclear? Start with an RPO/RP or federal-contracts counsel.
  • Systems weak? Start with an MSP/MSSP or a CUI enclave to implement.
  • Evidence weak? Start with a GRC platform plus a readiness advisor.
  • Genuinely ready? Now engage a C3PAO for the assessment.

The conflict-of-interest point isn’t a technicality — it’s structural to how the program keeps assessments honest. Keep your readiness/implementation help and your certifying assessor in separate, unrelated firms — and if a provider offers to “do both,” ask exactly how they firewall the two, and confirm the assessor’s current status yourself on the Cyber AB Marketplace.

Before you call a C3PAO, confirm you actually need one yet.


What should a real NIST 800-171 implementation engagement produce?

A real engagement produces far more than a gap report. At minimum, you should walk away with a scoped environment, a prioritized remediation backlog, implemented controls, an evidence library, an SSP, a POA&M for whatever the rule allows to remain open, named control owners, and a readiness path tied to your SPRS and CMMC obligations. If the only deliverable is a PDF of findings, you bought an assessment of your problem — not a solution to it.

Use this deliverables ledger to hold any proposal accountable. For a deeper look at the two documents assessors scrutinize most, see our guide to the SSP and POA&M.

Table F — The implementation deliverables ledger

NIST 800-171 implementation deliverables: what each is, why it matters, who produces it, and what good looks like
Deliverable | Why it matters | Who usually produces it | What “good” looks like
Contract/clause review summary | Prevents wrong-level assumptions | RPO/RP, counsel | Names the actual DFARS/CMMC clause and its applicability assumptions
CUI data-flow diagram | Prevents scope creep and missed systems | RPO, MSP, enclave provider | Shows where CUI is received, stored, processed, transmitted, and archived
System boundary | Defines what must be protected and assessed | RPO, MSP, enclave provider | Names systems, users, sites, cloud services, endpoints
Gap assessment | Shows what isn't implemented | RPO/RP, readiness advisor | Maps findings to NIST 800-171 Rev. 2 and 800-171A assessment objectives
Remediation backlog | Turns findings into scheduled work | MSP/MSSP, implementation partner | Prioritized by risk, dependency, cost, and timeline
SSP | Describes how each requirement is met | RPO/RP, GRC, internal owner | Current, system-specific, and linked to evidence
POA&M | Tracks unresolved items the rule allows | RPO/RP, GRC | Owners, dates, milestones, and only POA&M-eligible requirements
Evidence library | Supports assessment and daily operations | MSP/MSSP, GRC, internal owners | Screenshots, configs, logs, policies, tickets, approvals
SPRS support package | Supports an accurate score record | RPO/RP, advisor | Score rationale, SSP references, affirming-official package
Readiness handoff | Prevents a premature, failed assessment | RPO/RP, readiness advisor | Clearly states what remains before a C3PAO engagement

What belongs in your NIST 800-171 implementation SOW?

A statement of work worth signing spells out exactly which systems are in scope, which control families are being remediated, what deliverables will be produced, who owns each task, what evidence you’ll receive, and — critically — what’s excluded. If the SOW says “help achieve compliance” without a control-by-control scope and a deliverable list, it isn’t specific enough to compare against another quote or to hold anyone accountable.

A tight SOW is how you turn three wildly different proposals into an apples-to-apples decision — and how you avoid the change-order surprise.

Table G — The implementation SOW normalization checklist

NIST 800-171 implementation SOW normalization checklist
SOW item | It must specify | Red flag
Scope | Systems, users, locations, cloud services, CUI data flows | "All systems" with no defined boundary
Baseline | NIST SP 800-171 Rev. 2 for CMMC Level 2 | An unexplained switch to Rev. 3
Deliverables | SSP, POA&M, evidence, diagrams, config records | "Documentation" with no artifact list
Technical remediation | Identity, endpoint, logging, backup, vulnerability, network, email/file sharing | "Included" with no control-to-work mapping
Managed operations | Monitoring, patching, alerting, ticketing, review cadence | No recurring responsibilities named
Evidence ownership | Export rights, where evidence lives, retention, owner map | Evidence trapped inside the vendor's portal
SPRS handling | Support, score rationale, affirming-official package | The vendor posting or affirming for you with no governance
Assessment boundary | Whether the provider is readiness-only or assessment-only | The same firm blurring remediation and assessment
CUI handling | No CUI submitted through sales forms or unsecured intake | Requests for drawings or contracts inside a quote form
Exclusions | What the provider will not do | No exclusions listed at all

Take these line items into every quote. The Defense Compliance Report’s Find My CMMC Path tool helps you compare provider categories and assemble the request — so the quotes you get back are actually comparable.


Which NIST 800-171 control families need hands-on work?

Most of your implementation cost isn’t in writing policies — it’s in the technical and operational work across access control, identity, logging, configuration, incident response, vulnerability management, communications protection, and system integrity. The policy layer matters, but it has to describe controls that actually run. Of the 14 families in NIST SP 800-171 Revision 2, the ones below are where budget and effort concentrate — and the last column tells you the evidence to demand so you can prove each one.

Table H — Control family → implementation work → evidence to ask for

See our NIST 800-171A assessment objectives guide for the full 320 assessment objectives.

NIST SP 800-171 Rev. 2 control families: implementation work, hands-on requirement, and evidence a buyer should request
NIST SP 800-171 Rev. 2 family | What it means as real work | Hands-on technical work? | Evidence a buyer should ask for
Access Control | Who can reach CUI, from where, under what conditions | Yes | Access-control matrix; user access review export
Awareness and Training | Role-based security training for your people | Sometimes | Training completion records
Audit and Accountability | Logging, log review, retention, alerting | Yes | Log retention config; sample log-review records
Configuration Management | Secure baselines, change control, hardening | Yes | Baseline documents; change tickets
Identification and Authentication | MFA, account lifecycle, session and password controls | Yes | MFA enforcement config; account lifecycle records
Incident Response | Incident plan, reporting workflow, tabletop exercises | Yes | IR plan; tabletop/exercise records; reporting workflow
Maintenance | Controlled and remote maintenance, vendor records | Sometimes | Maintenance logs; remote-maintenance approvals
Media Protection | Removable media, backups, destruction, marking | Sometimes | Media handling/destruction records; backup config
Physical Protection | Facility access and physical safeguards | Sometimes | Facility access/badge records
Personnel Security | Screening, onboarding/offboarding, access termination | Sometimes | Screening records; termination/offboarding records
Risk Assessment | Vulnerability scanning, risk register, remediation tracking | Yes | Vulnerability scan reports; risk register
Security Assessment | SSP, POA&M, control assessment, monitoring | Yes | SSP; POA&M; control assessment results
System and Communications Protection | Segmentation, encryption, email/file protection | Yes | Network/segmentation diagram; encryption config
System and Information Integrity | Patching, malware protection, flaw remediation | Yes | Patch/vulnerability remediation reports; AV/EDR config

The mistake to avoid: don’t let a vendor quote you policy writing when your known gaps are identity, logging, endpoints, backups, or CUI workflow. Policies are the cheap part. The controls are the expensive part — and the part an assessor actually tests.

How long does NIST 800-171 implementation take?

Industry-reported timelines put a defensible NIST 800-171 implementation for a small or mid-sized contractor at roughly 90 to 180 days when scope is narrow, leadership is engaged, and remediation isn’t severe — about 30 days to scope and gap-assess, 30 to 60 to remediate and document, and the rest to validate and post an accurate SPRS score. The real deadline isn’t a timeline on a blog; it’s your contract clause and the CMMC phase schedule.

CMMC’s requirements are rolling out in phases tied to the DFARS acquisition rule, which took effect (Federal Register; phasing at 32 CFR § 170.3):

  • Phase 1. Contracting officers can require Level 1 and Level 2 (Self) assessments, and can require a Level 2 (C3PAO) certification at their discretion.
  • Phase 2 begins. DoD intends to include Level 2 (C3PAO) certification as a condition of award for applicable CUI contracts. Level 2 (Self) remains a valid status for some contracts — confirm what your specific contract requires. See our Phase 2 deadline guide.
  • Phase 3. Level 3 requirements added.
  • Phase 4. CMMC applies to all applicable contracts.

Assessment scheduling can take months, and you can’t credibly book a C3PAO until you’re implemented. A contractor who waits for a Phase 2 solicitation to appear before starting is choosing to bid with a gap they can’t close in time. And “we’ll get you compliant in 30 days” is a red flag for anything beyond a narrow enclave in an already-mature shop.

Should you implement NIST SP 800-171 Rev. 2 or Rev. 3?

For CMMC Level 2, implement against NIST SP 800-171 Revision 2 — the 110 requirements — unless your contract or a future DoD rule says otherwise. 32 CFR Part 170 incorporates Rev. 2 by reference for CMMC, and assessors grade against Rev. 2. NIST published Revision 3 in May 2024, and it supersedes Rev. 2 in NIST’s own library, but it does not yet apply to CMMC.

Rev. 3 reorganizes requirements into 17 families (up from 14 in Rev. 2), adds families such as Planning, System and Services Acquisition, and Supply Chain Risk Management, and introduces organization-defined parameters. Security leadership sees the newer version and assumes newer is required. It isn’t — not for CMMC, not yet. In May 2024, DoD issued a class deviation directing contractors under DFARS 252.204-7012 to keep complying with Rev. 2.

What we’d do: implement to Rev. 2 for your Level 2 assessment. Track Rev. 3 so you’re not surprised later. If a provider tries to sell you a Rev. 3-only “CMMC readiness” package, ask them to explain exactly how it maps to the current Level 2 requirement. A good vetting question: “Which baseline are you implementing for CMMC Level 2, and how do you monitor Rev. 3 without confusing the current assessment path?”

Did the February 2026 FAR overhaul change your obligations?

No — the February 2026 Revolutionary FAR Overhaul renumbered and reorganized the cybersecurity clauses, but it did not reduce the technical work. Effective , DoD’s class deviation stood up a new DFARS Part 240 and clause DFARS 252.240-7997, removed the standalone “Basic” NIST SP 800-171 self-assessment requirement associated with DFARS 252.204-7019, and carried the Medium/High DoD assessment mechanics of DFARS 252.204-7020 into 252.240-7997. Your obligation to implement all 110 NIST SP 800-171 requirements, maintain an SSP, report incidents, and obtain a CMMC status when required is fully intact — DFARS 252.204-7012 and DFARS 252.204-7021 are unchanged.

These are class deviations — interim regulatory text that applies to solicitations using the new structure — not final rulemaking. A class deviation doesn’t strike the codified DFARS. So the legacy clause numbers still appear in the DFARS and in existing contracts, and you should expect to see both the old numbers and the new ones during the transition.

Table I — Clause-number transition (what you’ll actually see)

DFARS clause-number transition from legacy numbers to February 2026 RFO class deviation numbers
Requirement | Legacy number (still in the codified DFARS) | Under the Feb 2026 RFO class deviation | What it means when you buy services
FCI safeguarding (15 controls) | FAR 52.204-21 | Renumbered to FAR 52.240-93; same 15 controls; new FAR Part 40 | Level 1 work is unchanged; a current vendor should recognize both numbers
“Basic” 800-171 self-assessment | DFARS 252.204-7019 | Standalone Basic self-assessment requirement removed; assessment now runs through CMMC | The old “just post a Basic score” path is gone; a vendor citing 7019 as your driver is working from stale material
DoD assessment requirements (Medium/High) | DFARS 252.204-7020 | Mechanics carried into DFARS 252.240-7997; new DFARS Part 240 | Medium/High are government assessments; your day-to-day obligation is unchanged
Safeguarding + incident reporting | DFARS 252.204-7012 | Unchanged | 110 controls, 72-hour incident reporting, and FedRAMP Moderate (or equivalency) for cloud CUI still apply in full
CMMC clause + solicitation notice | DFARS 252.204-7021 / -7025 | Unchanged | CMMC status, annual affirmation, and flow-down to subcontractors still govern eligibility

The one-line version: the clause numbers moved; the controls didn’t. If anyone uses “the rules changed” as a reason to re-scope or upsell your implementation, slow the conversation down. It’s the same 110 requirements.

The $4.6 million lesson: why “paper compliance” fails

In March 2025, the U.S. Department of Justice announced a $4.6 million False Claims Act settlement with defense contractor MORSECORP Inc. The company had posted an SPRS score of 104 — near the top of the −203 to 110 scoring range — while a third-party cybersecurity consultant later found its actual score was −142.

We read the DoJ’s own announcement. The facts DoJ published: from January 2018 to September 2022, MORSECORP used a third-party email host without ensuring it met FedRAMP Moderate-equivalent requirements; it had not fully implemented the NIST SP 800-171 controls its contracts required; it lacked a consolidated written system security plan; and it did not correct its inflated SPRS score until June 2023 — three months after it received a federal subpoena. The whistleblower, the company’s own head of security, received $851,000.

This is not presented as a typical outcome. But the pattern is the cautionary tale:

  • A score that reflects intent instead of evidence is a liability, not an asset.
  • An SSP that describes an ideal state instead of your real environment is the gap an assessor — or a whistleblower — finds.
  • The independent third party is what surfaced the truth. An honest gap assessment early is cheap insurance against a very expensive discovery later.

DoJ’s Civil Cyber-Fraud Initiative remains active. The lesson isn’t fear — it’s that the entire point of real implementation services is to make your SPRS score and your SSP true. For more on scoring, see our SPRS score guide.

If your current score or SSP was built on hope rather than evidence, get an independent read before you post it.


What to ask before you sign

Ask each provider for proof that matches the role they’re claiming. An RPO should show a Cyber AB Marketplace listing if they claim one and sanitized sample deliverables; an MSP/MSSP should show evidence and logging practices; a GRC platform should show exportable workflows and its Rev. 2 mapping; a C3PAO should show current authorization if assessment is what you’re buying. Match the proof to the promise, and vague answers become easy to spot.

For an RPO / readiness advisor

  • Are you listed in the Cyber AB Marketplace?
  • Which specific practitioner is assigned to us?
  • Can we see a sanitized SSP and POA&M you've produced?
  • How do you handle conflict of interest if we later need an assessment?

For an MSP / MSSP

  • What DIB or CUI environments have you supported?
  • What are your logging sources, retention, and incident-response SLAs?
  • What's your configuration-baseline approach?
  • If we leave, how does our evidence export?

For a GRC platform

  • How do you map to NIST 800-171 Rev. 2?
  • Do you support SSP/POA&M generation?
  • Can we export our evidence? Who owns the data?
  • What does it integrate with — ticketing, cloud, identity, endpoint?

For a CUI enclave provider

  • What stays inside the enclave, and what controls remain our responsibility outside it?
  • What does the user workflow look like?
  • What are the data-migration and identity/logging assumptions?

For a C3PAO

  • What's your current authorization status on the Cyber AB Marketplace?
  • What scope are you assuming?
  • What's the scheduling timeline?
  • What readiness artifacts do you require before we pay for an assessment?
  • How do you handle independence?

Before you request quotes: the pre-quote checklist

The more precise your non-sensitive scope is, the less likely you are to get vague or inflated proposals. Have these ready — and remember, none of this belongs in a vendor’s sales form:

  • Required CMMC level, if known
  • The contract clause or solicitation language
  • FCI vs. CUI status
  • Where CUI is received, stored, processed, transmitted, and archived
  • Number of users, endpoints, and physical locations
  • Your cloud platforms (Microsoft 365 Commercial, GCC, GCC High, AWS, Azure, on-prem, mixed)
  • Whether you already have an MSP/MSSP
  • Whether you have an SSP and a POA&M
  • Your current SPRS score and its date, if any
  • Your solicitation or assessment deadline
  • Whether you’ve already contacted a C3PAO
  • Your internal owners for executive, IT, and contracts/compliance

Our NIST 800-171 requirements checklist walks the same ground as a self-serve worksheet.

You’ve done the hard part — now turn it into a next step. The Defense Compliance Report’s Find My CMMC Path tool organizes your level, CUI scope, environment, and timeline into the provider category and SOW items you should request.


How we built this guide — and what we verified

What we verified for this page (as of ):

  • Read 32 CFR Part 170 (the CMMC Program Rule) on the eCFR to confirm that Level 2 maps to the 110 NIST SP 800-171 Rev. 2 requirements, and that Level 3 adds 24 enhanced requirements selected from NIST SP 800-172 — not 35, a number some competing pages get wrong.
  • Read 32 CFR § 170.21 to confirm the POA&M rules: Level 1 allows no POA&M; a Conditional Level 2 status requires a score of at least 80% (88 of 110); only requirements worth 1 point are POA&M-eligible; and POA&Ms must be closed within 180 days.
  • Read 32 CFR § 170.9 to confirm the C3PAO conflict-of-interest and impartiality requirements.
  • Confirmed the CMMC Program Rule effective date (December 16, 2024) and the DFARS CMMC final rule effective date (November 10, 2025) in the Federal Register.
  • Verified the February 1, 2026 Revolutionary FAR Overhaul clause changes (new DFARS Part 240 and clause 252.240-7997; removal of the standalone Basic self-assessment; FAR 52.204-21 renumbered to 52.240-93) against the DoD class-deviation text.
  • Confirmed the MORSECORP $4.6 million False Claims Act settlement, including the 104-versus-(−142) score facts, against the U.S. Department of Justice announcement.
  • Compiled the 2026 cost ranges from industry pricing reports (IBSSCORP, Cybrvault, PreVeil, Paramify, TestPros) and labeled them as industry-reported planning estimates, not government figures.

What this page does not do

It does not provide legal advice. It does not determine your contractual obligation. It does not certify compliance. It does not rank named providers. It does not imply any affiliation with the Cyber AB, DoD, DIBCAC, NIST, or any U.S. government agency. And it does not collect CUI. This is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.


NIST 800-171 implementation services: frequently asked questions

Are NIST 800-171 implementation services the same as CMMC consulting?

No. NIST 800-171 implementation services focus on putting the controls, evidence, SSP, POA&M, and operating processes in place. CMMC consulting may include readiness planning, scoping, assessment prep, and provider-category guidance, but full implementation usually also requires technical remediation and managed operations. If you’re mainly choosing an advisor, see our NIST 800-171 consultant guide.

Is NIST 800-171 the same as CMMC Level 2?

No. NIST SP 800-171 is the 110-requirement security standard; CMMC Level 2 is the DoD program that verifies it. Under 32 CFR Part 170, CMMC Level 2 maps to NIST SP 800-171 Revision 2 — not Revision 3 — until DoD amends the rule.

Do I need NIST SP 800-171 Rev. 2 or Rev. 3 for CMMC Level 2?

Implement to Revision 2 for your CMMC Level 2 assessment. NIST published Revision 3 in May 2024, but the CMMC rule still points Level 2 to Rev. 2, and assessors grade against Rev. 2. Track Rev. 3 for the future; don't build only to it today.

Can the same company implement my controls and then certify me?

Generally no. Under 32 CFR § 170.9 and the Cyber AB's conflict-of-interest rules, a C3PAO cannot conduct a certification assessment of an organization it consulted or helped prepare for that assessment. Keep your readiness/implementation help and your certifying assessor in separate, unrelated firms.

How much do NIST 800-171 implementation services cost?

For a 25-to-100-person contractor with no mature program, industry-reported first-year cost typically runs $75,000 to $250,000, plus roughly 20–30% per year to maintain. A separate C3PAO assessment runs about $40,000 to $150,000 every three years. Validate any range against scoped quotes.

Can I store CUI in commercial Microsoft 365 or Google Workspace?

Not in a standard commercial cloud. Under DFARS 252.204-7012, any cloud service that stores, processes, or transmits CUI must meet the FedRAMP Moderate baseline (or DoD-approved equivalency) and support the clause's cyber-incident, malicious-software, media-preservation, and forensic-access obligations, documented in your SSP and customer responsibility matrix. Commercial Microsoft 365 and commercial Google Workspace don't meet that; Microsoft 365 GCC High and AWS GovCloud are common environments buyers evaluate — but verify the specific offering, not the brand name.

How long does POA&M remediation take, and what can't be deferred?

Under 32 CFR § 170.21, POA&M items must be closed within 180 days of a Conditional CMMC status. Not everything can be deferred: Level 1 allows no POA&M at all, and at Level 2 only requirements worth 1 point in the scoring methodology are POA&M-eligible — higher-weighted controls such as multi-factor authentication and FIPS-validated encryption must be met at the time of assessment.
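The scoring and POA&M rules above are mechanical enough to check in code. The following is an added example written for this page, not code from The Defense Compliance Report or any government tool. It applies the stated rules (110 maximum, −203 floor, 88-point Conditional threshold, 1-point-only POA&M eligibility, 180-day closure window) to a constructed sample assessment; the requirement weights in the sample are assumed values, chosen only to reflect the guide's description of MFA and FIPS-validated encryption as higher-weighted, and the rule's item-specific POA&M exceptions are not modelled, so verify both against the DoD Assessment Methodology and 32 CFR § 170.21 before relying on the output.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Scoring constants as stated in the guide (32 CFR 170.21 and the SPRS score range).
MAX_SCORE = 110          # all 110 NIST SP 800-171 Rev. 2 requirements met
MIN_SCORE = -203         # lowest possible SPRS score
CONDITIONAL_MIN = 88     # 80% of 110: floor for Conditional Level 2 status
POAM_CLOSE_DAYS = 180    # POA&M items must be closed within 180 days


@dataclass(frozen=True)
class Requirement:
    req_id: str        # NIST SP 800-171 Rev. 2 identifier, e.g. "3.5.3"
    weight: int        # 1, 3 or 5 points; the sample weights below are assumed values
    implemented: bool


def sprs_score(reqs):
    """110 minus the weight of every unmet requirement, floored at -203.
    Requirements absent from `reqs` are treated as implemented (no deduction)."""
    deductions = sum(r.weight for r in reqs if not r.implemented)
    return max(MIN_SCORE, MAX_SCORE - deductions)


def unmet(reqs):
    return [r for r in reqs if not r.implemented]


def poam_eligible(reqs):
    """Gaps that may sit on a POA&M: only 1-point requirements.
    Item-specific exceptions in the rule text are not modelled here."""
    return [r for r in unmet(reqs) if r.weight == 1]


def blocking(reqs):
    """Gaps that must be closed before assessment: 3- and 5-point requirements."""
    return [r for r in unmet(reqs) if r.weight > 1]


def level2_status(reqs):
    """'Final' with no gaps; 'Conditional' if score >= 88 and every gap is
    POA&M-eligible; otherwise 'Not eligible'."""
    if not unmet(reqs):
        return "Final"
    if sprs_score(reqs) >= CONDITIONAL_MIN and not blocking(reqs):
        return "Conditional"
    return "Not eligible"


def poam_deadline(conditional_date):
    """Last day to close POA&M items after a Conditional status is issued."""
    return conditional_date + timedelta(days=POAM_CLOSE_DAYS)


def remediate(reqs, closed_ids):
    """Return a copy of the assessment with the listed requirements marked implemented."""
    return [replace(r, implemented=True) if r.req_id in closed_ids else r for r in reqs]


# Constructed sample assessment (not a real contractor's data). Requirements not
# listed are assumed implemented. MFA (3.5.3) and FIPS-validated cryptography
# (3.13.11) are given weight 5 to reflect the guide's "higher-weighted" description.
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.1.9", 1, False),    # privacy/security notices not displayed
    Requirement("3.3.1", 5, True),
    Requirement("3.5.3", 5, False),    # MFA not yet enforced for all users
    Requirement("3.8.4", 1, False),    # CUI media not marked
    Requirement("3.13.11", 5, False),  # encryption in use but not FIPS-validated
]


def report(reqs):
    """Summarise an assessment as a dict a GRC workflow or SSP appendix could consume."""
    return {
        "score": sprs_score(reqs),
        "status": level2_status(reqs),
        "blocking": [r.req_id for r in blocking(reqs)],
        "poam_eligible": [r.req_id for r in poam_eligible(reqs)],
    }


if __name__ == "__main__":
    before = report(SAMPLE)
    after = report(remediate(SAMPLE, {"3.5.3", "3.13.11"}))
    print("before remediation:", before)
    print("after closing the 5-point gaps:", after)
    print("POA&M deadline if Conditional on 2026-03-01:", poam_deadline(date(2026, 3, 1)))
```

The sample starts at a score of 98, comfortably above 88, yet it is not eligible for a Conditional status because two of its gaps are 5-point items; only after those are closed does the remaining pair of 1-point gaps qualify for a POA&M. That is the distinction the FAQ answer makes: the percentage threshold and the eligibility rule are separate tests, and passing the first says nothing about the second.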

Is a GRC platform enough for NIST 800-171 implementation?

Usually not. A GRC platform maps controls, organizes evidence, and manages the SSP/POA&M workflow, but it does not configure your identity, logging, endpoints, backups, incident response, or CUI protection. It's a supporting layer, not the whole solution.

Did the February 2026 FAR overhaul reduce my obligations?

No. The overhaul renumbered and reorganized clauses effective February 1, 2026 — a new DFARS Part 240 and clause 252.240-7997, removal of the standalone Basic self-assessment, and FAR 52.204-21 renumbered to 52.240-93 — but it did not change the requirement to implement all 110 NIST SP 800-171 controls, maintain an SSP, report incidents, or obtain a CMMC status. Because these are class deviations, the legacy clause numbers still appear in the codified DFARS during the transition.

What if a prime tells us we need NIST 800-171 compliance immediately?

Ask what clause, level, and CUI flow-down they're requiring, and by when. Then scope where your CUI lives and identify whether you need scoping, implementation, managed security, an enclave, GRC support, or assessment readiness first. Don't buy before you scope.

Get matched to the right CMMC provider category

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.


Do not submit CUI, drawings, export-controlled files, or sensitive contract details through any form.



Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. Editorial Standards · Methodology · Corrections Policy