The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

CMMC Standards & NIST Requirements

NIST 800-171 vs 800-172: What’s the Difference, and Which One Applies to You?

By The Defense Compliance Report Editorial Team

Last reviewed: · Last verified:

Educational research, not legal, contractual, or compliance advice.

NIST SP 800-171 is the baseline. NIST SP 800-172 is a supplement — and applicability comes from your governing agreement, not from your company size. SP 800-171 provides the baseline security requirements for the components of a nonfederal system that process, store, or transmit CUI, or that protect those components, when a contract, subcontract, grant, or other agreement requires them. SP 800-172 is a set of enhancedrequirements a federal agency selects from — and only when the CUI is tied to a critical program or high value asset, and only when the agency conveys those requirements in an agreement. The February 2021 edition, the one CMMC uses, contains 35 of them. You do not grow into 800-172. You get assigned it.

That’s the clean answer. Here’s the part almost nobody has caught up to: NIST withdrew the exact edition of SP 800-172 that CMMC requires on May 13, 2026— and the requirement didn’t change. Meanwhile, the only CMMC pathway that makes 800-172 binding was suspended on July 13, 2026. Both things are true at once, and neither means what most pages currently say it means. We’ll put the regulation and the standard side by side so you can see exactly why.


The 30-second verdict

NIST SP 800-171 vs NIST SP 800-172 at a glance
The question you’re actually askingNIST SP 800-171NIST SP 800-172
What is it?Baseline security requirements for protecting CUI in nonfederal systemsEnhanced requirements that supplement 800-171
What threat is it built for?Foundational protection of CUI confidentialityThe advanced persistent threat (APT) — a well-resourced adversary, often a nation-state
Does it replace the other?No. It's the foundation.No. It stacks on top.
When does it apply to you?A governing contract, subcontract, grant, agreement, or agency direction requires it for systems handling CUIAn agency selects specific requirements, ties them to a critical program or high value asset, and conveys them in an agreement
Can you adopt it voluntarily?Yes — but voluntary adoption doesn't create or remove a contractual obligationYes — but you cannot create a CMMC obligation or CMMC status by electing it yourself
Edition CMMC requiresRevision 2 (Feb 2020, updates through Jan 28, 2021)The February 2021 edition
Current edition at NISTRevision 3 (May 2024)Revision 3 (May 2026)
Requirement count, CMMC-cited edition110, across 14 families35 total; DoD selected 24 for CMMC Level 3
Where it lives in CMMCLevel 2 (Level 1 uses a separate FAR set)Level 3 only
Who assesses it under CMMCCodified model: self-assessment or a C3PAO. Current rule: Level 2 (Self) onlyDCMA DIBCAC — the government, never a C3PAO
Status as of July 18, 2026Active. Level 1 (Self) and Level 2 (Self) can still be requiredLevel 3 designation suspended since July 13, 2026

Definitions, once: CUIis Controlled Unclassified Information — government information that isn’t classified but still requires safeguarding. FCI is Federal Contract Information, a lower tier. C3PAO is a CMMC Third-Party Assessment Organization, a private firm authorized to conduct certification assessments. DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center, the government assessment arm inside the Defense Contract Management Agency (DCMA). APT is an advanced persistent threat. ODPis an organization-defined parameter — a value the standard deliberately leaves blank for the requiring authority to fill in.


Should you keep reading?

Read on if:a clause, statement of work, or prime’s questionnaire mentioned 800-172 or “enhanced security requirements”; you saw an identifier ending in a lowercase “e” (like SI.L3-3.14.3e) and want to know what it is; a vendor pitched you a Level 3 readiness program; or you’re trying to work out whether NIST publishing Revision 3 broke your System Security Plan.

You can stop here if: nothing in your governing contract or its incorporated documents names 800-172, enhanced security requirements, or CMMC Level 3. In that case 800-172 is not a current obligation for you, and the rest of this page is background rather than a to-do list. Your time is better spent on the 110 requirements CMMC Level 2 is scored against. We’d rather send you to the right page than keep you on this one.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures. We are not affiliated with the Cyber AB, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.


What is the difference between NIST 800-171 and NIST 800-172?

NIST SP 800-171 establishes the baseline security requirements for protecting Controlled Unclassified Information in nonfederal systems. NIST SP 800-172 provides enhanced requirements that supplement that baseline, aimed at the advanced persistent threat. It is a supplement, not a successor — NIST’s design assumption is that the 800-171 requirements are already in place before any enhanced requirement is applied.

The difference people usually reach for is difficulty. That’s the wrong axis, and it leads to expensive mistakes.

The real difference is what triggers each one. SP 800-171 follows the data: when CUI lands in a system covered by an agreement that requires safeguarding, the baseline follows it in. SP 800-172 follows a decision: a federal agency has to look at a specific program, determine it warrants more than the baseline, select which enhanced requirements apply, and convey them in an agreement. No selection, no 800-172. (NIST SP 800-172 Rev. 3)

The one-sentence version

800-171 asks whether you’re protecting CUI. 800-172 asks whether selected penetration-resistant, damage-limiting, and cyber-resiliency capabilities are needed to protect critical-program or high-value-asset CUI against an adversary who is well-resourced, patient, and specifically interested in you.

What 800-172 actually adds

The enhanced requirements organize around three protection strategies:

Many of these require standing technical or operational capability. Others require training, risk analysis, documentation, supply-chain process, or governance. The mix matters, because it determines whether a given requirement is a project or a payroll line — and that’s the distinction that should shape your budget before anyone quotes you a price.

“800-172 is the advanced version of 800-171” is a costly mental model

Nearly every explainer currently ranking for this term frames 800-172 as a higher tier you graduate into as you handle more sensitive work. That framing is wrong, and it’s wrong in a direction that costs money — it implies you should be preparing for 800-172 as a natural maturity step.

NIST is explicit that enhanced requirements apply when selected and required by a federal agency, and states plainly that “there is no expectation that all of the enhanced security requirements will be selected.” Not “most organizations will phase in.” Not “all of them eventually.” Selection is the mechanism, and partial selection is the expectation. (NIST SP 800-172 Rev. 3)

Practically: any claim of “800-172 compliance” is incomplete unless it names the edition, the selected requirement set, the system scope, the assessment method, and the governing authority.You can voluntarily implement a defined set of enhanced safeguards — that’s legitimate, and sometimes smart. What doesn’t exist is a general, scope-free state of being 800-172 compliant.

One naming point that will save you an argument

The February 2021 publication is officially NIST SP 800-172— full stop, no revision number. It is not “Revision 1” and it is not “Revision 2,” though you’ll find both errors in circulation, including on pages currently ranking for this search. The first numbered revision of this document is Revision 3, published May 2026.

This matters because 32 CFR Part 170 cites the February 2021 edition by date. If you go looking for “800-172 Rev. 2” to satisfy a CMMC requirement, you won’t find it, because it doesn’t exist.


Does NIST 800-172 apply to my company?

NIST SP 800-172 is not mandatory by default for defense contractors, and applicability has nothing to do with company size or security maturity. It applies when a federal agency determines that CUI is associated with a critical program or high value asset and selects specific enhanced requirements in a contract, grant, or other agreement. If no governing document — including incorporated attachments, flow-downs, and modifications — selects enhanced requirements or establishes an applicable Level 3 requirement, it is not a current obligation for you.

The three conditions — all three, not any one

For SP 800-172 to reach you, every one of these has to be true:

  1. The system processes, stores, or transmits CUI— or provides security protection for components that do; and
  2. A federal agency has determined that the CUI is associated with a critical program or high value asset; and
  3. That agency has selected specific enhanced requirements and conveyed them in a contract, grant, or other agreement.

Miss any one and 800-172 doesn’t apply. Note what is not on that list: your headcount, your revenue, your industry, your NAICS code, how sensitive you personally believe your work to be, or how many gaps a vendor found in your environment.

What this page can’t tell you

Here’s our limitation, stated plainly: we can’t tell you whether 800-172 applies to your company. And neither can any consultant, platform, assessor, or AI tool that hasn’t read your contract.800-172 isn’t a standard you qualify for on the merits. It’s a set of requirements a federal agency selects and conveys in an agreement. If your governing documents don’t select them, no maturity model, gap assessment, or vendor scorecard can make them apply — and none can make them go away if they do.

Now here’s why that limitation is working in your favor.

It means the single most valuable thing you can do this week costs nothing: pull your governing agreement and its incorporated documents and read them. And it hands you a clean disqualifying test for anyone selling to you.

The three questions that separate a real advisor from a scope you don’t need:

  1. “Which clause, provision, or incorporated document creates this obligation for us?” A real answer cites a document you can open. A vague answer about industry direction is a sales position, not a requirement.
  2. “Which specific enhanced requirements were selected, and under what authority?” If the answer is all 35, ask for the selection instrument and the rationale. NIST says there’s no expectation that all enhanced requirements will be selected — that isn’t a prohibition on an agency selecting all of them, but it does mean the claim needs a source.
  3. “Is this a government requirement or your own recommendation?” Both can be legitimate. Only one is mandatory. You’re entitled to know which you’re being billed for.

Anyone quoting you an 800-172 program before reading your clause is pricing a scope they haven’t verified. Asking costs you one email.

The four routes 800-172 can actually reach you

This is the applicability answer the rest of the search results are missing. Three of these are real ways an obligation can reach you. The fourth is a theory that keeps getting sold.

Four routes NIST SP 800-172 can reach a contractor
RouteWhat it looks like in practiceLive today?Governing authority
CMMC Level 3 (DIBCAC)Level 3 named in your solicitation or contract; the 24 selected requirements; government-conducted assessmentNo — designation suspended. Requiring activities may not designate Level 3 (DIBCAC) or Level 2 (C3PAO). Existing requirements are to be removed by amendment or modification, but the text stands until that written action issues32 CFR 170.14, §170.18; DoW implementing memorandum, Attachment 1
Direct contract, grant, or agreement termsA federal agency selects enhanced requirements and conveys them directly — with or without CMMC involvedYes. The suspension expressly preserves the ability of requiring activities to impose additional cybersecurity protections consistent with law and regulationNIST SP 800-172 Rev. 3; DoW CIO memorandum
Flow-down through a subcontractEither a government requirement properly flowed down, ora prime’s own additional security termYes — but which one matters. DFARS 252.204-7021 requires the substance of the CMMC clause to flow into covered subcontracts. A prime-imposed term that isn’t a CMMC requirement is still contractually binding once executedDFARS 252.204-7021; 32 CFR 170.23; your subcontract
A “maturity tier” you grow intoNo. This route doesn’t exist. Enhanced requirements apply only when selected and requiredNIST SP 800-172 Rev. 3

That third row is where most confusion in the current market lives, and it splits two ways that people constantly merge. A properly flowed-down CMMC requirement is part of the CMMC mechanism. A prime layering on its own security terms is a negotiation between two companies. Both can bind you. They have very different answers right now, and you should know which one you’re looking at.

“Our prime says enhanced requirements are coming”

Take it seriously, then get specific. A prime may be flowing down a genuine government requirement, anticipating one, or applying its own supply-chain security policy. All three produce the same email. Only the first is a regulatory obligation.

Ask for the clause. Ask whether it flows from a government requirement or from prime policy. If it’s prime policy rather than a flowed-down requirement, it may be negotiable beforeyou accept or modify — but once it’s in an executed subcontract it binds you until it’s changed. That timing is the whole leverage window. Don’t budget a program off an email, and don’t sign one either.

What “critical program” and “high value asset” actually mean

Both are federal government determinations, not self-assessments. A high value asset is, broadly, an information system or dataset whose loss would cause serious harm to agency mission or national security. A critical program is one the agency has identified as warranting protection beyond the baseline.

Notice what NIST does notdo: define which specific programs qualify. That determination belongs to the agency, and it arrives through your agreement. You can’t reason your way into the answer from the outside, and neither can a vendor. (For the separate question of whether your data is FCI, CUI, or CDI in the first place, see whether your data is CDI, CUI, or FCI.)


Which version of NIST 800-171 and 800-172 applies right now?

CMMC still requires NIST SP 800-171 Revision 2 and the February 2021 edition of NIST SP 800-172 — even though NIST has withdrawn both. The CMMC Program Rule incorporates those specific editions by reference, which freezes them in place until DoD amends the rule. Publishing a new revision is something NIST does; changing a legal requirement takes rulemaking. The two are not the same event.

This is the section we built this page for, because it’s the question nobody currently ranking answers — and getting it wrong sends contractors into remediation projects they don’t owe.

Our publication currency audit

On , we checked each NIST publication that supplies CMMC’s Level 2 and Level 3 requirements and assessment procedures, one at a time, against the NIST Computer Security Resource Center. Here’s the result.

What CMMC requires vs. what NIST currently publishes — verified

CMMC required publications vs. current NIST status, verified July 18, 2026
PublicationWhere the rule uses itStatus at NIST todaySuperseded by
NIST SP 800-171 Rev. 2 (Feb 2020, updates through Jan 28, 2021)§170.14(a)(2), (c)(3) — the 110 Level 2 requirementsWithdrawn May 14, 2024SP 800-171 Rev. 3 (May 2024)
NIST SP 800-171A (June 2018)§170.14(d) — Level 2 assessment proceduresSupersededSP 800-171A Rev. 3 (May 2024)
NIST SP 800-172 (Feb 2021)§170.14(a)(3), (c)(4) — the 24 Level 3 requirementsWithdrawn May 13, 2026SP 800-172 Rev. 3 (May 2026)
NIST SP 800-172A (March 2022)§170.14(d), §170.18 — Level 3 assessment proceduresSuperseded May 13, 2026SP 800-172A Rev. 3 (May 2026)

Read that column again. All four.Every NIST publication that supplies CMMC’s Level 2 and Level 3 requirements and assessment procedures has been withdrawn or superseded in NIST’s library — and not one of those events changed a single thing about what the rule requires you to do.

That’s not a loophole, a gotcha, or an oversight. It’s how the mechanism is designed to work.

Why a withdrawn publication is still the legal requirement

The concept is incorporation by reference. When a regulation incorporates an outside document, it doesn’t say “follow whatever NIST publishes.” It names a specific edition, by revision and date, and that named edition becomes part of the regulation. From that moment the standard is frozen inside the rule. NIST can revise, withdraw, or retire the underlying publication; the regulation keeps pointing at the edition it named until the agency completes rulemaking to point somewhere else. The CMMC final rule states this directly — the incorporation by reference of the material listed in the rule was approved by the Director of the Federal Register as of December 16, 2024. (89 FR 83092)

So there are two entirely separate clocks running:

Once you see those as two clocks, every contradictory answer you’ve gotten on this topic resolves. The consultant saying “Rev. 2” and the NIST website saying “Rev. 3” are both correct. They’re answering different questions.

Practical translation:if your CMMC Level 2 self-assessment is scored against 110 requirements from SP 800-171 Rev. 2, that’s still true today. If your System Security Plan cites the withdrawn edition that your governing requirement actually uses, withdrawal alone doesn’t make that citation wrong.

What actually changed in SP 800-172 Rev. 3

Revision 3 is a substantial rewrite:

Worth stating plainly, because someone will otherwise sell you the opposite: publication of Revision 3 does not by itself create a CMMC obligation. CMMC remains tied to the incorporated editions. A separate agency, contract, or agreement can independently require Revision 3 — but that would be a distinct requirement with its own authority, not an automatic consequence of NIST publishing.

If you built to 800-172 between 2022 and 2024

Your work is very likely still relevant, because CMMC is pinned to the February 2021 edition. But don’t treat “we implemented 800-172” as equivalent to “we’re assessment-ready.” Before you rely on it, verify three things: that you covered the specific 24 requirements CMMC selected rather than a different subset, that you met the DoD-assigned parameters rather than your own, and that your scope and evidence would hold up to examination.

Don’t renumber your SSP for Revision 3, and don’t start a Revision 3 gap project on your own initiative. What is worth doing is noting which of your controls would shift if DoD later adopts Revision 3, so a future rulemaking becomes a mapping task rather than a discovery project.

The same thing is happening to DFARS 252.204-7012

Worth one paragraph, because it’s the same mechanic in a different instrument. DFARS 252.204-7012 — the safeguarding and cyber incident reporting clause that predates CMMC and survives it — as codified points to the version of NIST SP 800-171 in effect at the time the solicitation is issued. Read literally after May 2024, that would have pulled contractors onto Revision 3. DoD issued a class deviation directing the use of Revision 2 instead. Same phenomenon: the written instrument pointed forward, and the agency had to act deliberately to hold the line at the edition everyone was actually building to.


How do NIST 800-171 and 800-172 map to CMMC levels?

CMMC Level 1 uses 15 basic safeguarding requirements drawn from the FAR, not from NIST SP 800-171. CMMC Level 2 uses the 110 requirements of NIST SP 800-171 Revision 2. CMMC Level 3 adds 24 requirements selected from the February 2021 edition of NIST SP 800-172, for a codified model total of 134. Level 3 is the only CMMC level that touches SP 800-172 at all.

NIST 800-171 and 800-172 mapped to CMMC levels
CMMC levelSecurity requirements come fromHow manyAssessment type in the codified model
Level 148 CFR 52.204-21(b)(1)(i)–(xv) — basic safeguarding for FCI15Self-assessment, annual
Level 2NIST SP 800-171 Rev. 2110Self-assessment or C3PAO certification, triennial
Level 3Level 2’s 110 plus 24 selected from NIST SP 800-172 (Feb 2021)134DCMA DIBCAC certification, triennial

The 134-requirement total is a CMMC number, not a NIST number. No single NIST publication contains 134 requirements. It’s the sum of two documents’ selected contents, and it exists only inside the CMMC model. See the CMMC Level 3 requirements page for the full list of the 24 selected SP 800-172 requirements, and the CMMC level comparison for the broader overview of all three levels.


How many requirements are in NIST 800-171 and 800-172?

The answer depends on which edition you mean and whether you’re asking about a full NIST publication or CMMC’s selected subset. The February 2021 edition of SP 800-172 contains 35 enhanced security requirements across 14 families; CMMC Level 3 uses 24 of them. NIST SP 800-171 Rev. 2 contains 110 requirements across 14 families. The current Rev. 3 editions contain 97 and 103 active requirements respectively, across 17 families each, under the counting method described below.

If you’ve been getting different numbers from different sources, you weren’t being misled. You were getting correct answers to questions you didn’t ask.

Why 15, 24, 35, 97, 103, 110, and 134 can all be right

Explanation of NIST requirement count numbers
NumberWhat it actually counts
15CMMC Level 1 basic safeguarding requirements, from 48 CFR 52.204-21(b)(1)(i)–(xv) — FAR-derived, not NIST
24Enhanced requirements DoD selected from SP 800-172 (Feb 2021) for the CMMC Level 3 model
35Total enhanced requirements in the complete February 2021 edition of SP 800-172
97Active requirements in SP 800-171 Rev. 3 (130 numbered identifiers, 33 withdrawn) — our count
103Active enhanced requirements in SP 800-172 Rev. 3 (115 numbered identifiers, 12 withdrawn) — our count
110Requirements in SP 800-171 Rev. 2 — and the CMMC Level 2 requirement set
134The codified CMMC Level 3 model total: 110 + 24

Two of those deserve a flag, because they’re where misquotes come from.

35 is not 24.The publication has 35; CMMC selected 24. A page claiming “CMMC Level 3 requires all of NIST 800-172” is wrong by eleven requirements.

134 is a CMMC number, not a NIST number.No NIST publication contains 134 requirements. It’s the sum of two documents’ selected contents, and it exists only inside the CMMC model.

The five-baseline family census

Below is the comparison we assembled from the cited primary materials: all five requirement sets, broken out by family, side by side.

The Rev. 3 columns are our own counts, taken from NIST’s machine-readable OSCAL catalogsrather than from secondary summaries. That’s why we can state a firm number where published sources disagree with each other — and why we label them as our calculation rather than as a NIST-published headline total.

Five-baseline family census: requirement counts by family across all five NIST/CMMC sets
Requirement family800-171 Rev. 2800-172 Feb 2021CMMC L3 selection800-171 Rev. 3 (active)800-172 Rev. 3 (active)
Access Control22321616
Awareness and Training32224
Audit and Accountability90084
Configuration Management933107
Identification and Authentication113287
Incident Response32254
Maintenance60031
Media Protection90074
Personnel Security22122
Physical Protection60052
Risk Assessment37738
Security Assessment and Monitoring41144
System and Communications Protection16511016
System and Information Integrity773515
Planning33
System and Services Acquisition31
Supply Chain Risk Management35
Total110352497103

Methodology:The Rev. 3 figures were counted from NIST’s official OSCAL catalogs in the usnistgov/oscal-content repository on , by counting numbered requirement identifiers within each family group and excluding those NIST marks as withdrawn. The catalogs carried version 1.1.0 (SP 800-171 Rev. 3) and 1.0.0 (SP 800-172 Rev. 3), both last modified May 12, 2026. NIST’s guidance is that where machine-readable formats and the published PDF differ, the PDF is normative — so treat these as our disclosed calculation, not as a figure NIST publishes as a headline total. The Rev. 2, February 2021, and CMMC columns come from the published documents and from Table 1 to 32 CFR 170.14(c)(4).

Four things this table shows that prose can’t

1. Four families in the February 2021 edition contain no enhanced requirements at all.Audit and Accountability, Maintenance, Media Protection, and Physical Protection are empty. If you’re reading a page that describes 800-172 as covering all 14 families uniformly, that page hasn’t opened the document.

2. Risk Assessment is where Level 3 concentrates.All seven enhanced Risk Assessment requirements were selected — the only family where DoD took everything available. That’s threat intelligence, threat hunting, advanced analytics, solution rationale, and both supply chain requirements.

3. System and Communications Protection had five enhanced requirements available. DoD took one.Contrast that with Risk Assessment’s seven-for-seven. Our interpretation: the selected distribution places heavier numerical weight on operational risk, threat intelligence, and supply-chain capability than on taking every available architectural enhancement. The distribution is a fact; the reasoning behind it is our reading, not a stated DoD rationale.

4. A lower count doesn’t mean a lighter standard.SP 800-171 Rev. 3 has 97 active requirements against Rev. 2’s 110 — while adding three entirely new families and introducing organization-defined parameters throughout. Counting requirements tells you about document architecture, not workload or cost.

For a full treatment of the Rev. 2 to Rev. 3 transition — the authority-to-revision map and what changes for civilian-agency versus DoD contracts — see our NIST 800-171 Rev 2 vs Rev 3 page.


Is CMMC Level 3 suspended — and what does that mean for 800-172?

Yes.On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II along with the pending Phase III and Phase IV milestones. During the suspension, requiring activities may designate only CMMC Level 1 (Self) or Level 2 (Self) — not Level 2 (C3PAO) and not Level 3 (DIBCAC). Because Level 3 is the only CMMC level that incorporates NIST SP 800-172, the CMMC route to 800-172 is paused. DFARS 252.204-7012 and the NIST SP 800-171 Rev. 2 baseline remain in effect.

We read both memoranda in full. Here’s what they actually direct, separated from what commentary has made of them.

Two documents, not one

This distinction matters, and most coverage collapses it:

Both were released July 13, 2026 under publication case 26-P-1023. When you see “the memo” cited generically, check which one — the policy and the instructions live in different documents.

What the implementing memorandum directs

Read that fourth bullet carefully, because it’s where contractors get into trouble: the direction runs to the government’s contracting workforce, not to you.Until the amendment or modification is actually issued in writing, your contract says what it says. Don’t self-execute a change the government hasn’t made yet.

What is not suspended

This is where careless reading gets expensive:

A consequence worth sitting with: with third-party certification paused, the government is relying on self-assessments and select government-led assessments. That doesn’t lower your risk. It relocates it. What you submit about your own posture is information provided to the government, and it can carry contractual and legal consequences if it’s inaccurate.

The mechanism: the rule is unchanged, the designation authority is paused

32 CFR Part 170 has not been amended. Level 3 still exists in the regulation. The 24 requirements are still in Table 1 to §170.14(c)(4). The eCFR change timeline still shows a single entry. Nothing was repealed.

What changed is at the acquisition layer— what a requiring activity is permitted to put into a solicitation. The regulation says one thing; the Department has instructed its own people not to invoke part of it while the program is reviewed.

That’s the difference between “Level 3 is dead” and “Level 3 cannot currently be designated.” Only one of those is accurate, and only one survives contact with the next policy memo.

What can and cannot be required of you today

CMMC requirement status as of July 18, 2026
RequirementStatus as of
CMMC Level 1 (Self) — 15 FAR safeguards for FCICan be designated
CMMC Level 2 (Self) — 110 SP 800-171 Rev. 2 requirements for CUICan be designated
CMMC Level 2 (C3PAO)Cannot be designated — existing ones to be removed by amendment or modification
CMMC Level 3 (DIBCAC)Cannot be designated — existing ones to be removed by amendment or modification
DFARS 252.204-7012 safeguarding and incident reportingIn effect, unchanged where the clause applies
NIST SP 800-171 DoD Assessment score in SPRS (DFARS 252.204-7019/-7020)In effect where those clauses apply
CMMC result and annual affirmation (32 CFR 170.22, DFARS 252.204-7021)In effect where an applicable CMMC requirement exists
Select government-led NIST SP 800-171 assessmentsContinue
SP 800-172 enhanced requirements via direct agreement termsStill possible — expressly preserved

What happens next — and the one public deadline

A CMMC Reform Task Force is conducting a top-to-bottom review and is directed to report to the Department CIO within 60 days. The memorandum establishes the review period and promises further guidance; it does not commit to a public release date for the report.

Feeding that review is a public Request for Information, Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base, with responses due at 12:00 p.m. ET on Friday, August 14, 2026.Confirm the current deadline and submission instructions on the official SAM.gov notice before you rely on it — dates on open solicitations do move.

The Department’s own stated rationale was cost and capacity: its announcement cited more than $7 billion a year in aggregate compliance cost for small and mid-sized businesses, against roughly 100 authorized C3PAOs available to assess a population north of 100,000 businesses.

If assessment bottlenecks, duplicative controls, unclear flow-down, or the cost of continuous monitoring have cost your company real money, the Task Force is explicitly chartered to synthesize industry feedback. Comment windows close. This one closes in August.


What actually changes when 800-172 requirements are added?

Selected 800-172 requirements move an environment from documented safeguarding toward threat-informed architecture and standing operational capability. What changes depends entirely on which requirements were selected and which parameters apply, which is why no generic implementation package fits every contractor.

Operational changes when 800-172 enhanced requirements are selected
Operational domainThe 800-171 baseline questionWhat enhanced requirements addEvidence that will matterProvider category that usually owns it
ArchitectureIs CUI flow controlled?Physical or logical isolation; secure transfer between security domains; authenticating systems, not just usersNetwork diagrams, configurations, test resultsCUI enclave architect, MSSP
MonitoringAre logs generated and reviewed?24/7 SOC capability; threat hunting; analytics supporting human analystsSOC records, alert handling, hunt reportsMSSP / managed SOC
Incident responseDo you have an IR capability?A team deployable within 24 hoursRosters, exercise records, response timingMSSP, incident response provider
Supply chainAre risks assessed?Assess, respond to, and monitor supply chain risk; maintain a plan, updated at least annuallySupplier inventory, risk records, the plan itselfRPO, GRC platform
IntegrityAre flaws and malicious code addressed?Root-of-trust or cryptographic signature verification for security-critical softwareTechnical validation recordsSecurity engineering provider
Specialized assetsAt Level 2, they're in the asset inventory, SSP, and network diagram with their treatment documented — but not assessed against the other Level 2 requirementsSI.L3-3.14.3e brings them into the enhanced-requirement scope, or requires segregationAsset inventory, segmentation evidenceEnclave architect, OT security specialist

Provider-category mappings are our editorial conclusions based on the requirements above, not regulatory assignments. No provider is named on this page, and no provider paid for placement here.

That last row is the one manufacturers should read twice. “Not assessed against the other requirements” is not the same as “out of scope” — and the gap between those two readings is where Level 3 scoping surprises come from.

Why published cost figures won’t answer your question

You’ll find dollar figures for CMMC Level 3 across the web. We looked at the ones in circulation and chose not to reprint them. DoD’s regulatory estimates cover contractor assessment-support and affirmation costs, under assumptions stated in the rule. They are not an estimate of what it costs to build and operate the capabilities being assessed. Reprinting either as “the cost of Level 3” would be a category error.

What we can point at is the Department’s own arithmetic: more than $7 billion a year in aggregate compliance cost for small and mid-sized businesses, and roughly 100 authorized C3PAOs for a population above 100,000 businesses. That’s the government describing its own program’s cost and capacity problem.

The four cost centers to model

Four cost centers for CMMC Level 3 implementation
Cost centerWhat drives itWhy it gets underestimatedCategory that usually owns it
24/7 monitoring capabilityThe SOC parameter — continuous coverage, remote or on-call staffing permittedPriced as a tool when it's a staffing modelMSSP / managed SOC
Incident response readinessThe 24-hour deployment parameterA written IR plan is not a deployable teamMSSP, IR retainer provider
Scope and enclave designLevel 3 scope ⊆ Level 2 scope; specialized assets in scopeScope is set early and re-litigated expensively laterCUI enclave architect, MSP
Evidence, SSP, and assessment supportDocumenting solution rationale and risk determinations; DIBCAC evidence expectationsTreated as paperwork when it's where several non-deferrable requirements liveRPO, GRC platform

Several of these can become recurring operating expense rather than project cost. Scope is the lever worth pulling first. Because Level 3 scope must be equal to or a subset of Level 2 scope, a well-drawn enclave affects implementation, monitoring, evidence, and assessment cost at the same time. Scope drawn badly in month one gets paid for every subsequent year.


Who assesses NIST 800-171 vs NIST 800-172?

NIST publishes companion assessment documents — SP 800-171A for the baseline requirements and SP 800-172A for the enhanced ones — but neither creates a certification. Under CMMC, Level 2 is assessed either by the contractor or by a C3PAO in the codified model, while Level 3 is assessed by DCMA DIBCAC, a government organization. A C3PAO cannot perform a Level 3 assessment.

NIST writes assessment procedures, not certifications

SP 800-171A and SP 800-172A tell an assessor howto determine whether a requirement is satisfied — what to examine, who to interview, what to test. They’re methodology, not a credential.

NIST does not certify contractors under SP 800-171 or SP 800-172. There’s no NIST registry of compliant companies and no NIST-issued contractor credential. If a vendor advertises being “NIST certified,” ask them to name the actual certification body, the standard, the scope, the assessment method, and the result behind the claim. Sometimes there’s a real accredited certification underneath imprecise marketing. Sometimes there isn’t.

What does exist: a CMMC status, awarded under 32 CFR Part 170 through a defined assessment process and recorded in government systems.

The companion documents have their own version split

Assessment document version split — NIST current vs. CMMC incorporated
Requirements publicationCurrent edition at NISTEdition CMMC incorporates
SP 800-171800-171A Rev. 3800-171A, June 2018
SP 800-172800-172A Rev. 3800-172A, March 2022

Download the current assessment guide from NIST and you’ll be preparing against determination statements that don’t match the ones a CMMC assessment uses. Check the edition before you build your evidence package.

Assessment routes, side by side

Assessment routes comparison — NIST publication vs. CMMC
QuestionUnder the NIST publication aloneUnder CMMC
Who assesses?Whoever the governing agreement specifiesLevel 1: self · Level 2: self or C3PAO in the codified model · Level 3: DIBCAC
What's evaluated?The applicable requirements and assessment objectivesThe incorporated requirements within your CMMC assessment scope
Is there a certification?No general NIST contractor certification existsCMMC status — a separate DoD program concept
Where is the result recorded?Depends on the agreementSPRS and the CMMC enterprise system, depending on the mechanism
Can it be self-performed?Depends on the agreementLevels 1 and 2 yes; Level 3 no
Available today?Depends on the agreementLevel 1 (Self) and Level 2 (Self) only

One consequence worth naming: because Level 3 is government-assessed, a C3PAO cannot certify you at Level 3, and any provider positioning itself that way has misunderstood the program.

Independence matters at Level 2 as well. Under the Cyber AB Code of Professional Conduct, a C3PAO organization and its assessment team may not conduct a certification assessment of an organization they served as consultants preparing for any CMMC assessment within the preceding three years. If you’re choosing a readiness partner now, that three-year window is worth knowing before you sign — it constrains who can assess you later.


What to do when a solicitation, flow-down, or questionnaire names either standard

Don’t start buying tools from a publication number.Identify the controlling authority, the exact edition named, the instrument that creates the obligation, your CUI scope, the assessment type, and — if 800-172 is involved — which specific enhanced requirements were selected. Where those conflict or are missing, get written clarification before you price anything.

Six steps, in order

  1. Identify who is imposing it.A contracting officer, a requiring activity, a prime, a customer questionnaire, your insurer, and a technology vendor don’t carry the same authority. Some create obligations. Some express a preference.
  2. Extract the exact language.Record the clause or provision number, publication title, revision, publication date, CMMC level, assessment type, effective date, flow-down language, and any list of selected requirements. If a document names “NIST 800-171” with no revision, that ambiguity is itself the finding.
  3. Confirm your information type.FCI, CUI, covered defense information, export-controlled data, or proprietary information that isn’t automatically CUI — these carry different obligations. See whether your data is CDI, CUI, or FCI.
  4. Define the boundary. Where is the information created, stored, transmitted? Who can reach it? Which security protection assets support it? Which external service providers touch it? Can the boundary be narrowed without breaking operations?
  5. Establish the current assessment status. Account for the July 2026 suspension, any amendment or modification issued or promised, your self-assessment obligations, SPRS posting, and affirmation requirements where they apply.
  6. Get it in writing. Then keep it in the contract file.

The ten questions to send your contracting officer or prime

Copy these. Each one is written to be answerable, and the right-hand column tells you what the answer actually controls.

Ten questions to send your contracting officer or prime
#Question to sendWhat the answer controls
1Which NIST publication, revision, and publication date are contractually required?Which edition you build and are scored against
2Which clause, provision, or incorporated document establishes that requirement?Whether an obligation exists at all
3Are any NIST SP 800-172 enhanced security requirements selected for this effort?Whether 800-172 reaches you
4If so, where is the complete list of selected requirements?Your actual scope — not all 35, not a vendor's guess
5Which organization-defined parameter values apply?Whether you need a 24/7 capability or an annual one
6What system boundary is expected for assessment?Your single largest cost driver
7Which CMMC level and assessment type are required?Self, C3PAO, or DIBCAC — and what's available today
8Has the July 13, 2026 suspension changed this solicitation or contract?Whether what you're reading is still operative
9Will an amendment or modification be issued, and on what timeline?When you can safely change your own plans
10What must flow down to our subcontractors, and in what form?Your exposure through your own supply chain

If a prime can’t answer questions 2, 3, and 4, you’ve learned that the requirement isn’t yet defined — which is a fact worth having before you commit budget to it.

Saying accurate things about your own posture

Getting this language right protects you, because these statements can become representations to the government.

Accurate language for describing your SP 800-172 posture
Your actual situationWhat you can accurately say
You've voluntarily implemented enhanced safeguards"We have implemented practices aligned with SP 800-172"
An agreement selects specific requirements"These selected SP 800-172 requirements apply under [the identified clause]"
CMMC Level 3 is validly designated (not currently possible)"The CMMC Level 3 requirement set applies, subject to then-current rules"
A vendor calls its product "800-172 compliant"Ask which requirements, which scope, which evidence, under which authority

The line to never cross: describing voluntary alignment as compliance, or compliance as certification.


Seven mistakes that put contractors on the wrong baseline

The expensive errors here are predictable: assuming the newest NIST edition automatically governs, treating 800-172 as a replacement for 800-171, implementing enhanced requirements with no selection basis, or letting company size drive the decision. Each produces unnecessary scope, mismatched evidence, or an inaccurate representation.

Seven contractor mistakes on NIST 800-171 and 800-172 baseline
The mistaken assumptionWhat disproves itWhat to obtain
1. “Rev. 3 is newer, so Rev. 2 doesn’t matter”Incorporation by reference freezes the cited edition until DoD amends the rule (32 CFR 170.14)The edition named in your governing clause
2. “800-172 is the next certification after 800-171”It’s a supplemental requirements publication; NIST issues no contractor certificationThe authority that creates any certification you’re told you need
3. “We should implement all 35 enhanced requirements”NIST states there’s no expectation all enhanced requirements will be selected; DoD selected 24 for Level 3The written list of selected requirements and its source
4. “We’re a small subcontractor, so 800-172 can’t apply”Applicability turns on agency selection tied to a critical program or high value asset — not sizeThe agency determination and selection instrument
5. “The prime’s questionnaire is the same as a clause”DFARS 252.204-7021 flow-downs and prime-imposed policy terms are different instruments with different answersThe subcontract clause and whether it traces to a government requirement
6. “Our product supports that control, so we’ve implemented it”Assessment evaluates configured, operating, evidenced implementation — not capabilityConfiguration evidence, operating records, and the SSP entry
7. “The July suspension deleted our contract language”The memoranda direct government contracting personnel to amend and modify; the text stands until they doThe issued amendment or modification, in writing

Mistake 7 is the one currently costing people money in both directions — companies standing down work that’s still contractually required, and companies continuing to fund readiness for a designation that can’t be made. Both are avoidable with one email to your contracting officer.


What we actually verified

You should know exactly what we checked, what we calculated, and what we couldn’t confirm. That’s the basis on which you should decide whether to trust anything above.

What we did, on :

What we did not do:

Where we’d want a second look: requirement counts drawn from machine-readable catalogs can differ from the published PDF, and NIST’s guidance is that the PDF is normativewhere they diverge. Our counts are a disclosed calculation, not a NIST headline figure. If you reproduce a different result, we want to hear about it and we’ll correct the page with a dated note.

Where dates may move:the RFI deadline is a live government submission window — confirm it on SAM.gov before relying on it.

How this page gets maintained. Suspension status and Task Force developments: monthly until resolved. NIST publication status and counts: quarterly, or immediately on any withdrawal or new revision. The amendment status of Part 170: monthly while the review is open.


NIST 800-171 vs 800-172: frequently asked questions

Regulatory answers below were verified against the sources listed at the end of this page.

Is NIST 800-172 mandatory?
Only when a federal agency selects specific enhanced requirements and conveys them in a contract, grant, or other agreement — and only when the CUI involved is associated with a critical program or high value asset. It is not mandatory by default for CUI handlers, and it is not triggered by company size or maturity.
Does NIST 800-172 replace NIST 800-171?
No. It supplements it. The enhanced requirements are designed to be applied on top of an implemented 800-171 baseline, not instead of it. If you have unresolved 800-171 gaps, 800-172 work doesn't substitute for closing them.
How many controls are in NIST 800-172?
The February 2021 edition — the one CMMC cites — contains 35 enhanced security requirements across 14 families, four of which contain none. CMMC Level 3 selects 24 of the 35. The current edition, Revision 3 (May 2026), contains 103 active enhanced requirements across 17 families under our counting method.
Is NIST 800-172 the same thing as CMMC Level 3?
No. CMMC Level 3 is a DoD program level that incorporates 24 selected requirements from SP 800-172, layered on Level 2's 110, for 134 total. SP 800-172 is a NIST publication any federal agency can draw from through ordinary contract terms, with no CMMC involvement at all.
What is the current version of NIST 800-172?
NIST SP 800-172 Revision 3, published May 2026. It superseded the February 2021 edition, which NIST withdrew on May 13, 2026.
NIST withdrew the February 2021 edition. Do I have to move to Revision 3?
Not for CMMC purposes. 32 CFR Part 170 incorporates the February 2021 edition by reference, and that remains the CMMC requirement until DoD amends the rule. A separate agency or agreement could independently require Revision 3 — but that would be its own requirement with its own authority.
Which revision of 800-171 does CMMC require — Rev. 2 or Rev. 3?
Revision 2. NIST withdrew Rev. 2 on May 14, 2024 when it published Rev. 3, but the CMMC Program Rule still incorporates Rev. 2, and DoD separately issued a class deviation holding DFARS 252.204-7012 to Rev. 2 as well.
Can I self-assess against NIST 800-172?
You can conduct an internal assessment for your own purposes at any time. But under CMMC, Level 3 is assessed by DCMA DIBCAC — not by you and not by a C3PAO. Outside CMMC, the assessment method is whatever the governing agreement specifies.
Who performs a CMMC Level 3 assessment?
DCMA DIBCAC, a government organization. That's a structural difference from Level 2, where the codified model allows either a self-assessment or a C3PAO certification. Level 3 designations are currently suspended.
Can any Level 3 requirements go on a POA&M?
Seventeen of the 24 can. Seven cannot, under 32 CFR 170.21(a)(3)(ii): the 24/7 SOC, the 24-hour deployable response team, threat-informed risk assessment, documented security solution rationale, both supply chain requirements, and specialized asset security. A Conditional Level 3 status requires at least 20 of 24 points with none of those seven deferred, closed out within 180 days.
Does NIST 800-172 flow down to subcontractors?
It can, two different ways. A government requirement can flow down through the subcontract — DFARS 252.204-7021 requires the substance of the CMMC clause to flow into covered subcontracts at the appropriate level. Separately, a prime can impose its own additional security terms, which bind you once executed but are not themselves a CMMC requirement. Ask which one you're looking at.
Has CMMC Level 3 been cancelled?
No. Level 3 remains in 32 CFR Part 170 and the rule has not been amended. What changed on July 13, 2026 is that requiring activities may not currently designate Level 3 (DIBCAC) or Level 2 (C3PAO) while a 60-day reform review runs. Suspension of designation authority is not repeal of the regulation.
What is a “critical program” or “high value asset”?
Both are federal government determinations. A high value asset is broadly a system or dataset whose loss would cause serious harm to agency mission or national security; a critical program is one the agency has designated as warranting protection beyond the baseline. NIST doesn't define which specific programs qualify — the agency decides, and the determination reaches you through your agreement.
Do I need a 24/7 SOC for NIST 800-172?
Only if IR.L3-3.6.1e is among the requirements selected for you. It's one of the 24 CMMC Level 3 selected, and DoD assigned it a 24/7 parameter with remote or on-call staffing permitted. It's also one of the seven that can't be deferred to a POA&M. If enhanced requirements haven't been selected for your contract, this isn't your obligation.
Does the CMMC suspension mean I can stop my NIST 800-171 work?
No, and this is the most consequential misreading in circulation. DFARS 252.204-7012 and the NIST SP 800-171 Rev. 2 baseline remain in effect, enforced through self-assessments and select government-led assessments. Third-party certification is paused; the underlying requirement is not.
Why does the CMMC rule say “Department of Defense” when the announcements say “Department of War”?
32 CFR Part 170 was published in October 2024 and uses “Department of Defense (DoD)” throughout, because that was the department’s name at the time. The department is now styled the Department of War. The rule text is unchanged; only the name in current announcements differs.

The bottom line

NIST SP 800-171 is the CUI protection baseline. NIST SP 800-172 adds enhanced requirements for a more capable adversary, and it reaches you only when a federal agency selects specific requirements and conveys them in an agreement. Neither the newest publication date nor your company’s size settles which one governs your work.

For CMMC purposes, the model still points to NIST SP 800-171 Revision 2 and the February 2021 edition of SP 800-172 — both of which NIST has withdrawn, and neither of which stopped being the requirement when it happened. That’s incorporation by reference doing exactly what it’s designed to do. And the July 2026 suspension changed which assessment requirements can currently be designated — not the obligation to protect CUI, not DFARS 252.204-7012, and not the 110 requirements you’re still scored against.

So here’s the honest next step. Pull your governing agreement and its incorporated attachments, flow-downs, and modifications, and search them for NIST SP 800-172, enhanced security requirements, and identifiers ending in a lowercase “e.” That’s an afternoon of work and it costs nothing. Treat an empty result as a strong screening answer rather than a final legal conclusion — but a strong screening answer is enough to stop you buying a scope nobody assigned you.

And if it comes back with something, you now know exactly which questions to ask, which sources to cite, and which category of help you’re actually shopping for.


Primary sources

Every regulatory claim on this page traces to one of these.


Disclosures and limitations

This is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) and, where contract interpretation is material, a qualified federal-contracts attorney.

Independence. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

Commercial disclosure. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. No provider is named or recommended on this page. The CMMC Path Framework routes to a category— an RPO, an MSSP, a GRC platform, a CUI enclave — never to a ranked or endorsed vendor.

Corrections. If you find an error, tell us. We date our corrections and note what changed and why.

Last reviewed July 2026 · Last verified · By The Defense Compliance Report Editorial Team