CMMC Standards & NIST Requirements
NIST 800-171 vs 800-172: What’s the Difference, and Which One Applies to You?
NIST SP 800-171 is the baseline. NIST SP 800-172 is a supplement — and applicability comes from your governing agreement, not from your company size. SP 800-171 provides the baseline security requirements for the components of a nonfederal system that process, store, or transmit CUI, or that protect those components, when a contract, subcontract, grant, or other agreement requires them. SP 800-172 is a set of enhancedrequirements a federal agency selects from — and only when the CUI is tied to a critical program or high value asset, and only when the agency conveys those requirements in an agreement. The February 2021 edition, the one CMMC uses, contains 35 of them. You do not grow into 800-172. You get assigned it.
That’s the clean answer. Here’s the part almost nobody has caught up to: NIST withdrew the exact edition of SP 800-172 that CMMC requires on May 13, 2026— and the requirement didn’t change. Meanwhile, the only CMMC pathway that makes 800-172 binding was suspended on July 13, 2026. Both things are true at once, and neither means what most pages currently say it means. We’ll put the regulation and the standard side by side so you can see exactly why.
The 30-second verdict
| The question you’re actually asking | NIST SP 800-171 | NIST SP 800-172 |
|---|---|---|
| What is it? | Baseline security requirements for protecting CUI in nonfederal systems | Enhanced requirements that supplement 800-171 |
| What threat is it built for? | Foundational protection of CUI confidentiality | The advanced persistent threat (APT) — a well-resourced adversary, often a nation-state |
| Does it replace the other? | No. It's the foundation. | No. It stacks on top. |
| When does it apply to you? | A governing contract, subcontract, grant, agreement, or agency direction requires it for systems handling CUI | An agency selects specific requirements, ties them to a critical program or high value asset, and conveys them in an agreement |
| Can you adopt it voluntarily? | Yes — but voluntary adoption doesn't create or remove a contractual obligation | Yes — but you cannot create a CMMC obligation or CMMC status by electing it yourself |
| Edition CMMC requires | Revision 2 (Feb 2020, updates through Jan 28, 2021) | The February 2021 edition |
| Current edition at NIST | Revision 3 (May 2024) | Revision 3 (May 2026) |
| Requirement count, CMMC-cited edition | 110, across 14 families | 35 total; DoD selected 24 for CMMC Level 3 |
| Where it lives in CMMC | Level 2 (Level 1 uses a separate FAR set) | Level 3 only |
| Who assesses it under CMMC | Codified model: self-assessment or a C3PAO. Current rule: Level 2 (Self) only | DCMA DIBCAC — the government, never a C3PAO |
| Status as of July 18, 2026 | Active. Level 1 (Self) and Level 2 (Self) can still be required | Level 3 designation suspended since July 13, 2026 |
Should you keep reading?
Read on if:a clause, statement of work, or prime’s questionnaire mentioned 800-172 or “enhanced security requirements”; you saw an identifier ending in a lowercase “e” (like SI.L3-3.14.3e) and want to know what it is; a vendor pitched you a Level 3 readiness program; or you’re trying to work out whether NIST publishing Revision 3 broke your System Security Plan.
You can stop here if: nothing in your governing contract or its incorporated documents names 800-172, enhanced security requirements, or CMMC Level 3. In that case 800-172 is not a current obligation for you, and the rest of this page is background rather than a to-do list. Your time is better spent on the 110 requirements CMMC Level 2 is scored against. We’d rather send you to the right page than keep you on this one.
What is the difference between NIST 800-171 and NIST 800-172?
NIST SP 800-171 establishes the baseline security requirements for protecting Controlled Unclassified Information in nonfederal systems. NIST SP 800-172 provides enhanced requirements that supplement that baseline, aimed at the advanced persistent threat. It is a supplement, not a successor — NIST’s design assumption is that the 800-171 requirements are already in place before any enhanced requirement is applied.
The difference people usually reach for is difficulty. That’s the wrong axis, and it leads to expensive mistakes.
The real difference is what triggers each one. SP 800-171 follows the data: when CUI lands in a system covered by an agreement that requires safeguarding, the baseline follows it in. SP 800-172 follows a decision: a federal agency has to look at a specific program, determine it warrants more than the baseline, select which enhanced requirements apply, and convey them in an agreement. No selection, no 800-172. (NIST SP 800-172 Rev. 3)
The one-sentence version
800-171 asks whether you’re protecting CUI. 800-172 asks whether selected penetration-resistant, damage-limiting, and cyber-resiliency capabilities are needed to protect critical-program or high-value-asset CUI against an adversary who is well-resourced, patient, and specifically interested in you.
What 800-172 actually adds
The enhanced requirements organize around three protection strategies:
- Penetration-resistant architecture— making initial access and lateral movement genuinely hard: isolation, secure transfer between security domains, authenticating systems and not just people, restricting what hardware can connect at all.
- Damage-limiting operations— assuming compromise and shortening the adversary’s dwell time: continuous monitoring, threat hunting, a response capability that can actually deploy.
- Cyber resiliency and survivability— continuing the mission through a compromise: integrity verification, trusted sources, and dealing with the equipment that normally gets waved through.
Many of these require standing technical or operational capability. Others require training, risk analysis, documentation, supply-chain process, or governance. The mix matters, because it determines whether a given requirement is a project or a payroll line — and that’s the distinction that should shape your budget before anyone quotes you a price.
“800-172 is the advanced version of 800-171” is a costly mental model
Nearly every explainer currently ranking for this term frames 800-172 as a higher tier you graduate into as you handle more sensitive work. That framing is wrong, and it’s wrong in a direction that costs money — it implies you should be preparing for 800-172 as a natural maturity step.
NIST is explicit that enhanced requirements apply when selected and required by a federal agency, and states plainly that “there is no expectation that all of the enhanced security requirements will be selected.” Not “most organizations will phase in.” Not “all of them eventually.” Selection is the mechanism, and partial selection is the expectation. (NIST SP 800-172 Rev. 3)
Practically: any claim of “800-172 compliance” is incomplete unless it names the edition, the selected requirement set, the system scope, the assessment method, and the governing authority.You can voluntarily implement a defined set of enhanced safeguards — that’s legitimate, and sometimes smart. What doesn’t exist is a general, scope-free state of being 800-172 compliant.
One naming point that will save you an argument
The February 2021 publication is officially NIST SP 800-172— full stop, no revision number. It is not “Revision 1” and it is not “Revision 2,” though you’ll find both errors in circulation, including on pages currently ranking for this search. The first numbered revision of this document is Revision 3, published May 2026.
This matters because 32 CFR Part 170 cites the February 2021 edition by date. If you go looking for “800-172 Rev. 2” to satisfy a CMMC requirement, you won’t find it, because it doesn’t exist.
Does NIST 800-172 apply to my company?
NIST SP 800-172 is not mandatory by default for defense contractors, and applicability has nothing to do with company size or security maturity. It applies when a federal agency determines that CUI is associated with a critical program or high value asset and selects specific enhanced requirements in a contract, grant, or other agreement. If no governing document — including incorporated attachments, flow-downs, and modifications — selects enhanced requirements or establishes an applicable Level 3 requirement, it is not a current obligation for you.
The three conditions — all three, not any one
For SP 800-172 to reach you, every one of these has to be true:
- The system processes, stores, or transmits CUI— or provides security protection for components that do; and
- A federal agency has determined that the CUI is associated with a critical program or high value asset; and
- That agency has selected specific enhanced requirements and conveyed them in a contract, grant, or other agreement.
Miss any one and 800-172 doesn’t apply. Note what is not on that list: your headcount, your revenue, your industry, your NAICS code, how sensitive you personally believe your work to be, or how many gaps a vendor found in your environment.
What this page can’t tell you
Here’s our limitation, stated plainly: we can’t tell you whether 800-172 applies to your company. And neither can any consultant, platform, assessor, or AI tool that hasn’t read your contract.800-172 isn’t a standard you qualify for on the merits. It’s a set of requirements a federal agency selects and conveys in an agreement. If your governing documents don’t select them, no maturity model, gap assessment, or vendor scorecard can make them apply — and none can make them go away if they do.
Now here’s why that limitation is working in your favor.
It means the single most valuable thing you can do this week costs nothing: pull your governing agreement and its incorporated documents and read them. And it hands you a clean disqualifying test for anyone selling to you.
The three questions that separate a real advisor from a scope you don’t need:
- “Which clause, provision, or incorporated document creates this obligation for us?” A real answer cites a document you can open. A vague answer about industry direction is a sales position, not a requirement.
- “Which specific enhanced requirements were selected, and under what authority?” If the answer is all 35, ask for the selection instrument and the rationale. NIST says there’s no expectation that all enhanced requirements will be selected — that isn’t a prohibition on an agency selecting all of them, but it does mean the claim needs a source.
- “Is this a government requirement or your own recommendation?” Both can be legitimate. Only one is mandatory. You’re entitled to know which you’re being billed for.
Anyone quoting you an 800-172 program before reading your clause is pricing a scope they haven’t verified. Asking costs you one email.
The four routes 800-172 can actually reach you
This is the applicability answer the rest of the search results are missing. Three of these are real ways an obligation can reach you. The fourth is a theory that keeps getting sold.
| Route | What it looks like in practice | Live today? | Governing authority |
|---|---|---|---|
| CMMC Level 3 (DIBCAC) | Level 3 named in your solicitation or contract; the 24 selected requirements; government-conducted assessment | No — designation suspended. Requiring activities may not designate Level 3 (DIBCAC) or Level 2 (C3PAO). Existing requirements are to be removed by amendment or modification, but the text stands until that written action issues | 32 CFR 170.14, §170.18; DoW implementing memorandum, Attachment 1 |
| Direct contract, grant, or agreement terms | A federal agency selects enhanced requirements and conveys them directly — with or without CMMC involved | Yes. The suspension expressly preserves the ability of requiring activities to impose additional cybersecurity protections consistent with law and regulation | NIST SP 800-172 Rev. 3; DoW CIO memorandum |
| Flow-down through a subcontract | Either a government requirement properly flowed down, ora prime’s own additional security term | Yes — but which one matters. DFARS 252.204-7021 requires the substance of the CMMC clause to flow into covered subcontracts. A prime-imposed term that isn’t a CMMC requirement is still contractually binding once executed | DFARS 252.204-7021; 32 CFR 170.23; your subcontract |
| A “maturity tier” you grow into | — | No. This route doesn’t exist. Enhanced requirements apply only when selected and required | NIST SP 800-172 Rev. 3 |
That third row is where most confusion in the current market lives, and it splits two ways that people constantly merge. A properly flowed-down CMMC requirement is part of the CMMC mechanism. A prime layering on its own security terms is a negotiation between two companies. Both can bind you. They have very different answers right now, and you should know which one you’re looking at.
“Our prime says enhanced requirements are coming”
Take it seriously, then get specific. A prime may be flowing down a genuine government requirement, anticipating one, or applying its own supply-chain security policy. All three produce the same email. Only the first is a regulatory obligation.
Ask for the clause. Ask whether it flows from a government requirement or from prime policy. If it’s prime policy rather than a flowed-down requirement, it may be negotiable beforeyou accept or modify — but once it’s in an executed subcontract it binds you until it’s changed. That timing is the whole leverage window. Don’t budget a program off an email, and don’t sign one either.
What “critical program” and “high value asset” actually mean
Both are federal government determinations, not self-assessments. A high value asset is, broadly, an information system or dataset whose loss would cause serious harm to agency mission or national security. A critical program is one the agency has identified as warranting protection beyond the baseline.
Notice what NIST does notdo: define which specific programs qualify. That determination belongs to the agency, and it arrives through your agreement. You can’t reason your way into the answer from the outside, and neither can a vendor. (For the separate question of whether your data is FCI, CUI, or CDI in the first place, see whether your data is CDI, CUI, or FCI.)
Which version of NIST 800-171 and 800-172 applies right now?
CMMC still requires NIST SP 800-171 Revision 2 and the February 2021 edition of NIST SP 800-172 — even though NIST has withdrawn both. The CMMC Program Rule incorporates those specific editions by reference, which freezes them in place until DoD amends the rule. Publishing a new revision is something NIST does; changing a legal requirement takes rulemaking. The two are not the same event.
This is the section we built this page for, because it’s the question nobody currently ranking answers — and getting it wrong sends contractors into remediation projects they don’t owe.
Our publication currency audit
On , we checked each NIST publication that supplies CMMC’s Level 2 and Level 3 requirements and assessment procedures, one at a time, against the NIST Computer Security Resource Center. Here’s the result.
What CMMC requires vs. what NIST currently publishes — verified
| Publication | Where the rule uses it | Status at NIST today | Superseded by |
|---|---|---|---|
| NIST SP 800-171 Rev. 2 (Feb 2020, updates through Jan 28, 2021) | §170.14(a)(2), (c)(3) — the 110 Level 2 requirements | Withdrawn May 14, 2024 | SP 800-171 Rev. 3 (May 2024) |
| NIST SP 800-171A (June 2018) | §170.14(d) — Level 2 assessment procedures | Superseded | SP 800-171A Rev. 3 (May 2024) |
| NIST SP 800-172 (Feb 2021) | §170.14(a)(3), (c)(4) — the 24 Level 3 requirements | Withdrawn May 13, 2026 | SP 800-172 Rev. 3 (May 2026) |
| NIST SP 800-172A (March 2022) | §170.14(d), §170.18 — Level 3 assessment procedures | Superseded May 13, 2026 | SP 800-172A Rev. 3 (May 2026) |
Read that column again. All four.Every NIST publication that supplies CMMC’s Level 2 and Level 3 requirements and assessment procedures has been withdrawn or superseded in NIST’s library — and not one of those events changed a single thing about what the rule requires you to do.
That’s not a loophole, a gotcha, or an oversight. It’s how the mechanism is designed to work.
Why a withdrawn publication is still the legal requirement
The concept is incorporation by reference. When a regulation incorporates an outside document, it doesn’t say “follow whatever NIST publishes.” It names a specific edition, by revision and date, and that named edition becomes part of the regulation. From that moment the standard is frozen inside the rule. NIST can revise, withdraw, or retire the underlying publication; the regulation keeps pointing at the edition it named until the agency completes rulemaking to point somewhere else. The CMMC final rule states this directly — the incorporation by reference of the material listed in the rule was approved by the Director of the Federal Register as of December 16, 2024. (89 FR 83092)
So there are two entirely separate clocks running:
- NIST’s clock moves whenever NIST publishes. It moved in May 2024 (800-171 Rev. 3) and again in May 2026 (800-172 Rev. 3).
- The regulation’s clockmoves only when DoD amends 32 CFR Part 170. As of our verification, the eCFR change timeline for the relevant sections still shows a single entry — December 16, 2024, the rule’s effective date.
Once you see those as two clocks, every contradictory answer you’ve gotten on this topic resolves. The consultant saying “Rev. 2” and the NIST website saying “Rev. 3” are both correct. They’re answering different questions.
Practical translation:if your CMMC Level 2 self-assessment is scored against 110 requirements from SP 800-171 Rev. 2, that’s still true today. If your System Security Plan cites the withdrawn edition that your governing requirement actually uses, withdrawal alone doesn’t make that citation wrong.
What actually changed in SP 800-172 Rev. 3
Revision 3 is a substantial rewrite:
- 17 families, up from 14 in the February 2021 edition. Planning, System and Services Acquisition, and Supply Chain Risk Management were added, matching the structure of SP 800-171 Rev. 3.
- 103 active enhanced requirementsunder our counting method (115 numbered identifiers, 12 of them withdrawn) — up from 35.
- A new identifier format. Requirements now read like
03.01.01einstead of3.1.1e. If you’re diffing documents, this alone will make them look unrelated. - The four previously empty families are now populated. In the February 2021 edition, Audit and Accountability, Maintenance, Media Protection, and Physical Protection contained no enhanced requirements at all. In Revision 3, all four do.
Worth stating plainly, because someone will otherwise sell you the opposite: publication of Revision 3 does not by itself create a CMMC obligation. CMMC remains tied to the incorporated editions. A separate agency, contract, or agreement can independently require Revision 3 — but that would be a distinct requirement with its own authority, not an automatic consequence of NIST publishing.
If you built to 800-172 between 2022 and 2024
Your work is very likely still relevant, because CMMC is pinned to the February 2021 edition. But don’t treat “we implemented 800-172” as equivalent to “we’re assessment-ready.” Before you rely on it, verify three things: that you covered the specific 24 requirements CMMC selected rather than a different subset, that you met the DoD-assigned parameters rather than your own, and that your scope and evidence would hold up to examination.
Don’t renumber your SSP for Revision 3, and don’t start a Revision 3 gap project on your own initiative. What is worth doing is noting which of your controls would shift if DoD later adopts Revision 3, so a future rulemaking becomes a mapping task rather than a discovery project.
The same thing is happening to DFARS 252.204-7012
Worth one paragraph, because it’s the same mechanic in a different instrument. DFARS 252.204-7012 — the safeguarding and cyber incident reporting clause that predates CMMC and survives it — as codified points to the version of NIST SP 800-171 in effect at the time the solicitation is issued. Read literally after May 2024, that would have pulled contractors onto Revision 3. DoD issued a class deviation directing the use of Revision 2 instead. Same phenomenon: the written instrument pointed forward, and the agency had to act deliberately to hold the line at the edition everyone was actually building to.
How do NIST 800-171 and 800-172 map to CMMC levels?
CMMC Level 1 uses 15 basic safeguarding requirements drawn from the FAR, not from NIST SP 800-171. CMMC Level 2 uses the 110 requirements of NIST SP 800-171 Revision 2. CMMC Level 3 adds 24 requirements selected from the February 2021 edition of NIST SP 800-172, for a codified model total of 134. Level 3 is the only CMMC level that touches SP 800-172 at all.
| CMMC level | Security requirements come from | How many | Assessment type in the codified model |
|---|---|---|---|
| Level 1 | 48 CFR 52.204-21(b)(1)(i)–(xv) — basic safeguarding for FCI | 15 | Self-assessment, annual |
| Level 2 | NIST SP 800-171 Rev. 2 | 110 | Self-assessment or C3PAO certification, triennial |
| Level 3 | Level 2’s 110 plus 24 selected from NIST SP 800-172 (Feb 2021) | 134 | DCMA DIBCAC certification, triennial |
How many requirements are in NIST 800-171 and 800-172?
The answer depends on which edition you mean and whether you’re asking about a full NIST publication or CMMC’s selected subset. The February 2021 edition of SP 800-172 contains 35 enhanced security requirements across 14 families; CMMC Level 3 uses 24 of them. NIST SP 800-171 Rev. 2 contains 110 requirements across 14 families. The current Rev. 3 editions contain 97 and 103 active requirements respectively, across 17 families each, under the counting method described below.
If you’ve been getting different numbers from different sources, you weren’t being misled. You were getting correct answers to questions you didn’t ask.
Why 15, 24, 35, 97, 103, 110, and 134 can all be right
| Number | What it actually counts |
|---|---|
| 15 | CMMC Level 1 basic safeguarding requirements, from 48 CFR 52.204-21(b)(1)(i)–(xv) — FAR-derived, not NIST |
| 24 | Enhanced requirements DoD selected from SP 800-172 (Feb 2021) for the CMMC Level 3 model |
| 35 | Total enhanced requirements in the complete February 2021 edition of SP 800-172 |
| 97 | Active requirements in SP 800-171 Rev. 3 (130 numbered identifiers, 33 withdrawn) — our count |
| 103 | Active enhanced requirements in SP 800-172 Rev. 3 (115 numbered identifiers, 12 withdrawn) — our count |
| 110 | Requirements in SP 800-171 Rev. 2 — and the CMMC Level 2 requirement set |
| 134 | The codified CMMC Level 3 model total: 110 + 24 |
Two of those deserve a flag, because they’re where misquotes come from.
35 is not 24.The publication has 35; CMMC selected 24. A page claiming “CMMC Level 3 requires all of NIST 800-172” is wrong by eleven requirements.
134 is a CMMC number, not a NIST number.No NIST publication contains 134 requirements. It’s the sum of two documents’ selected contents, and it exists only inside the CMMC model.
The five-baseline family census
Below is the comparison we assembled from the cited primary materials: all five requirement sets, broken out by family, side by side.
| Requirement family | 800-171 Rev. 2 | 800-172 Feb 2021 | CMMC L3 selection | 800-171 Rev. 3 (active) | 800-172 Rev. 3 (active) |
|---|---|---|---|---|---|
| Access Control | 22 | 3 | 2 | 16 | 16 |
| Awareness and Training | 3 | 2 | 2 | 2 | 4 |
| Audit and Accountability | 9 | 0 | 0 | 8 | 4 |
| Configuration Management | 9 | 3 | 3 | 10 | 7 |
| Identification and Authentication | 11 | 3 | 2 | 8 | 7 |
| Incident Response | 3 | 2 | 2 | 5 | 4 |
| Maintenance | 6 | 0 | 0 | 3 | 1 |
| Media Protection | 9 | 0 | 0 | 7 | 4 |
| Personnel Security | 2 | 2 | 1 | 2 | 2 |
| Physical Protection | 6 | 0 | 0 | 5 | 2 |
| Risk Assessment | 3 | 7 | 7 | 3 | 8 |
| Security Assessment and Monitoring | 4 | 1 | 1 | 4 | 4 |
| System and Communications Protection | 16 | 5 | 1 | 10 | 16 |
| System and Information Integrity | 7 | 7 | 3 | 5 | 15 |
| Planning | — | — | — | 3 | 3 |
| System and Services Acquisition | — | — | — | 3 | 1 |
| Supply Chain Risk Management | — | — | — | 3 | 5 |
| Total | 110 | 35 | 24 | 97 | 103 |
Four things this table shows that prose can’t
1. Four families in the February 2021 edition contain no enhanced requirements at all.Audit and Accountability, Maintenance, Media Protection, and Physical Protection are empty. If you’re reading a page that describes 800-172 as covering all 14 families uniformly, that page hasn’t opened the document.
2. Risk Assessment is where Level 3 concentrates.All seven enhanced Risk Assessment requirements were selected — the only family where DoD took everything available. That’s threat intelligence, threat hunting, advanced analytics, solution rationale, and both supply chain requirements.
3. System and Communications Protection had five enhanced requirements available. DoD took one.Contrast that with Risk Assessment’s seven-for-seven. Our interpretation: the selected distribution places heavier numerical weight on operational risk, threat intelligence, and supply-chain capability than on taking every available architectural enhancement. The distribution is a fact; the reasoning behind it is our reading, not a stated DoD rationale.
4. A lower count doesn’t mean a lighter standard.SP 800-171 Rev. 3 has 97 active requirements against Rev. 2’s 110 — while adding three entirely new families and introducing organization-defined parameters throughout. Counting requirements tells you about document architecture, not workload or cost.
Is CMMC Level 3 suspended — and what does that mean for 800-172?
Yes.On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II along with the pending Phase III and Phase IV milestones. During the suspension, requiring activities may designate only CMMC Level 1 (Self) or Level 2 (Self) — not Level 2 (C3PAO) and not Level 3 (DIBCAC). Because Level 3 is the only CMMC level that incorporates NIST SP 800-172, the CMMC route to 800-172 is paused. DFARS 252.204-7012 and the NIST SP 800-171 Rev. 2 baseline remain in effect.
We read both memoranda in full. Here’s what they actually direct, separated from what commentary has made of them.
Two documents, not one
This distinction matters, and most coverage collapses it:
- The CIO Memorandum, signed by Department of War Chief Information Officer Kirsten A. Davies, is the policy decision. It suspends the Phase II transition and pending milestones, establishes the 60-day CMMC Reform Task Force, and defines the interim posture: enforcement of NIST SP 800-171 Rev. 2 through self-assessments and select government-led assessments. It states that DFARS 252.204-7012 remains in effect. (CIO memorandum)
- The Acquisition and Sustainment Memorandum, signed by Under Secretary of War for Acquisition and Sustainment Michael P. Duffey, is the implementation order to the contracting workforce. Its Attachment 1 is what restricts designations, directs amendments and modifications, and suspends waivers. (Implementing memorandum)
Both were released July 13, 2026 under publication case 26-P-1023. When you see “the memo” cited generically, check which one — the policy and the instructions live in different documents.
What the implementing memorandum directs
- Requiring activities may designate only Level 1 (Self) or Level 2 (Self).
- They may not designate Level 2 (C3PAO) or Level 3 (DIBCAC).
- Active solicitations carrying those requirements are to be amended to remove them as soon as practicable.
- Existing contracts are to be modified— before the next option exercise, or at the next scheduled administrative modification.
- No waivers are issued during the review period.
Read that fourth bullet carefully, because it’s where contractors get into trouble: the direction runs to the government’s contracting workforce, not to you.Until the amendment or modification is actually issued in writing, your contract says what it says. Don’t self-execute a change the government hasn’t made yet.
What is not suspended
This is where careless reading gets expensive:
- DFARS 252.204-7012 is untouched. Safeguarding and 72-hour cyber incident reporting obligations continue exactly as before.
- NIST SP 800-171 Rev. 2 remains the enforced standard for CUI, through Level 2 self-assessment and select government-led assessments.
- Reporting obligations continue where they apply. Two distinct mechanisms: your NIST SP 800-171 DoD Assessment summary score posted in SPRS under DFARS 252.204-7019 and -7020, and your CMMC assessment result and annual affirmation under 32 CFR 170.22 and DFARS 252.204-7021 where an applicable CMMC requirement exists. One submission does not satisfy the other.
- The underlying duty to protect CUI hasn’t moved an inch.
- Enhanced requirements can still reach you outside CMMC. Requiring activities may still impose additional cybersecurity protections consistent with law and regulation.
A consequence worth sitting with: with third-party certification paused, the government is relying on self-assessments and select government-led assessments. That doesn’t lower your risk. It relocates it. What you submit about your own posture is information provided to the government, and it can carry contractual and legal consequences if it’s inaccurate.
The mechanism: the rule is unchanged, the designation authority is paused
32 CFR Part 170 has not been amended. Level 3 still exists in the regulation. The 24 requirements are still in Table 1 to §170.14(c)(4). The eCFR change timeline still shows a single entry. Nothing was repealed.
What changed is at the acquisition layer— what a requiring activity is permitted to put into a solicitation. The regulation says one thing; the Department has instructed its own people not to invoke part of it while the program is reviewed.
That’s the difference between “Level 3 is dead” and “Level 3 cannot currently be designated.” Only one of those is accurate, and only one survives contact with the next policy memo.
What can and cannot be required of you today
| Requirement | Status as of |
|---|---|
| CMMC Level 1 (Self) — 15 FAR safeguards for FCI | Can be designated |
| CMMC Level 2 (Self) — 110 SP 800-171 Rev. 2 requirements for CUI | Can be designated |
| CMMC Level 2 (C3PAO) | Cannot be designated — existing ones to be removed by amendment or modification |
| CMMC Level 3 (DIBCAC) | Cannot be designated — existing ones to be removed by amendment or modification |
| DFARS 252.204-7012 safeguarding and incident reporting | In effect, unchanged where the clause applies |
| NIST SP 800-171 DoD Assessment score in SPRS (DFARS 252.204-7019/-7020) | In effect where those clauses apply |
| CMMC result and annual affirmation (32 CFR 170.22, DFARS 252.204-7021) | In effect where an applicable CMMC requirement exists |
| Select government-led NIST SP 800-171 assessments | Continue |
| SP 800-172 enhanced requirements via direct agreement terms | Still possible — expressly preserved |
What happens next — and the one public deadline
A CMMC Reform Task Force is conducting a top-to-bottom review and is directed to report to the Department CIO within 60 days. The memorandum establishes the review period and promises further guidance; it does not commit to a public release date for the report.
Feeding that review is a public Request for Information, Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base, with responses due at 12:00 p.m. ET on Friday, August 14, 2026.Confirm the current deadline and submission instructions on the official SAM.gov notice before you rely on it — dates on open solicitations do move.
The Department’s own stated rationale was cost and capacity: its announcement cited more than $7 billion a year in aggregate compliance cost for small and mid-sized businesses, against roughly 100 authorized C3PAOs available to assess a population north of 100,000 businesses.
If assessment bottlenecks, duplicative controls, unclear flow-down, or the cost of continuous monitoring have cost your company real money, the Task Force is explicitly chartered to synthesize industry feedback. Comment windows close. This one closes in August.
What actually changes when 800-172 requirements are added?
Selected 800-172 requirements move an environment from documented safeguarding toward threat-informed architecture and standing operational capability. What changes depends entirely on which requirements were selected and which parameters apply, which is why no generic implementation package fits every contractor.
| Operational domain | The 800-171 baseline question | What enhanced requirements add | Evidence that will matter | Provider category that usually owns it |
|---|---|---|---|---|
| Architecture | Is CUI flow controlled? | Physical or logical isolation; secure transfer between security domains; authenticating systems, not just users | Network diagrams, configurations, test results | CUI enclave architect, MSSP |
| Monitoring | Are logs generated and reviewed? | 24/7 SOC capability; threat hunting; analytics supporting human analysts | SOC records, alert handling, hunt reports | MSSP / managed SOC |
| Incident response | Do you have an IR capability? | A team deployable within 24 hours | Rosters, exercise records, response timing | MSSP, incident response provider |
| Supply chain | Are risks assessed? | Assess, respond to, and monitor supply chain risk; maintain a plan, updated at least annually | Supplier inventory, risk records, the plan itself | RPO, GRC platform |
| Integrity | Are flaws and malicious code addressed? | Root-of-trust or cryptographic signature verification for security-critical software | Technical validation records | Security engineering provider |
| Specialized assets | At Level 2, they're in the asset inventory, SSP, and network diagram with their treatment documented — but not assessed against the other Level 2 requirements | SI.L3-3.14.3e brings them into the enhanced-requirement scope, or requires segregation | Asset inventory, segmentation evidence | Enclave architect, OT security specialist |
That last row is the one manufacturers should read twice. “Not assessed against the other requirements” is not the same as “out of scope” — and the gap between those two readings is where Level 3 scoping surprises come from.
Why published cost figures won’t answer your question
You’ll find dollar figures for CMMC Level 3 across the web. We looked at the ones in circulation and chose not to reprint them. DoD’s regulatory estimates cover contractor assessment-support and affirmation costs, under assumptions stated in the rule. They are not an estimate of what it costs to build and operate the capabilities being assessed. Reprinting either as “the cost of Level 3” would be a category error.
What we can point at is the Department’s own arithmetic: more than $7 billion a year in aggregate compliance cost for small and mid-sized businesses, and roughly 100 authorized C3PAOs for a population above 100,000 businesses. That’s the government describing its own program’s cost and capacity problem.
The four cost centers to model
| Cost center | What drives it | Why it gets underestimated | Category that usually owns it |
|---|---|---|---|
| 24/7 monitoring capability | The SOC parameter — continuous coverage, remote or on-call staffing permitted | Priced as a tool when it's a staffing model | MSSP / managed SOC |
| Incident response readiness | The 24-hour deployment parameter | A written IR plan is not a deployable team | MSSP, IR retainer provider |
| Scope and enclave design | Level 3 scope ⊆ Level 2 scope; specialized assets in scope | Scope is set early and re-litigated expensively later | CUI enclave architect, MSP |
| Evidence, SSP, and assessment support | Documenting solution rationale and risk determinations; DIBCAC evidence expectations | Treated as paperwork when it's where several non-deferrable requirements live | RPO, GRC platform |
Several of these can become recurring operating expense rather than project cost. Scope is the lever worth pulling first. Because Level 3 scope must be equal to or a subset of Level 2 scope, a well-drawn enclave affects implementation, monitoring, evidence, and assessment cost at the same time. Scope drawn badly in month one gets paid for every subsequent year.
Who assesses NIST 800-171 vs NIST 800-172?
NIST publishes companion assessment documents — SP 800-171A for the baseline requirements and SP 800-172A for the enhanced ones — but neither creates a certification. Under CMMC, Level 2 is assessed either by the contractor or by a C3PAO in the codified model, while Level 3 is assessed by DCMA DIBCAC, a government organization. A C3PAO cannot perform a Level 3 assessment.
NIST writes assessment procedures, not certifications
SP 800-171A and SP 800-172A tell an assessor howto determine whether a requirement is satisfied — what to examine, who to interview, what to test. They’re methodology, not a credential.
NIST does not certify contractors under SP 800-171 or SP 800-172. There’s no NIST registry of compliant companies and no NIST-issued contractor credential. If a vendor advertises being “NIST certified,” ask them to name the actual certification body, the standard, the scope, the assessment method, and the result behind the claim. Sometimes there’s a real accredited certification underneath imprecise marketing. Sometimes there isn’t.
What does exist: a CMMC status, awarded under 32 CFR Part 170 through a defined assessment process and recorded in government systems.
The companion documents have their own version split
| Requirements publication | Current edition at NIST | Edition CMMC incorporates |
|---|---|---|
| SP 800-171 | 800-171A Rev. 3 | 800-171A, June 2018 |
| SP 800-172 | 800-172A Rev. 3 | 800-172A, March 2022 |
Download the current assessment guide from NIST and you’ll be preparing against determination statements that don’t match the ones a CMMC assessment uses. Check the edition before you build your evidence package.
Assessment routes, side by side
| Question | Under the NIST publication alone | Under CMMC |
|---|---|---|
| Who assesses? | Whoever the governing agreement specifies | Level 1: self · Level 2: self or C3PAO in the codified model · Level 3: DIBCAC |
| What's evaluated? | The applicable requirements and assessment objectives | The incorporated requirements within your CMMC assessment scope |
| Is there a certification? | No general NIST contractor certification exists | CMMC status — a separate DoD program concept |
| Where is the result recorded? | Depends on the agreement | SPRS and the CMMC enterprise system, depending on the mechanism |
| Can it be self-performed? | Depends on the agreement | Levels 1 and 2 yes; Level 3 no |
| Available today? | Depends on the agreement | Level 1 (Self) and Level 2 (Self) only |
One consequence worth naming: because Level 3 is government-assessed, a C3PAO cannot certify you at Level 3, and any provider positioning itself that way has misunderstood the program.
Independence matters at Level 2 as well. Under the Cyber AB Code of Professional Conduct, a C3PAO organization and its assessment team may not conduct a certification assessment of an organization they served as consultants preparing for any CMMC assessment within the preceding three years. If you’re choosing a readiness partner now, that three-year window is worth knowing before you sign — it constrains who can assess you later.
What to do when a solicitation, flow-down, or questionnaire names either standard
Don’t start buying tools from a publication number.Identify the controlling authority, the exact edition named, the instrument that creates the obligation, your CUI scope, the assessment type, and — if 800-172 is involved — which specific enhanced requirements were selected. Where those conflict or are missing, get written clarification before you price anything.
Six steps, in order
- Identify who is imposing it.A contracting officer, a requiring activity, a prime, a customer questionnaire, your insurer, and a technology vendor don’t carry the same authority. Some create obligations. Some express a preference.
- Extract the exact language.Record the clause or provision number, publication title, revision, publication date, CMMC level, assessment type, effective date, flow-down language, and any list of selected requirements. If a document names “NIST 800-171” with no revision, that ambiguity is itself the finding.
- Confirm your information type.FCI, CUI, covered defense information, export-controlled data, or proprietary information that isn’t automatically CUI — these carry different obligations. See whether your data is CDI, CUI, or FCI.
- Define the boundary. Where is the information created, stored, transmitted? Who can reach it? Which security protection assets support it? Which external service providers touch it? Can the boundary be narrowed without breaking operations?
- Establish the current assessment status. Account for the July 2026 suspension, any amendment or modification issued or promised, your self-assessment obligations, SPRS posting, and affirmation requirements where they apply.
- Get it in writing. Then keep it in the contract file.
The ten questions to send your contracting officer or prime
Copy these. Each one is written to be answerable, and the right-hand column tells you what the answer actually controls.
| # | Question to send | What the answer controls |
|---|---|---|
| 1 | Which NIST publication, revision, and publication date are contractually required? | Which edition you build and are scored against |
| 2 | Which clause, provision, or incorporated document establishes that requirement? | Whether an obligation exists at all |
| 3 | Are any NIST SP 800-172 enhanced security requirements selected for this effort? | Whether 800-172 reaches you |
| 4 | If so, where is the complete list of selected requirements? | Your actual scope — not all 35, not a vendor's guess |
| 5 | Which organization-defined parameter values apply? | Whether you need a 24/7 capability or an annual one |
| 6 | What system boundary is expected for assessment? | Your single largest cost driver |
| 7 | Which CMMC level and assessment type are required? | Self, C3PAO, or DIBCAC — and what's available today |
| 8 | Has the July 13, 2026 suspension changed this solicitation or contract? | Whether what you're reading is still operative |
| 9 | Will an amendment or modification be issued, and on what timeline? | When you can safely change your own plans |
| 10 | What must flow down to our subcontractors, and in what form? | Your exposure through your own supply chain |
If a prime can’t answer questions 2, 3, and 4, you’ve learned that the requirement isn’t yet defined — which is a fact worth having before you commit budget to it.
Saying accurate things about your own posture
Getting this language right protects you, because these statements can become representations to the government.
| Your actual situation | What you can accurately say |
|---|---|
| You've voluntarily implemented enhanced safeguards | "We have implemented practices aligned with SP 800-172" |
| An agreement selects specific requirements | "These selected SP 800-172 requirements apply under [the identified clause]" |
| CMMC Level 3 is validly designated (not currently possible) | "The CMMC Level 3 requirement set applies, subject to then-current rules" |
| A vendor calls its product "800-172 compliant" | Ask which requirements, which scope, which evidence, under which authority |
The line to never cross: describing voluntary alignment as compliance, or compliance as certification.
Seven mistakes that put contractors on the wrong baseline
The expensive errors here are predictable: assuming the newest NIST edition automatically governs, treating 800-172 as a replacement for 800-171, implementing enhanced requirements with no selection basis, or letting company size drive the decision. Each produces unnecessary scope, mismatched evidence, or an inaccurate representation.
| The mistaken assumption | What disproves it | What to obtain |
|---|---|---|
| 1. “Rev. 3 is newer, so Rev. 2 doesn’t matter” | Incorporation by reference freezes the cited edition until DoD amends the rule (32 CFR 170.14) | The edition named in your governing clause |
| 2. “800-172 is the next certification after 800-171” | It’s a supplemental requirements publication; NIST issues no contractor certification | The authority that creates any certification you’re told you need |
| 3. “We should implement all 35 enhanced requirements” | NIST states there’s no expectation all enhanced requirements will be selected; DoD selected 24 for Level 3 | The written list of selected requirements and its source |
| 4. “We’re a small subcontractor, so 800-172 can’t apply” | Applicability turns on agency selection tied to a critical program or high value asset — not size | The agency determination and selection instrument |
| 5. “The prime’s questionnaire is the same as a clause” | DFARS 252.204-7021 flow-downs and prime-imposed policy terms are different instruments with different answers | The subcontract clause and whether it traces to a government requirement |
| 6. “Our product supports that control, so we’ve implemented it” | Assessment evaluates configured, operating, evidenced implementation — not capability | Configuration evidence, operating records, and the SSP entry |
| 7. “The July suspension deleted our contract language” | The memoranda direct government contracting personnel to amend and modify; the text stands until they do | The issued amendment or modification, in writing |
Mistake 7 is the one currently costing people money in both directions — companies standing down work that’s still contractually required, and companies continuing to fund readiness for a designation that can’t be made. Both are avoidable with one email to your contracting officer.
What we actually verified
You should know exactly what we checked, what we calculated, and what we couldn’t confirm. That’s the basis on which you should decide whether to trust anything above.
What we did, on :
- Checked the publication status of each NIST document supplying CMMC’s Level 2 and Level 3 requirements and assessment procedures, individually, on the NIST Computer Security Resource Center, and recorded each withdrawal or supersession date.
- Counted the Rev. 3 requirement and family figures from NIST’s own machine-readable OSCAL catalogs rather than from secondary summaries, excluding identifiers NIST marks as withdrawn, and recorded the catalog versions, download date, and checksums.
- Read Table 1 to 32 CFR 170.14(c)(4) on the eCFR and reproduced the 24 Level 3 requirement identifiers from the rule text.
- Cross-referenced the POA&M exclusions at §170.21(a)(3)(ii) and the scoring rules at §170.24(b)(3) against that table.
- Checked the eCFR change timeline for the relevant sections to confirm the rule text has not been amended.
- Read both July 2026 memoranda in full — the CIO policy memorandum and the Acquisition and Sustainment implementing memorandum with its Attachment 1 — rather than relying on summaries.
- Confirmed the 35-requirement figure for the February 2021 edition against sources published contemporaneously with its release, and confirmed the four empty families against the document’s structure.
What we did not do:
- We did not review any contractor’s actual scope, contract, or system boundary.
- We did not test any product, and we did not evaluate, rank, or endorse any provider. No provider is named on this page.
- We reached no legal conclusion about any individual agreement.
- We publish no cost figure for Level 3, because the government’s estimates cover assessment support and affirmation rather than implementation, and market figures trace to industry rather than to primary sources.
Where we’d want a second look: requirement counts drawn from machine-readable catalogs can differ from the published PDF, and NIST’s guidance is that the PDF is normativewhere they diverge. Our counts are a disclosed calculation, not a NIST headline figure. If you reproduce a different result, we want to hear about it and we’ll correct the page with a dated note.
Where dates may move:the RFI deadline is a live government submission window — confirm it on SAM.gov before relying on it.
How this page gets maintained. Suspension status and Task Force developments: monthly until resolved. NIST publication status and counts: quarterly, or immediately on any withdrawal or new revision. The amendment status of Part 170: monthly while the review is open.
NIST 800-171 vs 800-172: frequently asked questions
- Is NIST 800-172 mandatory?
- Only when a federal agency selects specific enhanced requirements and conveys them in a contract, grant, or other agreement — and only when the CUI involved is associated with a critical program or high value asset. It is not mandatory by default for CUI handlers, and it is not triggered by company size or maturity.
- Does NIST 800-172 replace NIST 800-171?
- No. It supplements it. The enhanced requirements are designed to be applied on top of an implemented 800-171 baseline, not instead of it. If you have unresolved 800-171 gaps, 800-172 work doesn't substitute for closing them.
- How many controls are in NIST 800-172?
- The February 2021 edition — the one CMMC cites — contains 35 enhanced security requirements across 14 families, four of which contain none. CMMC Level 3 selects 24 of the 35. The current edition, Revision 3 (May 2026), contains 103 active enhanced requirements across 17 families under our counting method.
- Is NIST 800-172 the same thing as CMMC Level 3?
- No. CMMC Level 3 is a DoD program level that incorporates 24 selected requirements from SP 800-172, layered on Level 2's 110, for 134 total. SP 800-172 is a NIST publication any federal agency can draw from through ordinary contract terms, with no CMMC involvement at all.
- What is the current version of NIST 800-172?
- NIST SP 800-172 Revision 3, published May 2026. It superseded the February 2021 edition, which NIST withdrew on May 13, 2026.
- NIST withdrew the February 2021 edition. Do I have to move to Revision 3?
- Not for CMMC purposes. 32 CFR Part 170 incorporates the February 2021 edition by reference, and that remains the CMMC requirement until DoD amends the rule. A separate agency or agreement could independently require Revision 3 — but that would be its own requirement with its own authority.
- Which revision of 800-171 does CMMC require — Rev. 2 or Rev. 3?
- Revision 2. NIST withdrew Rev. 2 on May 14, 2024 when it published Rev. 3, but the CMMC Program Rule still incorporates Rev. 2, and DoD separately issued a class deviation holding DFARS 252.204-7012 to Rev. 2 as well.
- Can I self-assess against NIST 800-172?
- You can conduct an internal assessment for your own purposes at any time. But under CMMC, Level 3 is assessed by DCMA DIBCAC — not by you and not by a C3PAO. Outside CMMC, the assessment method is whatever the governing agreement specifies.
- Who performs a CMMC Level 3 assessment?
- DCMA DIBCAC, a government organization. That's a structural difference from Level 2, where the codified model allows either a self-assessment or a C3PAO certification. Level 3 designations are currently suspended.
- Can any Level 3 requirements go on a POA&M?
- Seventeen of the 24 can. Seven cannot, under 32 CFR 170.21(a)(3)(ii): the 24/7 SOC, the 24-hour deployable response team, threat-informed risk assessment, documented security solution rationale, both supply chain requirements, and specialized asset security. A Conditional Level 3 status requires at least 20 of 24 points with none of those seven deferred, closed out within 180 days.
- Does NIST 800-172 flow down to subcontractors?
- It can, two different ways. A government requirement can flow down through the subcontract — DFARS 252.204-7021 requires the substance of the CMMC clause to flow into covered subcontracts at the appropriate level. Separately, a prime can impose its own additional security terms, which bind you once executed but are not themselves a CMMC requirement. Ask which one you're looking at.
- Has CMMC Level 3 been cancelled?
- No. Level 3 remains in 32 CFR Part 170 and the rule has not been amended. What changed on July 13, 2026 is that requiring activities may not currently designate Level 3 (DIBCAC) or Level 2 (C3PAO) while a 60-day reform review runs. Suspension of designation authority is not repeal of the regulation.
- What is a “critical program” or “high value asset”?
- Both are federal government determinations. A high value asset is broadly a system or dataset whose loss would cause serious harm to agency mission or national security; a critical program is one the agency has designated as warranting protection beyond the baseline. NIST doesn't define which specific programs qualify — the agency decides, and the determination reaches you through your agreement.
- Do I need a 24/7 SOC for NIST 800-172?
- Only if IR.L3-3.6.1e is among the requirements selected for you. It's one of the 24 CMMC Level 3 selected, and DoD assigned it a 24/7 parameter with remote or on-call staffing permitted. It's also one of the seven that can't be deferred to a POA&M. If enhanced requirements haven't been selected for your contract, this isn't your obligation.
- Does the CMMC suspension mean I can stop my NIST 800-171 work?
- No, and this is the most consequential misreading in circulation. DFARS 252.204-7012 and the NIST SP 800-171 Rev. 2 baseline remain in effect, enforced through self-assessments and select government-led assessments. Third-party certification is paused; the underlying requirement is not.
- Why does the CMMC rule say “Department of Defense” when the announcements say “Department of War”?
- 32 CFR Part 170 was published in October 2024 and uses “Department of Defense (DoD)” throughout, because that was the department’s name at the time. The department is now styled the Department of War. The rule text is unchanged; only the name in current announcements differs.
The bottom line
NIST SP 800-171 is the CUI protection baseline. NIST SP 800-172 adds enhanced requirements for a more capable adversary, and it reaches you only when a federal agency selects specific requirements and conveys them in an agreement. Neither the newest publication date nor your company’s size settles which one governs your work.
For CMMC purposes, the model still points to NIST SP 800-171 Revision 2 and the February 2021 edition of SP 800-172 — both of which NIST has withdrawn, and neither of which stopped being the requirement when it happened. That’s incorporation by reference doing exactly what it’s designed to do. And the July 2026 suspension changed which assessment requirements can currently be designated — not the obligation to protect CUI, not DFARS 252.204-7012, and not the 110 requirements you’re still scored against.
So here’s the honest next step. Pull your governing agreement and its incorporated attachments, flow-downs, and modifications, and search them for NIST SP 800-172, enhanced security requirements, and identifiers ending in a lowercase “e.” That’s an afternoon of work and it costs nothing. Treat an empty result as a strong screening answer rather than a final legal conclusion — but a strong screening answer is enough to stop you buying a scope nobody assigned you.
And if it comes back with something, you now know exactly which questions to ask, which sources to cite, and which category of help you’re actually shopping for.
Primary sources
Every regulatory claim on this page traces to one of these.
- 32 CFR Part 170 — CMMC Program Rule: §170.2 (incorporation by reference), §170.4 (definitions), §170.14 and Table 1 to §170.14(c)(4) (model), §170.18 (Level 3 certification assessment), §170.19 (scoping), §170.21 (POA&M and conditional status), §170.22 (affirmation), §170.23 (subcontractors), §170.24 (scoring)
- 89 FR 83092 (October 15, 2024) — CMMC Program final rule
- 48 CFR 52.204-21 — basic safeguarding (the 15 Level 1 requirements)
- NIST SP 800-171 Rev. 2 (withdrawn May 14, 2024) and Rev. 3 (May 2024)
- NIST SP 800-171A (June 2018) and Rev. 3
- NIST SP 800-172 (February 2021, withdrawn May 13, 2026) and Rev. 3 (May 2026)
- NIST SP 800-172A (March 2022) and Rev. 3 (May 2026)
- NIST OSCAL catalogs,
usnistgov/oscal-content— SP 800-171 Rev. 3 catalog v1.1.0 and SP 800-172 Rev. 3 catalog v1.0.0, both last modified May 12, 2026 - DFARS 252.204-7012 (safeguarding and incident reporting), 252.204-7019 and -7020 (NIST SP 800-171 DoD Assessment and SPRS posting), 252.204-7021 (CMMC level requirements), 252.204-7025 (solicitation provision)
- Department of War CIO memorandum (Kirsten A. Davies) and implementing memorandum with Attachment 1 (Michael P. Duffey), released July 13, 2026 under publication case 26-P-1023; official CMMC program page
- Cyber AB— CMMC Assessment Process (CAP) and Code of Professional Conduct
- Request for Information, Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base — responses due 12:00 p.m. ET, August 14, 2026; confirm on SAM.gov
Disclosures and limitations
This is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) and, where contract interpretation is material, a qualified federal-contracts attorney.
Independence. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
Commercial disclosure. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. No provider is named or recommended on this page. The CMMC Path Framework routes to a category— an RPO, an MSSP, a GRC platform, a CUI enclave — never to a ranked or endorsed vendor.
Corrections. If you find an error, tell us. We date our corrections and note what changed and why.
Related research
- CMMC Level 1 vs Level 2 vs Level 3 →
- NIST 800-171 requirements checklist (all 110 Rev. 2 requirements) →
- CMMC Level 3 requirements: the 24 selected SP 800-172 controls →
- NIST 800-171 Rev 2 vs Rev 3 →
- NIST 800-171A assessment objectives →
- CDI vs CUI vs FCI: what type of data are you handling? →
- SPRS score: what it is and how it’s calculated →