The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

NIST 800-171A Assessment Objectives: The 320 Checks That Actually Decide Your CMMC Score

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.


Educational research, not legal, contractual, cybersecurity, or compliance advice. The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

NIST 800-171A assessment objectives are the individual “determine if” statements — NIST calls them determination statements — that an assessor uses to decide whether you actually meet each NIST SP 800-171 security requirement. Here’s the part that ambushes most teams: for CMMC Level 2, the 110 security requirements are assessed through 320 assessment objectives, even though your score is tallied at the requirement level. A requirement is MET only when every applicable objective is satisfied with final evidence.

That single fact — 110 requirements, 320 objectives — is why a checklist that looked “done” can still fail a real assessment. And sitting underneath it is a version trap we’ll unpack in a minute: the exact 800-171A document CMMC uses was officially withdrawn by NIST, yet it’s still the one that governs your Level 2 assessment. We’ll show you why, with the primary sources, so you don’t build to the wrong standard.

This page is for the people doing the actual work — CISOs, IT directors, compliance managers, FSOs, contracts officers, and small-DIB owners preparing a NIST 800-171 self-assessment, an SPRS score, a CMMC Level 2 gap assessment, or a C3PAO-readiness package. See also our CMMC Level 2 requirements guide and the CMMC CAP (Assessment Process) overview.

Best for: anyone past “what is CMMC” who now needs to know what the assessor really grades, what evidence each objective needs, and what to do with all 320.

Not for: anyone hunting a shortcut around scoping or a substitute for legal interpretation. Your contract clause and how you handle CUI set your level — not a checklist.

NIST 800-171A assessment objectives in one screen

| Question | Direct answer |
|---|---|
| What is NIST SP 800-171? | The 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems — the technical baseline for CMMC Level 2. |
| What is NIST SP 800-171A? | The companion publication that tells you how those 110 requirements are assessed — the objectives, methods, and evidence sources. |
| What is an assessment objective? | A single determination statement (e.g., “authorized users are identified”) that must be satisfied by evidence. Requirements are built from one or more of them. |
| How many are there? | 320 assessment objectives across the 110 requirements for CMMC Level 2. |
| What are the assessment methods? | Examine, Interview, and Test. |
| How does it affect scoring? | A requirement scores MET only when all applicable objectives are satisfied with final evidence. One unmet applicable objective makes the whole requirement NOT MET. |
| Which version applies to CMMC? | The original NIST SP 800-171A (June 2018), aligned to NIST SP 800-171 Revision 2 — even though NIST has since withdrawn it. Rev. 3 does not apply to CMMC yet. |

Your situation changes the answer

Find My CMMC Path

The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.

  • What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
  • What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
  • Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details

What are NIST 800-171A assessment objectives?

NIST 800-171A assessment objectives are the specific determination statements used to judge whether each NIST SP 800-171 security requirement is satisfied. They turn a broad requirement into smaller, checkable conditions an assessor can examine, discuss, and test — and each one has to be backed by real evidence. NIST SP 800-171A is the assessment-methodology companion to NIST SP 800-171; it provides the assessment procedures, objectives, methods, and objects for evaluating whether your system is compliant (NIST CSRC, SP 800-171A).

Think of the two documents as a test and its answer key. NIST SP 800-171 says “limit system access to authorized users.” NIST SP 800-171A breaks that into six separate things an assessor has to verify: are authorized users identified, are processes acting on their behalf identified, are authorized devices identified, is access actually limited to those users, to those processes, to those devices? Every one of those six is a separate objective with its own evidence requirement.

Your score lands on the requirement. But the assessor gets there by working through the objectives. That distinction is the whole game, and it’s the thing a “110-item checklist” quietly skips.

One honest admission before we go further

We’re a trade publication, not your assessor and not your lawyer. We can’t scope your environment, assign your SPRS score, or tell you which objectives are Not Applicable to you — because that’s decided entirely by your system boundary and how CUI actually flows through it. Only your System Security Plan (SSP) and a qualified Registered Practitioner or federal-contracts attorney can nail that down. What we can do is make all 320 objectives make sense, show you the kind of evidence each one needs, and point you to the right kind of help before you spend six figures.

What is the difference between NIST 800-171 and NIST 800-171A?

NIST SP 800-171 is the list of security requirements; NIST SP 800-171A is the guide for assessing them. One tells you what to implement, the other tells you how it’s verified. For CMMC Level 2 today, the rule points to NIST SP 800-171 Revision 2 for the requirements and the original NIST SP 800-171A for the assessment procedures (32 CFR Part 170).

| | NIST SP 800-171 Rev. 2 | NIST SP 800-171A (June 2018) |
|---|---|---|
| Answers | “What must I do to protect CUI?” | “How is each requirement assessed?” |
| Contains | 110 requirements across 14 families | The assessment objectives, methods, and objects behind those requirements |
| Unit | The requirement | The objective (there are 320 of them) |
| CMMC role | The Level 2 technical baseline | The Level 2 assessment methodology |

A common mistake worth stopping on: NIST 800-171A is not “the 110 controls.” It’s the assessment companion. If someone hands you 800-171A expecting a control list, they’ve mixed up the two documents — and that confusion tends to travel straight into a weak evidence plan. See our CMMC vs. NIST 800-171 comparison for a broader breakdown of how the two sets of documents relate.

Why 320 objectives instead of 110 controls — and what happens if you miss one

For CMMC Level 2, the 110 NIST SP 800-171 Rev. 2 requirements are assessed through 320 objective-level determinations, and a requirement is only scored MET when every applicable objective is satisfied with final evidence. If one applicable objective is not satisfied, the requirement is NOT MET — there is no partial credit at the objective level for most requirements (CMMC Level 2 Assessment Guide; NIST SP 800-171A).

This is the single most expensive misunderstanding we see. A team spends months confirming they’ve “addressed” all 110 requirements, walks in feeling ready, and discovers the assessor is working from a much longer list — and that a policy sitting next to requirement 3.4.1 doesn’t automatically satisfy the objectives buried inside it.

Take the very first requirement, 3.1.1 (Access Control). On paper it’s one line about limiting system access to authorized users, processes, and devices. In NIST SP 800-171A it becomes six separate objectives (NIST SP 800-171A, PDF):

| Objective | The determination the assessor makes | Typical method |
|---|---|---|
| 3.1.1[a] | Authorized users are identified | Examine, Interview |
| 3.1.1[b] | Processes acting on behalf of authorized users are identified | Examine |
| 3.1.1[c] | Devices (and other systems) authorized to connect are identified | Examine |
| 3.1.1[d] | System access is limited to authorized users | Examine, Test |
| 3.1.1[e] | System access is limited to authorized processes | Examine, Test |
| 3.1.1[f] | System access is limited to authorized devices/systems | Examine, Test |

One requirement. Six things you have to prove. Multiply that logic across all 110, and you land at 320.

The 110 requirements are built unevenly. Here’s the verified family-level structure from NIST SP 800-171 Rev. 2, so you can see where the weight sits before you plan your evidence:

| NIST SP 800-171 Rev. 2 family | Requirements | What its objectives mostly test |
|---|---|---|
| 3.1 Access Control | 22 | Who and what can connect, and whether access is actually limited — the largest family. |
| 3.2 Awareness and Training | 3 | Role-based awareness, proven by more than a generic annual slide deck. |
| 3.3 Audit and Accountability | 9 | Logging, retention, review process, and the people who run it. |
| 3.4 Configuration Management | 9 | Baselines, change control, least functionality, allow/deny lists. |
| 3.5 Identification and Authentication | 11 | Identity, multifactor authentication (MFA), and where exceptions apply. |
| 3.6 Incident Response | 3 | Plan, testing, reporting, tracking, and roles — all have to connect. |
| 3.7 Maintenance | 6 | Maintenance records and remote-maintenance controls. |
| 3.8 Media Protection | 9 | Removable media, marking, transport, sanitization, encryption. |
| 3.9 Personnel Security | 2 | Screening and, critically, access termination when people leave. |
| 3.10 Physical Protection | 6 | Physical access control tied to a clearly defined facility scope. |
| 3.11 Risk Assessment | 3 | Vulnerability-scan cadence, risk review, and remediation. |
| 3.12 Security Assessment | 4 | SSP and Plan of Action & Milestones (POA&M) — the documents that shape scope. |
| 3.13 System and Communications Protection | 16 | Boundary protection, encryption, architecture, CUI flow. |
| 3.14 System and Information Integrity | 7 | Flaw remediation, monitoring, and alerting — proven in operation. |
| Total | 110 | Expanding to 320 assessment objectives. |

Family requirement counts per NIST SP 800-171 Rev. 2. Objective counts vary by requirement; the complete objective-by-objective breakdown lives in NIST’s official assessment-procedures file, linked further down.

In our reading of the assessment guides and practitioner reporting, five families carry most of the assessment weight: Access Control, System and Communications Protection, Audit and Accountability, Identification and Authentication, and Incident Response. They’re the most heavily enforced, the most evidence-driven, and the most closely tied to real breach paths — which is why they generate a disproportionate share of findings. That’s our editorial read of where to focus first, grounded in the verified structure above.

How many assessment objectives are there at each CMMC level?

CMMC Level 1 covers 15 requirements, Level 2 has 320 assessment objectives, and Level 3 adds enhanced objectives from NIST SP 800-172A on top of the Level 2 set. The number climbs with the sensitivity of the information you handle and the assessment type your contract requires (CMMC assessment guides, DoD CIO).

| CMMC Level | Applies to | Requirements | Assessment objectives | Who assesses it |
|---|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) only | 15 (FAR 52.204-21) | A smaller set defined in the CMMC Level 1 Assessment Guide | Annual self-assessment |
| Level 2 | CUI | 110 (NIST SP 800-171 Rev. 2) | 320 | Self-assessment or a C3PAO, depending on the contract |
| Level 3 | The most sensitive CUI | 110 + 24 enhanced requirements from NIST SP 800-172 | 320 + the NIST SP 800-172A objectives for those 24 | DCMA DIBCAC, and only after you hold Final Level 2 (C3PAO) |

Two clarifications that trip up even experienced teams:

Which version of 800-171A does CMMC use — and why a “withdrawn” document still governs your assessment

CMMC Level 2 uses the original NIST SP 800-171A (June 2018), aligned to NIST SP 800-171 Revision 2 — even though NIST withdrew that document in May 2024 and replaced it with Revision 3. A DoD class deviation ties CMMC and DFARS 252.204-7012 to Revision 2, and CMMC assessors are not authorized to grade against Revision 3 (NIST CSRC, SP 800-171A; 32 CFR Part 170).

This is the section that saves people the most money, so we’ll be precise. When we pulled up NIST’s own page for SP 800-171A, it carries a “Withdrawn” banner — the original was withdrawn on May 14, 2024 and superseded by SP 800-171A Rev. 3. Land on that page cold, and it’s easy to panic, download Rev. 3, and start building to the wrong standard. Don’t. Here’s the reality:

| | What CMMC uses today | What NIST currently publishes |
|---|---|---|
| Document | Original NIST SP 800-171A (June 2018), aligned to 800-171 Rev. 2 | NIST SP 800-171A Rev. 3 (May 2024) |
| Status at NIST | Withdrawn (May 14, 2024) | Current |
| Assessment objectives | 320 | Substantially more (Rev. 3 restructured and expanded the set) |
| Used for CMMC Level 2? | Yes | No — not the CMMC baseline unless DoD amends the rule |
| Why | A DoD class deviation ties DFARS 252.204-7012 (and therefore CMMC) to Rev. 2 | It’s the current NIST publication, but the CMMC rule still points to Rev. 2 |

DoD issued the class deviation in May 2024, and it has no announced end date. DoD has been consistent that it will move CMMC to Rev. 3 only through future rulemaking — not automatically (DoD, CMMC alignment to NIST standards).

The red flag to watch for: if a tool, template, or consultant is quoting you Rev. 3 objective counts or Rev. 3 control language for a CMMC Level 2 engagement right now, stop and verify. Build your Level 2 evidence against the original 800-171A / 800-171 Rev. 2 unless your specific contract clause says otherwise. It’s smart to read Rev. 3 to see where things are heading. It is not smart to be assessed against a standard your contract doesn’t reference.

You now know you’re building to the right standard. The next question is how big the job actually is.

Our free CMMC Readiness Checklist maps the 14 control families to what an assessor looks for — the fastest way to see where your evidence already exists and where it doesn’t, before you commit to anything. If you’d rather have us point you to the right kind of help, that’s a couple of sections down.


What a single assessment objective actually looks like: Examine, Interview, Test

Every assessment objective comes as a small procedure: the determination statement, the methods used to check it, and the objects those methods are applied to. NIST SP 800-171A defines three assessment methods — Examine, Interview, and Test — and four types of assessment objects. There’s no expectation that an assessor uses every method or every object for every objective (NIST SP 800-171A, PDF).

| Method | What NIST means | What it looks like in the room | Example evidence |
|---|---|---|---|
| Examine | Review, inspect, observe, study, or analyze objects | Look at the artifact | SSP, policy, procedure, configuration export, access list, audit log, ticket |
| Interview | Hold discussions with individuals or groups | Ask the people who run the control | Admin interview, HR interview, incident-response owner interview |
| Test | Exercise mechanisms or activities under specified conditions | Prove the thing actually works | MFA demo, access-revocation test, live log query, scan validation |

The four object types the methods point at — the “where does the evidence come from” categories — are specifications (policies, plans, procedures, and other documents), mechanisms (the technical safeguards themselves), activities (the operational processes people carry out), and individuals (the people who run or own the control) (NIST SP 800-171A, PDF).

The reassurance most pages leave out

The lists of potential objects in NIST SP 800-171A are not a mandatory screenshot list. NIST is explicit that organizations aren’t expected to use every method and object on every objective; the objects are candidate evidence sources, not a required artifact checklist. Your job is to show enough final evidence, at the right depth and coverage for your scope, to satisfy each applicable objective. That’s a meaningfully smaller task than “collect one of everything,” and it’s why a tightly scoped environment is so much cheaper to assess than a sprawling one.

What evidence do you need for each assessment objective?

Map each applicable objective to final evidence, an SSP reference, an owner, the method, and a status. Good evidence doesn’t just state intent — it shows the safeguard is implemented, operating, and tied to the boundary that handles CUI. A policy title alone rarely satisfies an objective; assessors want proof the control runs in reality (NIST SP 800-171A, PDF).

The fastest way to read an objective is to look at its verb. NIST’s objectives lean on a small set of them, and each verb points at a different kind of proof:

| When the objective says… | The assessor wants to confirm… | Weak evidence | Stronger evidence |
|---|---|---|---|
| Identified | You know the specific users, systems, roles, assets, or data flows | “We know who has access” | Current access list, asset inventory, data-flow diagram, role mapping |
| Defined | The rule, parameter, or authorization is documented | A generic policy line | Approved policy/procedure with owner, scope, and the system boundary named |
| Enforced | A mechanism actually applies the rule | “The policy says to” | Configuration output, access-control setting, screenshot, test result |
| Monitored | Someone or something watches activity over time | “We have a tool” | Log-source list, alert workflow, a review ticket, a sample event |
| Reviewed | Evidence is periodically evaluated | “Reviewed annually” | Review calendar, signed approval, meeting record, reviewer identity |
| Protected | A system or data set has real safeguards | An “it’s encrypted” claim | Config output, architecture diagram, key-management procedure, test result |

For a tracker that survives an actual assessment, capture these fields per objective:

| Field | Why it matters |
|---|---|
| Requirement ID | Keeps scoring tied to the 110 Rev. 2 requirements |
| Assessment objective ID | Stops one broad control from hiding multiple gaps |
| Method | Examine, Interview, Test, or a mix |
| SSP reference | Shows where the implementation claim lives |
| Evidence link | Points to final, approved evidence |
| Owner | Assigns accountability |
| Status | MET / NOT MET / N/A / remediation in progress |
| POA&M candidate? | Separates your internal backlog from what CMMC actually allows on a POA&M |
| Validation date | Flags stale evidence before an assessor does |

One rule that quietly sinks assessments: evidence has to be final. Under CMMC’s assessment approach, all evidence must be final and not draft — working papers, drafts, and unofficial or unapproved policies are unacceptable evidence for a MET finding (32 CFR Part 170; CMMC Level 2 Assessment Guide). If your SSP says a control is implemented but the supporting policy is still in draft, that objective is not safely evidence-ready — no matter how good the draft is.

A safety note that matters: don’t turn your evidence folder into an uncontrolled CUI repository. Reference evidence, redact where appropriate, and keep sensitive contract data out of general-purpose trackers and web forms.

Seeing the size of the evidence job is the moment most teams realize they need help — the question is what kind.

Before you request a single quote, map your situation to the right provider category. Tell us your level, CUI/FCI scope, environment, and timeline, and Find My CMMC Path points you to the category that fits — not a sales list.

Do not submit CUI, drawings, or sensitive contract details.


How assessment objectives drive your CMMC Level 2 result and SPRS score

Your CMMC Level 2 result and your SPRS score both depend on objective-level findings, but the score itself is calculated at the requirement level. Each of the 110 requirements is scored MET, NOT MET, or Not Applicable based on whether its objectives are satisfied; the SPRS score starts at 110 and drops when requirements go unmet (32 CFR Part 170; DoD Assessment Methodology).

| Finding | What it means | Consequence |
|---|---|---|
| MET | All applicable objectives for the requirement are satisfied with final evidence | Requirement gets credit |
| NOT MET | One or more applicable objectives are not satisfied | Requirement loses its points under the scoring method |
| N/A | The requirement (or objective) genuinely doesn’t apply to your scope | Treated as MET for scoring |

The scoring math you should know before an assessment:

Where the results go depends on the assessment type:

The obligation to have a current NIST SP 800-171 score in SPRS predates CMMC. DFARS 252.204-7019 requires a current assessment — not more than three years old — with summary-level scores posted in SPRS for covered systems relevant to the offer. CMMC then adds a required CMMC status on top, which the contracting officer specifies in DFARS 252.204-7021; that clause took effect November 10, 2025.

Where can you download the NIST 800-171A assessment objectives spreadsheet?

NIST publishes the 800-171A assessment objectives for free as a PDF, a CSV, and an XLSX spreadsheet; the PDF is the authoritative version if the files ever disagree. For CMMC-specific guidance on each objective, use the DoD’s CMMC Level 2 Assessment Guide alongside it (NIST CSRC, SP 800-171A).

The spreadsheet gives you every requirement and its objectives in rows. What it doesn’t give you is a place to track your evidence. That’s the work our CMMC Readiness Checklist is built for — it maps the families to what an assessor asks for, so you can turn the official objective list into an evidence plan with owners and status instead of a static reference. Download the official file first; use the checklist to make it actionable.

How to build a NIST 800-171A objective-level evidence tracker (without blowing your scope)

Start with scope, not the spreadsheet. Define the CUI system boundary in your SSP first, then map each applicable objective to final evidence, separate true remediation from documentation gaps, and validate the tracker before you rely on it for SPRS or a C3PAO. NIST is clear that assessments using SP 800-171A are guided and informed by the SSP — the plan describes your boundary, environment, and implementations, which is what makes an assessment scopeable (NIST SP 800-171A, PDF).

  1. Step 1 — Confirm CUI scope and your contract path. FCI vs. CUI changes your level. The contract clause and how you handle CUI set the level — not a checklist. If you’re a subcontractor, flow-down matters; 32 CFR Part 170 sets the minimum status a subcontractor needs based on what the prime requires. See our FCI vs. CUI guide.
  2. Step 2 — Anchor to the SSP. Every implementation claim in the tracker should point to a section of your SSP. If the SSP doesn’t describe how a requirement is met and where the evidence lives, that’s your first gap.
  3. Step 3 — Build the tracker at the objective level. All 110 requirements, all 320 objectives, each with method, SSP reference, owner, status, POA&M eligibility, and validation date. This is where the 110-item checklist mindset dies and readiness begins.
  4. Step 4 — Mark every piece of evidence as final, draft, missing, or stale. Remember: drafts don’t count for MET. This one column tells you honestly how ready you are.
  5. Step 5 — Run a mock assessment. Not for status — for truth. Have someone who didn’t build the evidence try to break it. Interviews and tests expose the gap between “the policy says” and “the system does.” Our NIST 800-171 gap analysis guide covers the format and scope.
  6. Step 6 — Diagnose the type of problem. Is it a scope problem, a documentation problem, an implementation problem, or an assessment-readiness problem? Each points to a different kind of help — which is the next section.
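An added example (not the publication’s checklist, NIST’s spreadsheet layout, or any DoD tool) that turns the tracker fields listed earlier and Steps 3 and 4 above into working code: it parses an objective-level tracker, rolls each requirement up to MET, NOT MET, or N/A using the rule the article states (every applicable objective needs final evidence; drafts never count; an all-N/A requirement is treated as MET), lists the objectives blocking a MET finding, and flags stale evidence. The CSV column names, sample rows, the placeholder requirement 3.X.Y, the report date, and the 365-day staleness threshold are all assumptions made for the demo.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample tracker (assumed column layout, not NIST's CSV). 3.1.1 carries the
# six objectives [a]-[f] the article walks through; 3.X.Y is a placeholder for whichever
# requirement your SSP marks Not Applicable. Paths, owners and dates are invented.
SAMPLE_TRACKER = """\
requirement_id,objective_id,method,ssp_ref,evidence_link,owner,evidence_state,applicable,validation_date
3.1.1,3.1.1[a],Examine;Interview,SSP 3.1.1,ev/ac/authorized-users.pdf,IT Director,final,yes,2026-05-01
3.1.1,3.1.1[b],Examine,SSP 3.1.1,ev/ac/service-accounts.xlsx,IT Director,final,yes,2026-05-01
3.1.1,3.1.1[c],Examine,SSP 3.1.1,ev/ac/device-inventory.csv,IT Director,final,yes,2026-05-01
3.1.1,3.1.1[d],Examine;Test,SSP 3.1.1,ev/ac/user-acl-export.txt,Sysadmin,final,yes,2026-06-10
3.1.1,3.1.1[e],Examine;Test,SSP 3.1.1,ev/ac/process-acl-export.txt,Sysadmin,draft,yes,2026-06-10
3.1.1,3.1.1[f],Examine;Test,SSP 3.1.1,ev/ac/nac-policy.pdf,Sysadmin,final,yes,2026-06-10
3.1.2,3.1.2[a],Examine,SSP 3.1.2,ev/ac/role-matrix.pdf,IT Director,final,yes,2026-04-15
3.1.2,3.1.2[b],Examine;Test,SSP 3.1.2,ev/ac/rbac-test-record.pdf,Sysadmin,final,yes,2025-03-01
3.X.Y,3.X.Y[a],Examine,SSP 3.X.Y,,IT Director,missing,no,
3.X.Y,3.X.Y[b],Examine,SSP 3.X.Y,,IT Director,missing,no,
"""
DEMO_AS_OF = date(2026, 7, 1)        # constructed report date for the demo
MAX_EVIDENCE_AGE_DAYS = 365          # assumed threshold; the article sets no number
EVIDENCE_STATES = {"final", "draft", "missing", "stale"}   # the Step 4 vocabulary


@dataclass
class ObjectiveRow:
    requirement_id: str
    objective_id: str
    methods: list[str]               # Examine / Interview / Test
    ssp_ref: str
    evidence_link: str
    owner: str
    evidence_state: str              # final | draft | missing | stale
    applicable: bool
    validation_date: date | None


def parse_tracker(text: str) -> list[ObjectiveRow]:
    """Parse the CSV tracker, rejecting rows that use an unknown evidence state."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        r = {k: (v or "").strip() for k, v in rec.items()}
        if r["evidence_state"].lower() not in EVIDENCE_STATES:
            raise ValueError(f"{r['objective_id']}: unknown evidence_state {r['evidence_state']!r}")
        rows.append(ObjectiveRow(
            r["requirement_id"], r["objective_id"], r["method"].split(";"),
            r["ssp_ref"], r["evidence_link"], r["owner"], r["evidence_state"].lower(),
            r["applicable"].lower() == "yes",
            date.fromisoformat(r["validation_date"]) if r["validation_date"] else None))
    return rows


def objective_satisfied(row: ObjectiveRow) -> bool:
    """Only FINAL evidence that is linked and traceable to an SSP section counts;
    drafts, missing items and stale evidence never support a MET finding."""
    return row.evidence_state == "final" and bool(row.evidence_link) and bool(row.ssp_ref)


def rollup(rows: list[ObjectiveRow]) -> dict[str, str]:
    """Requirement-level finding: MET, NOT MET, or N/A (no applicable objectives)."""
    by_req: dict[str, list[ObjectiveRow]] = {}
    for row in rows:
        by_req.setdefault(row.requirement_id, []).append(row)
    findings = {}
    for req_id, objs in by_req.items():
        applicable = [o for o in objs if o.applicable]
        if not applicable:
            findings[req_id] = "N/A"         # treated as MET for scoring
        elif all(objective_satisfied(o) for o in applicable):
            findings[req_id] = "MET"
        else:
            findings[req_id] = "NOT MET"     # one unmet applicable objective sinks it
    return findings


def blocking_objectives(rows: list[ObjectiveRow]) -> dict[str, list[str]]:
    """For each requirement that cannot score MET, the objectives holding it back."""
    out: dict[str, list[str]] = {}
    for row in rows:
        if row.applicable and not objective_satisfied(row):
            out.setdefault(row.requirement_id, []).append(f"{row.objective_id} ({row.evidence_state})")
    return out


def stale_evidence(rows: list[ObjectiveRow], as_of: date,
                   max_age_days: int = MAX_EVIDENCE_AGE_DAYS) -> list[str]:
    """Final evidence whose validation date is missing or older than the threshold."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [r.objective_id for r in rows
            if r.applicable and r.evidence_state == "final"
            and (r.validation_date is None or r.validation_date < cutoff)]


if __name__ == "__main__":
    tracker = parse_tracker(SAMPLE_TRACKER)
    for req_id, finding in rollup(tracker).items():
        print(f"{req_id}: {finding}")
    print("blocking:", blocking_objectives(tracker))        # {'3.1.1': ['3.1.1[e] (draft)']}
    print("stale:", stale_evidence(tracker, DEMO_AS_OF))    # ['3.1.2[b]']
```

Note that 3.1.1 scores NOT MET even though five of its six objectives have final evidence, which is exactly the gap a 110-item checklist would hide.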

Which CMMC provider category helps with NIST 800-171A assessment objectives?

If your problem is objective-level evidence, the right provider category depends on whether you need implementation help, evidence workflow, secure CUI architecture, or a formal assessment — and readiness help must stay separate from the assessment itself. A C3PAO conducts your Level 2 certification assessment; if you still need remediation, documentation, or environment design, you need a readiness category before you engage a C3PAO (32 CFR Part 170).

| Your real problem | Better-fit category | Not the best first step |
|---|---|---|
| You don’t know your CUI boundary | RP/RPO (Registered Practitioner / Registered Provider Organization) or federal-contracts counsel for scope and legal interpretation | Buying a tool before scope is defined |
| Your SSP and evidence are incomplete | RPO/RP, vCISO, or a CMMC readiness provider. See our NIST 800-171 consultant guide | Scheduling a C3PAO assessment too early |
| Your technical controls aren’t implemented | A CMMC-focused MSSP or a Microsoft GCC High / AWS GovCloud implementer | Policy templates alone |
| Your evidence is scattered across teams | A GRC platform for evidence workflow | Rebuilding the whole environment |
| Your environment is too broad to secure affordably | A CUI enclave (a walled-off environment scoped to just your CUI work) | Trying to make every company system in-scope |
| You’re assessment-ready and the contract requires Level 2 C3PAO | An authorized C3PAO | A readiness consultant acting as your assessor |

This table is our editorial guidance based on the regulatory separation between readiness work, evidence workflow, secure architecture, and formal assessment. It is not a CMMC score, a legal opinion, or a named-provider ranking.

The independence rule you can’t ignore: the firm that prepares you generally cannot also be the C3PAO that conducts your Level 2 certification assessment. 32 CFR Part 170 requires the Accreditation Body’s Code of Professional Conduct to prohibit CMMC Ecosystem members from participating in a Level 2 certification assessment when they previously served as a consultant to prepare that organization for a CMMC assessment within the prior three years (32 CFR Part 170). Treat any provider that offers to “remediate and then certify” the same engagement as a conflict, and slow down.

A quick, important disqualifier: not every CMMC problem is a C3PAO problem. If your gaps are really scope, implementation, documentation, or workflow issues, hiring a C3PAO first wastes money and time. Sort the problem type before you sort the vendor.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Not sure whether you need an RPO, an MSSP, a GRC platform, a CUI enclave, or a C3PAO?

That’s exactly what Find My CMMC Path is for. Give us your level, scope, environment, and timeline, and we’ll get you matched with source-checked provider options in the right category — before you request quotes.


Common mistakes that turn applicable objectives into NOT MET

Most objective-level failures come from treating NIST SP 800-171A like a paperwork exercise instead of an evidence exercise. The fix is to connect each objective to final evidence, to people who can explain the control, and to proof it actually runs.

| Mistake | Why it fails | Do this instead |
|---|---|---|
| Preparing only against the 110 requirement titles | One requirement can hold five or six objectives | Track and evidence the objective-level statements |
| Treating policy as proof of implementation | A policy shows intent, not operation | Pair policy with configs, logs, tickets, tests, and interviews |
| Relying on draft SSPs or unapproved policies | Draft/unapproved evidence isn’t acceptable for MET | Finalize and approve evidence before you rely on it |
| Building to NIST 800-171A Rev. 3 for CMMC | Rev. 3 isn’t the CMMC Level 2 baseline yet | Build to the original 800-171A / 800-171 Rev. 2 unless your contract says otherwise |
| No SSP-to-evidence mapping | The SSP guides assessment scope; assessors trace claims to it | Put SSP section references in your tracker |
| Storing raw CUI in the evidence folder | Creates a new, uncontrolled CUI repository | Reference evidence safely; redact where appropriate |
| Asking a C3PAO to remediate your gaps | Creates a conflict-of-interest and independence problem | Keep readiness help and formal assessment separate |

What we actually verified

We built this page from primary and authoritative sources, and we checked the version status ourselves because it’s the fact most likely to cost a contractor money. The 320-objective figure is the count NIST SP 800-171A defines across the 110 requirements, applied under the CMMC Level 2 Assessment Guide and the DoD Assessment Methodology.

| What we verified | Where we verified it |
|---|---|
| NIST SP 800-171A’s purpose and role as the assessment companion | NIST CSRC, SP 800-171A |
| That the original 800-171A was withdrawn May 14, 2024 and superseded by Rev. 3 | NIST CSRC, SP 800-171A; SP 800-171A Rev. 3 |
| Assessment objectives, methods (Examine/Interview/Test), and object types | NIST SP 800-171A, PDF |
| CMMC Level 2 maps to NIST SP 800-171 Rev. 2; MET/NOT MET/N/A findings; final-evidence rule | 32 CFR Part 170; CMMC Level 2 Assessment Guide |
| That a DoD class deviation keeps CMMC on Rev. 2, with adoption of Rev. 3 left to future rulemaking | DoD, CMMC alignment to NIST standards |
| SPRS score obligations, assessment confidence levels, and the CMMC clause | DFARS 252.204-7019; 252.204-7020; 252.204-7021 |
| Phase timing (Phase 1: Nov 10, 2025 – Nov 9, 2026; Phase 2 begins Nov 10, 2026) | DoD CIO, CMMC |

Last verified: July 1, 2026. Regulatory facts change — the class-deviation status and the eventual move to Rev. 3 are the items we re-check most often. If you’re reading this well after the date above, confirm the current rule status before you act.

What to do next

If you’re just learning, get the concepts straight first. If you’re preparing for a score or an assessment, build the objective-level tracker before you request quotes or schedule a C3PAO.

Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before you make an assessment decision. The contract clause and your CUI handling set the level — not a checklist.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.


Frequently asked questions

What are NIST 800-171A assessment objectives?

NIST 800-171A assessment objectives are the determination statements used to assess whether a NIST SP 800-171 security requirement is satisfied. Each objective is part of an assessment procedure that also includes potential methods (Examine, Interview, Test) and objects (specifications, mechanisms, activities, individuals). Requirements are built from one or more objectives.

Are assessment objectives the same as controls?

No. For CMMC Level 2, the 110 NIST SP 800-171 Rev. 2 requirements (sometimes called controls) are what get scored, while the assessment objectives are the smaller, evidence-level determinations behind each requirement. There are 110 requirements but 320 objectives.

How many NIST 800-171A assessment objectives are there?

There are 320 assessment objectives across the 110 requirements for CMMC Level 2. CMMC Level 1 covers 15 basic safeguarding requirements from FAR 52.204-21, with its own smaller objective set defined in the CMMC Level 1 Assessment Guide. Level 3 adds the objectives for 24 enhanced requirements from NIST SP 800-172, assessed with NIST SP 800-172A.

What are Examine, Interview, and Test?

Examine means reviewing assessment objects such as documents, configurations, or logs. Interview means discussing a control with the people responsible for it. Test means exercising a mechanism or activity under specified conditions to compare actual behavior with expected behavior. An assessor selects the methods needed to reach a finding — not every method is used for every objective.

Does CMMC Level 2 use NIST 800-171 Rev. 2 or Rev. 3?

CMMC Level 2 currently uses NIST SP 800-171 Revision 2 and the original NIST SP 800-171A. NIST has published SP 800-171A Rev. 3, but a DoD class deviation keeps CMMC tied to Rev. 2, and assessors are not authorized to grade against Rev. 3 until DoD amends the rule.

Is NIST 800-171A withdrawn?

The original NIST SP 800-171A was withdrawn by NIST on May 14, 2024 and superseded by Rev. 3. It remains the assessment guide used for CMMC Level 2, because a DoD class deviation keeps CMMC aligned to NIST SP 800-171 Revision 2.

Do I have to satisfy every assessment objective?

For scoring, a requirement is MET only when all of its applicable objectives are satisfied with final evidence. If one applicable objective is not satisfied, the requirement is NOT MET. Objectives that genuinely don’t apply to your scope are marked Not Applicable, which counts as MET for that item.

Can draft policies count as evidence?

No. Under CMMC’s assessment approach, evidence used to support a MET finding must be final. Working papers, drafts, and unofficial or unapproved policies are not acceptable evidence.

Does my SSP need to address the assessment objectives?

Your System Security Plan should describe your system boundary, environment, and how each requirement is implemented, and NIST states that assessments using 800-171A are guided by the SSP. Your SSP and objective-level evidence tracker should connect clearly enough for an assessor to trace each claim to its proof.

Should I hire a C3PAO to fix my assessment objectives?

Not for implementation or remediation on the same engagement. A C3PAO is the formal assessment category, and independence rules keep the firm that prepares you separate from the firm that conducts your Level 2 certification assessment. If you need to fix gaps, use a readiness category (RPO/RP, MSSP, GRC platform, or CUI enclave) first.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This article is educational research, not legal, contractual, or compliance advice. Confirm your CMMC level, scope, and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. Provider-matching may generate referral or lead-routing compensation, disclosed at the point of recommendation.