NIST 800-171A Assessment Objectives: The 320 Checks That Actually Decide Your CMMC Score
NIST 800-171A assessment objectives are the individual “determine if” statements — NIST calls them determination statements — that an assessor uses to decide whether you actually meet each NIST SP 800-171 security requirement. Here’s the part that ambushes most teams: for CMMC Level 2, the 110 security requirements are assessed through 320 assessment objectives, even though your score is tallied at the requirement level. A requirement is MET only when every applicable objective is satisfied with final evidence.
That single fact — 110 requirements, 320 objectives — is why a checklist that looked “done” can still fail a real assessment. And sitting underneath it is a version trap we’ll unpack in a minute: the exact 800-171A document CMMC uses was officially withdrawn by NIST, yet it’s still the one that governs your Level 2 assessment. We’ll show you why, with the primary sources, so you don’t build to the wrong standard.
This page is for the people doing the actual work — CISOs, IT directors, compliance managers, FSOs, contracts officers, and small-DIB owners preparing a NIST 800-171 self-assessment, an SPRS score, a CMMC Level 2 gap assessment, or a C3PAO-readiness package. See also our CMMC Level 2 requirements guide and the CMMC CAP (Assessment Process) overview.
NIST 800-171A assessment objectives in one screen
| Question | Direct answer |
|---|---|
| What is NIST SP 800-171? | The 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems — the technical baseline for CMMC Level 2. |
| What is NIST SP 800-171A? | The companion publication that tells you how those 110 requirements are assessed — the objectives, methods, and evidence sources. |
| What is an assessment objective? | A single determination statement (e.g., “authorized users are identified”) that must be satisfied by evidence. Requirements are built from one or more of them. |
| How many are there? | 320 assessment objectives across the 110 requirements for CMMC Level 2. |
| What are the assessment methods? | Examine, Interview, and Test. |
| How does it affect scoring? | A requirement scores MET only when all applicable objectives are satisfied with final evidence. One unmet applicable objective makes the whole requirement NOT MET. |
| Which version applies to CMMC? | The original NIST SP 800-171A (June 2018), aligned to NIST SP 800-171 Revision 2 — even though NIST has since withdrawn it. Rev. 3 does not apply to CMMC yet. |
Find My CMMC Path
The right CMMC provider isn't the same for every contractor. The category you need — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. (The contract clause sets your level, not a checklist.) Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
- What it asks: your required CMMC level, FCI vs CUI handling, assessment type, IT/cloud environment, and contract timeline
- What you get: the provider category that fits your situation and the readiness steps to get there, with the questions to ask before requesting quotes
- Educational triage only: free · 2-minute assessment · no obligation · do not submit CUI, drawings, or sensitive contract details
What are NIST 800-171A assessment objectives?
NIST 800-171A assessment objectives are the specific determination statements used to judge whether each NIST SP 800-171 security requirement is satisfied. They turn a broad requirement into smaller, checkable conditions an assessor can examine, discuss, and test — and each one has to be backed by real evidence. NIST SP 800-171A is the assessment-methodology companion to NIST SP 800-171; it provides the assessment procedures, objectives, methods, and objects for evaluating whether your system is compliant (NIST CSRC, SP 800-171A).
Think of the two documents as a test and its answer key. NIST SP 800-171 says “limit system access to authorized users.” NIST SP 800-171A breaks that into six separate things an assessor has to verify: are authorized users identified, are processes acting on their behalf identified, are authorized devices identified, is access actually limited to those users, to those processes, to those devices? Every one of those six is a separate objective with its own evidence requirement.
Your score lands on the requirement. But the assessor gets there by working through the objectives. That distinction is the whole game, and it’s the thing a “110-item checklist” quietly skips.
One honest admission before we go further
We’re a trade publication, not your assessor and not your lawyer. We can’t scope your environment, assign your SPRS score, or tell you which objectives are Not Applicable to you — because that’s decided entirely by your system boundary and how CUI actually flows through it. Only your System Security Plan (SSP) and a qualified Registered Practitioner or federal-contracts attorney can nail that down. What we can do is make all 320 objectives make sense, show you the kind of evidence each one needs, and point you to the right kind of help before you spend six figures.
What is the difference between NIST 800-171 and NIST 800-171A?
NIST SP 800-171 is the list of security requirements; NIST SP 800-171A is the guide for assessing them. One tells you what to implement, the other tells you how it’s verified. For CMMC Level 2 today, the rule points to NIST SP 800-171 Revision 2 for the requirements and the original NIST SP 800-171A for the assessment procedures (32 CFR Part 170).
| | NIST SP 800-171 Rev. 2 | NIST SP 800-171A (June 2018) |
|---|---|---|
| Answers | “What must I do to protect CUI?” | “How is each requirement assessed?” |
| Contains | 110 requirements across 14 families | The assessment objectives, methods, and objects behind those requirements |
| Unit | The requirement | The objective (there are 320 of them) |
| CMMC role | The Level 2 technical baseline | The Level 2 assessment methodology |
A common mistake worth stopping on: NIST 800-171A is not “the 110 controls.” It’s the assessment companion. If someone hands you 800-171A expecting a control list, they’ve mixed up the two documents — and that confusion tends to travel straight into a weak evidence plan. See our CMMC vs. NIST 800-171 comparison for a broader breakdown of how the two sets of documents relate.
Why 320 objectives instead of 110 controls — and what happens if you miss one
For CMMC Level 2, the 110 NIST SP 800-171 Rev. 2 requirements are assessed through 320 objective-level determinations, and a requirement is only scored MET when every applicable objective is satisfied with final evidence. If one applicable objective is not satisfied, the requirement is NOT MET — there is no partial credit at the objective level for most requirements (CMMC Level 2 Assessment Guide; NIST SP 800-171A).
This is the single most expensive misunderstanding we see. A team spends months confirming they’ve “addressed” all 110 requirements, walks in feeling ready, and discovers the assessor is working from a much longer list — and that a policy sitting next to requirement 3.4.1 doesn’t automatically satisfy the objectives buried inside it.
Take the very first requirement, 3.1.1 (Access Control). On paper it’s one line about limiting system access to authorized users, processes, and devices. In NIST SP 800-171A it becomes six separate objectives (NIST SP 800-171A, PDF):
| Objective | The determination the assessor makes | Typical method |
|---|---|---|
| 3.1.1[a] | Authorized users are identified | Examine, Interview |
| 3.1.1[b] | Processes acting on behalf of authorized users are identified | Examine |
| 3.1.1[c] | Devices (and other systems) authorized to connect are identified | Examine |
| 3.1.1[d] | System access is limited to authorized users | Examine, Test |
| 3.1.1[e] | System access is limited to authorized processes | Examine, Test |
| 3.1.1[f] | System access is limited to authorized devices/systems | Examine, Test |
One requirement. Six things you have to prove. Multiply that logic across all 110, and you land at 320.
The 110 requirements are built unevenly. Here’s the verified family-level structure from NIST SP 800-171 Rev. 2, so you can see where the weight sits before you plan your evidence:
| NIST SP 800-171 Rev. 2 family | Requirements | What its objectives mostly test |
|---|---|---|
| 3.1 Access Control | 22 | Who and what can connect, and whether access is actually limited — the largest family. |
| 3.2 Awareness and Training | 3 | Role-based awareness, proven by more than a generic annual slide deck. |
| 3.3 Audit and Accountability | 9 | Logging, retention, review process, and the people who run it. |
| 3.4 Configuration Management | 9 | Baselines, change control, least functionality, allow/deny lists. |
| 3.5 Identification and Authentication | 11 | Identity, multifactor authentication (MFA), and where exceptions apply. |
| 3.6 Incident Response | 3 | Plan, testing, reporting, tracking, and roles — all have to connect. |
| 3.7 Maintenance | 6 | Maintenance records and remote-maintenance controls. |
| 3.8 Media Protection | 9 | Removable media, marking, transport, sanitization, encryption. |
| 3.9 Personnel Security | 2 | Screening and, critically, access termination when people leave. |
| 3.10 Physical Protection | 6 | Physical access control tied to a clearly defined facility scope. |
| 3.11 Risk Assessment | 3 | Vulnerability-scan cadence, risk review, and remediation. |
| 3.12 Security Assessment | 4 | SSP and Plan of Action & Milestones (POA&M) — the documents that shape scope. |
| 3.13 System and Communications Protection | 16 | Boundary protection, encryption, architecture, CUI flow. |
| 3.14 System and Information Integrity | 7 | Flaw remediation, monitoring, and alerting — proven in operation. |
| Total | 110 | Expanding to 320 assessment objectives. |
In our reading of the assessment guides and practitioner reporting, five families carry most of the assessment weight: Access Control, System and Communications Protection, Audit and Accountability, Identification and Authentication, and Incident Response. They’re the most heavily enforced, the most evidence-driven, and the most closely tied to real breach paths — which is why they generate a disproportionate share of findings. That’s our editorial read of where to focus first, grounded in the verified structure above.
How many assessment objectives are there at each CMMC level?
CMMC Level 1 covers 15 requirements, Level 2 has 320 assessment objectives, and Level 3 adds enhanced objectives from NIST SP 800-172A on top of the Level 2 set. The number climbs with the sensitivity of the information you handle and the assessment type your contract requires (CMMC assessment guides, DoD CIO).
| CMMC Level | Applies to | Requirements | Assessment objectives | Who assesses it |
|---|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) only | 15 (FAR 52.204-21) | A smaller set defined in the CMMC Level 1 Assessment Guide | Annual self-assessment |
| Level 2 | CUI | 110 (NIST SP 800-171 Rev. 2) | 320 | Self-assessment or a C3PAO, depending on the contract |
| Level 3 | The most sensitive CUI | 110 + 24 enhanced requirements from NIST SP 800-172 | 320 + the NIST SP 800-172A objectives for those 24 | DCMA DIBCAC, and only after you hold Final Level 2 (C3PAO) |
Two clarifications that trip up even experienced teams:
- Level 3 is not a standalone track. You must first achieve Final Level 2 (C3PAO) for the same or a larger scope, and then DIBCAC assesses the 24 selected enhanced requirements from NIST SP 800-172 using the NIST SP 800-172A objectives (32 CFR Part 170).
- Basic / Medium / High ≠ Level 1 / 2 / 3. The DoD Assessment Methodology’s confidence levels — Basic (a contractor self-assessment, low confidence), Medium, and High (a government assessment using NIST SP 800-171A) — describe how much confidence the government has in a score (DFARS 252.204-7020). CMMC Levels describe the certification tier your contract requires. Different axes.
Which version of 800-171A does CMMC use — and why a “withdrawn” document still governs your assessment
CMMC Level 2 uses the original NIST SP 800-171A (June 2018), aligned to NIST SP 800-171 Revision 2 — even though NIST withdrew that document in May 2024 and replaced it with Revision 3. A DoD class deviation ties CMMC and DFARS 252.204-7012 to Revision 2, and CMMC assessors are not authorized to grade against Revision 3 (NIST CSRC, SP 800-171A; 32 CFR Part 170).
This is the section that saves people the most money, so we’ll be precise. When we pulled up NIST’s own page for SP 800-171A, it carries a “Withdrawn” banner — the original was withdrawn on May 14, 2024 and superseded by SP 800-171A Rev. 3. Land on that page cold, and it’s easy to panic, download Rev. 3, and start building to the wrong standard. Don’t. Here’s the reality:
| | What CMMC uses today | What NIST currently publishes |
|---|---|---|
| Document | Original NIST SP 800-171A (June 2018), aligned to 800-171 Rev. 2 | NIST SP 800-171A Rev. 3 (May 2024) |
| Status at NIST | Withdrawn (May 14, 2024) | Current |
| Assessment objectives | 320 | Substantially more (Rev. 3 restructured and expanded the set) |
| Used for CMMC Level 2? | Yes | No — not the CMMC baseline unless DoD amends the rule |
| Why | A DoD class deviation ties DFARS 252.204-7012 (and therefore CMMC) to Rev. 2 | It’s the current NIST publication, but the CMMC rule still points to Rev. 2 |
DoD issued the class deviation in May 2024, and it has no announced end date. DoD has been consistent that it will move CMMC to Rev. 3 only through future rulemaking — not automatically (DoD, CMMC alignment to NIST standards).
The red flag to watch for: if a tool, template, or consultant is quoting you Rev. 3 objective counts or Rev. 3 control language for a CMMC Level 2 engagement right now, stop and verify. Build your Level 2 evidence against the original 800-171A / 800-171 Rev. 2 unless your specific contract clause says otherwise. It’s smart to read Rev. 3 to see where things are heading. It is not smart to be assessed against a standard your contract doesn’t reference.
You now know you’re building to the right standard. The next question is how big the job actually is.
Our free CMMC Readiness Checklist maps the 14 control families to what an assessor looks for — the fastest way to see where your evidence already exists and where it doesn’t, before you commit to anything. If you’d rather have us point you to the right kind of help, that’s a couple of sections down.
Get the CMMC Readiness Checklist →
What a single assessment objective actually looks like: Examine, Interview, Test
Every assessment objective comes as a small procedure: the determination statement, the methods used to check it, and the objects those methods are applied to. NIST SP 800-171A defines three assessment methods — Examine, Interview, and Test — and four types of assessment objects. There’s no expectation that an assessor uses every method or every object for every objective (NIST SP 800-171A, PDF).
| Method | What NIST means | What it looks like in the room | Example evidence |
|---|---|---|---|
| Examine | Review, inspect, observe, study, or analyze objects | Look at the artifact | SSP, policy, procedure, configuration export, access list, audit log, ticket |
| Interview | Hold discussions with individuals or groups | Ask the people who run the control | Admin interview, HR interview, incident-response owner interview |
| Test | Exercise mechanisms or activities under specified conditions | Prove the thing actually works | MFA demo, access-revocation test, live log query, scan validation |
The four object types the methods point at — the “where does the evidence come from” categories (NIST SP 800-171A, PDF):
- Specifications — document-based artifacts: policies, procedures, security plans, requirements, functional specs, architecture diagrams.
- Mechanisms — the specific hardware, software, or firmware safeguards doing the work.
- Activities — protection-related actions people perform: running backups, exercising a contingency plan, monitoring traffic.
- Individuals — the people who apply the specifications, mechanisms, and activities.
The reassurance most pages leave out
The lists of potential objects in NIST SP 800-171A are not a mandatory screenshot list. NIST is explicit that organizations aren’t expected to use every method and object on every objective; the objects are candidate evidence sources, not a required artifact checklist. Your job is to show enough final evidence, at the right depth and coverage for your scope, to satisfy each applicable objective. That’s a meaningfully smaller task than “collect one of everything,” and it’s why a tightly scoped environment is so much cheaper to assess than a sprawling one.
What evidence do you need for each assessment objective?
Map each applicable objective to final evidence, an SSP reference, an owner, the method, and a status. Good evidence doesn’t just state intent — it shows the safeguard is implemented, operating, and tied to the boundary that handles CUI. A policy title alone rarely satisfies an objective; assessors want proof the control runs in reality (NIST SP 800-171A, PDF).
The fastest way to read an objective is to look at its verb. NIST’s objectives lean on a small set of them, and each verb points at a different kind of proof:
| When the objective says… | The assessor wants to confirm… | Weak evidence | Stronger evidence |
|---|---|---|---|
| Identified | You know the specific users, systems, roles, assets, or data flows | “We know who has access” | Current access list, asset inventory, data-flow diagram, role mapping |
| Defined | The rule, parameter, or authorization is documented | A generic policy line | Approved policy/procedure with owner, scope, and the system boundary named |
| Enforced | A mechanism actually applies the rule | “The policy says to” | Configuration output, access-control setting, screenshot, test result |
| Monitored | Someone or something watches activity over time | “We have a tool” | Log-source list, alert workflow, a review ticket, a sample event |
| Reviewed | Evidence is periodically evaluated | “Reviewed annually” | Review calendar, signed approval, meeting record, reviewer identity |
| Protected | A system or data set has real safeguards | An “it’s encrypted” claim | Config output, architecture diagram, key-management procedure, test result |
For a tracker that survives an actual assessment, capture these fields per objective:
| Field | Why it matters |
|---|---|
| Requirement ID | Keeps scoring tied to the 110 Rev. 2 requirements |
| Assessment objective ID | Stops one broad control from hiding multiple gaps |
| Method | Examine, Interview, Test, or a mix |
| SSP reference | Shows where the implementation claim lives |
| Evidence link | Points to final, approved evidence |
| Owner | Assigns accountability |
| Status | MET / NOT MET / N/A / remediation in progress |
| POA&M candidate? | Separates your internal backlog from what CMMC actually allows on a POA&M |
| Validation date | Flags stale evidence before an assessor does |
One rule that quietly sinks assessments: evidence has to be final. Under CMMC’s assessment approach, all evidence must be final and not draft — working papers, drafts, and unofficial or unapproved policies are unacceptable evidence for a MET finding (32 CFR Part 170; CMMC Level 2 Assessment Guide). If your SSP says a control is implemented but the supporting policy is still in draft, that objective is not safely evidence-ready — no matter how good the draft is.
A safety note that matters: don’t turn your evidence folder into an uncontrolled CUI repository. Reference evidence, redact where appropriate, and keep sensitive contract data out of general-purpose trackers and web forms.
Seeing the size of the evidence job is the moment most teams realize they need help — the question is what kind.
Before you request a single quote, map your situation to the right provider category. Tell us your level, CUI/FCI scope, environment, and timeline, and Find My CMMC Path points you to the category that fits — not a sales list.
Find My CMMC Path →
How assessment objectives drive your CMMC Level 2 result and SPRS score
Your CMMC Level 2 result and your SPRS score both depend on objective-level findings, but the score itself is calculated at the requirement level. Each of the 110 requirements is scored MET, NOT MET, or Not Applicable based on whether its objectives are satisfied; the SPRS score starts at 110 and drops when requirements go unmet (32 CFR Part 170; DoD Assessment Methodology).
| Finding | What it means | Consequence |
|---|---|---|
| MET | All applicable objectives for the requirement are satisfied with final evidence | Requirement gets credit |
| NOT MET | One or more applicable objectives are not satisfied | Requirement loses its points under the scoring method |
| N/A | The requirement (or objective) genuinely doesn’t apply to your scope | Treated as MET for scoring |
The scoring math you should know before an assessment:
- The DoD Assessment Methodology weights each requirement by impact — a 1-, 3-, or 5-point deduction when it’s NOT MET. Start at a perfect 110; the full range runs down to −203.
- For a Conditional Level 2 status, you generally need a score of at least 88 of 110 (80%), plus a POA&M for the remaining eligible gaps that you close within 180 days.
- Certain high-weight requirements cannot go on a POA&M at all. If those aren’t fully met on assessment day, you don’t certify regardless of your total score. See our CMMC CAP guide for the six barred requirements by name.
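The roll-up rules above, together with the tracker fields from the evidence section (objective ID, method, SSP reference, evidence state, status, POA&M eligibility), can be checked mechanically before an assessor does it for you. The script below is an added example written for this article, not code from NIST, DoD, or the article’s publisher. It applies the stated rules: a requirement is MET only when every applicable objective is MET on final evidence, N/A is treated as MET, the score starts at 110 and drops by the requirement’s 1-, 3-, or 5-point weight when NOT MET, and Conditional Level 2 needs at least 88 with every open gap POA&M-eligible. The six objectives of 3.1.1 are the ones listed earlier on this page; the sample weights, POA&M flags, and the objective lists for the other two requirements are constructed placeholders, not the DoD scoring table. Requirements absent from the sample are treated as MET for the demonstration.

```python
"""Objective-level roll-up and SPRS-style scoring for a NIST SP 800-171A tracker.

Added example, not code from NIST, DoD, or the article. Weights and POA&M
eligibility flags in the sample data are placeholders, not the DoD table.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Objective:
    obj_id: str        # e.g. "3.1.1[a]"
    status: str        # "MET" / "NOT MET" / "N/A" / "remediation in progress"
    evidence: str      # "final" / "draft" / "missing" / "stale" (Step 4 of the tracker)
    method: str = ""   # Examine / Interview / Test
    ssp_ref: str = ""  # SSP section the implementation claim points to


@dataclass
class Requirement:
    req_id: str
    weight: int            # 1-, 3- or 5-point deduction when NOT MET (sample value)
    poam_eligible: bool    # False for requirements that cannot go on a POA&M (sample value)
    objectives: List[Objective]


def roll_up(req: Requirement) -> str:
    """Requirement-level finding derived from its objectives: MET / NOT MET / N/A."""
    applicable = [o for o in req.objectives if o.status != "N/A"]
    if not applicable:
        return "N/A"  # whole requirement out of scope; scored as MET
    for o in applicable:
        # One unmet applicable objective, or a MET claim resting on draft,
        # missing or stale evidence, makes the whole requirement NOT MET.
        if o.status != "MET" or o.evidence != "final":
            return "NOT MET"
    return "MET"


def sprs_score(reqs: List[Requirement]) -> int:
    """Start at 110 and subtract each NOT MET requirement's weight."""
    score = 110
    for r in reqs:
        if roll_up(r) == "NOT MET":
            score -= r.weight
    return score


def readiness_report(reqs: List[Requirement]) -> Dict:
    findings = {r.req_id: roll_up(r) for r in reqs}
    # Objectives marked MET whose evidence is not final: the "looked done" trap.
    not_final = [o.obj_id for r in reqs for o in r.objectives
                 if o.status == "MET" and o.evidence != "final"]
    # Open gaps on requirements that cannot be placed on a POA&M.
    barred_open = [r.req_id for r in reqs
                   if findings[r.req_id] == "NOT MET" and not r.poam_eligible]
    score = sprs_score(reqs)
    return {
        "score": score,
        "findings": findings,
        "not_met": [k for k, v in findings.items() if v == "NOT MET"],
        "met_on_non_final_evidence": not_final,
        "barred_requirements_open": barred_open,
        # >= 88 of 110, and every remaining gap must be POA&M-eligible.
        "conditional_level2_possible": score >= 88 and not barred_open,
    }


def build_sample_tracker() -> List[Requirement]:
    """Constructed sample. 3.1.1[a]-[f] are the objectives the article lists;
    everything else here (weights, POA&M flags, other objective lists) is illustrative."""
    f = "final"
    return [
        Requirement("3.1.1", weight=5, poam_eligible=False, objectives=[
            Objective("3.1.1[a]", "MET", f, "Examine, Interview", "SSP 3.1.1"),
            Objective("3.1.1[b]", "MET", f, "Examine", "SSP 3.1.1"),
            Objective("3.1.1[c]", "MET", f, "Examine", "SSP 3.1.1"),
            Objective("3.1.1[d]", "MET", "draft", "Examine, Test", "SSP 3.1.1"),  # policy still in draft
            Objective("3.1.1[e]", "MET", f, "Examine, Test", "SSP 3.1.1"),
            Objective("3.1.1[f]", "MET", f, "Examine, Test", "SSP 3.1.1"),
        ]),
        Requirement("3.1.2", weight=1, poam_eligible=True, objectives=[
            Objective("3.1.2[a]", "MET", f, "Examine", "SSP 3.1.2"),
            Objective("3.1.2[b]", "remediation in progress", "missing", "Test", "SSP 3.1.2"),
        ]),
        Requirement("3.7.5", weight=1, poam_eligible=True, objectives=[
            Objective("3.7.5[a]", "N/A", f, "Examine", "SSP 3.7.5"),  # N/A justification documented
            Objective("3.7.5[b]", "N/A", f, "Examine", "SSP 3.7.5"),
        ]),
    ]


if __name__ == "__main__":
    for key, value in readiness_report(build_sample_tracker()).items():
        print(f"{key}: {value}")
```

With the sample data the report scores 104 and flags 3.1.1 as NOT MET because objective [d] is claimed MET on a draft policy; since 3.1.1 is marked non-POA&M-eligible in the sample, conditional status is reported as not possible even though 104 clears the 88-point line. Finalizing that one policy flips 3.1.1 to MET and the report to conditional-eligible, which is exactly the "one objective sinks the requirement" dynamic the article describes.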
Where the results go depends on the assessment type:
- Level 2 self-assessment: your organization performs it, submits the score plus an executive affirmation to SPRS, and re-affirms annually.
- Level 2 C3PAO assessment: an accredited C3PAO conducts it and enters results into CMMC eMASS (DoD’s system of record for CMMC), which then flows to your CMMC status (DoD CIO, CMMC).
The obligation to have a current NIST SP 800-171 score in SPRS predates CMMC. DFARS 252.204-7019 requires a current assessment — not more than three years old — with summary-level scores posted in SPRS for covered systems relevant to the offer. CMMC then adds a required CMMC status on top, through DFARS 252.204-7021, which the contracting officer inserts in the contract and which took effect November 10, 2025.
Where can you download the NIST 800-171A assessment objectives spreadsheet?
NIST publishes the 800-171A assessment objectives for free as a PDF, a CSV, and an XLSX spreadsheet; the PDF is the authoritative version if the files ever disagree. For CMMC-specific guidance on each objective, use the DoD’s CMMC Level 2 Assessment Guide alongside it (NIST CSRC, SP 800-171A).
- NIST SP 800-171A — full text (PDF): nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf
- NIST SP 800-171A — publication page (PDF, CSV, XLSX): csrc.nist.gov/pubs/sp/800/171/a/final
- DoD CMMC Level 2 Assessment Guide: dodcio.defense.gov/cmmc
The spreadsheet gives you every requirement and its objectives in rows. What it doesn’t give you is a place to track your evidence. That’s the work our CMMC Readiness Checklist is built for — it maps the families to what an assessor asks for, so you can turn the official objective list into an evidence plan with owners and status instead of a static reference. Download the official file first; use the checklist to make it actionable.
How to build a NIST 800-171A objective-level evidence tracker (without blowing your scope)
Start with scope, not the spreadsheet. Define the CUI system boundary in your SSP first, then map each applicable objective to final evidence, separate true remediation from documentation gaps, and validate the tracker before you rely on it for SPRS or a C3PAO. NIST is clear that assessments using SP 800-171A are guided and informed by the SSP — the plan describes your boundary, environment, and implementations, which is what makes an assessment scopeable (NIST SP 800-171A, PDF).
- Step 1 — Confirm CUI scope and your contract path. FCI vs. CUI changes your level. The contract clause and how you handle CUI set the level — not a checklist. If you’re a subcontractor, flow-down matters; 32 CFR Part 170 sets the minimum status a subcontractor needs based on what the prime requires. See our FCI vs. CUI guide.
- Step 2 — Anchor to the SSP. Every implementation claim in the tracker should point to a section of your SSP. If the SSP doesn’t describe how a requirement is met and where the evidence lives, that’s your first gap.
- Step 3 — Build the tracker at the objective level. All 110 requirements, all 320 objectives, each with method, SSP reference, owner, status, POA&M eligibility, and validation date. This is where the 110-item checklist mindset dies and readiness begins.
- Step 4 — Mark every piece of evidence as final, draft, missing, or stale. Remember: drafts don’t count for MET. This one column tells you honestly how ready you are.
- Step 5 — Run a mock assessment. Not for status — for truth. Have someone who didn’t build the evidence try to break it. Interviews and tests expose the gap between “the policy says” and “the system does.” Our NIST 800-171 gap analysis guide covers the format and scope.
- Step 6 — Diagnose the type of problem. Is it a scope problem, a documentation problem, an implementation problem, or an assessment-readiness problem? Each points to a different kind of help — which is the next section.
Which CMMC provider category helps with NIST 800-171A assessment objectives?
If your problem is objective-level evidence, the right provider category depends on whether you need implementation help, evidence workflow, secure CUI architecture, or a formal assessment — and readiness help must stay separate from the assessment itself. A C3PAO conducts your Level 2 certification assessment; if you still need remediation, documentation, or environment design, you need a readiness category before you engage a C3PAO (32 CFR Part 170).
| Your real problem | Better-fit category | Not the best first step |
|---|---|---|
| You don’t know your CUI boundary | RP/RPO (Registered Practitioner / Registered Provider Organization) or federal-contracts counsel for scope and legal interpretation | Buying a tool before scope is defined |
| Your SSP and evidence are incomplete | RPO/RP, vCISO, or a CMMC readiness provider. See our NIST 800-171 consultant guide | Scheduling a C3PAO assessment too early |
| Your technical controls aren’t implemented | A CMMC-focused MSSP or a Microsoft GCC High / AWS GovCloud implementer | Policy templates alone |
| Your evidence is scattered across teams | A GRC platform for evidence workflow | Rebuilding the whole environment |
| Your environment is too broad to secure affordably | A CUI enclave (a walled-off environment scoped to just your CUI work) | Trying to make every company system in-scope |
| You’re assessment-ready and the contract requires Level 2 C3PAO | An authorized C3PAO | A readiness consultant acting as your assessor |
The independence rule you can’t ignore: the firm that prepares you generally cannot also be the C3PAO that conducts your Level 2 certification assessment. 32 CFR Part 170 requires the Accreditation Body’s Code of Professional Conduct to prohibit CMMC Ecosystem members from participating in a Level 2 certification assessment when they previously served as a consultant to prepare that organization for a CMMC assessment within the prior three years (32 CFR Part 170). Treat any provider that offers to “remediate and then certify” the same engagement as a conflict, and slow down.
A quick, important disqualifier: not every CMMC problem is a C3PAO problem. If your gaps are really scope, implementation, documentation, or workflow issues, hiring a C3PAO first wastes money and time. Sort the problem type before you sort the vendor.
Not sure whether you need an RPO, an MSSP, a GRC platform, a CUI enclave, or a C3PAO?
That’s exactly what Find My CMMC Path is for. Give us your level, scope, environment, and timeline, and we’ll get you matched with source-checked provider options in the right category — before you request quotes.
Find My CMMC Path →
Common mistakes that turn applicable objectives into NOT MET
Most objective-level failures come from treating NIST SP 800-171A like a paperwork exercise instead of an evidence exercise. The fix is to connect each objective to final evidence, to people who can explain the control, and to proof it actually runs.
| Mistake | Why it fails | Do this instead |
|---|---|---|
| Preparing only against the 110 requirement titles | One requirement can hold five or six objectives | Track and evidence the objective-level statements |
| Treating policy as proof of implementation | A policy shows intent, not operation | Pair policy with configs, logs, tickets, tests, and interviews |
| Relying on draft SSPs or unapproved policies | Draft/unapproved evidence isn’t acceptable for MET | Finalize and approve evidence before you rely on it |
| Building to NIST 800-171A Rev. 3 for CMMC | Rev. 3 isn’t the CMMC Level 2 baseline yet | Build to the original 800-171A / 800-171 Rev. 2 unless your contract says otherwise |
| No SSP-to-evidence mapping | The SSP guides assessment scope; assessors trace claims to it | Put SSP section references in your tracker |
| Storing raw CUI in the evidence folder | Creates a new, uncontrolled CUI repository | Reference evidence safely; redact where appropriate |
| Asking a C3PAO to remediate your gaps | Creates a conflict-of-interest and independence problem | Keep readiness help and formal assessment separate |
What we actually verified
We built this page from primary and authoritative sources, and we checked the version status ourselves because it’s the fact most likely to cost a contractor money. The 320-objective figure is the count NIST SP 800-171A defines across the 110 requirements, applied under the CMMC Level 2 Assessment Guide and the DoD Assessment Methodology.
| What we verified | Where we verified it |
|---|---|
| NIST SP 800-171A’s purpose and role as the assessment companion | NIST CSRC, SP 800-171A |
| That the original 800-171A was withdrawn May 14, 2024 and superseded by Rev. 3 | NIST CSRC, SP 800-171A; SP 800-171A Rev. 3 |
| Assessment objectives, methods (Examine/Interview/Test), and object types | NIST SP 800-171A, PDF |
| CMMC Level 2 maps to NIST SP 800-171 Rev. 2; MET/NOT MET/N/A findings; final-evidence rule | 32 CFR Part 170; CMMC Level 2 Assessment Guide |
| That a DoD class deviation keeps CMMC on Rev. 2, with adoption of Rev. 3 left to future rulemaking | DoD, CMMC alignment to NIST standards |
| SPRS score obligations, assessment confidence levels, and the CMMC clause | DFARS 252.204-7019; 252.204-7020; 252.204-7021 |
| Phase timing (Phase 1: Nov 10, 2025 – Nov 9, 2026; Phase 2 begins Nov 10, 2026) | DoD CIO, CMMC |
What to do next
If you’re just learning, get the concepts straight first. If you’re preparing for a score or an assessment, build the objective-level tracker before you request quotes or schedule a C3PAO.
- Still learning the landscape? Start with our plain-language explainers on what CMMC Level 2 requires, FCI vs. CUI, and the NIST 800-171 requirements checklist.
- Need to post or defend an SPRS score? Build the objective-level tracker, confirm your SSP scope, validate that your evidence is final, and understand your DFARS 252.204-7019/-7020 obligations.
- Preparing for a C3PAO assessment? Confirm your contract actually requires a Level 2 certification (C3PAO) assessment rather than a Level 2 self-assessment, keep readiness help separate from the assessor, validate objective-level evidence, and check for any independence conflict before you sign. Read our CMMC Level 2 assessment preparation guide and the CMMC CAP (Assessment Process) overview.
- Not sure what kind of help you need? That's the most common place to be, and it's the whole reason we built the matching tool.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Find My CMMC Path →
Frequently asked questions
What are NIST 800-171A assessment objectives?
NIST 800-171A assessment objectives are the determination statements used to assess whether a NIST SP 800-171 security requirement is satisfied. Each objective is part of an assessment procedure that also includes potential methods (Examine, Interview, Test) and objects (specifications, mechanisms, activities, individuals). Requirements are built from one or more objectives.
Are assessment objectives the same as controls?
No. For CMMC Level 2, the 110 NIST SP 800-171 Rev. 2 requirements (sometimes called controls) are what get scored, while the assessment objectives are the smaller, evidence-level determinations behind each requirement. There are 110 requirements but 320 objectives.
How many NIST 800-171A assessment objectives are there?
There are 320 assessment objectives across the 110 requirements for CMMC Level 2. CMMC Level 1 covers 15 basic safeguarding requirements from FAR 52.204-21, with its own smaller objective set defined in the CMMC Level 1 Assessment Guide. Level 3 adds the objectives for 24 enhanced requirements from NIST SP 800-172, assessed with NIST SP 800-172A.
What are Examine, Interview, and Test?
Examine means reviewing assessment objects such as policies, procedures, configurations, or logs (specifications, mechanisms, and activities). Interview means discussing a requirement with the individuals or groups responsible for it. Test means exercising a mechanism or activity under specified conditions and comparing actual behavior with expected behavior. An assessor selects the methods needed to reach a finding; not every method is used for every objective, and a single objective can draw on more than one.
Does CMMC Level 2 use NIST 800-171 Rev. 2 or Rev. 3?
CMMC Level 2 currently uses NIST SP 800-171 Revision 2 and the original NIST SP 800-171A. NIST has published SP 800-171A Rev. 3, but a DoD class deviation keeps CMMC tied to Rev. 2, and assessors are not authorized to grade against Rev. 3 until DoD amends the rule.
Is NIST 800-171A withdrawn?
The original NIST SP 800-171A was withdrawn by NIST on May 14, 2024 and superseded by Rev. 3. It remains the assessment guide used for CMMC Level 2, because a DoD class deviation keeps CMMC aligned to NIST SP 800-171 Revision 2.
Do I have to satisfy every assessment objective?
For scoring, a requirement is MET only when all of its applicable objectives are satisfied with final evidence. If one applicable objective is not satisfied, the requirement is NOT MET. Objectives that genuinely don’t apply to your scope are marked Not Applicable, which counts as MET for that item.
Can draft policies count as evidence?
No. Under CMMC’s assessment approach, evidence used to support a MET finding must be final. Working papers, drafts, and unofficial or unapproved policies are not acceptable evidence.
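The two rules above (every applicable objective must be satisfied, and only final evidence counts) are what an objective-level tracker has to encode. The following is an added example, not code from this page or from any CMMC tool: a minimal Python tracker that rolls objective findings up to requirement findings. The sample rows are constructed for illustration; the bracket-letter objective IDs follow 800-171A's labelling style, the objective texts are paraphrases, and the scoping claim behind the N/A row is a hypothetical assumption, not a statement that the requirement is N/A for any real environment. Point weights from the DoD Assessment Methodology are deliberately not modelled here.

```python
"""Objective-level evidence tracker (added example, not from the page).

Rules encoded:
  - a requirement is MET only when every applicable objective has FINAL evidence
  - one applicable objective without final evidence -> requirement NOT MET
  - an objective that does not apply is skipped; a requirement whose
    objectives are all N/A rolls up to N/A, which scores as MET
  - draft or unapproved artifacts never count toward a MET finding
"""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NA = "N/A"


@dataclass
class Evidence:
    artifact: str
    method: str        # Examine | Interview | Test
    final: bool        # only final, approved artifacts support a MET finding


@dataclass
class Objective:
    id: str            # e.g. "3.1.1[a]" in 800-171A's labelling style
    text: str
    applicable: bool = True
    evidence: list[Evidence] = field(default_factory=list)

    def satisfied(self) -> bool:
        """True only if at least one FINAL artifact backs this objective."""
        return any(e.final for e in self.evidence)


def roll_up(objectives: list[Objective]) -> Status:
    """Derive the requirement-level finding from its objectives."""
    applicable = [o for o in objectives if o.applicable]
    if not applicable:
        return Status.NA
    if all(o.satisfied() for o in applicable):
        return Status.MET
    return Status.NOT_MET


def blockers(objectives: list[Objective]) -> list[str]:
    """Objective IDs currently holding the requirement at NOT MET.

    Draft-only evidence shows up here on purpose: it reads as 'done' in a
    checklist but does not satisfy the objective.
    """
    return [o.id for o in objectives if o.applicable and not o.satisfied()]


def summarize(tracker: dict[str, list[Objective]]) -> dict[str, int]:
    """Count requirements per finding; N/A is counted as MET for the tally."""
    counts = {"MET": 0, "NOT MET": 0}
    for objectives in tracker.values():
        status = roll_up(objectives)
        counts["MET" if status in (Status.MET, Status.NA) else "NOT MET"] += 1
    return counts


# Constructed sample rows (illustration only; texts are paraphrases).
SAMPLE_TRACKER: dict[str, list[Objective]] = {
    "3.1.1": [
        Objective("3.1.1[a]", "authorized users are identified",
                  evidence=[Evidence("Access Control Policy v2.1", "Examine", final=True)]),
        Objective("3.1.1[b]", "processes acting on behalf of authorized users are identified",
                  # draft inventory: looks done, but does NOT satisfy the objective
                  evidence=[Evidence("Service account inventory (DRAFT)", "Examine", final=False)]),
    ],
    "3.1.2": [
        Objective("3.1.2[a]", "types of transactions and functions are defined",
                  evidence=[Evidence("Role matrix v1.0", "Examine", final=True)]),
        Objective("3.1.2[b]", "system access is limited to those transactions and functions",
                  evidence=[Evidence("RBAC enforcement walkthrough", "Test", final=True)]),
    ],
    # Hypothetical scoping assumption: no mobile devices touch the CUI boundary.
    "3.1.18": [
        Objective("3.1.18[a]", "mobile devices that handle CUI are identified", applicable=False),
    ],
}

if __name__ == "__main__":
    for req, objs in SAMPLE_TRACKER.items():
        print(req, roll_up(objs).value, blockers(objs))
    print(summarize(SAMPLE_TRACKER))
```

Running it shows 3.1.1 at NOT MET because of 3.1.1[b], 3.1.2 at MET, and 3.1.18 at N/A; the draft artifact is the reason the "done-looking" requirement fails. In a real tracker each Evidence row would also carry the SSP section it supports so an assessor can trace the claim to its proof.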
Does my SSP need to address the assessment objectives?
Your System Security Plan should describe your system boundary, environment, and how each requirement is implemented, and NIST states that assessments using 800-171A are guided by the SSP. Your SSP and objective-level evidence tracker should connect clearly enough for an assessor to trace each claim to its proof.
Should I hire a C3PAO to fix my assessment objectives?
Not for implementation or remediation on the same engagement. A C3PAO is the organization authorized to conduct the formal Level 2 certification assessment, and independence rules keep the firm that prepared you from also being the firm that assesses you. If you need to fix gaps, use a readiness category (RPO/RP, MSSP, GRC platform, or CUI enclave) first.