Framework comparison · Free audit on each

CMMC 2.0 vs NIST SP 800-171

These aren't competing frameworks — CMMC 2.0 is HOW you prove SP 800-171 compliance. NIST 800-171 defines the 110 controls; CMMC defines the assessment model (self vs C3PAO vs DIBCAC). If you're a DoD contractor, you need to understand both. Side-by-side + free audit.

Free CMMC 2.0 audit →
Free NIST SP 800-171 Rev. 2 audit →

Side-by-side

Full name
  • CMMC 2.0: Cybersecurity Maturity Model Certification 2.0 (DFARS 252.204-7021 / 32 CFR Part 170)
  • NIST SP 800-171 Rev. 2: NIST Special Publication 800-171 Rev. 2 — Protecting CUI in Nonfederal Systems

Jurisdiction
  • CMMC 2.0: US DoD contractors + subcontractors handling FCI or CUI
  • NIST SP 800-171 Rev. 2: All federal contractors handling CUI (DFARS 252.204-7012)

Who must comply
  • CMMC 2.0: Any company in the DIB receiving FCI (L1) or CUI (L2/L3)
  • NIST SP 800-171 Rev. 2: Any federal contractor (not just DoD) that processes/stores/transmits CUI

Enforcer
  • CMMC 2.0: DoD via Cyber AB-accredited C3PAOs (Level 2) + DIBCAC (Level 3)
  • NIST SP 800-171 Rev. 2: Contracting officer + DIBCAC + DoJ Civil Cyber-Fraud Initiative

Max fine / exposure
  • CMMC 2.0: False Claims Act treble damages ($2M–$11M+ settlements); contract ineligibility
  • NIST SP 800-171 Rev. 2: FCA exposure on a misrepresented SPRS score (e.g., Aerojet $9M, Verizon $4M)

Certification model
  • CMMC 2.0: L1: annual self-assessment + senior official affirmation. L2: triennial C3PAO (some self-assess). L3: triennial DIBCAC.
  • NIST SP 800-171 Rev. 2: Self-assessed SPRS score (max 110) reported under DFARS 252.204-7019

Cadence
  • CMMC 2.0: L1 annual self-assessment + senior official affirmation; L2/L3 triennial third-party assessment
  • NIST SP 800-171 Rev. 2: Continuous; SPRS score updated as controls change; POA&M maintained

Top required clauses
  • CMMC 2.0:
      • System Security Plan (SSP) — most-cited gap
      • CUI scoping + asset categorization (32 CFR 170.19)
      • L1: 17 practices (FAR 52.204-21)
      • L2: all 110 NIST SP 800-171 Rev. 2 practices
      • L3: 800-171 + selected 800-172 enhanced security
      • DFARS 252.204-7012 72-hour incident reporting via DIBNet
  • NIST SP 800-171 Rev. 2:
      • 110 controls across 14 families (AC, AU, AT, CM, IA, IR, MA, MP, PS, PE, RA, CA, SC, SI)
      • MFA for privileged + network access (3.5.3)
      • FIPS 140-validated cryptography (3.13.11)
      • 72-hour incident reporting (3.6.2 + DFARS 252.204-7012)
      • Periodic vulnerability scanning + remediation (3.11.2/3)

Deep dive
  • CMMC 2.0: Full CMMC 2.0 guide →
  • NIST SP 800-171 Rev. 2: Full NIST SP 800-171 Rev. 2 guide →

Where they overlap — ~100%

If you already implement these for one framework, ~100% of the work for the other is already done.

  • All 110 NIST SP 800-171 controls are CMMC Level 2 practices (1:1 mapping)
  • Same SSP + POA&M artefacts
  • Same SPRS scoring methodology
  • Same DFARS 252.204-7012 incident reporting (72h)
  • Same FIPS 140-validated crypto requirement
  • Same CUI scoping concepts

Where they diverge

Unique to CMMC 2.0

  • Adds Level 1 (17 practices = FAR 52.204-21) for FCI-only contractors
  • Adds Level 3 (800-171 + 35 selected 800-172 enhanced practices)
  • REQUIRES third-party C3PAO assessment for most Level 2 (no longer just self-assess)
  • Adds CUI asset categorization (CUI Assets, Security Protection Assets, CRMA, Specialized Assets, Out-of-Scope)
  • Triennial assessment cycle (not continuous)
  • External Service Providers (ESPs) handling CUI must themselves be CMMC L2 certified
  • Senior Official affirmation in SPRS — personal accountability for accuracy

Unique to NIST SP 800-171 Rev. 2

  • Pure control catalog — 110 controls, 14 families
  • Self-assessment model (SPRS score 1–110)
  • Applies to ALL federal CUI contractors, not just DoD
  • POA&M allowed for unmet controls (with deadlines)
  • No assessment body required (until CMMC kicks in for DoD)
  • Maps to NIST SP 800-53 Rev. 5 control families

Which one do I need?

Are you a DoD contractor handling CUI (CDI, CTI, etc.)?

CMMC 2.0

CMMC 2.0 Level 2 is required for most CUI contracts. C3PAO assessment now in effect via 48 CFR rule.

Are you a federal CIVILIAN contractor (GSA, HHS, etc.) handling CUI?

NIST SP 800-171 Rev. 2

800-171 still applies via FAR 52.204-21 and contract clauses, but no CMMC requirement (yet). Self-assess.

Are you a DoD contractor handling FCI only (no CUI)?

CMMC 2.0

CMMC Level 1 = 17 FAR 52.204-21 practices. Annual self-assessment + senior official affirmation.

Subcontractor to a DoD prime?

CMMC 2.0

Flow-down: primes MUST require CMMC of any sub touching FCI/CUI. Get certified at the level matching the data you handle.

Common pitfalls

Self-assessed SPRS score that can't be defended

Under the DoJ Civil Cyber-Fraud Initiative, an inflated SPRS basic assessment score is False Claims Act exposure. Aerojet Rocketdyne settled at $9M. Every control marked 'implemented' needs evidence: the policy, the procedure, and screenshots or tickets showing the control actually operating.

Treating External Service Providers as out of scope

Per the CMMC final rule (32 CFR 170), ESPs handling CUI must themselves be CMMC L2 certified. Many MSPs/MSSPs are scrambling to get there; primes must verify an ESP's certification status before flow-down.

No FIPS 140-validated cryptography for CUI

SC.L2-3.13.11 requires FIPS 140-validated modules, NOT just 'AES-256': using an approved algorithm is not enough, the specific module implementing it must hold a validation certificate. Many cloud services offer FIPS modes that are NOT enabled by default, so confirm the mode is actually on. Document the validation certificate # for each module in your SSP.

FAQ

Is CMMC the same as NIST 800-171?

CMMC Level 2 = NIST SP 800-171 Rev. 2 (110 controls, 1:1). CMMC adds the assessment model (self vs C3PAO vs DIBCAC), Level 1 (17 FAR practices for FCI), and Level 3 (800-171 + enhanced 800-172 practices). The control content at L2 is identical.

When does CMMC become enforced?

The 48 CFR rule (DFARS 252.204-7021) is in effect: DoD began phased inclusion in solicitations in 2025, with full coverage by 2028. New solicitations already require Level 2 self-assessment or C3PAO assessment, depending on the contract.

Can I self-attest at Level 2?

Only for a limited subset of contracts the DoD program office identifies as 'self-assessment eligible' (typically lower-criticality CUI). The majority of Level 2 contracts require triennial C3PAO assessment.

Audit your existing policy — free

Paste your current policy and get a clause-by-clause grade against either framework in 20 seconds. No signup. 3 audits/day.

Audit against CMMC 2.0
Audit against NIST SP 800-171 Rev. 2