The Department of Defense (DoD) has been battling digital threats for decades, striving to fortify the defense industrial base (DIB). To achieve this, numerous cybersecurity requirements have been introduced for organizations that process or store Controlled Unclassified Information (CUI). Among these requirements are NIST SP 800-171 and CMMC 2.0, which, while similar in many ways, also have distinct differences in their approach.
In this article, we will explain the differences between NIST SP 800-171 and CMMC 2.0, and explore how they relate to other existing regulations, namely the Federal Acquisition Regulations (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
What Is NIST 800-171?
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 is a set of cybersecurity guidelines created to protect CUI within non-federal information systems and organizations. Compliance with NIST SP 800-171 was made a contractual requirement through DFARS clause 252.204-7012, which was issued in 2016. Today, the 7012 clause is commonly found in both DoD contracts and subcontracts.
Developed based on input from industry experts and government officials under the direction of NIST, NIST SP 800-171 contains the minimum security requirements that the federal government deems necessary to protect CUI data, regardless of the size of the entity that holds the data. The standard consists of 110 requirements, each covering different areas of an organization’s IT technology, policy, and practices. These requirements are divided into 14 families:
- Access Control – Limits system access to authorized users and controls the flow of CUI within the system.
- Awareness and Training – Educates team members on the importance of cybersecurity, teaching them how to protect sensitive information effectively.
- Audit and Accountability – Tracks and records system activities, providing a detailed log that can pinpoint who did what and when.
- Configuration Management – Keeps systems running smoothly and securely by standardizing settings and managing changes.
- Identification and Authentication – Identifies and authenticates users and devices accessing the information system to prevent unauthorized access.
- Incident Response – Provides a plan for handling and recovering from cyberattacks.
- Maintenance – Performs regular updates and fixes to keep systems patched and functioning correctly.
- Media Protection – Secures physical storage media holding sensitive data (hard drives, removable media, etc.).
- Personnel Security – Secures the human element, ensuring that those with access to CUI are thoroughly vetted and managed.
- Physical Protection – Restricts access to the actual buildings and hardware housing data.
- Risk Assessment – Proactively identifies and addresses potential security threats, keeping the organization a step ahead of risks.
- Security Assessment – Regularly evaluates security measures to ensure they’re effective, adapting to new threats as they arise.
- System and Communications Protection – Guards data as it travels within and exits an organization’s network.
- System and Information Integrity – Maintains the accuracy and trustworthiness of system data, promptly addressing any flaws or vulnerabilities.
There is no certification process for NIST SP 800-171 compliance that contractors would have to pass in order to prove their ability to protect CUI. Instead, contractors are expected to self-assess their compliance with NIST SP 800-171, and they are required to demonstrate it only when requested by the DoD.
What Is CMMC?
The self-assessment nature of NIST SP 800-171 resulted in many cybersecurity gaps among DoD contractors, so the DoD decided to create the Cybersecurity Maturity Model Certification (CMMC). The goal of CMMC is to improve the cybersecurity posture of the DIB by introducing a framework where compliance with specific cybersecurity standards is verified through a mix of self-assessments and third-party assessments, depending on the level and specific contract requirements.
CMMC was first introduced in January 2020 as a five-tier compliance model. In November 2020, the DoD introduced an interim rule via DFARS 252.204-7019 and 7020 to strengthen the existing DFARS 7012 requirements while the CMMC program was being ramped up. This interim rule required contractors to perform a self-assessment against NIST SP 800-171 and provide a score to the DoD prior to contract award.
However, after a comprehensive internal review and public feedback, the DoD announced a new version in November 2021. CMMC 2.0, as this new version is called, is divided into three tiers based on the type of information that DIB members handle. This tiered approach allows for targeted security measures, flexibility and scalability, and streamlined compliance and assessment. The three tiers are:
- CMMC Level 1: Intended for contractors handling only Federal Contract Information (FCI), this level requires compliance with 17 key requirements derived from the Federal Acquisition Regulation (FAR) clause 52.204-21. Level 1 uses a self-assessment model.
- CMMC Level 2: Designed for contractors handling CUI, this level validates the implementation of the 110 requirements contained in NIST SP 800-171 Revision 2. For level two, the self-assessment option is available, but it may not be practical or applicable for most contractors.
- CMMC Level 3: The highest tier within the CMMC 2.0 program, level three is reserved for contractors integral to the DoD’s most critical programs and technologies. In addition to the 110 requirements of level two, level three includes 24 requirements from NIST SP 800-172. Assessments at this level are conducted directly by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
CMMC 2.0 employs two types of assessments to meet the needs and realities of contractors at different levels: self-assessment and certification assessment. Self-assessments are used exclusively at CMMC Level 1 and are expected to be adopted by a small percentage of Level 2 contractors. Certification assessments, conducted by a Certified 3rd Party Assessor Organization (C3PAO) or DIBCAC, are used for the majority of CMMC Level 2 and all Level 3 contractors.
CMMC 2.0 will be required in contracts by adding a reference to DFARS 252.204-7021. Contractors must obtain certification before or during the bidding process, as there is no provision for certification post-contract award. When a contract necessitates CMMC 2.0 Level 2 or higher, CMMC 2.0 will be incorporated alongside NIST SP 800-171 and DFARS 7012 through DFARS 7021. It is important to note that CMMC 2.0 does not supersede the previous DFARS 7012 requirements.
What Is the Difference Between NIST SP 800-171 and CMMC?
| Aspect | NIST SP 800-171 | CMMC 2.0 |
| --- | --- | --- |
| Certification Process | Self-assessment only | Self-assessments combined with mandatory third-party certification for most Level 2 contractors and all Level 3 contractors |
| Requirements | Narrowly focused on CUI protection | Broader, covering cybersecurity maturity beyond just CUI handling |
| Plan of Actions and Milestones | Allows organizations to have a POA&M in place at the start of an assessment with no limit on the number of practices included. | Introduces structured guidelines for POA&Ms, specifying that not all requirements can be deferred, particularly the highest weighted requirements. Allows for a limited waiver process for select mission-critical needs, subject to senior DoD leadership approval. |
As the descriptions of NIST SP 800-171 and CMMC 2.0 above show, the two frameworks differ in several important aspects.
Certification Process
NIST SP 800-171 does not require a formal certification process. Contractors self-assess their compliance with the framework’s 110 security requirements and implement necessary measures to meet these standards. This self-assessment approach allows for flexibility but has led to inconsistencies in the implementation and enforcement of cybersecurity measures across the DIB.
CMMC 2.0 introduces a certification process that varies based on the level. Level 1 requires self-assessment, while most Level 2 and all Level 3 contractors must undergo assessments conducted by accredited third-party assessors. This process verifies that contractors have implemented the required cybersecurity practices and processes at one of three defined levels of maturity. The certification is intended to create a standardized level of cybersecurity across all contractors within the DIB.
Scope
The scope of NIST SP 800-171 is narrowly focused on protecting Controlled Unclassified Information (CUI) by establishing baseline cybersecurity standards. It consists of 110 security requirements that contractors must self-assess and implement to ensure the protection of CUI within their systems and organizations.
On the other hand, CMMC 2.0 has a broader scope, covering cybersecurity maturity beyond just CUI handling. While CMMC Levels 1 and 2 go no further than the 110 security requirements of NIST SP 800-171, CMMC Level 3 incorporates additional requirements from NIST SP 800-172. These extra requirements address advanced cybersecurity practices such as:
- Establishing and maintaining a security operations center capability that operates at a specified frequency (3.6.1e).
- Conducting penetration testing at a specified frequency, leveraging automated scanning tools and ad hoc tests using subject matter experts (3.12.1e).
- Verifying the integrity of security-critical or essential software using root of trust mechanisms or cryptographic signatures (3.14.1e).
- Monitoring organizational systems and system components on an ongoing basis for anomalous or suspicious behavior (3.14.2e).
Plan of Actions and Milestones (POA&Ms)
NIST SP 800-171 allows organizations to have a POA&M in place at the start of an assessment and provides an action plan with specific dates for attaining full compliance while working with federal agencies. There is no limit to the number of practices that can be included in a POA&M, providing organizations the latitude to manage and prioritize their compliance efforts as they see fit.
CMMC 2.0 introduces more structured guidelines regarding the use of POA&Ms. While it still allows for the use of POA&Ms, CMMC 2.0 specifies that not all requirements can be deferred to the POA&M. In particular, the highest weighted requirements, which are deemed critical for the protection of CUI, cannot be included in a POA&M. This approach ensures that certain foundational cybersecurity practices are in place prior to contract award.
CMMC 2.0 also introduces a limited waiver process. This process allows for the exclusion of certain CMMC requirements from acquisitions for select mission-critical needs, subject to senior DoD leadership approval. The waiver process is applied to the entire CMMC requirement, not individual cybersecurity practices, and is intended for use in very limited circumstances.
Conclusion
NIST SP 800-171 remains the cornerstone of cybersecurity for handling CUI, but CMMC 2.0 raises the bar by mandating third-party assessments and introducing a tiered structure that reflects an organization’s cybersecurity maturity. This shift towards third-party certification for most Level 2 and all Level 3 contractors aims to create a more robust and consistent cybersecurity posture across the defense industrial base. As a result, contractors must now prioritize not only the implementation of security controls but also the demonstration of their effectiveness to an external assessor.