Call now for cybersecurity help: 888-646-1616
Holly Sagstetter

CMMC vs. NIST 800-171: What US Government Contractors Need to Know

January 11, 2021,

CMMC and NIST 800-171. Every day we receive emails and phone calls from companies that need help with compliance. Preparing for CMMC certification is a huge undertaking, and you should start preparing NOW if you haven't already. 

The NIST 800-171 deadline was December 31, 2017, and CMMC is rolling out now. If you’re a government contractor, you’re probably familiar with NIST 800-171. But what about CMMC? It’s in the process of being created but will be the new standard for future Department of Defense (DoD) contracts. Both NIST 800-171 and CMMC pertain to information security processes and standards. 

This article will be updated as more information becomes available. 

What is Controlled Unclassified Information (CUI)?

According to the National Archives and Records Administration (NARA), Controlled Unclassified Information (CUI) is:

...information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

What does that actually mean? CUI is information created or owned by the US government and needs to be protected due to a law, regulation or government-wide policy. Instead of using designations like “For Official Use Only” or “Sensitive But Unclassified”, the designation CUI is used instead. 

The CUI Registry contains information about the categories and subcategories of CUI. It specifically states what is considered CUI and how to properly mark the information.

What is NIST 800-171?

NIST 800-171 was developed by the National Institute of Standards and Technology (NIST) to provide standards of protecting CUI. NIST 800-171 contains 109 specific things that you, as a government contractor, must do to help protect the United States against cybersecurity attacks. The deadline for compliance with NIST 800-171 was December 31, 2017. 

Hackers want to learn what you sell to the government (and in what amounts) to gain intelligence about US government activity and military plans. By implementing NIST 800-171, the DoD was trying to make it harder for cyber attackers.

NIST 800-171 Control Families and Requirements

NIST 800-171 contains a long list of security requirements. This can be quite overwhelming for small firms. There are 109 specific task items within these 14 control families:

NIST control families

Compliance with NIST 800-171

If you’re a government contractor and need access to CUI, you must follow the security procedures outlined in NIST 800-171 and verify compliance. Your customers should have audited your compliance with NIST 800-171. 

You need to prove that your computers are protected against hackers, that your staff knows how to handle confidential government data and that your team knows how to spot a cyber attack AND how to handle it responsibly. And, most importantly, you need to protect your revenue by proving that you were open and transparent when you said “yes, we comply with NIST 800-171.” 

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is in the process of being created. It contains 17 capability domains and 5 levels of cybersecurity maturity. CMMC will serve as a verification method to ensure compliance with certain cybersecurity practices to protect CUI.

The Department of Defense (DoD) is planning to shift to the CMMC framework to create a unified cybersecurity standard for DoD contracts. According to The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)), “security is foundational to acquisition and should not be traded along with cost, schedule and performance moving forward”. 

Basically, too many contractors didn’t comply with NIST 800-171 before (or after) the deadline, so the CMMC is a reaction to that. Contractors will need a valid CMMC certification (of a certain level) to bid or win a DoD contract. Allowing firms to self-certify their compliance with NIST 800-171 is not working, so they’re moving towards a third-party audit process with CMMC. 

DFARS Interim Rule - November 2020

The Interim Rule solidifies that CMMC will be the new framework for DoD contracts moving forward. Contractors are required to report a self-assessment score based on NIST 800-171. 

You should upload your score now if you haven’t done so already. 

CMMC and NIST 800-171 Capability Domains

There are 17 capability domains within CMMC, many of which you’ll recognize from the NIST 800-171 control families. Domains designated with * are not included with NIST 800-171.

CMMC Capability domains

There are 5 maturity levels. Higher CMMC levels means higher restrictions and advanced cybersecurity protections. Hot 

CMMC Maturity Levels

CMMC Maturity Levels

Your company will need to achieve a certain maturity level depending on what type of information (whether that’s FCI or CUI) your company needs to protect. 

*Note for MSPs: Only a very small percentage of government contractors will be over Level 3. You shouldn't need any full-time staff to be added (like a full-time security person) for Levels 1-3. It will still be a lot of work if your clients don't have anything in place, but you don't need to go crazy on monitoring and staffing. If your client isn't very large, then you probably don't need to worry about Level 4 or 5.

CMMC Level 1 - Performed / Basic Cyber Hygiene

17 Total Practices

Level 1 Organizations focus on protecting Federal Contact Information (FCI) and need to follow the basic safeguarding requirements.

CMMC Level 2 - Documented

71 Total Practices

Level 2 Organizations need to establish and document practices and policies. Level 2 includes some NIST 800-171 requirements and only a subset of practices concern CUI protection.

CMMC Level 3 - Managed

130 Total Practices

Level 3 Organizations focus on protecting CUI and must follow all of the security requirements in NIST 800-171 plus additional practices. 

CMMC Level 4 - Reviewed

156 Total Practices

Level 4 Organizations work to protect CUI from Advanced Persistent Threats (APTs). In addition to following 

CMMC Level 5 - Optimizing 

171 Total Practices

Level 5 Organizations need to standardize and optimize processes across their organization, since you’ll be protecting CUI from APTs. 

CMMC Timeline

Nov 2020: DFARS Interim Rule became effective. CMMC will be phased in over the next 5 years.

2021: 15 contracts anticipated to have CMMC requirements*

2022: 75 contracts

2023: 250 contracts

2024: 325 contracts

2025: 475 contracts

Until 2025: the Office of the Under Secretary of Defense for Acquisition and Sustainment must approve the inclusion of the CMMC requirement in any solicitation.

*estimated targets listed under FAQ #26:

CMMC Accreditation Body  

So how do you receive your CMMC Level? Your organization will need to be certified. There won’t be an option for self-certification.

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) is a non-profit, independent organization overseeing CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors. 

The CMMC-AB’s website indicates that the CMMC is still being finalized, so there are currently no complete standards to follow (yet) and no training for assessors (yet). 

CMMC-AB Registered Practitioners

CMMC-AB Registered Practitioners (CMMC-AB RP) provide advice, consulting and recommendations to clients regarding CMMC. They receive training and assist with implementing programs that align with CMMC standards. 

Adelia Risk’s CISO Josh Ablett is a CMMC-AB RP, and specializes in CMMC Level 3 Certification. We've helped clients with cybersecurity since 2010 and with NIST 800-171/CMMC since 2017. We offer a tried-and-true, repeatable process to find your gaps, build a plan, and work with you to get where you need to go. Learn more: 

How can you prepare for a CMMC audit? 

Even without a complete standard to follow, your organization can get started on a self-assessment by utilizing the most current CMMC Model. Assessing your organization against NIST 800-171 would also be wise. 

Near the end of this article you’ll find a sample compliance checklist and direct links to NIST 800-171. We cannot stress enough that if you are a government contractor and want to continue working as a government contractor you need to be prepared for a CMMC audit. The best way to prepare for the CMMC audit is to comply with NIST 800-171 ASAP. Then, once CMMC is fully finalized you won’t have an overwhelming amount of work to do. 

Adelia Risk can assess your business and identify gaps with NIST 800-171. We help you demonstrate compliance at the lowest possible cost. Learn more: 

CMMC and NIST 800-171: how are they different?

As we’ve explained, there are similarities between NIST 800-171 and CMMC. Both regulations pertain to cybersecurity standards and protecting CUI. Here are some major differences:

  1. Organizations can self-assess their compliance with NIST 800-171. CMMC requires third-party assessments.
  2. CMMC includes three new domains: Asset Management, Recovery and Situational Awareness.
  3. CMMC has five different levels of maturity. 

Complying with NIST 800-171 is very close to achieving CMMC Level 3. This means there are two “lower” levels of CMMC, which essentially scales down the cybersecurity requirements for smaller organizations. This also means there are two “higher” levels of CMMC, which include additional practices and standards. 

CMMC and NIST 800-171: If I comply with NIST am I compliant with CMMC?

Not really, but it's a great place to start! If you're aiming for CMMC Levels 3-5 you should definitely work on getting compliant with NIST 800-171, since those levels contain the standards of NIST. 

Adelia Risk can assess your business and identify gaps with NIST 800-171. We help you demonstrate compliance at the lowest possible cost. Learn more  

NIST/CMMC: Sample Checklist for Compliance

Small firms, this section is for you! You may be wondering about the overall cost for compliance. For the clients we work with (even small ones), it's usually at least in the tens of thousands of dollars between the audit, the documentation, and all of the technology fixes required. It's definitely worth asking "are you sure you want to keep doing business with the DoD" before you go too far down the path.

In terms of getting your arms around cost, here's what we typically see small companies need to do to get there (this isn't a complete list, just some of the big things):

  • Finally get their arms around Active Directory permissions and their messy file shares
  • 2FA all the things, even at computer login and on any email access
  • Segregate out all of those old WinXP/Win7 computers so they can't touch the Internet or, if possible, the network
  • Get everything up to Win10
  • Start doing vulnerability scanning and get patching under control (third party too)
  • Implement higher-security logging across all machines, and selectively collect logs into a SIEM
  • Roll out some kind of MDR
  • Roll out some kind of MDM
  • Enforce encryption on all devices
  • Set up visitor tracking software
  • Badge all the doors and restrict access
  • Make sure firewalls are up to snuff
  • Big old policy
  • Lots of upfront and ongoing training
  • Ongoing training and phishing tests
  • Stop people from using Dropbox and Google Drive and install a properly secured file sharing mechanism
  • Move everyone off of Admin accounts to Standard on their local machine
  • Replace Wi-Fi routers with FIPS-140-validated
  • Set up a way to assess the compliance of their downstream vendors
  • Lots of physical security and process changes to make sure that paper can't be stolen, criminal background checks on hiring, etc.

And the list goes on. That's not meant to be exhaustive, and during your gap assessment you might find good reasons why some of these aren't necessary. Check out the 21 Most Common CMMC Technology Projects

Helpful CMMC Links

Securing the DoD Supply Chain: Experts discuss CMMC’s impact on suppliers: video featuring DoD CISO Katie Arrington 

CMMC Model: Overview briefing, current Model and Appendices

CMMC Accreditation Body Website

CMMC Audit Preparation - Community Resources

NIST 800-171 v2 - use for self-assessment before a CMMC audit

National Checklist Program Repository - NIST 800-171 security checklists


The deadline for NIST 800-171 has long since passed. Whether you self-certified your organization or put it off, you can’t do that for much longer. CMMC encompasses NIST 800-171 and there won’t be an option for self-certification. If you have contracts with the DoD, you will be audited by the CMMC-AB. So it’s best to prepare sooner than later if you want to continue with government contracts. 

Use NIST 800-171 and the current model of the CMMC to start preparing for your CMMC audit. 

Want help with your cybersecurity?

Adelia Risk can assess your business and identify gaps with NIST 800-171. We help you demonstrate compliance at the lowest possible cost. Our CISO Josh Ablett is a CMMC-AB Registered Practitioner and specializes in CMMC Level 3 Certification. Learn more: 

Have questions or feedback?  Please share them in the comments below.

Like this article?  Share it!

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2024 Adelia Associates, LLC | All Rights Reserved