CMMC Model - Official DoD FAQ

What Is the Relationship Between NIST SP 800-171 and CMMC?

Source: DoD CIO CMMC FAQs v5 (B-Q2)

NIST SP 800-171 is the federal safeguarding standard for controlled unclassified information (CUI) required by 32 CFR Part 2002, which the Department implemented contractually through inclusion of DFARS clause 252.204-7012 in applicable contracts. As of November 10, 2025, applicable contractors are required to undergo a Level 2 self-assessment to verify compliance with NIST SP 800-171 Revision 2 requirements. Beginning November 10, 2026, CMMC Level 2 third-party assessments will be required.

NIST 800-171 Is the Foundation of CMMC

Understanding the relationship between NIST SP 800-171 and CMMC is critical. In simple terms: NIST SP 800-171 defines the requirements, and CMMC verifies you've implemented them.

The Evolution

Before CMMC, defense contractors were required to self-attest compliance with NIST SP 800-171 under DFARS 252.204-7012. The problem? A 2019 DoD IG report found that many contractors claimed compliance but hadn't actually implemented the controls. CMMC was created to add independent verification to the process.

How They Map Together

  • CMMC Level 1: 15 requirements from FAR 52.204-21 (a subset of 800-171)
  • CMMC Level 2: All 110 requirements from NIST SP 800-171 Rev 2
  • CMMC Level 3: 110 requirements from 800-171 + 24 requirements from NIST SP 800-172

Key Timeline

Now through November 2026: Level 2 self-assessments against NIST SP 800-171 Rev 2 are required. After November 2026: Third-party (C3PAO) assessments become mandatory for applicable contracts.

If you've already been implementing NIST SP 800-171 under DFARS 7012, you're not starting from scratch. CMMC Level 2 uses the exact same 110 controls; the difference is that now someone independent verifies your implementation.
