NIST 800-171 versus CMMC

Corserva blog

Since the end of 2017, all subcontractors working within Department of Defense (DoD) supply chains have been required to comply with the NIST 800-171 mandate. Since then, the Cybersecurity Maturity Model Certification (CMMC) has been published. Suppliers need to understand the differences between NIST 800-171 and CMMC and how they impact the DoD contracts under which they are working.

Controlling Unclassified Information

As described in DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, subcontractors must protect two categories of unclassified information: Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).


NIST 800-171

NIST Special Publication (SP) 800-171 requires compliance by all subcontractors working within the federal supply chain, whether they are subcontractors working for a prime or subcontractors working for another subcontractor. The NIST 800-171 mandate provides guidance as to how CUI should be accessed, shared, and stored.

CMMC

CMMC is a new unified cybersecurity standard created by the DoD to increase the security posture of companies operating in DoD supply chains. CMMC is being rolled out gradually and will eventually replace NIST 800-171. (Learn more in "What is CMMC compliance?")


Differences Between NIST 800-171 and CMMC

Because CMMC is to be rolled out gradually, there will be a period where both NIST 800-171 and CMMC will be in effect. It is expected that starting in 2020, CMMC will be included in some RFPs, and by 2026, all new DoD contracts will require CMMC.




Suppliers working under multiple contracts may be complying with NIST 800-171 on some contracts and CMMC on others.

NIST 800-171 was about compliance whereas CMMC is about reducing risk in DoD supply chains. What hasn't changed is the goal – to protect information.


Effective Dates

NIST 800-171

As of December 31, 2017, all DoD suppliers were expected to be in compliance with NIST 800-171.

CMMC

Version 1.0 of the CMMC model was released in January 2020, with a minor update to Version 1.02 in March 2020. The DoD is gradually transitioning from NIST 800-171 to CMMC, and by 2026, all new DoD contracts will require CMMC. No existing contracts will have CMMC requirements inserted into them; CMMC requirements will appear only in new future contracts.


Methods of Compliance

NIST 800-171

Compliance with NIST 800-171 can be achieved on your own or with the help of an outside company. Self-attestation is possible.

CMMC

To meet CMMC, you must pass an assessment performed by an outside CMMC Third Party Assessment Organization (C3PAO), which submits the assessment report to the CMMC Accreditation Body (CMMC-AB) for approval.




Security Requirements

NIST 800-171

There are 14 families of requirements in NIST 800-171 and across the 14 families are a total of 110 individual requirements.

CMMC

There are a total of 171 cybersecurity best practices across 17 capability domains in CMMC.

Maturity Levels

NIST 800-171

There are no levels in NIST 800-171.

CMMC

There are five maturity levels in CMMC. Levels 1–3 encompass the 110 security requirements specified in NIST 800-171, so you can think of NIST 800-171 as the foundation for CMMC. For DoD contracts with CMMC requirements, it is expected that most companies will need to meet Level 1, 2, or 3.




Proof of Compliance

NIST 800-171

To comply with NIST 800-171, you submit your System Security Plan (SSP) and Plan of Action with Milestones (POA&M) to your DoD prime contractor or subcontractor at the time of contract initiation or renewal (or when asked to produce them). These documents serve as proof of compliance.

CMMC

For CMMC, after assessment by a third-party assessment organization (C3PAO), the C3PAO submits the assessment report to the CMMC-AB for approval. The approved assessment report serves as proof of compliance and is needed before the contract can be awarded.


How Does This Impact Bidding?

NIST 800-171

Under NIST 800-171, as long as you had created SSPs and POA&Ms, you could bid on, win, and even start working on contracts. You wouldn't need to provide those documents until asked for them by your prime.

CMMC

For CMMC, you must be able to pass the assessment performed by the C3PAO to win a contract. A POA&M describing what changes you plan to make to become compliant is not sufficient. If you do not pass at the time of the assessment, it is expected there will be a grace period of 90 days during which you can implement changes to receive certification. Only after you have made those changes will the C3PAO submit your assessment to the CMMC-AB for approval.


How Do I Know If I Need to Comply?

NIST 800-171

For NIST 800-171, you may receive notification from a prime or subcontractor via mail or email. Or, you might be notified via messages you see when logging into a portal that you use for procurement or order management. You may or may not receive direct notification about your need to comply. Keep in mind that if you receive no notification, this does not mean you do not need to comply. It's possible the notification was sent but the correct person to receive it never saw it.

CMMC

For contracts that require subcontractors to meet CMMC, you must be certified to CMMC at the time of contract award. Even before that, it is possible that a contractor would expect you to be certified at the time of proposal. If a contract requires CMMC, the requirement will be stated in the RFP in Section C ("Description/specifications/statement of work") and Section L ("Instructions, conditions, and notices to offerors or respondents").




Costs to Comply

NIST 800-171

If you have the internal security staff and the time, compliance with NIST 800-171 can be achieved completely internally using free resources and documents available from the government. You can also use an outside partner to perform the assessment and even develop the SSP and POA&M for you, as well as perform the needed remediation work.

CMMC

For CMMC, there will be some cost for the assessment by the C3PAO. Costs will depend upon several factors, including the level to which certification is needed (1–5).

Self-Attestation

NIST 800-171

Yes, self-attestation is possible with NIST 800-171.

CMMC

No, there is no option for self-attestation with CMMC.




Required Evidence

NIST 800-171

Compliance with NIST 800-171 requires that you create documents such as SSPs and POA&Ms.

CMMC

The approval of an assessment submitted by the C3PAO to the CMMC-AB for review constitutes evidence of CMMC compliance.


Get Ready for CMMC

There are steps you can take now to get ready for CMMC. Contact Corserva to learn how to get ready for CMMC.

Corserva is a CMMC-AB Registered Provider Organization™ (RPO) and we are listed on the CMMC-AB Marketplace.



Post Date: July 14, 2020 // 4:26 PM


Lisa DeVoto

Lisa has 25+ years of experience working for technology companies in B2B marketing and technical communications. She has written on various technology topics including disaster recovery, IT services, and enterprise software. Lisa has an MBA from University of Connecticut and a BS in Computer Science from Rensselaer Polytechnic Institute.