NIST 800-171 and CMMC, explained
NIST 800-171 sets the requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. CMMC is the US Department of Defense programme that verifies contractors meet them. In short, 800-171 is the control set, and CMMC is the certification built on top of it for the defense supply chain.
What NIST 800-171 is
NIST SP 800-171 protects Controlled Unclassified Information held by contractors and other non-federal organisations. It organises requirements into 14 families, covering access control, audit, configuration management, incident response, system protection, and more.
Defense contractors are typically required to meet it through the DFARS clause in their contracts, and to record an implementation score that reflects how many requirements are in place.
What CMMC adds
CMMC, the Cybersecurity Maturity Model Certification, was created because self-attestation to 800-171 was not always reliable. CMMC verifies the practices are genuinely in place, with the level of verification scaling to the sensitivity of the information.
The CMMC levels
- Level 1 (Foundational): basic safeguarding of Federal Contract Information, generally by self-assessment.
- Level 2 (Advanced): aligned with the NIST 800-171 requirements for CUI, assessed by a third party for most contracts.
- Level 3 (Expert): adds controls from NIST 800-172 for the highest-priority programmes.
Who needs them
Organisations in the US defense supply chain that handle Federal Contract Information or Controlled Unclassified Information. The exact CMMC level is set by the contract and the type of information involved, so suppliers should confirm their requirement early.
How to approach it
1. Identify whether you handle FCI, CUI, or both, and the CMMC level your contracts require.
2. Implement the NIST 800-171 requirements and record your implementation score.
3. Close gaps with a plan of action and milestones.
4. Prepare evidence for assessment, whether self-assessment or a third-party assessor.
5. Reuse overlapping ISO 27001 and SOC 2 work where you already have it.
Frequently asked questions
What is the difference between NIST 800-171 and CMMC?
NIST 800-171 is the control set for protecting CUI. CMMC is the Department of Defense programme that verifies a contractor meets it, with CMMC Level 2 aligned directly to the 800-171 requirements. One is the requirements, the other is the certification built on them.
Who has to be CMMC certified?
Organisations in the US defense supply chain, depending on whether they handle Federal Contract Information or Controlled Unclassified Information and what their contracts require. The required level is set per contract.
Who performs the CMMC assessment?
Level 1 is generally a self-assessment, while Level 2 for CUI is assessed by an accredited third-party assessor organisation (a C3PAO). A tool can prepare and maintain your programme, but it cannot issue the certification.
Do this in a fraction of the time
Diligio centralises your approved answers, drafts each response grounded in your sources, and independently verifies it before you review. RFPs, DDQs, and security questionnaires, answered from one knowledge base.