NIST 800–171 vs. CMMC Compliance

Are you up-to-date with the changes around NIST 800–171 requirements? With CMMC compliance, how do you know which certification is right for your organization?

What is NIST 800–171?

NIST Special Publication 800–171 provides federal agencies with recommended requirements for protecting the confidentiality of controlled unclassified information (CUI):

  1. when the CUI is resident in nonfederal information systems and organizations;
  2. when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
  3. where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

NIST SP 800–171 requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. A nonfederal information system is a system that does not meet the criteria for a federal system. A federal system is an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.

NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800–171

Who Does NIST 800–171 Apply To?

NIST 800–171 typically applies to federal government contractors and subcontractors. Many external vendors today work with the federal government to carry out a wide range of business functions. Because of the volume of sensitive information transferred from the government to these vendors, the government is tightening the compliance and security regulations for these vendors — and for any companies that work with those vendors or service providers.

What is CMMC Compliance?

Cybersecurity Maturity Model Certification, or CMMC, is a unified cybersecurity standard for future Department of Defense (DoD) acquisitions. The CMMC model framework organizes processes and cybersecurity best practices into a set of domains. Each domain is assessed along two dimensions:

  • Process maturity, or process institutionalization, characterizes the extent to which an activity is embedded or ingrained in the operations of an organization. The more deeply ingrained an activity, the more likely it is that:
    − the organization will continue to perform the activity — including under times of stress — and
    − the outcomes will be consistent, repeatable, and of high quality.
  • Practices are the activities performed at each level within the domain.

Read More in the CMMC Model Briefing PDF

Beginning in the fall of 2020, CMMC compliance will be a prerequisite for all new contracts including prime and subcontractor for the Department of Defense. Any contractor storing or transmitting controlled unclassified information (CUI) will need to achieve Level 3 compliance.

The Department of Defense has defined 5 levels of CMMC compliance, each with a set of supporting practices and processes. To meet a specific level, each contractor must meet the practices and processes within that level and below. The Department of Defense has released the following descriptions of each level of CMMC:

Level 1: Basic Cybersecurity
Level 2: Inclusive of universally accepted cybersecurity best practices
Level 3: Coverage of all NIST 800–171 rev 1 controls
Level 4: Advanced and sophisticated cybersecurity practices
Level 5: Highly advanced cybersecurity practices


CMMC vs. NIST 800–171?

Unlike NIST SP 800–171, which required DoD contractors to self-certify that they were either compliant or taking concrete steps towards compliance, CMMC makes provisions for CMMC third-party assessment organizations (C3PAOs) to analyze the company and assign a maturity level based on the state of its cybersecurity program. Level 1 is the lowest rating and Level 5 is the highest.

According to the Infosec Institute, it’s important to understand how CMMC grew out of NIST 800–171 to get a better understanding of which compliance level will work for you.

On January 30, 2020, the DoD released CMMC, which was intended to replace NIST 800–171 compliance across the Defense Industrial Base (DIB) and remedy the problem of non-compliance among some vendors. In past years, prime contractors and subcontractors have struggled to implement specific security measures and to assess and report their progress, despite having already been awarded a defense contract and entrusted with the handling of sensitive data.

The CMMC is the DoD’s means of combating the large number of cyberthreats directed at the DIB and of responding to significant compromises of sensitive defense information residing on contractors’ information systems. This unified standard for DoD acquisitions extends cybersecurity requirements to contractors and their supply chains with the aim of reducing the impact of advanced persistent threat (APT) attacks.

However, with the coming mandate of CMMC, many companies may struggle to address the various requirements within the model. A great deal has changed between the current standard, NIST SP 800–171r1, and CMMC, and meeting the new requirements will require substantial work from current contractors. Connect with Cybriant to learn more about our CMMC Guidance.

Read the full article at
Our cyber risk management services make enterprise-grade cybersecurity services accessible to the Mid-Market and beyond.