Clarification on CMMC and NIST 800-171


Clarification on CMMC and NIST 800-171


Aug. 2nd, 2019

There seems to be a good bit of confusion surrounding the upcoming Cybersecurity Maturity Model Certification (CMMC), particularly regarding what DoD contractors can expect from it and how it relates to the current NIST 800-171 requirements. Through talks with our customers and others in the industry, we’re learning that there’s a lot of misinformation out there. We have had direct conversations with Ms. Katie Arrington and her team, and we would like to clarify some things around the subject.

What exactly is CMMC? How does it relate to NIST 800-171?

CMMC is a new standard that will take the place of NIST 800-171. CMMC is not entirely derived from NIST 800-171; rather it builds upon it along with many other regulations to create five levels of certification that will better reflect the type of cybersecurity that a contractor will need to attain for a particular contract.

As it stands, thousands of small businesses that perform minor but crucial roles on contracts for the DoD are being asked to adhere to the same standard (NIST 800-171) that the big boys like Lockheed Martin and Northrop Grumman are going through. This puts a tremendous burden on the small and mid-size businesses due to the costs and efforts of implementing and maintaining the requirements in 800-171.

CMMC is a much more practical approach. If you are only selling nuts and bolts to a larger prime, there is no need for you to go through the effort of implementing all 110 requirements of NIST 800-171. You may only need to implement 63 of the new requirements to achieve a level 2 certification for CMMC, or even less to be level 1 certified.

Another key difference between the two standards is that while NIST 800-171 allows contractors to self-attest compliance, CMMC will require 3rd party certification. This means contracts requiring Level 1 certification will only be open to bidding by those businesses that have implemented the 17 Level 1 controls in CMMC and been audited.

In short, CMMC is not the same standard as NIST 800-171.

Do I still need to comply with NIST 800-171 with CMMC right around the corner?

Yes. NIST 800-171 is still in full effect under the DFARS clause 252.204-7012. Although CMMC is moving quickly, it will not be implemented overnight. It is still important that you produce documentation demonstrating compliance with 800-171.

The best way to get compliant with 800-171 while still preparing for CMMC is to assess your organization against the current 110 requirements of 800-171 and produce the required documentation (System Security Plan and Plan of Actions & Milestones). This will satisfy the current DFARS clause and give your organization clarification on where you stand in relation to the upcoming CMMC requirements.

To learn more about the CMMC process and how to get your organization ahead of the curve, get plugged in at or reach us at for more information.