
Explainer

CMMC compliance vs NIST 800-171: what's the difference, and do you need both?

NIST 800-171 is the underlying control set. CMMC compliance is the DoD audit and certification framework that wraps it. If you sell to the Department of Defense or to a prime contractor that does, you need both. NIST is what you build. CMMC is how you prove it.

By the Helix Stax Team Last updated:

Reviewed by the Helix Stax team — IT consultants serving Hampton Roads, VA.

The 60-second answer

NIST 800-171 is the underlying control set, 110 security requirements across 14 families. CMMC compliance is the DoD audit and certification framework that wraps it and proves you actually meet those controls. If you sell to the Department of Defense or to a prime contractor that does, you need both. NIST 800-171 is what you build. CMMC is how you prove it.

Before CMMC, DoD suppliers self-attested to NIST 800-171 compliance under a DFARS clause and hoped the number on their SPRS profile held up. Under CMMC, a third-party assessor walks the perimeter and certifies the work. Same controls. New audit floor.

TL;DR: quick answer for DoD suppliers

  • NIST SP 800-171 Rev. 2 is the 110-control standard published by the National Institute of Standards and Technology. It tells you what to build.
  • CMMC 2.0 is the DoD program that audits compliance with those 110 controls (at Level 2) plus assessment objectives. It tells the contracting officer whether your build holds up.
  • You cannot pick one. If your contract carries CUI flow-down, you implement NIST 800-171 and you certify CMMC.
  • CMMC enforcement begins November 10, 2025 on new DoD contracts. Full certification mandatory by November 2028 under the phased rollout.
  • Self-attestation was the old answer. Third-party certification is the new one.
  • Compliance with NIST 800-171 is necessary for CMMC Level 2; it is not sufficient. The C3PAO assessor measures evidence, not intent.

The rest of this article walks through both frameworks, names where they share DNA, names where CMMC goes beyond NIST, and explains how Hampton Roads defense suppliers score readiness on the Controls pillar before the C3PAO arrives.

What is NIST 800-171?

NIST SP 800-171 Rev. 2, formally titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is the federal standard for safeguarding CUI when it lives outside government systems. It was published by NIST in 2015, revised in 2020, and a Revision 3 draft has been in public comment since 2023.

The standard organizes 110 security requirements into 14 control families. The families cover the full sweep of cybersecurity hygiene: access control, audit and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

Important distinction. NIST 800-171 is a control standard. It tells you what to implement. It does not tell you how to prove it, who audits you, or what the consequences are for falling short. Compliance under the pre-2025 DFARS regime was self-attested. You scored yourself against the standard, posted the score in SPRS (Supplier Performance Risk System), and the contracting officer took the number at face value until something went wrong.

That trust model is what changed.

What is CMMC compliance?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that audits and certifies contractor compliance with cybersecurity requirements, including NIST 800-171. CMMC compliance means a third party has verified your controls hold up, not that you’ve told the contracting officer they do. The current version is CMMC 2.0, finalized in October 2024 and rolling into contracts under the November 2025 enforcement clock.

CMMC 2.0 has three levels.

  • Level 1 (Foundational): 17 basic safeguarding practices, applicable to contractors handling only Federal Contract Information (FCI), not CUI. Annual self-assessment, no third-party audit.
  • Level 2 (Advanced): All 110 NIST 800-171 controls plus assessment objectives. Most DoD suppliers handling CUI land here. Triennial third-party assessment by a Certified Third Party Assessment Organization (C3PAO) for contracts involving prioritized acquisitions; annual self-assessment for the remainder.
  • Level 3 (Expert): NIST 800-171 plus a subset of NIST SP 800-172 enhanced security requirements, for the highest-priority programs. Triennial assessment conducted by the DoD itself through DIBCAC.

CMMC is not a new control standard. It is the audit and certification layer that decides whether your NIST 800-171 implementation holds up under a third party’s review. The DoD wrote CMMC because too many suppliers were self-attesting to scores their environments could not back up. The MSP said it was covered. The cyber insurance broker said you needed a new policy. The compliance firm said you needed a full assessment that costs tens of thousands of dollars before anyone could tell you where you stood. None of those answers gave a contracting officer a defensible number. CMMC does.

Side-by-side comparison

Dimension | NIST 800-171 | CMMC
--- | --- | ---
Who issues it | National Institute of Standards and Technology (NIST) | Department of Defense, via the Cyber Accreditation Body (Cyber-AB) ecosystem
What it covers | 110 security requirements across 14 control families | NIST 800-171 (at Level 2) plus assessment objectives, maturity levels, and audit cadence
Audit type | Self-attestation under DFARS 252.204-7012 | Third-party assessment by a C3PAO at Level 2 (prioritized contracts); self-assessment for the rest
Enforcement | Contractual, via DFARS 7012 | Contractual, via DFARS 252.204-7021; tied to contract eligibility
Applicability | Any nonfederal system that processes, stores, or transmits CUI | DoD contracts that carry CUI flow-down; phased rollout starting November 10, 2025
Cost | Internal cost of implementation; SPRS scoring is free | Implementation cost plus C3PAO assessment fees ($25,000-$150,000+ depending on scope and supplier size)
Cadence | Score updated as the environment changes | Triennial third-party assessment at Level 2; annual affirmation
Failure consequence | Loss of contract; False Claims Act exposure for false attestation | Loss of contract eligibility; same FCA exposure on affirmation
Document trail | System Security Plan (SSP) and Plan of Action and Milestones (POA&M) | SSP, POA&M, C3PAO assessment report, SPRS posting, annual affirmation

The takeaway. NIST 800-171 is the what. CMMC is the how-you-prove-it. Same controls. Different verbs.

The 14 control families they share

CMMC Level 2 inherits all 110 controls from NIST SP 800-171 Rev. 2, organized in the same 14 families. The C3PAO assessor walks each family and asks for evidence, not intent. Here is the audit floor.

# | Family | What it covers
--- | --- | ---
1 | Access Control (AC) | Who can reach CUI, from where, with which privileges
2 | Awareness and Training (AT) | Whether your staff knows what CUI is and how to handle it
3 | Audit and Accountability (AU) | Logs that prove who did what, and that you read them
4 | Configuration Management (CM) | Baselines for your systems and the change control around them
5 | Identification and Authentication (IA) | MFA, identity assurance, account hygiene
6 | Incident Response (IR) | The plan, the drills, the reporting trail
7 | Maintenance (MA) | Who touches the systems, with what tools, on whose authority
8 | Media Protection (MP) | How CUI on portable media is labeled, transported, and destroyed
9 | Personnel Security (PS) | Screening, access on hire, deprovisioning on departure
10 | Physical Protection (PE) | Facility access, visitor logs, where CUI lives in the building
11 | Risk Assessment (RA) | Vulnerability scanning, risk register, mitigation plans
12 | Security Assessment (CA) | The SSP, the POA&M, the recurring review
13 | System and Communications Protection (SC) | Boundary controls, encryption in transit, segmentation
14 | System and Information Integrity (SI) | Patching, malicious code defense, monitoring

Every family has a name and a control count. Every control has assessment objectives the C3PAO uses to score it. The work is not abstract. It is checkbox-able if you have the evidence and ungradable if you do not.

Where CMMC goes beyond NIST 800-171

If CMMC inherited NIST 800-171 unchanged, it would be a relabeling exercise. It is not. Three differences matter for a tier-2 or tier-3 supplier walking into the first Level 2 audit cycle.

Third-party assessment. Under DFARS 7012, you scored yourself. Under CMMC Level 2 for prioritized acquisitions, a C3PAO scores you. The bar is the same on paper. The audit floor is different in practice. An assessor who has never met you reviews your evidence with adversarial discipline. The supplier who scored themselves a 110 out of 110 and never read the assessment objectives will get a different number from the C3PAO than they posted in SPRS.

Maturity model framing. CMMC was originally a five-level maturity model. The 2.0 revision collapsed that to three levels but kept the maturity instinct: not just “is the control implemented” but “is the control operating, documented, repeatable, and measured.” Adoption matters. Controls fail because people do not use them, not because the tools are weak. The C3PAO asks your staff how they handle CUI, and if the answers do not match the SSP, the gap shows up in the assessment report.

Assessment objectives, not just controls. NIST 800-171 lists 110 controls. CMMC Level 2 lists 110 controls plus the underlying assessment objectives from NIST SP 800-171A. The assessor scores each objective. A control like AC.L2-3.1.1 (“limit system access to authorized users”) has multiple objectives the assessor must score independently. The granularity exists to remove the subjective wiggle room that self-attestation tolerated.

The shorthand: NIST 800-171 was honor system. CMMC is graded.

CMMC enforcement timeline (November 10, 2025 → 2028)

The DoD published the final CMMC 2.0 rule (32 CFR Part 170) in October 2024. The implementing DFARS clause rule (48 CFR Part 204) followed. The phased rollout schedule looks like this.

  • November 10, 2025: Enforcement begins on new DoD contracts. Phase 1: Level 1 and Level 2 self-assessment requirements show up in solicitations.
  • November 2026: Phase 2: Level 2 third-party C3PAO assessments required on prioritized contracts.
  • November 2027: Phase 3: Level 3 DIBCAC assessments begin on highest-priority programs.
  • November 2028: Phase 4: Full enforcement across all applicable DoD contracts and option-year renewals.

If your DoD contract renews after the November 10, 2025 enforcement date, your readiness window is now. Suppliers carrying Level 2 requirements with a renewal inside 18 months should have a remediation plan running by Q3 2026. Suppliers who have not posted a SPRS score, identified their CUI flows, or scoped GCC High should treat the next 90 days as the discovery cycle.

The clock is real. It is the same November 10, 2025 date every CMMC consultant cites on their own page, and it is published in 32 CFR Part 170. Not marketing urgency. Enforcement calendar.

How DFARS 7012 fits in

DFARS 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”) is the clause that put NIST 800-171 into DoD contracts in the first place. It has been in force since December 2017. Under DFARS 7012, contractors who handle Covered Defense Information (the DoD’s term for CUI) must implement NIST 800-171, report cyber incidents within 72 hours, and flow the same requirements down to subcontractors that touch the data.

CMMC does not replace DFARS 7012. It supplements it. The two new clauses sit alongside 7012 in your contract: DFARS 252.204-7019 (the SPRS scoring requirement) and DFARS 252.204-7021 (the CMMC certification requirement).

The practical implication for a tier-2 supplier. If you sell to a prime that holds a DoD contract with CUI flow-down, the 7012 clause is in your subcontract. The 7019 clause requires you to post a NIST 800-171 self-assessment score in SPRS. The 7021 clause, once it lands on your contract, requires you to hold the CMMC certificate at the applicable level. You owe the same flow-down to your own subs if you have any. The chain runs from prime to tier-2 to tier-3 to wherever the CUI ends up.

DFARS 7012 is the legal anchor. CMMC is the audit mechanism that makes the anchor enforceable.

SPRS: what it is and why it matters

The Supplier Performance Risk System (SPRS) is the DoD’s repository for supplier risk data. Among other things, it stores the NIST 800-171 self-assessment scores DoD contractors are required to post under DFARS 7019.

The score runs from -203 to +110. Each unimplemented NIST 800-171 control costs you points off the maximum. A perfect score is 110. A score of zero or below means substantial gaps. The contracting officer can pull your SPRS posture before awarding a new contract or exercising an option year. A score that does not match the C3PAO’s eventual finding is a False Claims Act problem waiting for an audit.

How to register. SPRS access requires a Procurement Integrated Enterprise Environment (PIEE) account, which requires a CAGE code, which requires SAM.gov registration. Most defense suppliers already have all three. Once inside SPRS, the contractor or an authorized representative posts the NIST 800-171 self-assessment score, the date of the assessment, the scope, and the included system security plan name.

The SPRS posting is the supplier’s public-facing statement of cybersecurity posture inside the federal contracting ecosystem. Score honestly. The C3PAO assessment will eventually true it up, and the delta between your posted score and your audited score is the part that lands in court if the gap turns into a False Claims Act case.
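The two ideas above (an assessor scores every assessment objective, and a control counts as met only when all of them are; the SPRS score is 110 minus a deduction for each unmet control, floored at -203) are easy to state and easy to get wrong in a spreadsheet. The script below is an added illustration written for this page, not Helix Stax, DoD or NIST code. It relies on one fact not on the page: under the DoD NIST SP 800-171 Assessment Methodology, each requirement is weighted 1, 3 or 5 points, and a small number of requirements (multifactor authentication and FIPS-validated encryption) carry a reduced deduction when only partly implemented. The control inventory, its weights and its objective wording are constructed for the example; the official weights and objectives come from that methodology and NIST SP 800-171A. It scores the same inventory twice, once from the supplier's yes/no claims (the old self-attestation) and once from per-objective evidence (the C3PAO view), and reports the delta the paragraph above warns about.

```python
from __future__ import annotations
from dataclasses import dataclass

MAX_SCORE = 110   # every requirement implemented (page: "a perfect score is 110")
MIN_SCORE = -203  # every requirement deducted (page: "runs from -203 to +110")


@dataclass
class Control:
    control_id: str               # NIST 800-171 requirement number, e.g. "3.1.1"
    weight: int                   # points deducted when not met: 1, 3 or 5
    objectives: dict[str, bool]   # 800-171A-style objective -> evidence exists?
    claimed: bool                 # what the supplier self-attested in SPRS
    partial_deduction: int = 0    # reduced deduction when only partly met (0 = none)

    def assessed_met(self) -> bool:
        # The assessor scores each objective; the control is MET only if all are.
        return all(self.objectives.values())

    def deduction(self, use_claim: bool) -> int:
        if use_claim:
            # Self-attestation: the supplier's yes/no claim, no objective check.
            return 0 if self.claimed else self.weight
        if self.assessed_met():
            return 0
        if self.partial_deduction and any(self.objectives.values()):
            # The methodology gives MFA and FIPS-validated encryption a smaller
            # deduction for partial implementation; modelled via partial_deduction.
            return self.partial_deduction
        return self.weight


def score(controls: list[Control], use_claim: bool = False) -> int:
    """Subtract every deduction from 110 and clamp at the -203 floor.
    Controls absent from the list are treated as implemented (no deduction)."""
    total = MAX_SCORE - sum(c.deduction(use_claim) for c in controls)
    return max(total, MIN_SCORE)


def score_delta(controls: list[Control]) -> int:
    """Posted (self-attested) score minus assessed score. Positive means the
    SPRS posting overstated the posture, which is the gap the page warns about."""
    return score(controls, use_claim=True) - score(controls, use_claim=False)


def unmet_controls(controls: list[Control]) -> list[str]:
    """Control ids the assessor would mark NOT MET; these belong on the POA&M."""
    return [c.control_id for c in controls if not c.assessed_met()]


# CONSTRUCTED sample inventory: a handful of requirements with illustrative
# weights and objective wording, not the official values.
SAMPLE_INVENTORY = [
    Control("3.1.1", 5, {"authorized users identified": True,
                         "system access limited to them": True}, claimed=True),
    Control("3.1.3", 1, {"CUI flow policy defined": True,
                         "flow enforced by the system": False}, claimed=True),
    Control("3.5.3", 5, {"MFA on privileged accounts": True,
                         "MFA on non-privileged network access": False},
            claimed=True, partial_deduction=3),
    Control("3.13.11", 5, {"CUI encrypted": True,
                           "FIPS-validated modules": False},
            claimed=True, partial_deduction=3),
    Control("3.3.1", 5, {"audit records generated": False,
                         "audit records retained": False}, claimed=False),
]

if __name__ == "__main__":
    print("self-attested:", score(SAMPLE_INVENTORY, use_claim=True))   # 105
    print("assessed:     ", score(SAMPLE_INVENTORY))                   # 98
    print("delta:        ", score_delta(SAMPLE_INVENTORY))             # 7
    print("unmet:        ", unmet_controls(SAMPLE_INVENTORY))
```

On this sample the supplier would post 105 while the assessor arrives at 98: the three controls the supplier claimed as done but could only evidence half of (3.1.3, 3.5.3, 3.13.11) account for the whole seven-point gap. The reduced deduction for the MFA and FIPS controls is the only reason it is not eleven.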

The GCC High question: do you need it?

The Microsoft 365 GCC High question is the most common CMMC scoping question we hear from Newport News suppliers, and the answer is “probably, but not always.”

The underlying issue: CMMC Level 2 inherits the NIST 800-171 control set, and several of those controls reference FedRAMP Moderate equivalency for cloud services that store or process CUI. Commercial Microsoft 365 (the standard Business and Enterprise SKUs) does not meet FedRAMP Moderate equivalency for CUI workloads. Microsoft 365 GCC High does.

For most defense suppliers handling CUI in email, file storage, or collaboration, GCC High is the path. The migration is real work. The licensing cost step-change is real ($35-$50 per user per month versus $20-$30 on commercial equivalents). The cutover involves identity, mail flow, SharePoint, OneDrive, Teams, and any third-party integration on top.

When you can skip GCC High. If your CUI never touches Microsoft 365 (it lives only in a dedicated engineering environment, for example, or in an on-premises file server outside the M365 boundary), you can sometimes scope GCC High out. The boundary work has to be airtight. A C3PAO assessor who finds CUI in a commercial M365 tenant during the assessment will fail the relevant controls regardless of what the SSP says.

The honest read for most tier-2 suppliers: budget for GCC High and start the migration scope conversation early. The 6-to-12-month CMMC readiness timeline assumes GCC High is part of the work.

How Helix Stax scores CMMC readiness: we score, your C3PAO certifies

Here is the part that needs to be explicit, because the certification ecosystem has many roles and they are easy to confuse.

Helix Stax is not a Registered Practitioner Organization (RPO). Helix Stax is not a C3PAO. We do not certify CMMC compliance. We do not sign the official assessment documentation. We do not perform the third-party audit that produces the certificate. Those are roles held by RPOs (who prepare the documentation and may sign the SSP) and C3PAOs (who conduct the certification audit). We coordinate with both. We are neither.

What we do. CTGA scores your CMMC readiness on the Controls pillar (0-225 within the 100-900 framework). You walk into the C3PAO audit conversation knowing where you stand. The Controls pillar of the CTGA framework maps every NIST 800-171 control family against the actual environment your team uses every day. The score is the receipt. The score moves, or it does not. That is harder to bullshit than “we strengthened your security posture.”

The deliverable from a Helix Engagement runs in five layers. A written Controls pillar score (0-225, banded). A gap list aligned to NIST 800-171 control families, ranked by audit risk. A System Security Plan outline written in the structure your RPO partner uses to finalize the official document. A CUI flow map that names where Controlled Unclassified Information enters your environment, where it sits, and where it leaves. A Plan of Action and Milestones (POA&M) for the unresolved findings the assessor will see.

We come in as your CMMC squad at the Helix Engagement tier, close the Controls gaps the Pulse score named, and ride the remediation program until your C3PAO walks out signing the certificate. We do not sign it. Your RPO partner signs the official documentation, the C3PAO certifies the assessment, and you carry the certificate forward into your next contract. We score readiness honestly so the certified parties walk into a defensible posture.

If an IT consulting firm tells you they can do the certification themselves and they are not a C3PAO, walk out. The DoD program is structured to keep readiness and certification separate. Conflating them is how suppliers end up with certificates that do not survive a Cyber-AB audit of the assessor.

Frequently asked questions

What’s the difference between CMMC and NIST 800-171? NIST 800-171 is the 110-control security standard published by the National Institute of Standards and Technology. It tells you what to implement. CMMC is the DoD certification program that audits compliance with NIST 800-171 (at Level 2) and certifies the result through a Certified Third Party Assessment Organization. Before CMMC, suppliers self-attested under DFARS 7012. Under CMMC, a third party audits. Same controls. New audit floor.

Does compliance with NIST 800-171 satisfy CMMC? Necessary, not sufficient. NIST 800-171 compliance is a prerequisite for CMMC Level 2, but CMMC adds assessment objectives, maturity expectations, and a third-party audit cadence that self-attestation does not. A supplier honestly compliant with NIST 800-171 today still needs the CMMC certificate before the contract renewal lands, and the C3PAO assessor will measure evidence at a granularity NIST 800-171 alone did not require.

When does CMMC enforcement begin? CMMC enforcement begins November 10, 2025 on new DoD contracts under the 32 CFR Part 170 phased rollout. Phase 2 (third-party C3PAO assessments on prioritized contracts) begins November 2026. Full enforcement across all applicable DoD contracts lands by November 2028. If your DoD contract renews after the enforcement date, your readiness window is now.

What is CMMC Level 2? CMMC Level 2 (Advanced) is the certification tier required for DoD contractors and subcontractors that handle Controlled Unclassified Information. It maps to all 110 security requirements in NIST SP 800-171 across 14 control families, plus the assessment objectives published by the DoD in NIST SP 800-171A. Most tier-2 and tier-3 defense suppliers in Hampton Roads will need Level 2. Suppliers handling only Federal Contract Information may only need Level 1.

What is SPRS and how do I register? SPRS (Supplier Performance Risk System) is the DoD’s repository for supplier risk data, including NIST 800-171 self-assessment scores. Defense contractors handling CUI must post a current score as a condition of contract award. Registration runs through PIEE (Procurement Integrated Enterprise Environment) and requires a CAGE code from SAM.gov. Once inside, you post the score, the assessment date, the scope, and the System Security Plan reference. Score honestly. The C3PAO assessment will eventually true it up.

What is DFARS 7012? DFARS 252.204-7012 is the Defense Federal Acquisition Regulation Supplement clause that requires DoD contractors to safeguard Covered Defense Information (the DoD’s term for CUI) using NIST 800-171 controls, report cyber incidents within 72 hours, and flow that requirement down to subcontractors. The clause has been in force since December 2017 and remains in effect alongside the newer DFARS 7019 (SPRS scoring) and DFARS 7021 (CMMC certification) clauses.

Do I need GCC High to meet CMMC? For most workloads touching CUI, yes. Commercial Microsoft 365 does not meet the FedRAMP Moderate equivalency requirements that CMMC Level 2 inherits from NIST 800-171. Microsoft 365 GCC High is the path most suppliers take. Exceptions exist when CUI never touches the M365 boundary at all, but the boundary work has to be airtight. The migration is real work and the licensing step-change is real.

How much does CMMC certification cost? C3PAO assessment fees range $25,000-$150,000+ depending on supplier size, scope, and CUI footprint. That is the certification line item alone. Readiness work (the gap remediation, the SSP, the POA&M, the GCC High migration if needed) typically runs 5x-10x the C3PAO fee for a tier-2 supplier in their first cycle. Total all-in for a $5M revenue supplier starting from a low NIST 800-171 posture often lands in the $100,000-$300,000 range across an 18-month program.

Are you a CMMC Registered Practitioner Organization (RPO)? No. Helix Stax is not a Registered Practitioner Organization, and we are not a C3PAO. We score your CMMC readiness on the Controls pillar of the CTGA framework and write the gap list. Your RPO partner signs the official assessment documentation. Your C3PAO certifies. We coordinate the handoff between the readiness work and the certification work so you do not pay twice for the same scoping conversation.

What does the CTGA Controls score measure? The Controls pillar scores 0-225 within the 100-900 CTGA framework. It maps your environment against all 14 NIST 800-171 Rev. 2 control families and the corresponding CMMC Level 2 practice families. Each family scores against actual evidence in your stack rather than checklist self-attestation. You walk into the C3PAO audit conversation knowing where you stand and what evidence will hold up.

How long does CMMC readiness take? A typical readiness arc runs 6-12 months from kickoff to a C3PAO-defensible posture. Suppliers starting from a low NIST 800-171 score (under 50 on the SPRS scale or under 100 on the CTGA Controls pillar) usually need 9-12 months. Suppliers already running Microsoft 365 GCC High and a documented SSP can sometimes hit Level 2 readiness inside 6 months. The free Helix Pulse gives you the honest read on which timeline applies to your shop.

Can I do CMMC without an RPO? Yes, technically. The DoD does not require suppliers to use an RPO. You can build the readiness program internally, run the C3PAO assessment directly, and post the certificate yourself. Most tier-2 and tier-3 suppliers find this difficult in practice because the documentation expectations (the SSP, the POA&M, the assessment evidence package) are extensive and the C3PAO will fail the assessment if the package is not in the format and depth the program expects. An RPO partner accelerates the work; a readiness consultant like Helix Stax scores the posture and shepherds the program. Both are optional. Neither is the certifier.

Get your number before the audit conversation starts

The free Helix Pulse covers your Controls posture in 60 minutes. Sixty minutes, free, in person if you are in Hampton Roads. You leave with your score and the top three gaps written down. No pitch on the call.

The session opens with 10 minutes on your DoD contract picture: who your primes are and which contracts carry CMMC flow-downs. The next 25 minutes walk through your current environment against the Controls pillar at a high level. The final 25 minutes name your top three CMMC gaps, give an honest read on whether you can hit your next audit date, and identify the one remediation move that would shift the Controls score fastest this quarter.

CMMC enforcement begins November 10, 2025. If your DoD contract renews after that date, your readiness window is now.

We cover all seven Hampton Roads cities (Newport News, Norfolk, Virginia Beach, Chesapeake, Portsmouth, Hampton, Suffolk) with in-person Pulse sessions where the geography fits, and the rest of the United States by Zoom.

