CMMC and NIST SP 800-171 Deepdive
1. Overview
What CMMC Is
The Cybersecurity Maturity Model Certification (CMMC) is the US Department of Defense (DoD) program for verifying that contractors and subcontractors in the Defense Industrial Base (DIB) implement the cybersecurity requirements applicable to the federal contract information (FCI) and controlled unclassified information (CUI) they handle. CMMC 2.0 was codified through the final rule (32 CFR Part 170) published in October 2024 and integrated into the Defense Federal Acquisition Regulation Supplement (DFARS) through 48 CFR Part 204 in late 2025. The DoD CIO maintains the program at dodcio.defense.gov/CMMC; the underlying control catalog is NIST SP 800-171 Revision 3.
Who It Applies To
Any prime contractor or subcontractor that processes, stores, or transmits FCI or CUI for the DoD. Inclusion will be phased into contract clauses on a rolling basis through the program's three-year ramp following the rule's effective date in December 2024. Subcontractor flowdown follows the same level as the prime contract.
Maturity Levels
- Level 1 — Foundational: 17 basic safeguarding controls drawn from FAR 52.204-21. Annual self-assessment with senior official affirmation. Covers FCI only.
- Level 2 — Advanced: 110 NIST SP 800-171 controls. Triennial third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) for most contracts; self-assessment permitted only for a narrow subset specified by the DoD. Annual senior-official affirmation. Covers CUI.
- Level 3 — Expert: Level 2 plus a defined subset of NIST SP 800-172 enhanced security requirements. Triennial assessment by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Targets the most sensitive CUI and Advanced Persistent Threat scenarios.
NIST SP 800-171 r2 to r3 Transition
NIST published SP 800-171 Rev. 3 in May 2024, restructuring the control families and adding organization-defined parameters. CMMC 2.0 codified the use of r2 (110 controls in 14 families) at the rule's effective date. DoD has signaled a transition to r3 (currently 97 base requirements with substantial parameter-driven sub-requirements) once contractual updates are in place. Contractors building a CUI program today should design to r3 while still asserting compliance to r2 until the contract clause changes. The DFARS clause 252.204-7012 already requires NIST SP 800-171 implementation as the underlying technical basis.
Outcome
Level 1 self-attestation, Level 2 self- or C3PAO-issued certification (most contracts require C3PAO), or Level 3 DIBCAC-issued certification. The result is recorded in the Supplier Performance Risk System (SPRS) with a numeric score derived from the SPRS scoring methodology.
Security Consultants supports DIB contractors through the CMMC and NIST 800-171 service, typically alongside an aligned ISO 27001 program where the contractor also serves commercial customers.
2. Scope & Applicability
FCI vs CUI
- FCI — Federal Contract Information: information not intended for public release, provided by or generated for the government under a contract to develop or deliver a product or service. Level 1 applies.
- CUI — Controlled Unclassified Information: unclassified information that the government creates or possesses, or that an entity creates or possesses on its behalf, that requires safeguarding or dissemination controls per law, regulation, or government-wide policy. CUI is itemized in the National Archives CUI Registry. Level 2 or Level 3 applies.
Scope Boundary
The CMMC assessment scope covers people, processes, technology, and facilities that process, store, or transmit FCI or CUI, plus security-relevant components that protect those assets. Three in-scope asset categories, plus an out-of-scope category, shape the boundary:
- CUI Assets — directly process, store, or transmit CUI. Fully in scope.
- Security Protection Assets — protect CUI assets (firewalls, IdP, SIEM, jump hosts). In scope.
- Contractor Risk Managed Assets — capable of processing CUI but contractually prohibited. In scope at reduced intensity if documented.
- Out-of-scope assets — cannot process CUI and are physically or logically separated.
Most contractors achieve practical scope reduction by establishing a dedicated CUI enclave with hardened boundary controls, separate IdP, and isolated workloads.
Cloud Service Providers
A cloud service provider handling CUI on behalf of a contractor must meet the FedRAMP Moderate baseline or equivalent (DFARS 252.204-7012(b)(2)(ii)(D)). External service providers supporting CUI must demonstrate this. CSPs in CMMC scope for Level 2 must either hold FedRAMP Moderate authorization (or equivalent) or accept assessment as part of the contractor's CMMC scope. See our FedRAMP service for parallel work.
3. Core Principles
The CMMC program rests on three principles:
- Implementation — the contractor implements the security requirements. NIST SP 800-171 is the control catalog; CMMC adds attestation rigor.
- Assessment — implementation is independently verified at Level 2 (most cases) and Level 3.
- Affirmation — a senior official affirms compliance annually, with criminal and civil liability under the False Claims Act for knowingly false affirmations.
The 14 control families in NIST SP 800-171 r2 are: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity. r3 reorganizes these into 17 families and adds Planning, Supply Chain Risk Management, and System and Services Acquisition.
4. Control Breakdown
Selected high-impact controls from NIST SP 800-171 r2 (Level 2):
3.1 Access Control
3.1.1 limit access to authorized users; 3.1.2 enforce approved authorizations for logical access; 3.1.5 employ least privilege; 3.1.12 monitor and control remote access; 3.1.20 verify and control connections to external systems; 3.1.22 control publicly accessible information.
3.3 Audit and Accountability
3.3.1 create and retain audit logs; 3.3.5 correlate audit record review, analysis, and reporting; 3.3.8 protect audit information from unauthorized access; 3.3.9 limit audit record management to a defined subset of users.
3.4 Configuration Management
3.4.1 establish and maintain baseline configurations; 3.4.2 establish and enforce security configuration settings; 3.4.6 employ the principle of least functionality; 3.4.9 control and monitor user-installed software.
3.5 Identification and Authentication
3.5.1 identify users and devices; 3.5.3 multi-factor authentication for privileged accounts and for any remote access; 3.5.7 enforce password complexity and reuse limits; 3.5.10 store cryptographically protected passwords.
3.6 Incident Response
3.6.1 establish an operational incident-handling capability; 3.6.2 track, document, and report incidents to internal and external officials and authorities; 3.6.3 test the incident response capability.
3.7 Maintenance
3.7.1 perform maintenance; 3.7.2 provide controls on tools, techniques, mechanisms, and personnel used for maintenance; 3.7.4 ensure equipment removed for off-site maintenance is sanitized.
3.8 Media Protection
3.8.3 sanitize or destroy media; 3.8.5 control access to media containing CUI; 3.8.7 control use of removable media.
3.9 Personnel Security
3.9.1 screen individuals prior to authorizing access to systems with CUI; 3.9.2 ensure CUI is protected during and after personnel actions.
3.11 Risk Assessment
3.11.1 periodically assess risk; 3.11.2 scan for vulnerabilities periodically and when new vulnerabilities are identified; 3.11.3 remediate vulnerabilities in accordance with risk assessments.
3.12 Security Assessment
3.12.1 periodically assess security controls; 3.12.2 develop a Plan of Action; 3.12.3 monitor security controls on an ongoing basis; 3.12.4 develop, document, and update System Security Plans.
3.13 System and Communications Protection
3.13.1 monitor and control communications at boundaries; 3.13.8 employ cryptographic mechanisms to prevent unauthorized disclosure of CUI in transit; 3.13.11 employ FIPS-validated cryptography when protecting CUI; 3.13.16 protect the confidentiality of CUI at rest.
3.14 System and Information Integrity
3.14.1 identify, report, and correct system flaws in a timely manner; 3.14.2 provide malicious code protection; 3.14.6 monitor systems including inbound and outbound communications.
Level 3 adds a subset of NIST SP 800-172 enhanced requirements covering penetration testing (3.12.1e), zero-trust architecture elements, supply chain assessment, and threat hunting. Coordination with our penetration testing service covers the Level 3 testing expectation.
5. Minimum Requirements (Non-Negotiable)
Mandatory Documents
- System Security Plan covering all NIST SP 800-171 controls in scope
- Plan of Action and Milestones (POA&M) for unimplemented controls; CMMC limits POA&Ms to specific eligible controls and a 180-day closure window
- Asset inventory categorized as CUI / Security Protection / CRMA / Out of Scope
- Network and data-flow diagrams showing the CUI boundary
- Incident response plan with DoD reporting procedure (DFARS 252.204-7012)
- Configuration baselines per system type
- Risk assessment documentation
- Continuous monitoring strategy
- External service provider documentation including FedRAMP or equivalent evidence for cloud services handling CUI
- Senior Official affirmation for SPRS submission
Mandatory Processes
- Annual self-assessment for Level 1 with affirmation
- Triennial C3PAO assessment for Level 2 (most contracts) plus annual affirmation
- Triennial DIBCAC assessment for Level 3
- Continuous vulnerability scanning and remediation
- FIPS-validated cryptography for CUI in transit and at rest
- Phishing-resistant MFA for privileged users and remote access
- Cyber incident reporting to DoD within 72 hours per DFARS 252.204-7012(c)
- Annual security awareness training plus role-based training
- Background screening for personnel with CUI access
Technical Controls
- Boundary protection with documented data flows in and out of the CUI enclave
- Multi-factor authentication on all privileged access and all remote access to CUI
- Centralized logging with retention sufficient to support incident investigation
- FIPS 140-2 / 140-3 validated cryptographic modules for any CUI at rest and in transit
- Endpoint protection with anti-malware and behavioral monitoring
- Configuration management with documented baselines and change control
6. Technical Implementation Guidance
Establish a CUI Enclave
- Build a dedicated, hardened environment for CUI workloads on a FedRAMP-authorized platform (typically Azure Government, AWS GovCloud, or Google Government)
- Use a separate identity provider scope or a dedicated tenant for the CUI environment
- Implement physical or virtual separation from non-CUI workloads
- Document the boundary in network diagrams and the SSP
FIPS Cryptography
- Use only FIPS 140-2 or 140-3 validated modules. Reference the CMVP certificate for each module in the SSP
- Avoid TLS configurations that rely on non-validated cipher suites
- Use AWS KMS / Azure Key Vault / GCP KMS in the government cloud variants that maintain FIPS validation
Identity and Access
- Phishing-resistant MFA (hardware token or FIDO2) for privileged users
- Conditional access policies restricting CUI access to managed devices and known locations
- Quarterly access reviews on the CUI enclave with documented attestations
Logging and Monitoring
- Centralize CUI enclave logs in a SIEM
- Tune detections for CUI-relevant scenarios: anomalous data exfiltration, privilege escalation, lateral movement, anti-malware tampering
- Retain logs for at least 12 months online; 3 years total for incident investigation support
Vulnerability Management
- Authenticated monthly scans on all CUI assets and security protection assets
- Remediation prioritized by exploitability and impact
- Track open items in the POA&M with CMMC-eligible flag where applicable
Cyber Incident Reporting
- Implement DoD reporting workflow: prepare medium-assurance certificate; rehearse 72-hour reporting via DIBNet portal
- Maintain evidence preservation procedures for incident artifacts
7. Policy & Procedure Requirements
- System Security Plan (SSP)
- Access Control Policy and Procedures
- Awareness and Training Policy and Procedures
- Audit and Accountability Policy and Procedures
- Configuration Management Policy and Procedures
- Identification and Authentication Policy and Procedures
- Incident Response Plan and Procedures (with DoD reporting workflow)
- Maintenance Policy and Procedures
- Media Protection Policy and Procedures
- Personnel Security Policy and Procedures
- Physical Protection Policy and Procedures
- Risk Assessment Policy and Procedures
- Security Assessment Policy and Procedures
- System and Communications Protection Policy and Procedures
- System and Information Integrity Policy and Procedures
- POA&M template
- External Service Provider register including FedRAMP evidence
For contractors running parallel commercial assurance programs, the same control library generally serves ISO 27001 and SOC 2 with CMMC-specific extensions. See our ISO 27001 service for the dual-standard approach.
8. Audit Evidence & Verification
C3PAO Role
A CMMC Third-Party Assessment Organization is accredited by the CyberAB and authorized to conduct Level 2 assessments. Certified CMMC Assessors (CCAs) within the C3PAO lead the engagements. The C3PAO does not authorize the system; the certification is recorded in the CMMC Enterprise Mission Assurance Support System (eMASS) and reflected in SPRS.
DIBCAC Role
The Defense Industrial Base Cybersecurity Assessment Center performs Level 3 assessments and selected government-led Level 2 assessments. DIBCAC also conducts Medium and High Assessments of DFARS 252.204-7012 implementation independent of CMMC.
Typical Evidence Categories
- SSP and POA&M
- Asset inventory with classification
- Network diagram and data flow diagram
- Configuration baselines and configuration change records
- IAM and MFA configurations with FIPS validation references
- Vulnerability scan reports and remediation records
- Incident response plan and tabletop / exercise records
- Training completion records including role-based training
- Personnel screening records
- External service provider FedRAMP or equivalent documentation
- Senior Official affirmation documentation
Common Remediation Items
- SSP control implementation statements describe policy intent rather than the operational control
- FIPS cryptography claims without CMVP certificate references
- External cloud services in scope without FedRAMP Moderate (or equivalent) evidence
- POA&M entries on controls that are not CMMC-eligible
- Phishing-resistant MFA not rolled out to all privileged users
- Incident response plan not tested within the past 12 months
9. Implementation Timeline Considerations
Typical Duration
- Level 1 self-assessment: 4–8 weeks for a contractor with basic IT hygiene
- Level 2 readiness (existing controls maturity): 6–12 months from kickoff to C3PAO assessment
- Level 2 readiness (significant remediation): 12–24 months including CUI enclave build-out
- Level 3: add 6–12 months over Level 2 to implement and assess the 800-172 enhancements
Milestones
- CUI scoping and asset categorization
- Gap analysis against NIST SP 800-171 r2 (and r3 design where applicable)
- CUI enclave architecture and build
- SSP authoring and control implementation
- SPRS interim scoring (self-assessment)
- Pre-assessment readiness review
- C3PAO assessment
- Certification recorded in eMASS and SPRS
- Senior Official affirmation
- Continuous monitoring cadence
Dependencies
- Contractual visibility into FCI / CUI flow and reporting requirements
- Cloud platform decisions (Government cloud variants for CUI workloads)
- Engineering capacity for FIPS-validated cryptography and CUI enclave build
- vCISO or program lead to coordinate the program (see vCISO service)
10. Ongoing BAU Requirements
- Annual Senior Official affirmation in SPRS
- Triennial C3PAO reassessment (Level 2) or DIBCAC reassessment (Level 3)
- Continuous vulnerability scanning and POA&M maintenance
- Continuous monitoring of CUI enclave with tuned SIEM
- Annual IR tabletop and contingency plan test
- Annual security awareness and role-based training refresh
- 72-hour cyber incident reporting readiness (DFARS 252.204-7012)
- Continuous external service provider validation
- Configuration baseline maintenance under change control
11. Maturity Levels
Minimum Compliance
- CUI enclave operational with documented boundary
- SSP authored against NIST SP 800-171 r2
- Manual evidence collection per assessment cycle
- POA&M maintained with eligible-control flags
Intermediate
- CUI environment built on Government cloud platform with FedRAMP inheritance
- Continuous configuration validation through IaC and policy as code
- Shared evidence library across CMMC, ISO 27001, and SOC 2
- SSP designed to r3 control structure ahead of regulatory transition
Advanced
- Level 3 controls implemented including zero-trust and threat hunting
- Continuous monitoring with automated SPRS scoring
- Integrated CMMC, FedRAMP, ISO 27001 evidence with mapped control library
- External red-team and threat-hunting program
12. FAQs
When does CMMC start applying to our contracts?
The CMMC 2.0 rule became effective in December 2024, with contractual flowdown phased over three years. New solicitations and contracts will progressively include CMMC clauses; existing contracts will not be retroactively modified, but options and modifications may include the requirement.
Do we need C3PAO assessment or can we self-assess?
Level 1 is always self-assessment with annual senior official affirmation. Level 2 self-assessment is permitted only for a narrow set of contracts the DoD has specified; in practice most Level 2 contracts require C3PAO assessment. Level 3 always requires DIBCAC assessment.
What is the difference between FCI and CUI?
FCI is non-public information provided by or generated for the government under a contract. CUI is unclassified information requiring specific safeguarding per law, regulation, or government-wide policy (itemized in the National Archives CUI Registry). Level 1 covers FCI; Level 2 and 3 cover CUI.
How does CMMC relate to NIST SP 800-171?
CMMC Level 2 implements NIST SP 800-171 as its control catalog and adds assessment rigor and senior official affirmation. NIST SP 800-171 implementation has been required under DFARS 252.204-7012 since 2017; CMMC verifies the implementation rather than relying on contractor self-attestation.
Is r2 or r3 in force?
The CMMC 2.0 final rule references NIST SP 800-171 r2 at its effective date. DoD has indicated a transition to r3 once contractual updates are in place. Build the program to r3 now to avoid expensive re-work; affirm to r2 until the clause updates require otherwise.
What does CMMC cost?
Level 1 self-assessment: minimal direct cost beyond internal effort. Level 2 readiness for a mid-size contractor: $250,000–$1,500,000 first year depending on existing maturity, plus the C3PAO assessment ($75,000–$200,000) every three years. Level 3 adds 30–60 percent.
Can we use the same controls for ISO 27001 or SOC 2?
Yes — the underlying NIST SP 800-171 controls overlap substantially with ISO 27001 Annex A and the SOC 2 Trust Services Criteria. A shared evidence library lets a contractor serve commercial and DIB customers with framework-specific extensions for CMMC (CUI scoping, FIPS cryptography, SPRS reporting).
What is the 72-hour DoD reporting requirement?
DFARS 252.204-7012(c) requires contractors to rapidly report cyber incidents that affect a covered contractor information system or covered defense information within 72 hours of discovery to the DoD via the DIBNet portal. This obligation predates CMMC and remains in force.
Does FedRAMP cover our cloud services?
If a cloud service handles CUI on your behalf, it must meet FedRAMP Moderate baseline or equivalent. AWS GovCloud, Azure Government, Google Government, and Oracle Government cloud variants typically maintain the necessary authorization. See our FedRAMP service if your own service is being authorized.
What about subcontractors?
Subcontractors handling FCI or CUI receive the same CMMC level as the prime contract through flowdown. Prime contractors are responsible for ensuring subcontractor assertions are made before contract award.
Can a POA&M cover any control?
No. CMMC limits POA&Ms to specific eligible controls and excludes critical controls (for example, MFA on privileged users). All POA&M items must be closed within 180 days of the assessment.
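As an added illustration, not part of this page or any DoD tool, the POA&M rules in this answer (180-day closure window, critical controls excluded) and the SPRS scoring from the Overview section are carried into a small Python checker. The point values, the partial-credit rule for 3.5.3 and 3.13.11, the 0.8 score floor and the Level 1 exclusion list are the author's reading of the DoD Assessment Methodology and 32 CFR 170.21 and must be verified against those sources; the sample findings and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
MAX_SCORE = 110          # one point per NIST SP 800-171 r2 requirement
POAM_WINDOW_DAYS = 180   # CMMC closure window for a conditional certification
# Assumption: point values from the DoD Assessment Methodology (most are 1 point,
# selected ones 3 or 5). Sample subset only; verify against the published table.
POINT_VALUE = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1, "3.3.1": 5,
    "3.3.8": 1, "3.3.9": 1, "3.5.3": 5, "3.11.2": 5, "3.13.11": 5, "3.13.16": 1,
}
# Partial credit: 3.5.3 when MFA covers remote and privileged access but not all
# users; 3.13.11 when encryption is in place but the module is not FIPS validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# Level 1 basic safeguarding requirements that may never sit on a Level 2 POA&M
# regardless of point value (32 CFR 170.21).
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

@dataclass
class Finding:
    control: str
    status: str                   # "met", "partial" or "not_met"
    poam_due: date | None = None  # planned closure date, if on the POA&M

def deduction(f: Finding) -> int:
    if f.status == "met":
        return 0
    if f.status == "partial" and f.control in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[f.control]
    return POINT_VALUE[f.control]  # KeyError means: extend the table first

def sprs_score(findings: list[Finding]) -> int:
    return MAX_SCORE - sum(deduction(f) for f in findings)

def poam_eligible(f: Finding) -> bool:
    """Only 1-point requirements may be on a POA&M, except a partially
    implemented 3.13.11 (encryption present but not FIPS validated)."""
    if f.status == "met" or f.control in NEVER_POAM:
        return False
    if f.control == "3.13.11" and f.status == "partial":
        return True
    return POINT_VALUE[f.control] == 1

def check_poam(findings: list[Finding], assessed: date) -> list[str]:
    """Return one line per condition that blocks certification."""
    deadline = assessed + timedelta(days=POAM_WINDOW_DAYS)
    issues = []
    if sprs_score(findings) < 0.8 * MAX_SCORE:  # conditional-certification floor
        issues.append("score below 0.8 of maximum: no conditional certification")
    for f in findings:
        if f.status == "met":
            continue
        if not poam_eligible(f):
            issues.append(f"{f.control}: not POA&M-eligible, must be met first")
        elif f.poam_due is None or f.poam_due > deadline:
            issues.append(f"{f.control}: closure must be on or before {deadline}")
    return issues

SAMPLE = [  # constructed assessment results, not real data
    Finding("3.1.1", "met"), Finding("3.5.3", "partial", date(2025, 7, 1)),
    Finding("3.13.11", "partial", date(2025, 8, 1)),
    Finding("3.13.16", "not_met", date(2025, 12, 1)),  # closure past the window
    Finding("3.1.22", "not_met", date(2025, 6, 1)),    # Level 1 requirement
]
ASSESSED = date(2025, 3, 1)
```

Running `check_poam(SAMPLE, ASSESSED)` flags the MFA gap and the Level 1 requirement as ineligible and the 3.13.16 closure date as outside the 180-day window, while the partially implemented 3.13.11 is accepted.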
13. Summary
CMMC 2.0 converts DFARS 252.204-7012's longstanding NIST SP 800-171 implementation requirement into a verified, contract-conditioned certification. Most defense contractors handling CUI must achieve Level 2 through a C3PAO assessment, with Level 3 reserved for the most sensitive workloads via DIBCAC. The path runs through tight CUI scoping, FedRAMP-aligned cloud platforms, FIPS-validated cryptography, phishing-resistant MFA, and disciplined SSP and POA&M management — most of which overlaps with ISO 27001 and SOC 2 controls a commercial program already has.
To scope an engagement, book a call from the CMMC and NIST 800-171 service page, or talk to us about combining CMMC with ISO 27001, penetration testing, or a vCISO program for ongoing program management.