Home     |     Steps to Compliance     |     Understanding CMMC

minutes remaining

Wherever you can find information about CMMC, the term “NIST SP 800-171” is likely present. While CMMC is the DoD’s new model for implementing cyber security standards across the Defense Industrial Base, the controls required in each level are adopted from proven NIST standards. It’s vital for contractors working toward CMMC compliance to learn about the standards found in NIST SP 800-171.

What is NIST SP 800-171?

NIST Special Publication 800-171, secondarily titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is one of many cyber security publications written by the National Institute of Standards and Technology. The 113-page document outlines the methodology for developing its security standards and describes the 110 recommended control requirements.

Protecting Controlled Unclassified Information

The publication provides a set of recommended cyber security standards that are useful for any organization. However, these NIST standards were developed specifically to address the protection of federal controlled unclassified information (CUI) processed, stored, and transmitted in support of delivering products and services within the DIB:

  1.  when the CUI is resident in a nonfederal system and organization.
  2. when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency;  and
  3. where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

The Purpose of NIST SP 800-171

According to NIST, the protection of CUI in nonfederal systems (an information system that is not used or operated by an executive agency) is essential to the protection of the U.S. government and the nation as a whole. DoD contractors’ can come across CUI in processes such as providing financial and cloud services, processing healthcare data, or developing communications and weapons systems1.

Between 2009 and 2013, a Chinese businessman and hacker team successfully broke into multiple contractors’ information systems. The hackers focused on retrieving plans for fighter jets F-22 and F-35 as well as a C-17 cargo aircraft in order to then sell the plans to the Chinese government2. This event and others like it served as motivation for the DoD to require contractors to implement effective safeguards.

Control Requirements

NIST SP 800-171’s control requirements are well-known and widely accepted3. There are 110 security requirements organized into 14 families for protecting the confidentiality of CUI in contractors’ systems. Each family covers a different general security topic. CMMC language refers to NIST families as “domains.”

Each requirement, or practice, uses the following naming convention:

AC.L1-3.1.1 = [Family/Domain] . [CMMC Level] – [Practice Number]

Click a tab to see a description of each family and its list of control requirements (“Level 1” and “Level 2” categories aid in understanding which practices are required for each CMMC level).

Access Control (AC)

Controls in the Access Control domain restrict system access to protected information based on authentic user, process, or device identities.

AC Control Example: An organization monitors and controls their employees’ internet remote access sessions to the system and implements a VPN (virtual private network) to improve confidentiality.

CMMC Level 1 Practices

  • AC.L1-3.1.1 – Authorized Access Control
  • AC.L1-3.1.2 – Transaction & Function Control
  • AC.L1-3.1.20 – External Connections
  • AC.L1-3.1.22 – Control Public Information

CMMC Level 2 Practices

  • AT.L2-3.1.3 – Control CUI Flow
  • AC.L2-3.1.4 – Separation of Duties
  • AC.L2-3.1.5 – Least Privilege
  • AC.L2-3.1.6 – Non-Privileged Account Use
  • AC.L2-3.1.7 – Privileged Functions
  • AC.L2-3.1.8 – Unsuccessful Logon Attempts
  • AC.L2-3.1.9 – Privacy & Security Notices
  • AC.L2-3.1.10 – Session Lock
  • AC.L2-3.1.11 – Session Termination
  • AC.L2-3.1.12 – Control Remote Access
  • AC.L2-3.1.13 – Remote Access Confidentiality
  • AC.L2-3.1.14 – Remote Access Routing
  • AC.L2-3.1.15 – Privileged Remote Access
  • AC.L2-3.1.16 – Wireless Access Authorization
  • AC.L2-3.1.17 – Wireless Access Protection
  • AC.L2-3.1.18 – Mobile Device Connection
  • AC.L2-3.1.19 – Encrypt CUI on Mobile
  • AC.L2-3.1.21 – Portable Storage Use

Awareness and Training (AT)

Controls in the Awareness & Training domain ensure that all users of a system are made aware of security risks and applicable policies, standards, and procedures through rigorous training.

AT Control Example: An organization teaches their staff how to recognize and report potential insider threats through security awareness training.

CMMC Level 1 Practices

  • No Level 1 AT Practices

CMMC Level 2 Practices

  • AT.L2-3.2.1 – Role-Based Risk Awareness
  • AT.L2-3.2.2 – Role-Based Training
  • AT.L2-3.2.3 – Insider Threat Awareness

Audit and Accountability (AU)

Controls in the Audit & Accountability domain provide protocols for system audit scheduling and audit log storage for the monitoring and reporting of unauthorized system use.

AU Control Example: An organization specifies the system event types to be logged and outlines requirements for retaining and storing the audit records.

CMMC Level 1 Practices

  • No Level 1 AU Practices

CMMC Level 2 Practices

  • AU.L2-3.3.1 – System Auditing
  • AU.L2-3.3.2 – User Accountability
  • AU.L2-3.3.3 – Even Review
  • AU.L2-3.3.4 – Audit Failure Alerting
  • AU.L2-3.3.5 – Audit Correlation
  • AU.L2-3.3.6 – Reduction & Reporting
  • AU.L2-3.3.7 – Authoritative Time Source
  • AU.L2-3.3.8 – Audit Protection
  • AU.L2-3.3.9 – Audit Management

Configuration Management (CM)

Controls in the Configuration Management domain govern the baseline settings installed on software, hardware, and firmware and listed in documentation.

CM Control Example: An organization establishes and maintains sets of specifications and configuration items (standard software packages installed on devices, current version numbers on applications, etc.) throughout all organizational systems (software, hardware, firmware,  System Security Plan) listed in their system inventory.

CMMC Level 1 Practices

  • No Level 1 CM Practices

CMMC Level 2 Practices

  • CM.L2-3.4.1 – System Baselining
  • CM.L2-3.4.2 – Security Configuration Enforcement
  • CM.L2-3.4.3 – System Change Management
  • CM.L2-3.4.4 – Security Impact Analysis
  • CM.L2-3.4.5 – Access Restrictions for Change
  • CM.L2-3.4.6 – Least Functionality
  • CM.L2-3.4.7 – Nonessential Functionality
  • CM.L2-3.4.8 – Application Execution Policy
  • CM.L2-3.4.9 – User-Installed Software

Identification and Authentication (IA)

Controls in the Identification & Authentication domain serve to specify the user and device identification process and set up authentication of users and devices before allowing them access to the system. 

IA Control Example: An organization assigns unique user IDs to each employee to be able to log into the system. This allows for granting access to information needed for a project to certain users while preventing other users not working on the project from accessing the information.

CMMC Level 1 Practices

  • IA.L1-3.5.1 – Identification
  • IA.L1-3.5.2 – Authentication

CMMC Level 2 Practices

  • IA.L2-3.5.3 – Multifactor Authentication
  • IA.L2-3.5.4 – Replay-Resistant Authentication
  • IA.L2-3.5.5 – Identifier Reuse
  • IA.L2-3.5.6 – Identifier Handling
  • IA.L2-3.5.7 – Password Complexity
  • IA.L2-3.5.8 – Password Reuse
  • IA.L2-3.5.9 – Temporary Passwords
  • IA.L2-3.5.10 – Cryptographically-Protected Passwords
  • IA.L2-3.5.11 – Obscure Feedback

Incident Response (IR)

Controls in the Incident Response domain establish the systematic approaches and architecture needed to respond to real-time attacks. An incident response plan outlines an organization’s capacity to handle incidents, including preparation, detection, analysis, containment, recovery, and user response activities.

IR Control Example: An organization establishes a procedure for users to identify and report potential incidents by emailing a certain address. The procedure also assigns roles and responsibilities to different users within a system to prepare incident handling capabilities like determining a place to store evidence of an incident.

CMMC Level 1 Practices

  • No Level 1 IR Practices

CMMC Level 2 Practices

  • IR.L2-3.6.1 – Incident Handling
  • IR.L2-3.6.2 – Incident Reporting
  • IR.L2-3.6.3 – Incident Response Testing

Maintenance (MA)

Controls in the Maintenance domain list protocols and procedures for scheduling regular and special event maintenance on organizational systems.

MA Control Example: An organization establishes a procedure and performs preventative maintenance by updating operating systems and applications to avoid potential problems, tracking what maintenance was perform to help with troubleshooting (if needed).

CMMC Level 1 Practices

  • No Level 1 MA Practices

CMMC Level 2 Practices

  • MA.L2-3.7.1 – Perform Maintenance
  • MA.L2-3.7.2 – System Maintenance Control
  • MA.L2-3.7.3 – Equipment Sanitization
  • MA.L2-3.7.4 – Media Inspection
  • MA.L2-3.7.5 – Nonlocal Maintenance
  • MA.L2-3.7.6 – Maintenance Personnel

Media Protection (MP)

Controls in the Media Protection domain outline practices for the safeguarding of FCI and CUI in information system media like paper documents, USB drives, or mobile phones. These practices include the encryption and secure storage of media and the sanitization or destroying of media before its disposal or reuse.

MP Control Example: An organization has CUI stored on a USB drive which is then locked in a drawer and logged in a system inventory. Any time the USB drive is checked out by an employee, a log is updated with their information.

CMMC Level 1 Practices

  • MP.L1-3.8.3 – Media Disposal

CMMC Level 2 Practices

  • MP.L2-3.8.1 – Media Protection
  • MP.L2-3.8.2 – Media Access
  • MP.L2-3.8.4 – Media Markings
  • MP.L2-3.8.5 – Media Accountability
  • MP.L2-3.8.6 – Portable Storage Encryption
  • MP.L2-3.8.7 – Removeable Media
  • MP.L2-3.8.8 – Shared Media
  • MP.L2-3.8.9 – Protect Backups

Personnel Security (PS)

Controls in the Personnel Security domain require that an organization define protocols for screening individuals during the recruiting, hiring, and onboarding processes prior to granting access to systems containing CUI.

PS Control Example: An organization assesses a newly hired employee’s conduct and reliability, as well as background and credit checks, before they can access CUI.

CMMC Level 1 Practices

  • No Level 1 PS Practices

CMMC Level 2 Practices

  • PS.L2-3.9.1 – Screen Individuals
  • PS.L2-3.9.2 – Personnel Actions

Physical Protection (PE)

Controls in the Physical Protection domain limit physical access through proximity-based safeguards for workspaces and devices linked to CUI or CDI (covered defense information).

PE Control Example: An organization keeps a log of visitors to their office and requires that they be escorted by an employee at all times. Video cameras are installed at each entrance and exit and feed video to a reception desk monitor.

CMMC Level 1 Practices

  • PE.L1-3.10.1 – Limit Physical Access
  • PE.L1-3.10.3 – Escort Visitors
  • PE.L1-3.10.4 – Physical Access Logs
  • PE.L1-3.10.5 – Manage Physical Access

CMMC Level 2 Practices

  • PE.L2-3.10.2 – Monitor Facility
  • PE.L2-3.10.6 – Alternative Work Sites

Risk Assessment (RA)

Controls in the Risk Assessment domain advise periodically assessing the risk to an organization by monitoring, analyzing, and mitigating known threats and vulnerabilities.

RA Control Example: An organization performs their annual risk assessment exercise by reviewing incident reports, identifying threat sources and events, and determining the likelihood of risk to the safeguarding of CUI.

CMMC Level 1 Practices

  • No Level 1 RA Practices

CMMC Level 2 Practices

  • RA.L2-3.11.1 – Risk Assessments
  • RA.L2-3.11.2 – Vulnerability Scan
  • RA.L2-3.11.3 – Vulnerability Remediation

Security Assessment (CA)

Controls in the Security Assessment domain includes protocols for conducting regular internal and external audits of cybersecurity measures and practices to determine their effectiveness.

CA Control Example: An organization uses their own System Security Plan (SSP) as a guide and reviews the efficacy of their security controls, proposing updated or new controls where needed.

CMMC Level 1 Practices

  • No Level 1 CA Practices

CMMC Level 2 Practices

  • CA.L2-3.12.1 – Security Control Assessment
  • CA.L2-3.12.2 – Plan of Action
  • CA.L2-3.12.3 – Security Control Monitoring
  • CA.L2-3.12.4 – System Security Plan

System and Communications Protection (SC)

Controls in the System and Communications Protection domain optimize the security of all internal and external network traffic, such as through a web proxy and a firewall.

SC Control Example: An organization installs a firewall to separate their internal network from the internet. The firewall allows them to block access to websites that appear to spread malware and keeps a log of blocked activity for use in monitoring.

CMMC Level 1 Practices

  • SC.L1-3.13.1 – Boundary Protection
  • SC.L1-3.13.5 – Public-Access System Separation

CMMC Level 2 Practices

  • SC.L2-3.13.2 – Security Engineering
  • SC.L2-3.13.3 – Role Separation
  • SC.L2-3.13.4 – Shared Resource Control
  • SC.L2-3.13.6 – Network Communication by Exception
  • SC.L2-3.13.7 – Split Tunneling
  • SC.L2-3.13.8 – Data in Transit
  • SC.L2-3.13.9 – Connections Termination
  • SC.L2-3.13.10 – Key Management
  • SC.L2-3.13.11 – CUI Encryption
  • SC.L2-3.13.12 – Collaborative Device Control
  • SC.L2-3.13.13 – Mobile Code
  • SC.L2-3.13.14 – Voice Over Internet Protocol
  • SC.L2-3.13.15 – Communications Authenticity
  • SC.L2-3.13.16 – Data at Rest

System and Information Integrity (SI)

Controls in the System and Information Integrity domain entail protocols, like system security alerts and communication monitoring, that ensure total confidentiality of protected data within systems.

SI Control Example: An organization sets up system security alerts for different parts of the system, reviews alerts, and researches how to appropriately address them.

CMMC Level 1 Practices

  • SI.L1-3.14.1 – Flaw Remediation
  • SI.L1-3.14.2 – Malicious Code Protection
  • SI.L1-3.14.4 – Update Malicious Code Protection
  • SI.L1-3.14.5 – System & File Scanning 

CMMC Level 2 Practices

  • SI.L2-3.14.3 – Security Alerts & Advisories
  • SI.L2-3.14.6 – Monitor Communications for Attacks
  • SI.L2-3.14.7 – Identify Unauthorized Use

How NIST SP 800-171 and CMMC Align

Before the advent of CMMC, the DoD required that contractors self-attest their compliance with NIST SP 800-171 requirements. The CMMC 2.0 model aims to improve on this system. For example, CMMC Level 2 requires a third-party assessment for certification for some contracts, but its requirements are the same as those found in the NIST publication. Because of this, many contractors who have already self-attested their NIST compliance don’t have to implement new controls to comply with CMMC.

CMMC Level 117/110 NIST SP 800-171 Requirements
CMMC Level 2*110/110 NIST SP 800-171 Requirements
CMMC Level 3110/110 NIST SP 800-171 Requirements35 NIST SP 800-172 Requirements

*Note: CMMC 1.0 Level 2 listed ten additional CMMC-specific process requirements to the 110 found in NIST. CMMC 2.0 reversed these additions and mirrors NIST.

While CMMC Level 1 requires 17 of the 110 NIST SP 800-171 controls, Level 2 requirements mirror the NIST publication entirely. Level 3 requirements include all of NIST SP 800-171 and the 35 supplemental requirements found in NIST SP 800-172.

DFARS Clauses and Rules

The Defense Federal Acquisition Regulation Supplement is a collection of acquisitions rules and guidance to facilitate contractors’ supply of goods and services to the DoD. As such, DFARS is the medium by which the DoD announces regulations, policies, and procedures to the DIB.

Several DFARS amendments in recent years include NIST SP 800-171:

DFARS Clause 252.204-7012

Date Published: September 19, 2017

Subject: “Safeguarding Covered Defense Information and Cyber Incident Reporting” — Implementing the Security Requirements of NIST SP 800-171

This rule stated that any contractor that has CUI in their system is required to document and protect that information by following the guidelines in NIST SP 800-171. Self-attestation of NIST requirements was required by the end of December 2017.

DFARS Rule 2019-D041 (DFARS Interim Rule)

Date Published: September 29, 2020

Subject: Assessing Contractor Implementation of Cybersecurity Requirements

Published in tandem with DFARS Clause 252.204-7019, DFARS Rule 2019-D041, also known as the DFARS Interim Rule, announces the phased implementation plan for the CMMC Framework. It also amends DFARS Clause 252.204-7012 to implement the NIST SP 800-171 DoD Assessment Methodology in the acquisition process.

The rule requires contracting officers to take actions prior to awarding a contract on or after November 30, 2020:

  • The contracting officer must verify an offeror has a NIST SP 800-171 DoD Assessment on record in the SPRS system before granting the contract.
  • The contracting officer must verify an offerer has a CMMC certificate at the level required by the solicitation. (CMMC requirements will only apply to certain new contracts until September 30, 2025 when all contracts are expected to contain CMMC certification requirements.)

DFARS Clause 252.204-7019

Date Published: November 2020

Subject: Notice of NIST SP 800-171 DoD Assessment Requirements

The government issued DFARS Clause 252.204-7019 in November 2020, which requires contractors to submit a basic assessment score (the number of controls compliant out of 110) into the Supplier Performance Risk System (SPRS) demonstrating their current level of compliance with NIST requirements. Also required is a brief summary of a contractor’s system security plan and the date that all requirements are expected to be implemented.

How to Become NIST SP 800-171 Compliant

Get an Assessment

To be considered for a new or renewal contract, contractors must complete a basic assessment and submit the summary level score to the SPRS system.

There are two options to find your SPRS score:

  • A self-assessment
  • A readiness assessment performed by a cybersecurity service provider

The results of these assessments are referred to as a “gap analysis.”

Remediate Compliance Gaps

Once a contractor performs an assessment and receives a gap analysis, they must remediate the gaps in compliance. Similarly to assessments, there are two main methods to remediate compliance gaps:

  • Contractors can implement requirements themselves (with or without the help of documentation templates and one-off solutions)
  • Contractors can hire a cybersecurity service provider who offers comprehensive compliance services

Note: Many cybersecurity service providers claim to offer comprehensive compliance, but only operate as advisory consultants, leaving clients to complete remediation largely on their own.

CyberSecure 360 is an all-in-one NIST SP 800-171 and CMMC compliance program at a fraction of the cost of DIY options. Choose from five cost-effective packages of 23 turnkey cyber security services, all including POA&M, SSP, and Policies & Standards.

Get a CMMC Certification Assessment

As C3PAOs become available, Level 2 and 3 contractors who require CMMC certification must undergo a third-party assessment. This assessment will assess the contractors’ adherence to NIST SP 800-171 requirements and issue a certification to enable contract eligibility.


1 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

2 https://www.theguardian.com/technology/2014/jul/12/chinese-man-charged-with-hacking-into-us-fighter-jet-plans

3 https://www.acq.osd.mil/cmmc/model.html










{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Never Miss a Post

Sign up to be updated with the newest CMMC Insights.

Approx. 2 emails per month. Read our Privacy policy.