The Difference Between 800-171 & CMMC

CMMC is the future of government contracting work. Learn what’s different with the new compliance standards and what you’ll need to stay up to date.

Both NIST SP 800-171 and CMMC aim to strengthen the cybersecurity posture of the defense industrial base and protect sensitive information from unintended disclosure. But each of these cybersecurity compliance standards takes a different approach to achieving these goals. We’ll outline the differences between these two frameworks to help you understand and identify what next steps you need to take to ensure you are protecting data safely.


NIST SP 800-171, or National Institute of Standards and Technology Special Publication 800-171, was developed in response to the Federal Information Security Management Act (FISMA), a United States federal law passed in 2002 that recognized the importance of information security to the economic and national security interests of the country.

NIST SP 800-171 is essentially a one-size-fits-all standard. The original version specified 110 security controls, many of which were unreasonably difficult for small DoD contractors to comply with. For example, Control 3.14.6 essentially requires contractors to implement a security information and event management (SIEM) solution because it requires organizations to “monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.”

CMMC abolishes the one-size-fits-all approach to cybersecurity by mapping security controls to one of five maturity levels. In the CMMC model, you would not be required to cover 100 percent of the NIST 800-171 controls until you reached the third cybersecurity maturity level. This way, contractors that represent minimal risk can certify only to one of the two lower levels, whose requirements are easier to achieve.


Under NIST SP 800-171, contractors didn’t have to pass any official certification process to prove that they have the ability to protect CUI. While some behaved responsibly and took cybersecurity seriously, many merely submitted a plan for how compliance would eventually be achieved in the future.

This is changing with CMMC, which requires contractors to be certified by official assessment organizations, CMMC 3rd Party Assessment Organizations. These organizations will be licensed by the CMMC Accreditation Body (CMMC- AB), which was established in January 2020 to train, test, and license up to 10,000 C3PAOs. Find more information on how to get your CMMC.


NIST SP 800-171 was presented by the DoD as a competitive advantage in the tender process, but the evolving threats that we face demand a different approach- one that doesn’t rely on contractors to decide on their own how to proactively address their defensive measures for protecting sensitive information from malicious third-parties and unintended public disclosure.

To work with the DoD in the future, all contractors will eventually be required to obtain a CMMC certification from a C3PAO.

The DoD has already begun including minimum certification requirements in requests for information in select requests for proposals, and all contractors will soon need to get certified by an accredited C3PAO in order to bid on new work.


For CMMC Level 4 and 5 there are 157 and 173 controls, respectively. These two numbers significantly exceed the 110 controls found in the most recent version of NIST 800-171 because they include controls from multiple other cybersecurity compliance standards, including CERT RMM v1.2, NIST 800-53, ISO 27002, CIS CSC 7.1, NIST’s Cybersecurity Framework (CSF), and FEDRAMP.

These additional controls were included in CMMC Level 4 and 5 to ensure proactive protection against advanced persistent threats (APTs), which typically involve continuous and sophisticated hacking techniques used by a nation- state or state-sponsored group with the objective of gaining access to a computer network and remaining undetected for an extended period.


The DoD, as mentioned earlier, has already begun including minimum certification requirements in requests for information in select requests for proposals, and all contractors will soon need to get certified by an accredited C3PAO in order to bid on new work. Don’t wait until every contractor is required to have their CMMC- get your certification before it’s required & show a history of established compliance before the field gets inundated with requests. Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is happy to talk through the steps your particular company should take in the CMMC process, or get started on your certification.

Follow Us on Social Media

Subscribe to our Blog

Most Recent Blog Posts

Don’t Stop Here

More Useful Security Information

Top 10 IT Security Myths — Debunked


Thanks to the recent COVID-19 pandemic, there has been a historic shift in the way people work. Remote work or work-from-home (WFH) policies were set

Cybersecurity Policies That Bridge Generations


Cybersecurity policies are necessary for any business to avoid becoming cybercrime victims. Cybercrimes continue to rise as cybercriminals get more creative- it’s imperative every business