NIST SP 800-171 is a controls catalog. CMMC is a DoD compliance program. They are related but not the same, and the difference decides whether your CMMC project is five focused days of paperwork or a six-month engagement with a $50,000 C3PAO assessment.
Most of the writing online conflates them — “CMMC is NIST 800-171” — because most of the writing online is aimed at Level 2 contractors handling CUI, where the two really do almost overlap. For everyone else (which is most small DoD subs), getting this distinction right saves real money.
TL;DR
- NIST SP 800-171 = 110 controls for protecting CUI on non-federal systems. Written by NIST. Voluntary on its face.
- CMMC = the DoD program that makes 800-171 contractually binding (at Level 2) and adds an assessment + affirmation regime on top.
- CMMC Level 1 ≠ NIST 800-171. Level 1 is the 15 FAR 52.204-21 safeguarding requirements (a small subset of 800-171), for FCI only.
- CMMC Level 2 ≈ NIST 800-171, plus an annual affirmation and a triennial assessment (self or C3PAO depending on the contract).
- CMMC Level 3 = NIST 800-171 + 24 additional controls from NIST SP 800-172. DIBCAC-assessed.
What each of them actually is
NIST SP 800-171 — the controls catalog
Published by the National Institute of Standards and Technology, SP 800-171 is titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It defines 110 security controls across 14 families (Access Control, Awareness & Training, Audit, Configuration Management, etc.). Revision 2 has been the operative version for years; Revision 3 was published in May 2024 and is being phased in.
NIST itself doesn't enforce anything. NIST publishes; agencies adopt. DoD adopted 800-171 by referencing it in DFARS 252.204-7012 in 2017. That clause requires contractors who handle CUI under DoD contracts to implement 800-171.
CMMC — the DoD program
CMMC (Cybersecurity Maturity Model Certification) is the program established by 32 CFR Part 170. It does what 800-171 alone never did: it requires verification that contractors actually meet the controls, and it scales the verification to the sensitivity of the data — self-assessment for FCI (Level 1), self-assessment or C3PAO for CUI (Level 2), DIBCAC for the highest priority programs (Level 3).
The relationship in one sentence: NIST 800-171 is the rulebook; CMMC is the referee.
Where they overlap (the Level 1 subset)
The 15 FAR 52.204-21(b)(1) safeguarding requirements at the heart of CMMC Level 1 are a strict subset of NIST 800-171. They're the “basic safeguarding” floor — the small set of controls that apply even when you don't handle CUI.
Mapped to NIST/CMMC practice IDs, the 15 FAR requirements correspond to 17 CMMC practice IDs (a couple of FAR requirements split into two NIST controls):
| Family | FAR refs | CMMC L1 practice IDs | NIST 800-171 control |
|---|---|---|---|
| AC (Access Control) | (i), (ii), (iii), (iv) | 3.1.1 / 3.1.2 / 3.1.20 / 3.1.22 | Same 4 of 110 |
| IA (Identification & Auth) | (v), (vi) | 3.5.1 / 3.5.2 | Same 2 of 110 |
| MP (Media Protection) | (vii) | 3.8.3 | Same 1 of 110 |
| PE (Physical Protection) | (viii), (ix), (x) | 3.10.1 / 3.10.3 / 3.10.4 / 3.10.5 | 4 of 110 (one FAR req → 2 NIST) |
| SC (System & Comm Protection) | (xi), (xii) | 3.13.1 / 3.13.5 | Same 2 of 110 |
| SI (System & Info Integrity) | (xiii), (xiv), (xv) | 3.14.1 / 3.14.2 / 3.14.4 / 3.14.5 | 4 of 110 (one FAR req → 2 NIST) |
Bottom row arithmetic: 17 CMMC L1 practices ↔ 17 of NIST 800-171's 110 controls. If you ever move to Level 2, all your Level 1 work counts — you just implement the remaining 93.
Who needs which
| If you handle | You need | Controls count | Assessed by |
|---|---|---|---|
| FCI only | CMMC Level 1 (FAR 52.204-21) | 15 (= 17 NIST practices) | Self, annually |
| CUI | CMMC Level 2 (NIST 800-171) | 110 | Self or C3PAO, triennial |
| CUI on critical programs | CMMC Level 3 (800-171 + 800-172) | 110 + 24 | DIBCAC, triennial |
Unclear which bucket you're in? The fast path: 4-question decision tree. The slower-but-deeper path: FCI vs CUI explained.
Why the confusion is so common
- Most online CMMC content is written for Level 2. That's where the dollar volume is (C3PAO assessments are $25K–$75K+). Level 1 readers wander into Level 2 content and assume the 110 controls apply to them.
- DFARS 252.204-7012 has been around since 2017. Long enough for “you have to comply with NIST 800-171” to enter the GovCon vocabulary as a default. It was never the default for FCI-only subs; that distinction got flattened.
- Vendors sell up. Consultants who can quote a $50K Level 2 engagement have no business reason to tell a 5-person sub “you're fine on Level 1.”
- The terms “controls” and “practices” cross-pollinate. NIST calls them controls; CMMC calls them practices. Same things, different label.
If you have to move from L1 to L2
Some Level 1 contractors eventually land work that involves CUI. The good news: nothing about your L1 work is wasted. The 17 NIST practices that come from FAR 52.204-21 are a literal subset of the 110. The bad news: Level 2 is genuinely an order of magnitude more work — a real SIEM, access reviews, encryption requirements, a working incident response capability, and (for most contracts going forward) a C3PAO certification.
Custodia is intentionally Level 1 only. We're the platform that gets the 12-person sub through the 15-requirement annual cycle without paying for L2 infrastructure they don't need. If your work crosses into CUI, we'll point you at the right Level 2 path; we don't pretend to be it.
FAQ
Is CMMC the same thing as NIST 800-171?
No. NIST SP 800-171 is a controls catalog written by the National Institute of Standards and Technology — 110 security requirements for protecting CUI on non-federal systems. CMMC is the DoD program that incorporates NIST 800-171 (at Level 2) into a contractual compliance regime with assessment, certification, and an annual affirmation. NIST writes the controls; DoD enforces them via CMMC.
Do I need NIST 800-171 if I'm only CMMC Level 1?
No. CMMC Level 1 is based on FAR 52.204-21 (15 safeguarding requirements), not NIST SP 800-171. The 110 NIST 800-171 controls only apply at CMMC Level 2 and above. If you handle only Federal Contract Information (FCI) — not CUI — you're at Level 1 and you don't need to implement 800-171.
How many controls overlap between CMMC L1 (FAR 52.204-21) and NIST 800-171?
All 15 FAR 52.204-21(b)(1) safeguarding requirements map directly to NIST SP 800-171 controls — they're a strict subset. The 15 FAR requirements correspond to 17 NIST/CMMC practice IDs (a few FAR requirements map to multiple NIST practices). So if you later move from Level 1 to Level 2, your Level 1 work counts; you just have to implement the remaining 93 controls.
Why do people keep using the two terms interchangeably?
Because most CMMC discussion is written about Level 2, where the two are almost synonymous. At Level 2, the assessment is literally against NIST SP 800-171. Vendors selling Level 2 services don't distinguish carefully because their audience already handles CUI. Small Level 1 contractors get pulled into Level 2 jargon and panic — that's the most common avoidable mistake we see.
What's NIST 800-171A and how is it different from 800-171?
SP 800-171 is the controls catalog (what you must do). SP 800-171A is the assessment guide (how to verify you did it). 800-171A breaks each of the 110 controls into discrete assessment objectives (about 320 total) that an assessor checks. The CMMC L2 assessment process uses 800-171A objectives. At Level 1, the equivalent assessment guidance is in the official CMMC Assessment Guide for Level 1 (v2.13).