
FAR 52.204-21 vs NIST 800-171 vs CMMC Level 1 vs Level 2: A Plain-English Comparison

Four federal cybersecurity frameworks, one acronym soup. Which one applies to your DoD work, what it requires, and which contracts you can bid on at each level.

By Custodia Compliance Team · Information security engineers, Custodia · May 3, 2026 · 11 min read

Federal cybersecurity acronyms are an industry by themselves. Contractors get pulled into FAR 52.204-21, NIST 800-171, DFARS 7012, CMMC Level 1, CMMC Level 2, FedRAMP, and StateRAMP — sometimes all in the same week, often by people who can't explain the difference. This post is the plain-English map.

Start here: FCI vs CUI

Before any of this matters, figure out what kind of government data you handle. The framework that applies depends entirely on the data type.

| Data type | Definition | Examples |
|---|---|---|
| FCI — Federal Contract Information | Information not intended for public release that's provided by or generated for the government under a contract. | Statement of work, contract correspondence, delivery schedules, internal status reports. |
| CUI — Controlled Unclassified Information | Information that requires safeguarding under a specific law, regulation, or government-wide policy. | Technical data subject to ITAR, controlled technical info under DFARS 252.204-7012, PII under the Privacy Act, draft solicitations. |

FAR 52.204-21 — the 15 basic safeguarding requirements

FAR 52.204-21 — “Basic Safeguarding of Covered Contractor Information Systems” — is the clause the federal government has been writing into contracts since 2016 for any contractor handling FCI. It defines the baseline 15 safeguarding requirements that became, verbatim, CMMC Level 1.

FAR 52.204-21 is a contract clause. There's no submission or registration. If you signed a contract with the clause in it, you've agreed to comply. Most contractors don't notice until a prime asks for proof.

NIST SP 800-171 — the 110-control standard

NIST Special Publication 800-171 is the National Institute of Standards and Technology's standard for protecting CUI in non-federal systems. It defines 110 controls across 14 families, scored against the SPRS rubric (110 maximum, deductions per missing control). NIST 800-171 is required by DFARS 252.204-7012 for any contractor handling CUI.

Important: NIST 800-171 is what your SPRS score measures. The 15 FAR safeguarding requirements are a strict subset of the 110 NIST controls. If you implement all 110, you've also implemented the 15.

CMMC Level 1 — self-attestation against the 15

CMMC Level 1 took the 15 FAR 52.204-21(b)(1) safeguarding requirements, added a self-attestation requirement, and made it annual. The DoD's final rule (32 CFR 170, effective Dec 16, 2024) requires:

  • Annual self-assessment against all 15 basic safeguarding requirements (FAR 52.204-21(b)(1)(i)–(b)(1)(xv))
  • Annual affirmation in SPRS, signed by a senior official of the contractor (i.e., your CEO/COO — their name on a federal attestation)
  • System Security Plan (SSP) documenting how each practice is implemented
  • Affirmation memo retained for record

No third-party assessor required. No assessment cost. Just a signed self-attestation by a senior official, and the False Claims Act exposure that comes with one.

CMMC Level 2 — assessed against the 110

CMMC Level 2 requires implementation of all 110 NIST 800-171 controls and is the floor for any contractor handling CUI. There are two sub-tiers:

  1. Level 2 self-assessment — permitted for some lower-risk CUI scenarios. Self-attestation, like L1.
  2. Level 2 third-party assessment (the common case) — required for prioritized CUI work. Conducted by a C3PAO (Certified Third-Party Assessment Organization). Typical engagement: 6–9 months, $80,000–$250,000 for an SMB.

Side-by-side comparison

| | FAR 52.204-21 | NIST 800-171 | CMMC Level 1 | CMMC Level 2 |
|---|---|---|---|---|
| Data covered | FCI | CUI | FCI | CUI |
| Number of controls | 17 | 110 | 17 | 110 |
| Assessment type | Contract clause; no formal assessment | Self-assessment with SPRS score | Annual self-attestation | Self or 3PAO depending on tier |
| Frequency | Continuous (contract obligation) | Every 3 years | Annual | Every 3 years (3PAO) / annual self |
| Filed in SPRS? | No | Yes (Basic Assessment score) | Yes (CMMC Status) | Yes (CMMC Status) |
| Senior official sign-off? | Implied | Yes | Yes — FCA exposure | Yes — FCA exposure |
| Typical cost (SMB) | $0–$5K (template work) | $10K–$60K | $0–$10K (SaaS) / $9K–$30K (consultant) | $80K–$250K (3PAO engagement) |
| Custodia covers it? | Yes | No | Yes | No |

Decision tree: which one applies to you

  1. Do you have any DoD contract paperwork? If no, none of this applies (yet). If yes, continue.
  2. Does your contract include DFARS 252.204-7012? If yes — you handle CUI, you need NIST 800-171 / CMMC L2. If no, continue.
  3. Does your contract include FAR 52.204-21? If yes — you handle FCI, you need CMMC Level 1. (This is the most common case for small DoD contractors.)
  4. You don't see either clause but a prime asked for a SPRS score? Get on a call with the prime's small-business liaison and ask which clause applies. Then come back here.

If you landed on CMMC Level 1 in step 3, you're in the right place. The 15-requirement walkthrough is your next read, or skip the reading and take the free 4-minute SPRS quiz to see where you stand.

FAQ

If I have CMMC Level 2, do I also need Level 1?

No. Level 2 supersedes Level 1. If you're assessed at L2, the 17 L1 practices are part of that scope.

Can I do CMMC Level 2 self-assessment instead of paying a 3PAO?

Only for the subset of L2 contracts the DoD has designated as eligible for self-assessment — typically lower-risk CUI. Most prioritized contracts require a C3PAO assessment.

What about FedRAMP?

FedRAMP is for cloud service providers selling to the federal government. It's a different regime entirely. If you're not a CSP selling SaaS to federal agencies, you don't need it.

Does StateRAMP affect DoD work?

No. StateRAMP is for cloud services sold to state and local governments. Federal DoD contractors are unaffected.

What's the cheapest path through CMMC Level 1?

Self-led with templates and SaaS. Custodia's entire reason for existing is that L1 doesn't justify a $9k–$30k consultant engagement when it's ultimately a structured data-collection problem. See the cost comparison.

The L1 vs L2 question almost always comes down to the data type. If your contract doesn't flow CUI down, you don't need the $150,000 engagement. You need a week and a checklist.

— The Custodia Compliance Team
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)