NIST SP 800-171A
Also known as: Assessing Security Requirements for Controlled Unclassified Information
NIST SP 800-171A is the companion assessment guide to SP 800-171. It breaks each of the 110 controls into discrete assessment objectives (about 320 in total) that an assessor uses to verify implementation. CMMC Level 2 assessments are conducted against the 800-171A objectives.
Related terms
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2, but it is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.
- Assessment Objective
An assessment objective is a discrete, atomic statement an assessor uses to determine whether a security requirement has been satisfied. NIST SP 800-171A breaks each of the 110 NIST 800-171 controls into multiple assessment objectives (approximately 320 in total). The CMMC Level 1 Assessment Guide breaks each of the 15 requirements into a smaller set of objectives.
- CMMC Third-Party Assessment Organization
A CMMC Third-Party Assessment Organization (C3PAO) is an entity accredited by the Cyber AB to perform CMMC Level 2 assessments on behalf of DoD contractors. C3PAOs are not used at Level 1 — Level 1 is exclusively self-assessed — and they are not used at Level 3, which is assessed by DIBCAC.