This is one of the most common questions in the defense industrial base right now. The short answer: the technical requirements are identical, both require the 110 practices in NIST SP 800-171 Rev 2. The critical difference is in how compliance is verified, and that difference changes everything about how you need to prepare.
NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, defines 110 security requirements across 14 practice families. It was published to give defense contractors a clear security framework for protecting CUI, the sensitive but unclassified information that flows through the defense supply chain.
DFARS 252.204-7012 made NIST 800-171 compliance a contractual requirement in 2017. Contractors were required to implement all 110 controls, conduct a self-assessment, and submit their score to the Supplier Performance Risk System (SPRS). The problem: nobody verified the scores. The honor system, applied to national security data. Self-reporting an inflated compliance score had no immediate consequences.
CMMC (Cybersecurity Maturity Model Certification) was created specifically to address the self-attestation gap. Rather than taking contractors at their word, CMMC Level 2 requires an independent third-party assessment organization, a C3PAO, to verify that the 110 NIST 800-171 practices are actually implemented.
CMMC is codified under 32 CFR Part 170 and became effective December 16, 2024. It's being phased into DoD contracts on a rolling basis through 2028, with priority on contracts involving critical or sensitive programs.
| Dimension | NIST 800-171 (DFARS Self-Attestation) | CMMC Level 2 |
|---|---|---|
| Security requirements | 110 practices across 14 families | 110 practices across 14 families (identical) |
| Reference framework | NIST SP 800-171 Rev 2 | NIST SP 800-171 Rev 2 |
| Assessment type | Self-assessment | Third-party C3PAO assessment (or annual self-attestation for lower-risk programs) |
| Assessment methodology | DoD Assessment Methodology | CMMC Assessment Process (CAP) + NIST 800-171A |
| Score submitted to | SPRS (self-reported) | CMMC eMASS / SPRS (C3PAO-validated) |
| POA&M allowed? | Yes, can operate with open POA&M items | Limited, conditional certification possible for minor items, but major gaps block certification |
| SSP required? | Yes (NIST 800-171 §3.12.4) | Yes, reviewed in detail by assessors |
| Regulatory basis | DFARS 252.204-7012 | 32 CFR Part 170 |
| Who verifies | Nobody (honor system) | Accredited C3PAO (for Level 2 certification) |
| Certification required by | Not applicable | Contract award date specified in solicitation |
The controls are the same. The difference is in what "implemented" means when someone is actually going to check.
Under DFARS self-attestation, many contractors had SSPs that were high-level at best. C3PAO assessors read SSPs critically. They look for specific implementation details: what system enforces this control, who is responsible, how is effectiveness measured, what is the scope of the CUI boundary. Generic statements like "we use strong passwords" don't pass muster (NIST 800-171 §3.12.4).
Assessors don't take your word for control implementation. They test. For access control practices, they'll ask you to demonstrate that MFA is enforced on remote access, and watch you do it. For audit logging, they'll ask to see logs from your systems. For incident response, they'll ask to walk through the IRP and may conduct a tabletop (NIST 800-171A).
Under DFARS, you could have dozens of open POA&M items and still submit whatever SPRS score you wanted. Under CMMC, a POA&M represents practices that are NOT MET. To achieve certification, all 110 practices must be MET. Conditional certification exists for minor deficiencies with active remediation plans, but there are strict limits on which practices qualify and how long the conditional window lasts.
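To make the POA&M difference concrete, here is an added example (not from the article, and not an official scoring tool) that feeds one set of assessment results through both regimes. It uses a handful of real NIST SP 800-171 Rev 2 practice identifiers, but the point weights, the minimum conditional score, the POA&M weight limit and the excluded-practice set are all placeholders constructed for the example; the binding weights come from the DoD Assessment Methodology and the conditional-certification rules from 32 CFR Part 170.

```python
from dataclasses import dataclass

# Constructed sample of NIST SP 800-171 Rev 2 practice identifiers. The point
# weights are placeholders for this example; the authoritative 1/3/5-point
# weights come from the DoD Assessment Methodology, not from this table.
PRACTICE_WEIGHTS = {
    "3.1.1": 5,    # Limit system access to authorized users
    "3.3.1": 5,    # Create and retain system audit logs
    "3.5.3": 5,    # Multifactor authentication (privileged and network access)
    "3.6.1": 5,    # Operational incident-handling capability
    "3.8.9": 1,    # Protect CUI backups at storage locations
    "3.10.3": 1,   # Escort visitors and monitor visitor activity
    "3.12.4": 3,   # Develop and maintain the System Security Plan
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}

TOTAL_PRACTICES = 110  # both regimes start from the same 110 requirements


@dataclass(frozen=True)
class CmmcPolicy:
    """Conditional-certification rules modelled as parameters. Every value
    here is an ASSUMPTION for the example; the binding rules are in 32 CFR Part 170."""
    min_score: int = 88                 # assumed minimum score for a conditional award
    poam_max_weight: int = 1            # assumed: only low-weight gaps may sit on a POA&M
    poam_excluded: frozenset = frozenset({"3.12.4"})  # assumed: never POA&M-eligible


def not_met(results):
    """Practices whose status is anything other than MET (case-insensitive).
    Practices absent from `results` are treated as MET for the example."""
    return sorted(p for p, s in results.items() if s.strip().upper() != "MET")


def sprs_score(results):
    """Self-assessment score as submitted to SPRS: start at 110 and deduct each
    NOT MET practice's weight. Open POA&M items lower the number but never
    block submission, which is the honor-system gap the article describes."""
    return TOTAL_PRACTICES - sum(PRACTICE_WEIGHTS[p] for p in not_met(results))


def cmmc_determination(results, policy=CmmcPolicy()):
    """Third-party view of the same results. Returns (outcome, poam_items):
    CERTIFIED when every practice is MET; CONDITIONAL when the only gaps are
    POA&M-eligible and the score clears the minimum; otherwise NOT CERTIFIED."""
    gaps = not_met(results)
    if not gaps:
        return "CERTIFIED", []
    eligible = all(
        PRACTICE_WEIGHTS[p] <= policy.poam_max_weight and p not in policy.poam_excluded
        for p in gaps
    )
    if eligible and sprs_score(results) >= policy.min_score:
        return "CONDITIONAL", gaps
    return "NOT CERTIFIED", gaps


def compare_regimes(results):
    """Side-by-side summary of what the same evidence yields under each regime."""
    outcome, poam = cmmc_determination(results)
    return {
        "dfars_sprs_score": sprs_score(results),
        "dfars_submittable": True,   # self-attestation never refuses a score
        "cmmc_outcome": outcome,
        "cmmc_poam": poam,
    }


# Constructed assessment results: MFA (3.5.3) is not enforced on remote access
# and backup media is unprotected (3.8.9); everything else is MET.
SAMPLE_RESULTS = {p: "MET" for p in PRACTICE_WEIGHTS}
SAMPLE_RESULTS["3.5.3"] = "NOT MET"
SAMPLE_RESULTS["3.8.9"] = "NOT MET"

if __name__ == "__main__":
    for key, value in compare_regimes(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

Run as written, the sample still produces a submittable SPRS score of 104 under self-attestation, while the CMMC determination is NOT CERTIFIED because a heavy-weight practice (MFA) is open. Clearing the MFA gap and leaving only the backup item turns the same function's answer into CONDITIONAL with a one-item POA&M, which is the shape of the "strict limits" the paragraph above refers to.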
One of the most impactful parts of a CMMC assessment is the scoping review, where the C3PAO determines what systems, users, and components are actually in scope for the assessment. Many contractors have been informally scoping their CUI boundary narrowly for years. Assessors may expand that scope based on actual data flows, which can significantly change what controls are required where.
Key insight: CMMC doesn't add new technical requirements, it adds accountability for requirements that already existed. If you've been genuinely implementing NIST 800-171 for years, a CMMC assessment is validation, not transformation. If you've been self-reporting a score that outpaced your actual implementation, the gap will surface. Unlike a self-assessment, a C3PAO doesn't accept "we're working on it" as evidence.
The answer depends on your specific contracts. As of 2026:
If you're not sure whether your current or pipeline contracts will require CMMC certification, the solicitation language will specify it: look for references to DFARS 252.204-7021 (CMMC requirements) alongside 252.204-7012.
The SSP and Access Control policy are the two documents C3PAO assessors scrutinize most closely. Both are available as ready-to-use, practitioner-written templates, structured exactly the way assessors expect to see them.
If you're already genuinely compliant with NIST 800-171 and your documentation is solid, CMMC Level 2 is a validation exercise. If there's a gap between what you've been self-reporting and what you've actually implemented, well, a C3PAO charges by the day and knows what to look for. Now is the time to close it.
Start with the SSP. If it doesn't hold up to the scrutiny of someone who's been hired specifically to challenge it, it won't hold up to an assessment.