If you’ve been complying with NIST SP 800-171 under DFARS 252.204-7012 since 2017, you’re ahead of most contractors. But “NIST 800-171 compliant” and “CMMC Level 2 certified” are not the same thing — and the gap between them is exactly where most established contractors are getting caught.
This guide is for defense contractors who already have a NIST SP 800-171 program in place. You understand the 110 controls, you’ve submitted a SPRS score, you have documentation. What you need to understand is what CMMC adds, where your existing program falls short, and what the actual compliance actions are between where you stand today and where you need to be for Level 2 certification.
The Short Answer: Same Controls, Different Verification Standard
CMMC Level 2 requires the same 110 practices as NIST SP 800-171 Rev 2. No new controls were added for Level 2. The fundamental change is who verifies compliance:
| Requirement | NIST SP 800-171 (pre-CMMC) | CMMC Level 2 |
|---|---|---|
| Controls required | 110 practices | Same 110 practices |
| Who verifies | You (self-attestation) | Authorized C3PAO (third party) |
| Verification frequency | Annual SPRS resubmission | Triennial C3PAO assessment |
| DoD visibility | SPRS score (self-reported) | CMMC certification in database |
| Cost | Internal labor | $30,000–$100,000+ assessment fee |
| Legal exposure | Representation in SPRS | Same + certification liability |
If you’ve been implementing NIST SP 800-171 rigorously since DFARS 252.204-7012 took effect, CMMC Level 2 is largely a verification exercise — not a new compliance buildout. The challenge is that most contractors who believed they were compliant were not actually compliant.
What Changed Between DFARS 252.204-7012 and CMMC 2.0
The Pre-CMMC Landscape (2017–2024)
DFARS 252.204-7012 required contractors handling Covered Defense Information (CDI) — the predecessor term to CUI — to implement NIST SP 800-171 and report cyber incidents to DoD within 72 hours. The compliance mechanism was pure self-attestation:
- You implemented the 110 controls (or documented a plan to)
- You submitted your SPRS score
- DoD had limited ability to verify whether implementation was real
The practical result, documented by CyberSheath and others who audited real contractor environments, was widespread non-compliance: average SPRS scores in the DIB hovered around 39 out of a possible 110 (per CyberSheath’s 2023 DIB compliance survey). Many contractors with scores above 100 had demonstrably unimplemented controls. The self-attestation model produced data that was fundamentally unreliable.
CMMC 2.0 Interim Rules and Final Rule (2021–2024)
The CMMC framework went through significant revision after CMMC 1.0 was introduced in 2020. CMMC 2.0 (published as an Interim Final Rule in 2021, finalized December 2024) made two critical decisions:
- Aligned Level 2 exactly to NIST SP 800-171 Rev 2 — eliminated the additional CMMC-specific practices that were in CMMC 1.0
- Eliminated self-attestation for Level 2 — all contracts involving CUI handling require C3PAO assessment (with a small carve-out for non-critical Level 2 contracts that may allow self-attestation in limited circumstances, per OUSD(A&S) guidance)
What CMMC 2.0 Did NOT Change
- The 110 NIST SP 800-171 Rev 2 practices remain unchanged
- The DFARS 252.204-7012 obligation to implement those practices remains unchanged
- The SPRS self-assessment requirement under DFARS 252.204-7019/7020 remains unchanged
- CUI handling and reporting obligations under DFARS 252.204-7012 remain unchanged
Your DFARS 252.204-7012 compliance obligation has not changed. CMMC adds a third-party verification mechanism to an obligation that already existed.
NIST SP 800-171 Rev 1 vs. Rev 2: Are You on the Right Version?
NIST SP 800-171 Rev 2 was published in February 2020. If your NIST 800-171 compliance program was built against Rev 1 (published 2016) and not updated, you have a version problem.
Rev 2 added two new practices:
- 3.7.5 — Require MFA for establishing network maintenance sessions via external networks
- 3.7.6 — Supervise maintenance activities of maintenance personnel without required access authorization
If your SSP references Rev 1 or doesn’t include these two practices, update your documentation before a C3PAO arrives. These aren’t major technical changes — but an SSP that doesn’t match the current control set raises questions about the currency of your overall compliance program.
NIST SP 800-171 Rev 3: What’s Coming
NIST published SP 800-171 Rev 3 in May 2024. Here’s what contractors need to know:
CMMC Level 2 currently maps to Rev 2. The CMMC 2.0 Final Rule published December 2024 is based on NIST SP 800-171 Rev 2. Your assessment will be conducted against Rev 2.
CMMC’s eventual alignment to Rev 3 will require a rulemaking process. No CMMC Rev 3 transition date has been established. Do not build your compliance program against Rev 3 for the purpose of CMMC assessment — you’ll be assessed against Rev 2.
What changed in Rev 3 (for future planning):
- Reorganization of practices into new families
- New emphasis on supply chain risk management
- Expanded configuration management requirements
- New organization and supply chain risk practices
When CMMC alignment to Rev 3 is established, you’ll need to update your SSP and program. Monitor NIST and Cyber AB announcements. For the 2026 assessment cycle, Rev 2 is the standard.
The Real Gap: Implementation vs. Documentation vs. Verification
Here’s where contractors with existing NIST 800-171 programs most often fall short when preparing for CMMC Level 2:
Gap 1: The Implementation-Documentation Mismatch
Your security environment may be substantially compliant, but your SSP doesn’t accurately describe how controls are implemented. A C3PAO will assess your SSP first — if the SSP says you implement a control one way and your systems show it’s implemented differently (or not at all), that’s a finding regardless of technical implementation.
Common example: SSP states “MFA is implemented using Microsoft Authenticator for all user accounts.” Technical reality: MFA is enforced via Conditional Access for most users but has exceptions for service accounts and legacy authentication protocols. The SSP says Met; the configuration shows gaps. The C3PAO scores it Not Met.
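To make this documentation-versus-configuration gap concrete, the following is an added example written for this guide (not code from CMMC First or from any real tenant): it compares the SSP claim “MFA for all user accounts” with a constructed Conditional Access policy export shaped like a Microsoft Graph conditionalAccess policy and lists every account and client app type the claim does not actually hold for. All account names and policy values are made up.

```python
# Added example: check an SSP's "MFA for all user accounts" claim against an
# exported Conditional Access policy set. The policy dicts are a constructed
# sample shaped like Microsoft Graph conditionalAccess policies, not a real export.
from typing import Iterable

# Conditional Access client app types; "other" is the bucket that legacy
# authentication protocols (basic auth, IMAP/POP/SMTP, older clients) fall into.
CLIENT_APP_TYPES = ("browser", "mobileAppsAndDesktopClients", "exchangeActiveSync", "other")

# Constructed accounts: interactive users plus one service account.
ACCOUNTS = ["alice@example.com", "bob@example.com", "svc-backup@example.com"]

# Constructed export: MFA required for "All" users, but the service account is
# excluded and legacy auth ("other") is only covered by a report-only policy.
POLICIES = [
    {"displayName": "Require MFA - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-backup@example.com"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients", "exchangeActiveSync"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["other"]},
     "grantControls": {"builtInControls": ["block"]}},
]


def policy_covers(policy: dict, account: str, app_type: str) -> bool:
    """True if an enforced policy requires MFA for this account on this client app type."""
    if policy.get("state") != "enabled":
        return False  # report-only and disabled policies enforce nothing
    if "mfa" not in (policy.get("grantControls") or {}).get("builtInControls", []):
        return False
    users = policy["conditions"]["users"]
    included = "All" in users.get("includeUsers", []) or account in users.get("includeUsers", [])
    excluded = account in users.get("excludeUsers", [])
    apps = policy["conditions"].get("clientAppTypes", [])
    return included and not excluded and ("all" in apps or app_type in apps)


def mfa_gaps(policies: Iterable[dict], accounts: Iterable[str]) -> list[tuple[str, str]]:
    """(account, client app type) pairs for which the SSP's MFA claim does not hold."""
    policies = list(policies)
    return [(a, t) for a in accounts for t in CLIENT_APP_TYPES
            if not any(policy_covers(p, a, t) for p in policies)]


if __name__ == "__main__":
    for account, app_type in mfa_gaps(POLICIES, ACCOUNTS):
        print(f"NOT MET: {account} can sign in via {app_type} without MFA")
```

Each printed line is a point where the SSP statement and the configuration disagree; the same comparison generalizes to any control whose SSP narrative can be reduced to a checkable claim against an exported configuration.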
Gap 2: Evidence Packaging
NIST SP 800-171 compliance under DFARS 252.204-7012 didn’t require you to maintain evidence packages ready for external review. CMMC assessment does. For every control you claim as Met, a C3PAO will request evidence.
Contractors who have implemented controls but never assembled evidence packages spend significant pre-assessment time documenting what they’ve already built. This is lower-cost than remediation, but it’s a real time investment — typically 200–400 hours for a mid-size contractor, depending on documentation maturity.
Gap 3: Scope Creep
Your original NIST 800-171 compliance scope may not match the scope a C3PAO will apply. Common scope expansion scenarios:
- Cloud services: If your original assessment scoped out Microsoft 365 because it was “vendor-managed,” a C3PAO will evaluate your M365 configuration against relevant controls. Vendor management of infrastructure doesn’t remove your NIST 800-171 obligations.
- Remote workers: If employees who access CUI work from home offices, physical protection controls apply to those environments.
- Mobile devices: If CUI is accessible on company mobile devices, device management controls apply.
A pre-assessment scope review is essential for any contractor whose NIST 800-171 program is more than two years old — environments change faster than scopes get updated.
What the DFARS Clause Stack Actually Requires
Defense contractors often conflate the overlapping DFARS clauses. Here’s the operational distinction:
| DFARS Clause | What It Requires | Who It Applies To |
|---|---|---|
| 252.204-7012 | Implement NIST SP 800-171; report cyber incidents within 72 hours; preserve images | Contracts involving CDI/CUI |
| 252.204-7019 | Conduct NIST SP 800-171 self-assessment; submit results to SPRS | Contracts including 7020 |
| 252.204-7020 | Provide DoD access to SPRS score; affirm accuracy of self-assessment | Contracts with 7020 |
| 252.204-7021 (anticipated) | Possess CMMC certification at required level before award | Contracts specifying CMMC |
If your contracts currently include 7012, 7019, and 7020, you’re already operating under the self-attestation regime. CMMC adds 7021 as the verification layer — the same controls, now with third-party enforcement.
Practical Differences When Working with a Consultant
Contractors who already have NIST 800-171 programs need different consulting support than contractors starting from scratch. The work isn’t remediation — it’s:
- SSP accuracy review: Does your SSP accurately describe your actual implementation?
- Evidence gap assessment: For each Met control, do you have defensible evidence ready for C3PAO review?
- Scope validation: Does your current assessment scope match what a C3PAO will apply?
- POA&M review: Are your POA&M items realistic and appropriately categorized?
- Pre-assessment rehearsal: Walking through the assessment process with your team before the C3PAO arrives
This is a meaningfully different engagement than building a compliance program from scratch. When evaluating consultants, ask specifically whether they offer pre-assessment readiness reviews for contractors with existing NIST programs — not just gap assessment for contractors starting from zero.
The Self-Assessment to Certification Timeline for Established Programs
For a contractor who has genuinely implemented NIST SP 800-171 and has a functioning compliance program, the path to CMMC Level 2 certification typically looks like:
Months 1–2: SSP accuracy review and update; scope validation; evidence gap identification
Months 2–4: Evidence package assembly and documentation cleanup; POA&M current-state review
Months 3–5: C3PAO selection and scheduling (start this early — backlog is real)
Months 4–6: Remediation of any actual control gaps identified in review
Months 5–8: Pre-assessment documentation review with consulting support
Months 6–10: C3PAO assessment
Total timeline for a genuinely compliant contractor: 6–10 months. For contractors who believed they were compliant but have implementation gaps, add 3–6 months of remediation.
Get an Honest Assessment of Your NIST-to-CMMC Gap
The most expensive mistake for contractors with existing NIST programs is assuming their compliance documentation will survive C3PAO scrutiny without review. We’ve seen contractors with SPRS scores above +90 fail assessment because their SSP didn’t match their implementation.
A readiness review from a qualified practitioner before you engage a C3PAO is the most cost-effective step you can take. It identifies documentation gaps, scope issues, and evidence weaknesses before they become assessment findings.
CMMC First offers a free CMMC Readiness Assessment specifically structured for contractors with existing NIST SP 800-171 programs. You’ll get an honest evaluation of what your current compliance documentation will look like to a C3PAO, and a clear action plan for closing the gap between your current posture and certification-ready.
Schedule your free CMMC readiness assessment →
Frequently Asked Questions
If I’m already compliant with NIST SP 800-171, do I need to do anything for CMMC?
Yes. CMMC Level 2 requires all 110 NIST SP 800-171 Rev 2 practices, but requires third-party verification by an authorized C3PAO — not self-attestation. Contractors with existing NIST programs still need to: (1) validate their SSP accurately reflects implementation, (2) assemble evidence packages for C3PAO review, (3) validate scope completeness, and (4) schedule and complete a C3PAO assessment. The work for a well-postured contractor is primarily documentation and evidence readiness, not remediation.
Does CMMC require anything beyond NIST SP 800-171?
CMMC Level 2 maps exactly to NIST SP 800-171 Rev 2 — 110 practices, no additions. CMMC Level 3 (for high-value programs) adds practices from NIST SP 800-172. Most defense contractors will only need Level 2. Level 1 (17 practices for federal contract information, not CUI) is a separate, lower requirement.
My SPRS score is above 100. Am I ready for CMMC assessment?
Not necessarily. A high SPRS score that was generated via self-assessment may not survive C3PAO scrutiny. The systematic issues with self-assessed scores (partial implementation scored as full, policy existence without enforcement evidence, scope gaps) affect high scorers as well as low scorers. A practitioner pre-assessment review is warranted regardless of your current SPRS score.
What version of NIST SP 800-171 does CMMC assessment use?
CMMC Level 2 assessment uses NIST SP 800-171 Revision 2 (published February 2020), as reflected in the CMMC 2.0 Final Rule (December 2024). NIST SP 800-171 Revision 3 was published in May 2024 but has not yet been incorporated into CMMC requirements. Your assessment will be against Rev 2.
Can I use a consultant’s template SSP for CMMC compliance?
Template SSPs are a starting point, not a deliverable. A CMMC Level 2 SSP must describe how your specific organization implements each of the 110 controls in your actual environment — not how a generic organization might implement them. Assessors are experienced at identifying boilerplate SSPs, and a template-driven SSP that doesn’t match your actual implementation will produce findings regardless of your technical posture.
Related reading:
- CMMC Level 2 Requirements: Complete Guide to 110 Security Controls
- SPRS Score Explained: What Defense Contractors Need to Know Before CMMC
- The C3PAO Assessment Backlog: What Defense Contractors Need to Know in 2026
This content is for informational purposes only and does not constitute legal, compliance, or cybersecurity advice. Consult qualified professionals for guidance specific to your organization.
References: NIST SP 800-171 | CMMC program | 32 CFR Part 170