· CMMC  · 7 min read

NIST 800-171 to CMMC Level 2: How the 110 Controls Map Together

How the 110 NIST SP 800-171 r2 security requirements map to CMMC Level 2 practices.


For organizations preparing to certify against the Cybersecurity Maturity Model Certification (CMMC) Level 2, one thing has been clear since the program rule was published in the Federal Register: the technical bar is NIST SP 800-171. Not a parallel set of practices. Not a different framework. CMMC Level 2 is, at its core, an assessor-verified implementation of the same 110 security requirements published in NIST SP 800-171 r2. The mapping is one-to-one. The differences are in how the controls are assessed, who may assess them, and what evidence must be produced and retained.

This post walks through the practical relationship between the two, where the boundaries blur, and what changes for an organization that has been working to a self-attested SPRS score and now needs a defensible third-party assessment.

The Starting Point: NIST SP 800-171 r2

NIST SP 800-171 r2 defines 110 security requirements grouped into 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity. Each requirement is written as a Basic or Derived security requirement, with the Basic requirements drawn from FIPS 200 and the Derived requirements pulled from NIST SP 800-53.

These 110 requirements form the contractual obligation set by DFARS 252.204-7012(b)(2), which requires contractors handling Covered Defense Information (a subset of Controlled Unclassified Information, or CUI) to implement them on covered contractor information systems. Full implementation has been required since December 31, 2017. Contractors have been required to submit a self-assessment score to the Supplier Performance Risk System (SPRS) since November 2020 under DFARS 252.204-7019 and 252.204-7020.

What CMMC Level 2 Adds On Top

The CMMC program, codified in the final rule at 32 CFR Part 170, formalizes verification of NIST 800-171 implementation. CMMC Level 2 maps directly to the 110 NIST 800-171 r2 requirements, but with three structural differences from the self-assessment regime that preceded it:

  • Independent assessment. A Level 2 certification is performed by a CMMC Third-Party Assessment Organization (C3PAO). Self-assessment for Level 2 is reserved for a narrow subset of non-prioritized acquisitions and is becoming the exception, not the norm.
  • Three-year certification cycle. A passing assessment carries a three-year certification with annual affirmation by a senior company official. SPRS scores no longer stand alone for CUI-handling contracts that flow down Level 2.
  • Pass/fail scoring at the practice level. Each of the 110 practices is scored MET, NOT MET, or NOT APPLICABLE. A practice that is partially implemented is NOT MET, full stop. NOT MET practices still carry point values under the CMMC Scoring Methodology, but those values decide whether a shortfall can sit on a POA&M, not a standalone posture number the way an SPRS score does.

How the Mapping Actually Looks

The mapping is published by the DoD CIO and is straightforward: every CMMC Level 2 practice carries the same identifier as its NIST 800-171 r2 counterpart, in the form FAMILY.L2-3.x.y. For example:

  • NIST SP 800-171 r2 requirement 3.1.1 (“Limit system access to authorized users”) maps to CMMC practice AC.L2-3.1.1.
  • NIST 3.13.11 (“Employ FIPS-validated cryptography when used to protect the confidentiality of CUI”) maps to CMMC SC.L2-3.13.11.
  • NIST 3.14.2 (“Provide protection from malicious code at appropriate locations”) maps to CMMC SI.L2-3.14.2.

There is no renaming, no consolidation, no expansion of the practice text in Level 2. The control language is the language inherited from NIST. The Level 2 Assessment Guide, published by the DoD, supplies discussion and assessment objectives for each practice but does not change the requirement.

Where Level 3 (and SP 800-172) Come In

CMMC Level 3 adds 24 selected practices from NIST SP 800-172, the enhanced security requirements publication. Level 3 is reserved for contracts involving CUI of the highest criticality and is assessed by the DoD itself, not by C3PAOs. For the bulk of the DIB working with standard CUI, Level 2 against the 110 NIST 800-171 controls is the relevant target.

What the Assessment Actually Scores

For each of the 110 practices, a C3PAO assessor applies the three assessment methods defined in NIST SP 800-171A: examine (artifacts and documentation), interview (personnel), and test (technical or operational verification). All applicable assessment objectives within a practice must be satisfied to score MET.

For example, AC.L2-3.1.20 (“Verify and control/limit connections to and use of external systems”) has assessment objectives that require connections to, and use of, external systems to be identified, verified, and controlled or limited. In practice that means an inventory of external systems and the terms for using them; enforcement at the technical layer (typically Conditional Access, network ACLs, or Intune compliance signals); and logs or configuration exports that show the enforcement is actually operating. Missing any one of those objectives leaves the practice NOT MET.

This is why a control implementation that looked acceptable for a self-assessed SPRS score may fail a Level 2 assessment. The 110 requirements have not changed, but the burden of producing evidence for every assessment objective is significantly higher.

The Scoring Math Difference

SPRS scoring under the DoD Assessment Methodology starts at 110 and subtracts a fixed value (1, 3, or 5 points) for each NOT IMPLEMENTED requirement; partial credit exists only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), which lose 3 points instead of 5 when partially satisfied. A perfect score is 110; the lowest possible is −203. The methodology was designed to give the DoD a quantitative snapshot of contractor posture under self-attestation.

Under CMMC Level 2, the calculation is different. Conditional certification requires a score of at least 88 out of 110 (a ratio of 0.8) at the time of assessment, with every NOT MET practice on an approved Plan of Action and Milestones (POA&M) and closed out within 180 days. Crucially, most practices are not POA&M-eligible at all. Under 32 CFR 170.21(a)(2), any practice with a point value greater than 1 in the scoring methodology (the 3- and 5-point practices) must be MET at assessment, with one exception: SC.L2-3.13.11 may be on a POA&M when it scores at 3, meaning CUI is encrypted but not with FIPS-validated cryptography. Five 1-point practices are also excluded from the POA&M and must be MET: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4, and PE.L2-3.10.5. The eligibility rules are in 32 CFR 170.21 and the point values in the CMMC Scoring Methodology at 32 CFR 170.24.

For organizations approaching their first Level 2 assessment, this means the SPRS score is no longer a sufficient predictor of outcome. A score in the 90s with the wrong practices NOT IMPLEMENTED can still be a failing certification.

Where the Practical Work Shifts

The mapping being one-to-one is good news for organizations with mature NIST 800-171 programs: there is no surprise additional control set to implement. The shift is in three areas:

1. Scope Definition Becomes Assessor-Defensible

Under self-assessment, an organization could draw an optimistic CUI boundary and rely on its own interpretation. A C3PAO will challenge boundary diagrams that exclude systems with realistic CUI exposure. Scoping is now an assessor conversation, not an internal one.

2. Evidence Retention Is Non-Negotiable

Every MET practice needs documented evidence the assessor can examine. Screenshots from a year ago in a shared drive will not survive a Level 2 assessment. The expectation is a System Security Plan that describes the implementation as built and a corresponding evidence library: configuration exports, audit logs, policy documents with revision history, training records, and incident response plan walkthroughs. The SSP is the central document anchoring all of it.

3. POA&M Discipline Tightens

The 180-day POA&M closure window is a hard deadline tied to conditional certification. If any item is still open when the window closes, the conditional certification lapses. The POA&M discipline that worked under self-assessment (“we’ll fix it when we get to it”) becomes a tracked, dated, evidence-bearing closure process verified at a close-out assessment.

What to Do Next

  • Pull your current SPRS score and the DoD Assessment Methodology scoring sheet. Identify the practices currently scored NOT IMPLEMENTED.
  • Cross-check those against the POA&M-eligibility list in the CMMC Level 2 Assessment Guide. Any non-POA&M-eligible practice in your NOT IMPLEMENTED set is a blocker for certification at today’s posture.
  • Inventory existing evidence by practice. Where evidence is screenshots, anecdotes, or “we do this but it isn’t written down,” that practice is at risk under assessor review even if it was scored as implemented in SPRS.
  • Confirm the CUI boundary your SSP describes is the boundary an assessor would draw. If it is more optimistic, expect challenge.
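The scoring difference described under “The Scoring Math Difference” and the first two checklist items above can be worked through mechanically. The following is an added example written for this post, not code from DoD, a C3PAO, or any CMMC tool: it computes the SPRS-style score (110 minus point deductions), then applies the 32 CFR 170.21(a)(2) conditional-status test (score of at least 88, no NOT MET practice with a value above 1 except SC.L2-3.13.11 at 3, and none of the five excluded 1-point practices). The practices, their statuses, and the point values on them are constructed sample data; confirm each value against the published scoring methodology before using this on a real SSP.

```python
"""Gap check: SPRS-style score next to the CMMC Level 2 conditional-status
test in 32 CFR 170.21(a)(2).

Added example for this post, not code from DoD or any CMMC tool. Point values
on the sample practices below are CONSTRUCTED for illustration.
"""
from dataclasses import dataclass
from typing import Optional

TOTAL_REQUIREMENTS = 110               # NIST SP 800-171 r2 / CMMC Level 2
ENCRYPTION_PRACTICE = "SC.L2-3.13.11"  # 170.21(a)(2)(ii) exception, at value 3
NEVER_POAM = {                         # 170.21(a)(2)(iii): must be MET
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}


@dataclass(frozen=True)
class Practice:
    pid: str                       # CMMC identifier, e.g. "AC.L2-3.1.1"
    points: int                    # 1, 3 or 5 in the scoring methodology
    status: str                    # "MET", "NOT MET" or "NOT APPLICABLE"
    partial: Optional[int] = None  # reduced deduction for a partial case,
                                   # e.g. 3 for 3.13.11 with non-FIPS crypto

    def deduction(self) -> int:
        """Points subtracted from the 110 baseline for this practice."""
        if self.status != "NOT MET":
            return 0               # MET and justified N/A lose nothing
        return self.partial if self.partial is not None else self.points


def sprs_score(practices, total=TOTAL_REQUIREMENTS) -> int:
    """Start at the baseline and subtract each NOT MET practice's value.
    Practices not listed are assumed MET (the sample lists only the ones
    under review)."""
    return total - sum(p.deduction() for p in practices)


def poam_eligible(p: Practice) -> bool:
    """May this NOT MET practice sit on a POA&M under 170.21(a)(2)?"""
    if p.pid in NEVER_POAM:
        return False
    if p.pid == ENCRYPTION_PRACTICE:
        return p.deduction() == 3   # encrypted, but not FIPS-validated
    return p.points <= 1            # 3- and 5-point practices must be MET


def level2_outcome(practices, total=TOTAL_REQUIREMENTS) -> dict:
    """Classify an assessment as FINAL, CONDITIONAL (POA&M with a 180-day
    close-out) or NOT CERTIFIED, and list the NOT MET practices that block
    certification outright."""
    not_met = [p for p in practices if p.status == "NOT MET"]
    score = sprs_score(practices, total)
    blockers = sorted(p.pid for p in not_met if not poam_eligible(p))
    poam = sorted(p.pid for p in not_met if poam_eligible(p))
    min_score = (8 * total + 9) // 10    # ceil(0.8 * total) = 88 for 110
    if not not_met:
        status = "FINAL"
    elif score >= min_score and not blockers:
        status = "CONDITIONAL"
    else:
        status = "NOT CERTIFIED"
    return {"score": score, "min_score": min_score,
            "status": status, "blockers": blockers, "poam": poam}


# Constructed sample: a contractor whose SPRS score looks healthy but whose
# NOT MET set contains practices that are never POA&M-eligible.
SAMPLE = [
    Practice("AC.L2-3.1.1", 5, "MET"),
    Practice("AC.L2-3.1.20", 1, "NOT MET"),              # blocker: named in (iii)
    Practice("AC.L2-3.1.7", 1, "NOT MET"),               # eligible 1-point practice
    Practice("IA.L2-3.5.3", 5, "NOT MET"),               # blocker: 5-point practice
    Practice("SC.L2-3.13.11", 5, "NOT MET", partial=3),  # eligible at value 3
    Practice("SI.L2-3.14.2", 5, "MET"),
]

if __name__ == "__main__":
    result = level2_outcome(SAMPLE)
    print(f"score {result['score']} (min {result['min_score']}): {result['status']}")
    print("blockers:", result["blockers"])
    print("POA&M:   ", result["poam"])
```

Run as-is, the sample scores 100, comfortably above 88, yet comes back NOT CERTIFIED because AC.L2-3.1.20 and IA.L2-3.5.3 cannot be deferred to a POA&M; remove those two shortfalls and the same assessment becomes CONDITIONAL with a two-item POA&M. That is the “score in the 90s that still fails” case from the text, in code.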

The good news is that the controls are not new. The work is moving from self-asserted implementation to assessor-defensible implementation, and the gap between those two states is what most pre-assessment engagements end up closing.
