CMMC 2.0 Maturity Levels and NIST 800-171 

cmmc 2.0 featured

The original CMMC (version 1.0) was based on several cybersecurity guidelines, most prominently NIST 800-171. With the announcement of CMMC version 2.0 in early November 2021, however, the alignment between the frameworks and the NIST document has changed a bit. Fortunately, this change seems to be for the better, or at least more intuitive, for assessors and contractors. 

Here, we’ll discuss how the new CMMC 2.0 assessment levels align with NIST 800-171 and how this can help contractors more readily meet their security obligations once the new framework goes into effect. 


What Are the CMMC Version 2.0 Levels?

CMMC version 1.0 originally defined five different maturity levels, each one corresponding to a different (and increasing) set of capabilities and responsibilities. At Level 1, contractors could manage Federal Contract Information (FCI), and at Level 3, they could manage Controlled Unclassified Information (CUI). At higher levels, the contractor demonstrated that they had advanced capabilities to handle complex dangers like advanced persistent threats (APTs).

After feedback from contractors and assessors, the DoD decided to release CMMC 2.0 with a different approach to cybersecurity maturity. One of the most significant changes suggested is the reduction of the CMMC Maturity Levels from five to 3. Furthermore, they eliminated the “maturity” requirements at each level. Originally, the contractor had to demonstrate they could perform specific tasks (documentation, optimization, etc.).

Now, levels are tied explicitly to NIST controls called “practices,” which refer to specific, implemented security measures from NIST 800-171, an organization has in place.

The three CMMC 2.0 Maturity Levels are:

  1. Level 1: At Level 1, contractors are certified to handle FCI. They must implement 15 practices and conduct annual self-assessments.
  2. Level 2: At Level 2, contractors are certified to handle CUI. They must implement 110 practices aligned with NIST 800-171 and undergo triennial third-party assessments from a certified C3PAO (with some exceptions for self-assessment).
  3. Level 3: At Level 3, the contract can work with agencies in the most sensitive non-classified contexts. They must implement 134 controls (some based on NIST 800-172) and undergo triennial third-party assessments.

This new set of levels significantly reduces the original CMMC model’s complexity. Furthermore, it ties the model directly to its source document, namely NIST 800-171.


What is NIST 800-171, and How Does it Relate to CMMC 2.0?

cmmc 2.0

The original CMMC (version 1.0) was created to provide a tiered, maturity-based approach to NIST 800-171 compliance. CMMC 2.0 takes this further by eliminating maturity as a requirement and aligning CMMC certification strictly with NIST 800-171.

What’s NIST Special publication 800-171? This document, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” focuses specifically on how agencies can implement the right controls necessary to protect CUI from threats.

The guidelines in NIST 800-171 break down controls (known in CMMC as “practices”) into several families, including:

  • Access Control
  • Awareness and Training
  •  Audit and Accountability
  •  Configuration Management
  •  Identification and Authentication
  •  Incident Response
  •  Maintenance
  •  Media Protection
  •  Personnel Security
  •  Physical Protection
  •  Risk Assessment
  •  Security Assessment
  •  System and Communications Protection
  •  System and Information Integrity

Each of these families covers integral protections for IT systems, including maintaining security through identity management, protection against insider threats, protecting data during transmission, and mitigating issues when they arise.

In total, NIST 800-171 contains 110 total controls.

It becomes apparent, then, that CMMC Level 2 essentially encompasses the entirety of NIST 800-171. While Level 1 includes a bare minimum of security practices needed to simply protect the information, Level 2 requires a contractor to essentially implement NIST 800-171 from top to bottom. Following this, it’s critical for organizations looking to the future of CMMC 2.0 to understand NIST 800-171 as the central document of their defense compliance strategy.

Level 3, however, presents an interesting addition. The official release of CMMC 2.0 from the DoD lists Level 3 as “110+ practices based on NIST SP 800-172.” NIST Special Publication 800-172 is titled “Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171,” and as the name suggests, it adds critical and advanced featured for more complex IT systems handling CUI.

More specifically, NIST 800-172 outlines guidelines for meeting the challenges of advanced persistent threats (APTs). Originally, CMMC 1.0 Levels 4 and 5 addressed the practices that a contractor would face handling APTs and shifting tactics and techniques used by more complicated attacks, typically those from state-sponsored organizations.

Its structure is much the same as NIST 800-171, including all the same control categories in its predecessor. It simply adds more demanding and comprehensive controls into those categories, including practices like conducting cyber hunting activities, using techniques for assessing a reassessing employee for CUI access and managing an internal incident response team. Not every category has an expanded set of capabilities in NIST 800-171, but many do.

In terms of CMMC 2.0 and Level 3 assessment, the number of practices an organization would actually implement is variable. Requirements would come directly from the agency themselves, thus the plus sign at the end. Contractors at Level 3 would be managing systems for specific contexts and advanced threats, and as such, it will be the case that the agency need will dictate what certification will look like


Understand CMMC and NIST 800-171 and Automate Audits

CMMC 2.0 isn’t expected to become a part of defense contracts for at least 9-24 months. In the meantime, the DoD is pausing the inclusion of new CMMC contract requirements and honoring ongoing certifications.

Understand, though, that full compliance requirements are on the horizon, and any contractor working in the defense industry will be expected to meet them. If you are or plan to support defense agencies with their information management need related to CUI, then CMMC 2.0 is 100% in your future.

Fortunately, compliance with NIST 800-171 and CMMC can be automated, and Continuum GRC has built a cloud-based system to streamline audits and reporting. Take a process that often stretches for weeks or even months and reduce it to mere days, all without sacrificing accuracy. More importantly, do so hand-in-hand with industry experts with decades of combined experience to guide you.


Are You Preparing for CMMC or Other Government Audits?

Call Continuum GRC at 1-888-896-6207 or complete the form below.


Continuum GRC