Differences between NIST 800-171 and the CMMC

NIST 800-171 is a Controls standard that lists the required safeguards to be implemented to protect CUI. CMMC includes Controls–which they call “Practices”–as well as Process requirements for an organization, whereby an organization is required to demonstrate it has the resources required to fully implement and maintain the Practices. All 110 NIST 800-171 Controls are included as Practices at some level of the CMMC. Some levels of the CMMC add additional Practices over and above NIST 800-171. CMMC Level 1 includes 17 Practices, all of which are included in 800-171. CMMC Level 2 has 72 Practices, including 65 800-171 Controls and 7 additional Practices. CMMC Level 3 includes all 110 Controls from 800-171 and 20 additional Practices. For a breakdown of these additional Practices, see the Totem.Tech blog here: https://www.totem.tech/cmmc-nist-800-171/. CMMC Levels 4 and 5 build off Level 3 and contain 26 and 41 additional Practices, respectively. CMMC also contains additional resources, including a Clarification of the intent of each Practice, an Example of implementation of the Practice, and references to sources the DoD drew from to define the Practice. It appears the DoD will develop the CMMC Assessment Methodology from NIST Assessment Objectives, for example those contained in 800-171A and -171B.