Differences between NIST 800-171 and the CMMC

April 1, 2021 by Zoie Schiermeyer

NIST 800-171 is a Controls standard: it lists the required safeguards that must be implemented to protect CUI. CMMC includes Controls (which it calls "Practices") as well as Process requirements for an organization, whereby the organization must demonstrate that it has the resources required to fully implement and maintain the Practices.

All 110 NIST 800-171 Controls are included as Practices at some level of the CMMC, and some CMMC levels add Practices over and above NIST 800-171. CMMC Level 1 includes 17 Practices, all of which are included in 800-171. CMMC Level 2 has 72 Practices, made up of 65 800-171 Controls and 7 additional Practices. CMMC Level 3 includes all 110 Controls from 800-171 and 20 additional Practices. For a breakdown of these additional Practices, see the Totem.Tech blog here: https://www.totem.tech/cmmc-nist-800-171/. CMMC Levels 4 and 5 build on Level 3 and contain 26 and 41 additional Practices, respectively.

CMMC also contains additional resources for each Practice: a Clarification of the Practice's intent, an Example of how the Practice can be implemented, and references to the sources the DoD drew from to define the Practice. It appears the DoD will develop the CMMC Assessment Methodology from NIST Assessment Objectives, for example those contained in 800-171A and 800-171B.
