NIST 800-171 Compliance for Small Defense Contractors
The 110 security controls your contracts require, your assessor will grade you on, and your business depends on. Implemented properly, documented thoroughly, and built to survive a third-party assessment.
The Framework Behind Everything
NIST 800-171 is the foundation of cybersecurity compliance for anyone handling Controlled Unclassified Information. It is the 110 security controls that CMMC Level 2 is built on. It is what DFARS 252.204-7012 has required since 2017. It is what your assessor will be grading you against.
For years, defense contractors were required to self-attest to NIST 800-171 compliance. You submitted a score to SPRS, said you were implementing the controls, and that was the end of it. Nobody verified. Nobody checked your documentation. Nobody asked to see your audit logs.
That era is over. CMMC means third-party assessors will be walking through your environment, reviewing your documentation, and testing whether your controls actually work. Self-attestation is being replaced by verification. If you have been checking the box without doing the work, the gap between what you reported and what you can prove is about to become a serious business problem.
We help small defense contractors and manufacturers close that gap. Not with a binder of generic policies, but with real implementation that holds up when someone actually looks.
What NIST 800-171 Actually Requires
NIST 800-171 organizes its 110 controls into 14 families. Each family covers a different area of your security program. You need to address all of them, but some trip up small companies far more than others.
Access Control
This is the largest family with 22 controls, and it is where most small companies have the biggest gaps. Access control is about proving who can see what in your environment. That means role-based access, least privilege, session controls, remote access policies, and wireless access restrictions. Your assessor will ask you to show them exactly who has access to CUI and why. If the answer is "everyone has admin access because it was easier to set up that way," you have work to do.
Audit and Accountability
You need to log what happens in your environment and actually review those logs. Not just turn on logging and forget about it. Your assessor will want to see that you are creating audit logs, protecting those logs from tampering, reviewing them on a defined schedule, and that you can correlate events across systems. Most small companies either have no logging at all or have logs they have never looked at. Neither passes an assessment.
Configuration Management
Every system that touches CUI needs a secure baseline configuration, and you need to document what that baseline is. When changes happen, you need a process for approving, documenting, and tracking those changes. This is not just about having secure settings. It is about proving you have a system for managing those settings over time.
Identification and Authentication
Multi-factor authentication is non-negotiable for any system accessing CUI. Beyond MFA, you need proper password policies, account management procedures, and a way to uniquely identify every user. Shared accounts are a problem. Service accounts without proper controls are a problem. No MFA on remote access is a problem.
Media Protection
This one catches people off guard. Media protection covers USB drives, external hard drives, printed documents, and any other physical or digital media that could contain CUI. You need policies for how media is marked, stored, transported, and destroyed. If your employees can plug in a personal USB drive and copy CUI to it, that is a control failure.
System and Communications Protection
CUI must be encrypted in transit and at rest. That means TLS for data moving across networks and disk or file encryption on the systems where CUI is stored, and the cryptography used to protect CUI has to be FIPS-validated (requirement 3.13.11), so "it is encrypted" is not enough on its own if the module doing the encrypting is not validated. You also need to separate your public-facing systems from internal systems, monitor your network boundaries, and protect the confidentiality of CUI during transmission. If you are sending CUI over unencrypted email, that is a finding.
The Other Eight Families
The remaining families are equally important even if they tend to cause fewer surprises:
- Awareness and Training -- your people need security training and you need to document it
- Incident Response -- you need a plan for what happens when something goes wrong, and you need to test it
- Maintenance -- systems need regular maintenance with proper controls on who performs it
- Personnel Security -- screening employees and managing access when people leave
- Physical Protection -- controlling physical access to systems that process CUI
- Risk Assessment -- identifying and assessing risks to your operations and CUI
- Security Assessment -- periodically evaluating whether your controls are actually working
- System and Information Integrity -- identifying flaws, monitoring for threats, and patching systems
Every one of these families has controls you need to implement, document, and be ready to demonstrate. Miss one family and your assessment has a gap.
Where Small Companies Typically Fall Short
After working with dozens of small defense contractors, the same gaps show up over and over. These are not obscure technicalities. They are fundamental issues that will fail an assessment.
No SSP or a Template Nobody Customized
Your System Security Plan is the single most important document in your compliance program. It describes your environment, your boundaries, and how you implement each control. Downloading a template and filling in your company name is not an SSP. Your assessor will read this document line by line and compare it to your actual environment. If those do not match, you have a problem.
No POA&M Tracking Actual Gaps
A Plan of Action and Milestones is not optional. It documents the gaps you know about and your plan to fix them. Many companies either have no POA&M at all or have one that was created once and never updated. Your assessor expects to see a living document that reflects your real security posture. Keep in mind that under CMMC a POA&M no longer buys unlimited time: a Level 2 certification with open POA&M items is conditional, the open items must be closed within 180 days, and not every control is eligible to sit on a POA&M at all.
No Audit Logging or Log Review
Turning on Windows Event Logging does not make you compliant. You need centralized logging, protection against log tampering, defined retention periods, and a regular review process. When your assessor asks "show me your last log review," you need to have something to show them.
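The logging requirements described above (create logs, protect them from tampering, review them on a schedule, correlate across systems) are the kind of thing an assessor wants to see working, not just described. The following is an added Python example, not code from this page or from the company it describes: an append-only hash chain gives tamper evidence, a verify step proves the chain is intact, and a review step correlates VPN gateway events with CUI file-server events and produces the dated review record you would hand an assessor. The hostnames, users, addresses and event fields are constructed sample data, not real logs; the 10-minute window and 3-failure threshold are illustrative assumptions.

```python
import copy
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events from two systems: a VPN gateway ("vpn-gw") and a
# file server holding CUI ("fs-cui01"). Hosts, users and IPs are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T08:01:10Z", "host": "vpn-gw", "user": "jsmith", "event": "vpn_login", "result": "success", "src": "203.0.113.7"},
    {"ts": "2024-03-04T08:02:45Z", "host": "fs-cui01", "user": "jsmith", "event": "file_read", "result": "success", "path": "CUI/drawing-1187.pdf"},
    {"ts": "2024-03-04T09:15:00Z", "host": "fs-cui01", "user": "tbrown", "event": "file_read", "result": "success", "path": "CUI/contract-04.docx"},
    {"ts": "2024-03-04T22:10:01Z", "host": "vpn-gw", "user": "tbrown", "event": "vpn_login", "result": "failure", "src": "198.51.100.9"},
    {"ts": "2024-03-04T22:10:20Z", "host": "vpn-gw", "user": "tbrown", "event": "vpn_login", "result": "failure", "src": "198.51.100.9"},
    {"ts": "2024-03-04T22:10:41Z", "host": "vpn-gw", "user": "tbrown", "event": "vpn_login", "result": "failure", "src": "198.51.100.9"},
    {"ts": "2024-03-04T22:12:30Z", "host": "vpn-gw", "user": "tbrown", "event": "vpn_login", "result": "success", "src": "198.51.100.9"},
    {"ts": "2024-03-04T22:13:02Z", "host": "fs-cui01", "user": "tbrown", "event": "file_read", "result": "success", "path": "CUI/drawing-1187.pdf"},
]

GENESIS = "0" * 64  # hash "before" the first record


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _body(ev):
    # Canonical serialisation so the same event always hashes the same way.
    return json.dumps(ev, sort_keys=True, separators=(",", ":"))


def build_chain(events):
    """Append-only store: every record commits to the previous record's hash,
    so editing or deleting an earlier entry invalidates everything after it."""
    chain, prev = [], GENESIS
    for ev in events:
        digest = hashlib.sha256((prev + _body(ev)).encode()).hexdigest()
        chain.append({"event": ev, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = hashlib.sha256((prev + _body(rec["event"])).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False, i
        prev = rec["hash"]
    return True, None


def review(events, window=timedelta(minutes=10), fail_threshold=3):
    """Cross-system review (assumed thresholds): flag a VPN login that follows a
    burst of failures, then flag CUI file access by that user inside the window."""
    findings = []
    recent_fail = defaultdict(list)   # user -> timestamps of recent failures
    suspicious_login = {}             # user -> time of flagged login
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, user = _ts(ev["ts"]), ev["user"]
        if ev["event"] == "vpn_login":
            if ev["result"] == "failure":
                recent_fail[user] = [x for x in recent_fail[user] if t - x <= window] + [t]
            else:
                fails = [x for x in recent_fail[user] if t - x <= window]
                if len(fails) >= fail_threshold:
                    suspicious_login[user] = t
                    findings.append(("brute_force_then_success", user, ev["ts"], ev["src"], len(fails)))
                recent_fail[user] = []
        elif ev["event"] == "file_read" and ev["path"].startswith("CUI/"):
            login_t = suspicious_login.get(user)
            if login_t is not None and t - login_t <= window:
                findings.append(("cui_access_after_suspicious_login", user, ev["ts"], ev["host"], ev["path"]))
    return findings


def log_review_record(chain, reviewed_by, reviewed_at):
    """The dated artifact for 'show me your last log review': who reviewed what,
    whether the store was intact, and what was found."""
    intact, bad = verify_chain(chain)
    return {
        "reviewed_at": reviewed_at,
        "reviewed_by": reviewed_by,
        "records_reviewed": len(chain),
        "chain_intact": intact,
        "first_bad_record": bad,
        "findings": review([r["event"] for r in chain]),
    }


def tamper_demo(events=SAMPLE_EVENTS, index=7):
    """Edit one stored record after the fact and show the verifier catches it."""
    chain = build_chain(copy.deepcopy(events))
    chain[index]["event"]["path"] = "CUI/nothing-to-see.txt"
    return verify_chain(chain)


if __name__ == "__main__":
    record = log_review_record(build_chain(SAMPLE_EVENTS), "security-lead", "2024-03-05T09:00:00Z")
    print(json.dumps(record, indent=2))
    print("tamper check:", tamper_demo())
```

The hash chain is the minimum that makes "protected from tampering" demonstrable; in production the chain head (or the logs themselves) should be shipped to a separate, write-once or access-restricted collector so the person who can edit a server cannot also rewrite its history. The review record is the piece assessors actually ask for, so store one per review and date it.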
Personal Devices Accessing CUI
If employees are accessing CUI from personal laptops, phones, or home computers with no mobile device management and no security controls, you have a scope problem and a control failure. Every device that touches CUI is in scope and needs to meet all applicable controls.
No Incident Response Plan
You need a plan for what to do when a security incident happens. Not a generic document you downloaded. A plan with roles, responsibilities, communication procedures, and reporting requirements specific to your organization. And you need to test it. An untested incident response plan is almost as bad as not having one.
Commercial Microsoft 365 for CUI
Standard commercial Microsoft 365 does not meet the requirements for handling CUI. DFARS 252.204-7012 requires that any cloud service storing or processing CUI meet the FedRAMP Moderate baseline (or equivalent) and support the clause's incident reporting and forensic obligations, and Microsoft makes those commitments in its government clouds, GCC and GCC High, not in the commercial tenant. If your CUI is also export controlled (ITAR), GCC High is the one to plan for. This is one of the most common and most expensive gaps to close, but there is no way around it.
How We Help You Get There
We do not hand you a checklist and wish you luck. We work alongside your team from gap assessment through assessment readiness, handling the technical implementation and documentation that most small companies do not have the staff or expertise to do themselves.
Gap Assessment Against All 110 Controls
We start by evaluating your current environment against every NIST 800-171 control. Not a surface-level questionnaire. We look at your systems, your configurations, your policies, and your documentation. You get an honest picture of where you stand, what is working, and what is not. This is the foundation everything else builds on.
Prioritized Remediation Roadmap
Not all gaps are equal. Some controls are harder to implement. Some carry more risk if left unaddressed. Some are quick wins that improve your posture immediately. We build a remediation roadmap that prioritizes by risk and assessment readiness, so you are fixing the right things in the right order. We also give you realistic timelines and cost expectations so there are no surprises.
Technical Implementation
This is where the real work happens. We handle GCC High migration, endpoint hardening, MFA deployment, centralized logging, encryption configuration, network segmentation, and every other technical control that needs to be in place. If reducing scope makes sense for your environment, we design and implement enclave solutions that limit where CUI lives so you have fewer systems to secure.
Documentation
Controls without documentation are controls you cannot prove. We write your System Security Plan, Plan of Action and Milestones, incident response plan, and the policies and procedures that support every control family. These are not templates. They are documents that describe your actual environment and your actual processes, written to withstand assessor scrutiny.
Pre-Assessment Readiness Review
Before you engage a C3PAO for your assessment, we do a readiness review that simulates what the assessor will look for. We walk through your controls, test your documentation, and identify anything that needs to be tightened up. You go into your assessment knowing what to expect, not hoping for the best.
Ongoing Support
Compliance is not a one-time project. Controls need to be maintained, policies need to be updated, logs need to be reviewed, and people need to be trained. We offer ongoing support options so your compliance program stays current and your environment stays secure between assessments.
NIST 800-171 vs CMMC Level 2
Here is the short version: NIST 800-171 and CMMC Level 2 cover the same 110 controls. If you implement NIST 800-171 fully, you have implemented what CMMC Level 2 requires. The difference is verification.
Under the old system, you self-attested to NIST 800-171 compliance. You scored yourself, submitted that score, and moved on. CMMC Level 2 replaces self-attestation with third-party assessment for most contracts: a CMMC Third-Party Assessment Organization (C3PAO) sends certified assessors who review your documentation, examine your environment, interview your staff, and determine whether you have actually implemented the controls you claim. Some Level 2 contracts still allow a self-assessment, but it is now an affirmed, scored result with the same 110 controls behind it, so the work is the same.
This is why we build every engagement to CMMC Level 2 standard. Implementing NIST 800-171 controls just well enough to check a box is not good enough anymore. You need to implement them well enough that an independent assessor agrees they are working. That is a higher bar, and it is the bar we build to.
If you are weighing whether to tackle this yourself or bring in help, the complexity of meeting assessment standards rather than just checking boxes is the key difference. Self-implementation works when nobody is checking. Assessment readiness requires a different level of rigor.
Most Companies Are Surprised by Their Gaps
Even companies that have been self-attesting for years find gaps they didn't know about. A gap assessment gives you the honest picture.
We'll tell you where you actually stand.
Not ready to talk? Read our CMMC gap assessment guide to learn what's involved.