NIST 800-171 and CMMC Level 2: How the Controls Map

If your organization has done any NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171) work, you have already laid the groundwork for CMMC Level 2. CMMC Level 2 is built almost entirely on 800-171 Rev 2, with a mostly one-to-one relationship between 800-171 requirements and Level 2 practices. If you have a current System Security Plan (SSP) and a reasonable self-assessment score posted in SPRS (the Supplier Performance Risk System), you are not starting from scratch.


That said, having done 800-171 self-assessment work and being ready for a formal CMMC Level 2 certification are different things. The controls map closely, but CMMC adds third-party assessment accountability, strict evidence standards, and consequences that a self-assessment never imposed. Contractors who treat their existing 800-171 documentation as a near-finished product often find meaningful gaps when they look closely.


This post covers how the 800-171 requirements translate to CMMC Level 2 practices, what the 14 control domains cover, what CMMC adds that 800-171 self-assessment did not, and where companies most often discover they were not as ready as they thought. APT Security Management, based in North Charleston, South Carolina, works with defense contractors at exactly this stage of the process.

How NIST 800-171 Becomes CMMC Level 2

NIST SP 800-171 was developed to protect Controlled Unclassified Information (CUI) in non-federal systems. It has 110 security requirements organized into 14 families. CMMC Level 2 takes those same 110 requirements and codifies them as 110 practices using a different numbering convention.


The relationship is straightforward. A NIST 800-171 requirement like 3.1.1 becomes the CMMC practice AC.L2-3.1.1. The "AC" refers to the domain (Access Control), "L2" marks it as a Level 2 practice, and "3.1.1" is the original NIST control number. The mapping is exact. If you have an SSP that documents NIST 800-171 requirement 3.1.1, that same documentation applies to AC.L2-3.1.1 under CMMC.


The regulatory basis for this is 32 CFR Part 170, which codifies CMMC 2.0 requirements. The current rule references NIST SP 800-171 Rev 2 as the Level 2 baseline. If you are doing any 800-171 work right now for CMMC purposes, Rev 2 is your target. NIST has published Rev 3, and the DoD has released a transition roadmap, but the current compliance target under 32 CFR Part 170 is Rev 2. Your C3PAO (Certified Third-Party Assessment Organization) will assess you against Rev 2 requirements.

The 14 Control Domains and What Each Covers

These domains correspond directly to the 14 NIST 800-171 families:

What CMMC Adds That Self-Assessment Did Not

If your company has self-assessed against 800-171 and posted a score to SPRS, you have already gone through most of the substantive work. But CMMC Level 2 changes the stakes and the standard of proof in several ways.

Third-party assessment for most contractors

Under CMMC 2.0, most Level 2 contracts require assessment by a C3PAO, not self-attestation. A C3PAO will not take your word for it. They will review your documentation, interview personnel, and test controls. Evidence that satisfied your internal self-assessment may not satisfy a formal assessment.

Certification outcome with contracting consequences

CMMC certification is a condition of contract award for contracts with DFARS 252.204-7021 (effective November 10, 2025). A failed assessment does not just generate a finding. It can affect your ability to win or maintain contracts. Your SPRS profile is also visible to contracting officers under DFARS 252.204-7024 during proposal evaluation. A low score or an unresolved assessment has competitive consequences, not just compliance consequences.

Evidence standards are higher

Self-assessment often relies on self-reported status. A C3PAO assesses against specific assessment objectives. For each practice, the assessor is looking at whether the practice is implemented, whether it is documented in your SSP, and whether evidence of implementation exists. Saying a control is implemented is not the same as demonstrating it.

SSP completeness is scrutinized

Your System Security Plan must describe your system boundary, document your asset inventory, show CUI data flows, and provide a specific implementation narrative for each of the 110 practices. Vague descriptions fail. A copied template that does not reflect your actual environment fails.

POA&M use is limited

Under CMMC Level 2, not all gaps can be deferred to a Plan of Action and Milestones (POA&M) at the time of certification. A C3PAO may accept a limited number of open items under specific conditions, but this is not a blanket deferral. You cannot list unmet practices in a POA&M and expect to receive certification.

Where Companies Most Often Find They Were Not Ready

Having done self-assessment work is valuable. But there are consistent areas where contractors discover the gap between self-assessment and formal assessment readiness.

SSP completeness

This is the most common issue. Contractors have SSPs that list controls as "implemented" without sufficient narrative to demonstrate how the implementation actually works. Under formal assessment, this does not pass.

POA&M closure

Contractors carry open POA&M items for months or years without closing them. Assessors look at the age of items, the credibility of milestone dates, and whether closure evidence exists. A stale POA&M raises questions about whether the organization is actually remediating or just documenting.

Evidence collection

Many contractors implement controls but do not retain the evidence needed to demonstrate implementation. Configuration screenshots, policy acknowledgment records, training completion logs, and access review documentation need to be collected and retained as a matter of practice, not assembled right before the assessment.

Scoping gaps

The systems in scope for your assessment must cover everything that processes, stores, or transmits CUI. Contractors who scoped their self-assessment narrowly sometimes discover that additional systems should have been included all along. Adding scope late in the process adds remediation time.

Email security gaps

Email is a common CUI transmission channel that many contractors have not adequately secured. Access control, audit logging, and data protection requirements all apply. Email security solutions like Proofpoint are commonly part of remediation for contractors with gaps in this area.

If you want to know where you stand before an assessor does, our free CMMC Readiness Quickcheck gives you a structured starting point. For a more specific picture of your SPRS scoring exposure, the SPRS Score Calculator walks through your 800-171 practice status and estimates the score impact.

What to Do If You Have an Existing 800-171 SSP

If you already have an SSP and a posted SPRS score, your next steps are focused on gap validation rather than starting from scratch.


Start with a structured review of your SSP against actual assessment objectives, not just the control text. Each practice has specific criteria that a C3PAO uses to determine whether it is implemented. Reviewing your SSP against those criteria reveals where documentation is thin.


Then confirm your POA&M is current. Every item should have an owner, a realistic closure date, and a path to closure evidence. Items without those attributes need to be updated before an assessment.


Finally, look at your scoping decisions. Confirm that every system handling CUI is included in your assessment boundary, and that systems that are out of scope are genuinely isolated from CUI.


Our free SSP Scaffolder can help you rebuild or restructure an SSP that needs a cleaner foundation. If your gaps run deeper, a formal CMMC gap assessment gives you a control-by-control review against the current Level 2 assessment objectives.


For broader context on what CMMC Level 2 involves from the start, see our overview post: What is CMMC 2.0? A Plain English Guide for DoD Contractors.


And if you are still working out what the assessment process and workflow look like, What to Expect From a CMMC Gap Assessment walks through exactly what that engagement involves.

What to Do Next

If your organization has existing 800-171 work, the mapping to CMMC Level 2 is already mostly done on paper. What usually remains is the documentation quality, the evidence posture, and the scoping accuracy. A gap assessment focused on Level 2 assessment readiness, rather than just control coverage, is the most efficient way to find out where you actually stand before a C3PAO does.

Get a Quote for Your Environment

APT Security Management reviews your existing 800-171 documentation and assesses your Level 2 readiness against current assessment objectives. Token-based pricing means you pay for what your environment actually needs. Request a quote to see what a scoped engagement looks like for your organization.