NIST SP 800-171 Mapping
CMMC Level 2 and NIST SP 800-171
CMMC Level 2 is a direct mapping to NIST SP 800-171 Rev 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Every one of the 110 CMMC Level 2 practices corresponds to a NIST SP 800-171 security requirement. There are no additions, modifications, or deletions — the mapping is one-to-one.
This alignment was a deliberate design choice in CMMC 2.0. The original CMMC 1.0 introduced unique practices and maturity processes on top of NIST standards. CMMC 2.0 eliminated those additions, making NIST SP 800-171 the single authoritative source for Level 2 requirements.
The 14 control families
NIST SP 800-171 organizes its 110 security requirements into 14 families. Each family addresses a specific domain of cybersecurity:
3.1 Access Control (22 requirements)
The largest family. Covers how organizations limit system access to authorized users, processes, and devices. Key areas include account management, access enforcement, remote access, and wireless access restrictions.
Example requirements:
- Limit system access to authorized users (3.1.1)
- Employ the principle of least privilege (3.1.5)
- Use multifactor authentication for network access (3.1.8)
- Encrypt CUI on mobile devices and mobile computing platforms (3.1.19)
3.2 Awareness and Training (3 requirements)
Ensures personnel are aware of security risks and trained on their responsibilities. Includes role-based training for users with elevated privileges or security-sensitive roles.
3.3 Audit and Accountability (9 requirements)
Covers creation, protection, and review of system audit logs. Organizations must create and retain system audit logs sufficient to enable monitoring, analysis, investigation, and reporting of unauthorized activity.
3.4 Configuration Management (9 requirements)
Addresses baseline configurations, change control, and least functionality. Organizations must establish and enforce security configuration settings and track changes to systems.
3.5 Identification and Authentication (11 requirements)
Requires unique identification of users and devices, multifactor authentication, and credential management. This family includes some of the most technically demanding requirements.
Example requirements:
- Authenticate (or verify) the identities of users, processes, or devices (3.5.2)
- Use multifactor authentication for local and network access (3.5.3)
- Employ replay-resistant authentication mechanisms (3.5.4)
3.6 Incident Response (3 requirements)
Organizations must establish incident handling capabilities, including preparation, detection, analysis, containment, recovery, and reporting. Incidents involving CUI must be reported to the DoD within 72 hours.
3.7 Maintenance (6 requirements)
Covers system maintenance procedures, maintenance tools, and remote maintenance controls. Includes requirements for supervising maintenance personnel and sanitizing equipment removed for off-site maintenance.
3.8 Media Protection (9 requirements)
Addresses protection of system media — both digital and physical — containing CUI. Includes marking, storage, transport, sanitization, and destruction requirements.
3.9 Personnel Security (2 requirements)
Requires screening individuals before granting access to systems containing CUI and ensuring CUI access is revoked when personnel are terminated or transferred.
3.10 Physical Protection (6 requirements)
Covers physical access controls to systems, equipment, and operating environments. Includes visitor management, monitoring, and protection of physical access devices.
3.11 Risk Assessment (3 requirements)
Organizations must periodically assess risk to operations, assets, and individuals. Includes vulnerability scanning and remediation requirements.
3.12 Security Assessment (4 requirements)
Requires periodic assessment of security controls, monitoring for control effectiveness, and a plan of action for addressing deficiencies. This family directly supports the CMMC assessment process itself.
3.13 System and Communications Protection (16 requirements)
The second-largest family. Covers boundary protection, CUI confidentiality during transmission and at rest, network segmentation, and cryptographic protections. FIPS-validated encryption is required for CUI at rest and in transit.
Example requirements:
- Implement FIPS-validated cryptography for CUI (3.13.11)
- Prohibit remote activation of collaborative computing devices (3.13.12)
- Control and monitor the use of mobile code (3.13.13)
3.14 System and Information Integrity (7 requirements)
Addresses flaw remediation, malicious code protection, security alerts, and system monitoring. Organizations must identify, report, and correct system flaws in a timely manner.
Cross-framework overlap
Organizations pursuing CMMC Level 2 alongside other frameworks can reuse significant portions of their control implementation.
CMMC and NIST CSF
NIST CSF provides a high-level risk management framework organized around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. NIST SP 800-171 requirements map across these functions:
| NIST CSF function | NIST SP 800-171 families |
|---|---|
| Govern | Security Assessment, Risk Assessment |
| Identify | Risk Assessment, Configuration Management |
| Protect | Access Control, Awareness and Training, Configuration Management, Identification and Authentication, Maintenance, Media Protection, Personnel Security, Physical Protection, System and Communications Protection |
| Detect | Audit and Accountability, System and Information Integrity |
| Respond | Incident Response |
| Recover | Incident Response, System and Information Integrity |
An organization with a mature NIST CSF implementation will have significant coverage toward CMMC Level 2, though the specific implementation details and evidence requirements differ.
CMMC and ISO 27001
ISO 27001 Annex A controls overlap substantially with NIST SP 800-171 requirements. Key areas of overlap include access control, cryptography, operations security, communications security, and incident management. Organizations already ISO 27001 certified will find that many of their existing controls satisfy CMMC Level 2 practices — though CUI-specific handling requirements and DoD incident reporting obligations are unique to CMMC.
CMMC and FedRAMP
Cloud service providers supporting DoD contracts often need both FedRAMP authorization and CMMC certification. FedRAMP is based on NIST SP 800-53, which is more comprehensive than NIST SP 800-171. A FedRAMP-authorized system at the Moderate baseline will satisfy the majority of CMMC Level 2 requirements, but organizations must still verify coverage and produce CMMC-specific documentation.
NIST SP 800-171 Rev 3
NIST published SP 800-171 Rev 3 in May 2024 with significant restructuring. However, CMMC 2.0 Level 2 currently maps to Rev 2, not Rev 3. The DoD has indicated it will update CMMC to align with Rev 3 in a future rulemaking, but no timeline has been announced. Organizations should implement against Rev 2 for current CMMC compliance while monitoring for updates.
How episki helps
episki maps every CMMC Level 2 practice to its NIST SP 800-171 Rev 2 source requirement with pre-written narratives and evidence templates. When you also pursue NIST CSF or ISO 27001, the unified control graph highlights overlap automatically — one control satisfies multiple frameworks without duplicating documentation. As NIST SP 800-171 Rev 3 alignment is announced, episki will provide migration guidance showing what changes. Start a free trial to see the full mapping.