The Same 110 Controls — Completely Different Accountability
Let's start with the part that confuses a lot of people: CMMC Level 2 and NIST SP 800-171 cover exactly the same security requirements. Same 110 controls. Same 14 control families (Access Control, Audit and Accountability, Configuration Management, and so on). Same technical requirements. One caveat worth knowing: the baseline is NIST SP 800-171 Revision 2. Revision 3 (May 2024) reorganized the standard into 97 requirements across 17 families, but the CMMC rule and DFARS 252.204-7012 still reference Revision 2, so the 110-control count is the one that applies.
So why is CMMC a bigger deal than NIST 800-171 ever was?
Because under NIST 800-171, you assessed yourself. You graded your own homework. You uploaded a score to a government database called SPRS and no one came to verify it. The DoD trusted you to be honest about where you stood.
Under CMMC Level 2, a certified independent organization, a C3PAO, comes in and verifies your implementation for itself, using the examine, interview and test procedures in NIST SP 800-171A. Assessors review your SSP and the evidence behind it, interview your staff, and test the controls on the systems that handle CUI. And if you've been claiming a score you don't deserve, that's when it becomes a problem.
CMMC didn't change what security you need. It changed who decides whether you have it. That's not a small change — it's the whole game.
Why the DoD Created CMMC
The honest answer: self-attestation was failing badly.
The DoD required contractors to self-assess under NIST 800-171 and upload scores to SPRS starting in November 2020. It was supposed to create transparency — primes and contracting officers could see each contractor's score and make decisions accordingly.
What actually happened was widespread score inflation. The DoD Inspector General and external researchers found that contractors were self-reporting perfect or near-perfect SPRS scores while their actual security posture was far below that. Some contractors had experienced significant breaches — IP theft, Chinese APT intrusions — and still maintained high self-reported scores. Others simply didn't understand the requirements well enough to assess accurately.
A 2021 DoD IG report found that the military departments weren't even verifying that contractors had uploaded SPRS scores, let alone checking whether those scores were accurate. The system had essentially no enforcement mechanism.
CMMC was the DoD's answer: mandatory third-party verification. If you can't be trusted to assess yourself accurately, someone else will do it.
What Changes Practically — A Side-by-Side
| Dimension | NIST 800-171 (self-attestation) | CMMC Level 2 |
|---|---|---|
| Who assesses you | You assess yourself | A certified C3PAO |
| Assessment frequency | Basic self-assessment no more than 3 years old (DFARS 252.204-7019) | Every 3 years (C3PAO) + annual affirmations |
| Can you claim compliance without meeting controls? | Technically yes (honor system) | No — assessors verify each control |
| Cost of "compliance" | Time to self-assess | $30K–$100K+ (assessment + prep) |
| Where results go | SPRS (self-reported score) | SPRS + eMASS (verified certification) |
| Contract requirement | DFARS 252.204-7012, plus 7019/7020 for posting the score to SPRS (active now) | DFARS 252.204-7021 (phased in from late 2025 over three years) |
| POA&M allowed | Yes; open items are reflected in the SPRS score and tracked in a POA&M | Limited: conditional certification only with a score of at least 88 of 110, with only 1-point controls left open (3.13.11 at partial credit excepted; 3.1.20, 3.1.22, 3.10.3, 3.10.4 and 3.10.5 never), and everything closed within 180 days |
SPRS Scores — The Bridge Between the Two
SPRS (Supplier Performance Risk System) is the DoD database where your compliance score lives. Understanding SPRS helps you understand the relationship between NIST 800-171 and CMMC.
When you self-assess under NIST 800-171, you calculate a score using the NIST SP 800-171 DoD Assessment Methodology: start at 110 and subtract each unimplemented control's point value, which is 1, 3 or 5 depending on how much a missing control degrades protection of CUI. Not all controls are equal. Failing to limit system access to authorized users (3.1.1) or to implement multi-factor authentication (3.5.3) costs 5 points each, while many lower-impact items cost 1. Two controls get partial credit: MFA deployed for remote and privileged users but not for general users costs 3 instead of 5, and CUI encryption that is in place but not FIPS-validated (3.13.11) also costs 3 instead of 5. A perfect score is 110, scores can go negative for significant gaps, and without a System Security Plan (3.12.4) the assessment cannot be scored at all.
Your SPRS score is visible to any contracting officer and any prime contractor who looks you up. Even before CMMC certification is required, a low score can affect contract decisions.
The average self-reported SPRS score for small defense contractors is somewhere around 47 out of 110. That's not good. And remember — those are self-reported scores. The real numbers, once C3PAOs start verifying, are likely lower in many cases.
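To make the scoring arithmetic above and the Level 2 POA&M limits from the side-by-side table concrete, here is an added worked example. It is not code from the original page or from any DoD tool. It encodes the 1/3/5 point values, the two partial-credit cases, the SSP precondition, and the 32 CFR 170.21 POA&M conditions (minimum score of 88, only 1-point items open, the 3.13.11 exception, and the five controls that can never be deferred). The sample findings are constructed; the per-control weights in them are entered by hand from the methodology's table and should be verified against it before use.

```python
"""SPRS scoring and CMMC Level 2 POA&M eligibility, as a worked example.

Added illustration, not code from the original page. Scoring rules follow the
NIST SP 800-171 DoD Assessment Methodology; POA&M limits follow 32 CFR 170.21.
The sample findings at the bottom are constructed, and their weights are
hand-entered from the methodology's table (verify against it).
"""
from dataclasses import dataclass

PERFECT_SCORE = 110          # every requirement implemented
TOTAL_REQUIREMENTS = 110
VALID_WEIGHTS = (1, 3, 5)    # each requirement is worth 1, 3 or 5 points

# Two requirements earn partial credit (deduct 3 instead of 5):
#   3.5.3   MFA in place for remote and privileged users but not general users
#   3.13.11 encryption in use for CUI but not FIPS-validated
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

SSP_REQUIREMENT = "3.12.4"   # no System Security Plan: the assessment cannot be scored

# 32 CFR 170.21: a Level 2 POA&M needs a score of at least 80% of 110, may not
# hold any requirement worth more than 1 point (except 3.13.11 at partial
# credit), and may never hold any of these five:
POAM_NEVER = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
POAM_MIN_SCORE = 88          # 0.8 * 110
POAM_CLOSEOUT_DAYS = 180     # open items must be closed within this window


@dataclass(frozen=True)
class Finding:
    """One requirement that is not fully implemented."""
    requirement: str          # e.g. "3.5.3"
    weight: int               # point value from the methodology's table
    partial: bool = False     # partially implemented (matters only for 3.5.3 / 3.13.11)

    def deduction(self) -> int:
        if self.partial and self.requirement in PARTIAL_DEDUCTION:
            return PARTIAL_DEDUCTION[self.requirement]
        return self.weight


def sprs_score(findings: list[Finding]) -> int:
    """Score = 110 minus the weighted deduction for every open finding."""
    ids = [f.requirement for f in findings]
    if SSP_REQUIREMENT in ids:
        raise ValueError("no SSP (3.12.4): a basic assessment cannot be conducted")
    if len(set(ids)) != len(ids):
        raise ValueError("each requirement may appear at most once")
    for f in findings:
        if f.weight not in VALID_WEIGHTS:
            raise ValueError(f"{f.requirement}: weight must be one of {VALID_WEIGHTS}")
    return PERFECT_SCORE - sum(f.deduction() for f in findings)


def poam_eligible(findings: list[Finding]) -> tuple[bool, list[str]]:
    """Can these open findings go on a CMMC Level 2 POA&M (conditional status)?

    Returns (eligible, reasons); reasons is empty when eligible.
    """
    reasons: list[str] = []
    score = sprs_score(findings)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below the {POAM_MIN_SCORE} minimum")
    for f in findings:
        if f.requirement in POAM_NEVER:
            reasons.append(f"{f.requirement} may never be placed on a POA&M")
        elif f.deduction() > 1 and not (f.requirement == "3.13.11" and f.partial):
            reasons.append(
                f"{f.requirement} is worth {f.deduction()} points; only 1-point items allowed"
            )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: CUI encryption that is not FIPS-validated plus two
    # 1-point gaps. Score is 105 and the POA&M is permitted.
    sample = [
        Finding("3.13.11", 5, partial=True),   # CUI encryption, not FIPS-validated
        Finding("3.8.4", 1),                    # media marking
        Finding("3.13.13", 1),                  # mobile code control
    ]
    print("SPRS score:", sprs_score(sample))
    print("POA&M eligible:", poam_eligible(sample))
```

Swap the partial 3.13.11 finding for an unimplemented 3.5.3 and the score only drops two more points, but the POA&M is no longer permitted, because MFA is a 5-point control even at partial credit. That asymmetry is the practical effect of the Level 2 rules: the score alone does not tell you whether you can be conditionally certified.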
The DFARS Clauses That Connect Everything
Two DFARS clauses are the legal plumbing behind all of this. You should know what they are and whether they're in your contracts.
DFARS 252.204-7012 — Already in Your Contract
This clause has been in DoD contracts since 2016. It requires you to:
- Implement NIST 800-171 and maintain a System Security Plan
- Rapidly report cyber incidents to the DoD (through the DIBNet portal) within 72 hours of discovery
- Preserve images of affected systems and relevant monitoring data for at least 90 days from the date you submit the incident report
- Flow these requirements down to subcontractors who handle CUI
If your contract has DFARS 252.204-7012, you're already legally required to implement NIST 800-171. CMMC doesn't add new requirements — it adds verification.
DFARS 252.204-7021 — The CMMC Clause
This is the new clause that implements CMMC. When it appears in a contract, you're required to have CMMC certification at the level specified before you can be awarded the contract. DoD started including this clause in selected contracts in 2025, and it's rolling out more broadly through 2026 and beyond.
When you see DFARS 252.204-7021 in a solicitation, the CMMC status it specifies is a condition of award: you can submit an offer, but you must hold the required certification, recorded in SPRS, before the contract can be awarded to you. If you don't have one yet, you need to start now, since C3PAO assessment slots are booked out months in advance.
If You've Been Working on NIST 800-171, You Have a Head Start
This is genuinely good news for contractors who have been serious about NIST 800-171 implementation. Everything you've done transfers directly.
Your existing System Security Plan, security policies, technical configurations, access controls, audit logging, incident response plan — all of it is directly relevant to CMMC Level 2. You're not starting over. You're getting verified.
The contractors who have been implementing NIST 800-171 in good faith — not gaming the SPRS score, but actually building and documenting the controls — often find they're 60–80% of the way to CMMC readiness. What they typically need:
- Documentation cleanup — Making sure their SSP accurately reflects current implementation (not what they planned to implement)
- Evidence collection — Gathering the artifacts an assessor will want to see for each control
- Gap remediation — Closing the remaining gaps, especially on higher-weight controls
- Mock assessment — A dry run with a Registered Practitioner to identify surprises before the real thing
Our 2-minute readiness assessment maps your current NIST 800-171 posture and tells you what gaps still need to close before your CMMC assessment.
Take the Free Readiness Check →
What If You Haven't Done NIST 800-171 Work Yet?
If you've been on contracts that required DFARS 252.204-7012 but haven't actually implemented the controls — you're in a common but challenging position.
You likely have a SPRS score on file from when the requirement started. If that score was based on an honest self-assessment, it's a starting point. If it was optimistic (and many were), you need to get to an accurate score first before you can plan a path to CMMC readiness.
Don't try to hide the gap by filing an inflated score. With DOJ actively pursuing False Claims Act cases against contractors who self-attested to NIST compliance they didn't have, the risk-reward calculus has shifted dramatically. An accurate, lower SPRS score with a credible plan of action is much safer than an inflated score with no evidence to back it up.
The practical path forward:
- Get an honest gap assessment — find out which controls you've actually implemented vs. which you haven't
- Update your SPRS score to reflect reality
- Build your remediation plan, starting with the highest-weight controls
- Start documentation (SSP, policies) in parallel with remediation
- Schedule your C3PAO assessment for when you're genuinely ready
MyCMMC's Assessment-Ready Package starts with a gap analysis, then builds your SSP and documentation around what you've actually implemented. No inflated scores, no false starts.
See If You Qualify →
Frequently Asked Questions
What is the difference between CMMC Level 2 and NIST 800-171?
CMMC Level 2 is built on NIST 800-171 — it requires implementing all 110 controls in that standard. The key difference is verification. Under NIST 800-171, you self-assessed and uploaded your score to SPRS. Under CMMC Level 2, a certified third-party assessment organization (C3PAO) must independently verify that you've actually implemented those same 110 controls. Same controls, completely different accountability.
Does my existing NIST 800-171 work carry over to CMMC Level 2?
Absolutely. If you've been genuinely implementing NIST 800-171 controls — not just claiming you have — you have a meaningful head start. Your SSP, your policies, your technical controls, your incident response plan — all of that work transfers directly to CMMC Level 2. What you'll need to add is the formal assessment documentation, evidence collection, and third-party review. Contractors who have been serious about NIST 800-171 implementation often find they're 60–80% of the way to CMMC readiness.
What is SPRS, and why does my score matter?
SPRS (Supplier Performance Risk System) is a DoD database where contractors report their self-assessed NIST 800-171 compliance score. The score starts at 110 and decreases for each unmet control based on that control's assigned weight of 1, 3 or 5 points. Your score is visible to contracting officers and prime contractors when they look up your company. A low SPRS score can affect your ability to win contracts even before CMMC assessment requirements take effect.
Why did the DoD create CMMC?
Because self-attestation wasn't working. The DoD required contractors to self-assess under NIST 800-171 and report scores to SPRS starting in 2020. Audits and breach investigations revealed that many contractors were claiming compliance scores they didn't deserve. Some were reporting perfect scores of 110 while their actual security posture was far below that. CMMC was created specifically to add independent verification so the DoD could trust that compliance claims were accurate.
Do I still need to maintain my SPRS score after I'm CMMC certified?
Yes. Your SPRS score and your CMMC certification are separate but related requirements. After you pass your CMMC Level 2 assessment, your C3PAO will upload your assessment results to the CMMC instance of eMASS, and your certification status will be reflected in SPRS. But you're still responsible for maintaining your controls, updating your self-assessment score when your posture changes, and submitting the annual affirmation. CMMC certification is valid for three years, during which you're expected to maintain the controls you were assessed on.
Know where you stand before your C3PAO does.
Our free readiness check tells you which NIST 800-171 controls you're likely meeting and where your gaps are. Takes 2 minutes.
Start Free Readiness Check →
No email required. See your results immediately.
Or see pricing & packages →