
NIST 800-171 vs CMMC: What Small Contractors Actually Need to Know

They're not competing standards — they're two halves of the same requirement. Here's how they fit together.

If the alphabet soup of NIST 800-171, CMMC, DFARS, and SPRS has you confused, you're not alone — and the good news is the relationship is simpler than it sounds. This guide untangles it in plain English so you know exactly what your small business has to do.

The one-sentence answer

NIST SP 800-171 is the set of security requirements. CMMC is the program that makes you prove you meet them. Same controls underneath — CMMC just adds verification on top.

NIST SP 800-171: the "what"

NIST Special Publication 800-171 is a catalog of 110 security requirements for protecting Controlled Unclassified Information (CUI) on non-federal systems. If you handle CUI, you've technically been required to meet these since DFARS 252.204-7012 took effect back in 2017. It's the substance — the actual locks on the doors.

CMMC: the "prove it"

The Cybersecurity Maturity Model Certification (CMMC) is the Department of War program that verifies contractors actually implement the required protections — instead of just claiming they do. CMMC didn't invent new controls for most contractors; for Level 2 it points right back at the same 110 NIST 800-171 requirements. What it adds is accountability: a score, documentation, and — depending on the contract — a third-party assessment.

The CMMC levels

| Level | For | Requirements | How it's assessed |
|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) | 15 basic safeguarding requirements (FAR 52.204-21) | Annual self-assessment |
| Level 2 | Controlled Unclassified Information (CUI) | All 110 NIST SP 800-171 requirements | Self-assessment or third-party (C3PAO) assessment, depending on the contract |
| Level 3 | The most sensitive programs | 110 + enhanced controls (NIST SP 800-172) | Government-led assessment |

Most small defense contractors handling CUI are aiming at Level 2 — which is exactly the 110 requirements your SPRS score measures.

Quick gut-check: if your contracts involve CUI, you're in Level 2 territory (all 110 requirements). If you only touch FCI (federal contract info that isn't CUI), you may only need Level 1. Your contract language and your prime can tell you which.

Where SPRS and your SSP fit

Two deliverables, your SPRS score and your SSP, tie it all together, and they're the same ones whether you're prepping for a self-assessment or a C3PAO assessment.

Find out where you stand — free

Whichever level you're targeting, it starts with knowing your number. Run the SPRS calculator, then document it with the SSP generator.


What a small contractor actually needs to do

  1. Figure out your level. FCI only → likely Level 1. CUI → Level 2.
  2. Self-assess against the applicable requirements and get your SPRS score.
  3. Document it in an SSP, with a POA&M for any gaps.
  4. Know your assessment type. Some Level 2 contracts allow self-assessment; others require a third-party C3PAO. Check your contract and ask your prime.
  5. Close gaps, highest-impact first — the 5-point requirements move your score (and your risk) the most.
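As an added example (not the site's calculator or any DoD tool), here is the arithmetic behind steps 2 and 5: under the DoD Assessment Methodology the SPRS score starts at 110 and loses each unimplemented requirement's point value of 1, 3 or 5, with an open POA&M item counting as unimplemented and partial credit (3 instead of 5) only for 3.5.3 and 3.13.11. The weight table is a constructed sample of a few requirements, not the full 110.

```python
# Added example: SPRS score arithmetic under the DoD Assessment Methodology.
# Score = 110 minus the point value (1, 3 or 5) of every requirement that is
# not fully implemented; an open POA&M item counts as not implemented.
# WEIGHTS is a constructed sample of a few Rev 2 requirements, not all 110;
# take the real values from the methodology before relying on a number.
MAX_SCORE = 110

WEIGHTS = {  # requirement id -> (short name, point value)  [constructed sample]
    "3.1.1": ("Limit system access to authorized users", 5),
    "3.1.5": ("Least privilege", 3),
    "3.1.20": ("Control connections to external systems", 1),
    "3.3.2": ("Trace actions to individual users", 3),
    "3.5.3": ("Multifactor authentication", 5),
    "3.11.3": ("Remediate vulnerabilities per risk assessment", 1),
    "3.13.11": ("FIPS-validated cryptography for CUI", 5),
}

# The methodology grants partial credit (deduct 3 instead of 5) for exactly
# two requirements: MFA in place for some but not all users, and encryption
# in use that is not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

STATUSES = {"met", "not_met", "partial", "poam"}


def deduction(req_id: str, status: str) -> int:
    """Points lost for one requirement given its assessment status."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r} for {req_id}")
    if req_id not in WEIGHTS:
        raise KeyError(f"{req_id} not in weight table")
    if status == "met":
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id} has no partial-credit rule")
        return PARTIAL_CREDIT[req_id]
    return WEIGHTS[req_id][1]  # not_met and poam both lose the full value


def sprs_score(assessment: dict) -> int:
    """assessment maps requirement id -> status; a requirement missing from
    it is treated as not assessed and therefore not implemented."""
    total = 0
    for req_id in WEIGHTS:
        total += deduction(req_id, assessment.get(req_id, "not_met"))
    return MAX_SCORE - total


def prioritize_gaps(assessment: dict) -> list:
    """Open gaps ordered by points lost, highest first (step 5 above)."""
    gaps = [(r, deduction(r, assessment.get(r, "not_met"))) for r in WEIGHTS]
    return sorted([g for g in gaps if g[1] > 0], key=lambda g: -g[1])
```

With the sample table, a contractor who has MFA for privileged users only, no FIPS-validated crypto, one 3-point POA&M item and one open 1-point gap scores 98, and the 5-point FIPS gap sits at the top of the fix list.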

2026 status

CMMC enforcement is live (the phased rollout began late 2025). SPRS scoring still runs on NIST SP 800-171 Revision 2, and following the February 2026 FAR Overhaul, self-assessment score submission flows through CMMC under DFARS 252.204-7021. The Department of War estimates 100,000+ companies need Level 2, so you're far from alone in working through this.

Start here

Don't overthink the acronyms. Score yourself, document it, and you've done the foundational work both NIST 800-171 and CMMC are asking for. Both tools are free.