Originally published 10/4/2024, updated content 10/30/2025.
If you’re a small government contractor and current and future regulations seem daunting, we’ve got you covered. In this blog post, we’ll unravel the mystery behind these cybersecurity standards, bring you up-to-speed on the CMMC transition, and reveal why NIST 800-171 compliance isn’t just important—it’s been mandatory for some since December 2017.
We’ll also explore the key distinctions between NIST 800-171 and CMMC, equipping you with the knowledge to navigate these requirements and keep your business secure and compliant.
NIST 800-171: Numbers Aside, What Does it Mean?
It’s essential to protect any sensitive data from unauthorized access or changes—especially when that data comes from the federal government. The US lost an estimated 12.5 billion dollars in 2023 to cyber-crime, and with threat actors—from bored teenagers to cyber espionage units—on the rise, increasing cyber hygiene amongst the nation’s government contractors has become a top priority.
NIST SP 800-171 is a collection of cybersecurity recommendations set out to safeguard Controlled Unclassified Information—or CUI.
Divided into 17 ‘control families’, the 110 controls outlined in NIST SP 800-171 (revision 3, published May 2024) aim to ensure that any non-federal organization handling CUI, or any of its subtypes, implements the same practices and defenses across the board and self-assesses against those controls.
Who Should Follow The NIST 800-171 Framework?
Any federal government contractor or subcontractor, including service providers, consulting firms, universities, and manufacturers that sell to the government or to government suppliers, is required to comply with NIST 800-171 when DFARS clause 252.204-7012 appears in its contract.
Even where it isn’t mandatory, if your business supports government contractors, implementing the NIST 800-171 recommendations goes a long way toward demonstrating your commitment to cybersecurity in terms your customers will understand.
Why the Transition to CMMC?
NIST SP 800-171 provides a pretty comprehensive set of cybersecurity guidance—but there’s no official certification to prove whether a business complies with the controls.
The transition from NIST SP 800-171 to the Cybersecurity Maturity Model Certification (CMMC) was driven by the need to address gaps in cybersecurity compliance among Department of Defense (DoD) contractors. Here are the key changes:
- Certification Levels: CMMC introduced multiple certification levels (initially five, now three in CMMC 2.0) to allow for varying degrees of cybersecurity maturity, whereas NIST SP 800-171 had a one-size-fits-all approach.
- Third-Party Assessments: Unlike NIST SP 800-171, which relied on self-assessments, CMMC requires third-party assessments for certain levels to ensure compliance.
- Additional Controls: CMMC incorporates additional controls from NIST SP 800-172 for higher levels, providing more stringent security measures for handling highly sensitive information.
- Verification Mechanism: CMMC includes a verification mechanism to ensure that contractors are not only implementing, but also maintaining the required cybersecurity practices.
These changes aim to enhance the overall cybersecurity posture of the Defense Industrial Base (DIB) by providing a more structured and verifiable approach to protecting Controlled Unclassified Information (CUI).
Similar to the NIST framework’s control families and controls, the CMMC consists of domains, capabilities, and practices. A practice is a control or activity conducted to ensure security; several practices make up a capability, and one or more capabilities make up a larger domain.
The Latest on CMMC Compliance (as of October 2025)
Since our last update in 2024, the Cybersecurity Maturity Model Certification (CMMC) program has moved from preparation to implementation. The Department of Defense (DoD) finalized its rulemaking, officially enforcing CMMC 2.0 starting November 10, 2025. For defense contractors and subcontractors, this is no longer a future requirement – it’s now a critical operational standard.
What’s Official Now
On September 10, 2025, the DoD published the final 48 CFR CMMC Acquisition Rule in the Federal Register. This rule authorizes contracting officers to include CMMC requirements in new solicitations and contracts. Beginning November 10, 2025, CMMC certification will appear as a condition of award – meaning businesses that aren’t certified at the required level will not be eligible to win new DoD contracts.
The Updated Rollout Timeline
CMMC will be introduced in four phases over the next few years:
- Phase 1 (Nov 10, 2025 – Nov 9, 2026): Level 1 and Level 2 self-assessments required for contracts involving Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
- Phase 2 (Nov 10, 2026 – Nov 9, 2027): Level 2 third-party assessments (C3PAO) required for contracts handling sensitive CUI.
- Phase 3 (Nov 10, 2027 – Nov 9, 2028): Level 3 assessments introduced for prioritized CUI contracts.
- Phase 4 (Nov 10, 2028 onward): Full implementation across all DoD contracts.
What Each Level Means
- Level 1 (FCI): 15 basic cybersecurity practices aligned with FAR 52.204-21. Requires an annual self-assessment.
- Level 2 (CUI): 110 practices mapped to NIST SP 800-171. Depending on contract sensitivity, either a self-assessment or third-party certification is required.
- Level 3 (Prioritized CUI): Adds select controls from NIST SP 800-172. Requires a DoD-led assessment.
Where Businesses Stand Now
Even with enforcement on the horizon, only a few hundred organizations have achieved Level 2 certification. With more than 118,000 expected to need third-party assessments, demand for accredited C3PAOs far exceeds availability – fewer than 100 are currently authorized. This makes early preparation essential for maintaining contract eligibility and competitive advantage.
What You Should Do Next
If your business hasn’t started the process yet, here’s where to begin:
- Identify the CMMC level your contracts require.
- Conduct a gap analysis against NIST SP 800-171 (for Level 2).
- Update your System Security Plan (SSP) and Plan of Action and Milestones (POA&M).
- Schedule your assessment or complete your self-attestation.
- Confirm that your cloud provider is FedRAMP Moderate Authorized or Equivalent if you handle CUI in the cloud.
CMMC compliance isn’t just about meeting DoD mandates—it’s about demonstrating you’re a trusted, secure partner in the defense supply chain.
Where Are We in the Transition to CMMC? (as of September 2024)
The rollout of the Cybersecurity Maturity Model Certification (CMMC) is progressing through several key phases:
- December 2023: The Department of Defense (DoD) published a proposed rule for CMMC, followed by a 60-day public comment period.
- August 2024: The DoD released another proposed rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC requirements.
- Q1 2025: The final rule is expected to be published, and the CMMC program will go into effect, incorporating CMMC requirements into DoD contracts.
The DoD is executing a phased rollout, and by late 2025, all contracts are expected to meet the CMMC standards.
If your business stores, processes, or transmits CUI or Federal Contract Information (FCI), or hopes to win one of these contracts in the future, you’ll need to re-examine your current cybersecurity measures in the coming year. The NIST 800-171 requirements are the right place to start, since they lay the essential foundations needed to secure sensitive data. Working through NIST 800-171 will address what’s needed today, as well as most of what will be needed when CMMC goes live.
How An IT Service Provider Can Help
An experienced IT provider with a CMMC Registered Practitioner (RP) on staff can be invaluable in helping your business implement any outstanding controls needed to achieve NIST 800-171 compliance and prepare for CMMC 2.0 compliance. They can assist with:
- Assessment and Gap Analysis: Conducting a thorough assessment to identify any current deficiencies in your security, and developing a roadmap to address them.
- Control Implementation: Aiding in the deployment of new controls, ensuring that the process is as smooth and stress-free as possible.
- Policy Development: Developing and refining cybersecurity policies and procedures that align with NIST 800-171 guidelines and helping to make sure they’re consistently enforced across your organization.
- Employee Training: Providing comprehensive training for staff to ensure they understand their roles in maintaining cybersecurity (and therefore compliance), including proper data handling and incident response protocols.
- SPRS Scoring: Recalculating and updating your Supplier Performance Risk System (SPRS) score once you’ve implemented new controls.
- Continuous Monitoring and Reporting: Implementing continuous monitoring solutions to detect and respond to security incidents in real-time, ensuring ongoing compliance and readiness for CMMC 2.0 audits.
- Documentation and Audit Preparation: Assisting in maintaining thorough documentation of all security controls and procedures, simplifying the audit process for both NIST 800-171 and CMMC 2.0.
Depending on your starting point, implementing enough security measures to meet these frameworks can seem rather intimidating—but don’t let that deter you from aspiring to government contracts. Find a professional IT Partner with experience and see how much more straightforward the journey becomes.
Infinity Technologies: North Virginia’s Premier Managed IT, Cybersecurity, and IT Support Partners
At Infinity Technologies, we specialize in providing IT and cybersecurity solutions that cover all bases—from initial assessment to ongoing threat management, response, and recovery—to SMBs in Charlottesville, VA, and beyond. Our services are designed to keep your business safe, secure, and operational, no matter the cyber threats you face.
Curious to see the difference that we can make for your SMB? Contact us today to learn how our IT support and cybersecurity solutions can provide the robust protection your business deserves.