NIST 800-171 and CMMC compliance, explained
NIST SP 800-171 is a U.S. standard of 110 security controls across 14 families that protect Controlled Unclassified Information (CUI) in non-federal systems. CMMC (Cybersecurity Maturity Model Certification) builds on it to verify that defense contractors actually implement those controls, through self-assessment or third-party certification depending on the level.
Organizations in the U.S. defense supply chain handle Controlled Unclassified Information — sensitive but unclassified data that still needs protection. NIST SP 800-171 defines what that protection looks like, and CMMC is the Department of Defense's mechanism for confirming contractors have it in place.
The two are often confused. The short version: 800-171 is the set of requirements; CMMC is how compliance with those requirements is verified.
What NIST 800-171 is
NIST SP 800-171 specifies 110 security requirements organized into 14 families — covering areas such as access control, identification and authentication, audit and accountability, configuration management, incident response, and system and information integrity. It applies to non-federal systems that store, process, or transmit CUI.
How CMMC relates
CMMC packages the 800-171 requirements into certification levels and adds a verification step. Lower levels permit self-assessment; higher levels require assessment by an accredited third party (a C3PAO). The point of CMMC is assurance: rather than trusting that controls exist, the DoD requires evidence that they do.
Self-assessment vs. certification
A self-assessment, often summarized as a score submitted to the Supplier Performance Risk System (SPRS), is the organization's own evaluation of how fully it meets each requirement, with a plan of action and milestones (POA&M) for gaps. Certification is an independent confirmation of the same. A tool can help you prepare for and run a credible self-assessment; it cannot replace a formal third-party assessment where one is required.
From spreadsheet to live posture
Most teams track 800-171 in a spreadsheet that, like a network diagram, drifts from reality. Mapping controls to a live model of the environment keeps the assessment honest: evidence reflects how systems are actually configured today, and gaps surface as the environment changes rather than at audit time.
How Onek helps with 800-171 and CMMC
Onek supports preparedness and self-assessment by mapping controls to your live environment. It is an aid to readiness, not a substitute for a formal C3PAO assessment.
Available today
- A NIST 800-171 catalog of 110 controls across 14 families.
- Evidence-backed self-assessment with honest met / partial / not-assessed status.
- CMMC preparedness gap analysis and POA&M candidates.
- Control status mapped to your live environment.
On the roadmap
- System Security Plan (SSP) generation, full POA&M workflow, SPRS-weighted scoring, and CUI scoping.
Frequently asked questions
- How many controls are in NIST 800-171?
- NIST SP 800-171 contains 110 security requirements organized into 14 families, covering areas such as access control, audit and accountability, configuration management, incident response, and system and information integrity.
- What is the difference between NIST 800-171 and CMMC?
- NIST 800-171 is the set of security requirements for protecting Controlled Unclassified Information. CMMC is the Department of Defense's framework for verifying that contractors implement those requirements, via self-assessment or third-party certification depending on the level.
- Can software make me CMMC compliant automatically?
- No. Software can help you assess readiness, organize evidence, and track gaps, but compliance depends on actual implemented controls and, at higher levels, an independent assessment. Treat tools as preparation aids, not guarantees of certification.
Related platform capabilities
Learn the concepts
