Understanding The Differences Between NIST SP 800-171, DFARS, and CMMC

DFARS, NIST SP 800-171, and CMMC are three cybersecurity frameworks that apply to US Department of Defense (DoD) contractors.

DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a regulation that requires DoD contractors to comply with certain cybersecurity standards, including the NIST SP 800-171 standard.

NIST SP 800-171 is a set of cybersecurity requirements that must be followed by all nonfederal organizations that process, store, or transmit Controlled Unclassified Information (CUI) on behalf of the federal government. It provides a standardized set of security controls to protect CUI.

CMMC stands for Cybersecurity Maturity Model Certification. It is a framework developed by the DoD that requires DoD contractors to undergo a third-party assessment of their cybersecurity practices, verifying that they meet the level of cybersecurity controls appropriate to the CUI they handle. It builds upon the NIST SP 800-171 standard and adds further controls and assessments.

In summary, DFARS requires compliance with NIST SP 800-171, and CMMC builds upon both DFARS and NIST SP 800-171 by requiring third-party assessments of a contractor's cybersecurity practices to achieve certification at different levels of cybersecurity maturity.

Backed by an award-winning cybersecurity and IT management team, On Call Compliance Solutions is the #1 source for CMMC, NIST SP 800-171 compliance, DFARS and ITAR consulting. Give us a call now to schedule a free phone call with one of our compliance experts to see how we can help.
