Chapter 4 of 14

Module 4: Mapping CMMC to NIST SP 800-171 and 800-172

Connect CMMC 2.0 requirements to the underlying NIST standards, with emphasis on NIST SP 800-171 for Level 2 and selected NIST SP 800-172 controls for Level 3.

15 min read

Orienting CMMC 2.0 Within the NIST Ecosystem

In this module, you will treat CMMC as an application profile of NIST SP 800-171 and 800-172, not as a standalone framework.

Current context (relative to today – December 2025):

  • CMMC 2.0 Final Rule was published by DoD on December 26, 2024 and the four‑phase rollout began November 10, 2025 (as covered in Module 3).
  • CMMC Level 2 is explicitly based on NIST SP 800-171 Rev. 2 (110 controls / 14 families), with some DoD-specific implementation and assessment expectations.
  • CMMC Level 3 adds a subset of NIST SP 800-172 enhanced security requirements to address Advanced Persistent Threats (APTs).
  • Both 800-171 and 800-172 are aligned with the NIST Cybersecurity Framework (CSF) functions: Identify, Protect, Detect, Respond, Recover.

Your mental model:

  • NIST SP 800-171 = baseline protections for CUI in non-federal systems.
  • CMMC Level 2 = assessment and contract enforcement layer on top of 800-171.
  • NIST SP 800-172 = enhanced protections for APT environments.
  • CMMC Level 3 = selected 800-172 enhancements + all of 800-171.

By the end of this module, you should be able to navigate the NIST documents themselves and map any CMMC Level 2 or Level 3 requirement back to its NIST source.

> Key idea for this module: CMMC 2.0 is not replacing NIST 800-171/172; it is operationalizing them for the Defense Industrial Base (DIB).

Decomposing NIST SP 800-171 Rev. 2 (The Level 2 Backbone)

NIST SP 800-171 Rev. 2 (February 2020) defines 110 security requirements organized into 14 families. These are the source requirements for CMMC Level 2.

14 Control Families (800-171)

  1. Access Control (AC) – e.g., least privilege, session controls, separation of duties.
  2. Awareness and Training (AT) – security training, role-based training.
  3. Audit and Accountability (AU) – logging, audit review, protection of logs.
  4. Configuration Management (CM) – baselines, change control, configuration settings.
  5. Identification and Authentication (IA) – user/device identification, MFA.
  6. Incident Response (IR) – incident handling, reporting, testing.
  7. Maintenance (MA) – controlled maintenance, remote maintenance.
  8. Media Protection (MP) – media access, sanitization, transport.
  9. Personnel Security (PS) – screening, termination, transfer.
  10. Physical Protection (PE) – physical access, monitoring, visitor control.
  11. Risk Assessment (RA) – risk assessments, vulnerability scanning.
  12. Security Assessment (CA) – system security plans, plan of action & milestones.
  13. System and Communications Protection (SC) – boundary protection, cryptography.
  14. System and Information Integrity (SI) – flaw remediation, malware protection.

Each family has basic and derived requirements. For example, in NIST SP 800-53 terms a control such as AC-3 has enhancements AC-3(1), AC-3(2), and so on; in 800-171 the corresponding basic and derived requirements are simply numbered 3.1.x within the AC family.

800-171 Numbering vs. CMMC Practice Numbering

  • 800-171 uses a chapter.family.requirement pattern (e.g., 3.1.1 = AC requirement #1).
  • CMMC 2.0 Level 2 uses practice IDs that map one-to-one to those requirements.

Crucial point: If you understand 800-171’s families and requirements, you already understand what CMMC Level 2 is asking for; CMMC adds how rigorously and how often you must demonstrate it to DoD.

Hands-On Mapping: CMMC Level 2 Practice to 800-171 Requirement

Imagine you are reading a CMMC Level 2 assessment guide and see a practice like this (simplified wording):

> "The organization enforces multifactor authentication (MFA) for network access to privileged accounts and for remote access."

Task 1 – Identify the 800-171 Requirement

  1. Open (or imagine opening) NIST SP 800-171 Rev. 2.
  2. Navigate to the Identification and Authentication (IA) family.
  3. Look for requirements related to MFA.

> Question: Which 800-171 requirement(s) does this most closely correspond to?

Think it through before reading the hint.

<details>

<summary>Hint (hover/click to reveal)</summary>

You should land on 3.5.3 and 3.5.8:

  • 3.5.3: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
  • 3.5.8: Uniquely identify and authenticate non-organizational users (e.g., remote users).

The CMMC practice is not inventing a new requirement; it is operationalizing 3.5.3 (and related IA requirements) with specific assessment criteria.

</details>

Task 2 – Reflection

Write (mentally or on paper) a one-sentence rule of thumb for yourself:

> "When I see a CMMC Level 2 practice about authentication, I will first map it to 800-171 IA requirements such as 3.5.x before worrying about CMMC-specific language."

This mindset will make CMMC documentation feel like a thin layer over NIST rather than a whole new universe.

NIST SP 800-172: Enhanced Protections for APT Environments

NIST SP 800-172 (February 2021) adds "Enhanced Security Requirements" on top of 800-171 for systems that process high-value CUI and are at risk from Advanced Persistent Threats (APTs).

Key characteristics of 800-172:

  • It does not replace 800-171; it layers additional requirements.
  • Organized into the same 14 families, but only selected families receive enhanced requirements.
  • Requirements are grouped into three major objective areas:
     1. Increased System Resiliency (e.g., diversification, redundancy, segmentation).
     2. Enhanced Detection and Monitoring (e.g., behavioral analytics, advanced logging).
     3. Advanced Incident Response and Recovery (e.g., deception, rapid isolation).

Examples of enhanced concepts in 800-172:

  • Deception and concealment technologies to mislead or slow adversaries.
  • Dynamic isolation of compromised components.
  • Behavior-based anomaly detection beyond simple signature-based tools.
  • Protection of critical programs and information even when parts of the system are compromised.

CMMC Level 3 does not take all 800-172 requirements. Instead, DoD selected a subset that they consider practical and high value for the Defense Industrial Base.

> Important nuance: 800-172 is written in a technology-neutral way. CMMC Level 3, through its assessment guides, makes those requirements testable (e.g., specific evidence, interviews, and technical demonstrations).

Comparative Example: 800-171 Baseline vs. 800-172 Enhanced Control

To internalize the difference between 800-171 and 800-172, compare a baseline requirement with an enhanced one.

Baseline (800-171 – System and Communications Protection)

  • 3.13.1: "Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems."

In CMMC Level 2, this maps to practices such as implementing firewalls, IDS/IPS, and network segmentation with logging.

Enhanced (800-172 – System and Communications Protection)

An example enhanced requirement (paraphrased for brevity):

  • "Employ dynamic isolation of system components based on indicators of compromise or suspicious behavior."

When selected into CMMC Level 3, this might translate into expectations like:

  • Ability to automatically quarantine endpoints when suspicious activity is detected.
  • Use of software-defined networking (SDN) or micro-segmentation to isolate traffic flows.
  • Documented playbooks that show how isolation decisions are triggered and executed.

Why this matters

  • 800-171 (Level 2): Focuses on preventing and limiting compromise using static controls (e.g., fixed firewall rules, standard logging).
  • 800-172 (Level 3 subset): Assumes compromise may occur and focuses on limiting blast radius and detecting/containing APTs with adaptive controls.

Thought question (no need to answer here):

> In your own environment (real or hypothetical), what technical capabilities would you need to move from static perimeter defenses (800-171) to dynamic isolation (800-172)?

Triangulating with the NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF) provides a high-level, risk-based structure for cybersecurity activities. Most organizations in the DIB already know CSF’s five core functions:

  • Identify – asset management, risk assessment, governance.
  • Protect – access control, awareness, data security, maintenance.
  • Detect – anomalies, continuous monitoring.
  • Respond – incident response, analysis, mitigation.
  • Recover – recovery planning, improvements, communications.

How 800-171 and 800-172 relate to CSF:

  • 800-171 and 800-172 can be seen as detailed control catalogs that implement CSF outcomes for systems handling CUI.
  • Each 800-171 requirement can be mapped to one or more CSF subcategories. For example:
     • 800-171 3.3.1 (AU – create and retain audit records) → CSF DE.AE-3 (event detection) and PR.PT-1 (audit/log records).
     • 800-171 3.6.1 (IR – incident response) → CSF RS.RP-1 (response planning) and RS.CO-1 (coordination).

Where CMMC fits:

  • CMMC Level 2: A concrete implementation profile of CSF for CUI, using 800-171 as the control source.
  • CMMC Level 3: A more advanced profile targeting APT resilience, using 800-171 + a subset of 800-172.

> If you already have a CSF-based program, CMMC alignment is often a mapping exercise: CSF → 800-171/172 → CMMC practices and assessment objectives.

Practical Mapping Exercise: From CMMC Level to NIST Control

Work through this step-by-step mapping as if you were advising a small defense contractor.

Scenario

A contractor is bidding on a new DoD contract that:

  • Involves Controlled Unclassified Information (CUI).
  • Specifies CMMC Level 2 as a requirement.

They ask: "Which NIST documents do we actually need to implement?"

Your Task – Stepwise Reasoning

  1. Determine the CMMC level’s NIST basis:
     • Level 2 → based on NIST SP 800-171 Rev. 2.
  2. Check if 800-172 applies:
     • Level 2 → no; 800-172 is relevant for Level 3 only.
  3. Identify primary references:
     • NIST SP 800-171 Rev. 2 (requirements).
     • NIST SP 800-171A (assessment procedures – crucial for evidence planning).
  4. Overlay the CMMC assessment layer:
     • Use the CMMC Level 2 Assessment Guide to understand how DoD wants those 800-171 requirements to be tested and scored.

> Write down (mentally or on paper) a concise answer you would give the contractor in one or two sentences.

<details>

<summary>Sample expert-level answer</summary>

> "For CMMC Level 2, your primary technical baseline is NIST SP 800-171 Rev. 2. You should implement all 110 requirements and use NIST SP 800-171A to structure your internal assessments. The CMMC Level 2 Assessment Guide then tells you exactly how DoD assessors will verify those NIST requirements and score your compliance. You do not need to implement NIST SP 800-172 unless you are targeting CMMC Level 3."

</details>

Now extend the scenario: if the contract instead required CMMC Level 3, how would you change your answer? Be explicit about 800-172 and the concept of a subset of its requirements.

Check Understanding: Level 2 vs. Level 3 Foundations

Answer the following question to test your understanding of how CMMC levels map to NIST documents.

Which statement best describes the relationship between CMMC 2.0 Levels 2 and 3 and NIST SP 800-171 / 800-172?

  A) Level 2 implements a subset of 800-171, and Level 3 replaces 800-171 entirely with 800-172.
  B) Level 2 implements the full set of 110 requirements in 800-171, while Level 3 builds on that by adding a selected subset of enhanced requirements from 800-172.
  C) Level 2 is based on 800-172, and Level 3 is based on 800-171 plus extra DoD-unique controls.

Answer: B) Level 2 implements the full set of 110 requirements in 800-171, while Level 3 builds on that by adding a selected subset of enhanced requirements from 800-172.

CMMC Level 2 corresponds to the full set of 110 requirements in NIST SP 800-171 Rev. 2. CMMC Level 3 is cumulative: it includes all Level 2 requirements (i.e., all of 800-171) plus a selected subset of enhanced requirements from NIST SP 800-172 to address APT-level threats. 800-172 never replaces 800-171; it layers on top of it.

Using a Simple Mapping Table (Pseudo-Code) to Plan Compliance

You do not need to be a programmer to benefit from a structured mapping table. Below is a pseudo-code / CSV-style example of how you might organize your mapping between CMMC, 800-171, 800-172, and CSF.

```text
Columns: CMMCLevel, CMMCPracticeID, NIST800171Req, NIST800172Req, CSFFunction, Notes

2, AC.L2-3.1.1, 3.1.1, , Protect, "Limit system access to authorized users"
2, IA.L2-3.5.3, 3.5.3, , Protect, "MFA for privileged and network access"
2, AU.L2-3.3.1, 3.3.1, , Detect, "Create and retain audit records"
3, SC.L3-ENH-1, 3.13.1, 3.13.3.enh, Detect, "Dynamic isolation of suspicious traffic (subset of 800-172)"
3, IR.L3-ENH-2, 3.6.1, 3.6.2.enh, Respond, "Advanced incident response with deception and rapid isolation"
```

How to use this in practice

  1. Start from the contract:
     • Identify the required CMMC level.
  2. List all CMMC practices for that level.
  3. Map each practice to:
     • 800-171 requirement(s) (always, for Level 2 and Level 3).
     • 800-172 enhanced requirement(s) (only for selected Level 3 practices).
     • CSF function for strategic context.
  4. Use this table to:
     • Plan implementation projects.
     • Plan evidence collection for assessments.
     • Communicate with leadership in CSF language while implementing in NIST language.

You could implement this mapping in a spreadsheet, a GRC tool, or a simple database. The structure matters more than the technology.
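To make the mapping table something you can check rather than only read, here is an added Python example (written for this page, not code from the page or from any CMMC or NIST tool) that parses the CSV-style layout above, enforces the rules this section and the earlier stepwise exercise state (every Level 2/3 practice traces to 800-171, 800-172 appears only on Level 3 rows, Level 3 is cumulative over Level 2, and which NIST documents are primary for a given level), and rolls practices up by CSF function for leadership reporting. The Level 3 practice IDs and ".enh" values are the page's own placeholders, not official identifiers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the page's CSV-style layout. Level 2 IDs follow the CMMC
# pattern (AC.L2-3.1.1); the Level 3 IDs and ".enh" values are placeholders.
MAPPING_CSV = """\
CMMCLevel,CMMCPracticeID,NIST800171Req,NIST800172Req,CSFFunction,Notes
2,AC.L2-3.1.1,3.1.1,,Protect,Limit system access to authorized users
2,IA.L2-3.5.3,3.5.3,,Protect,MFA for privileged and network access
2,AU.L2-3.3.1,3.3.1,,Detect,Create and retain audit records
3,SC.L3-ENH-1,3.13.1,3.13.3.enh,Detect,Dynamic isolation of suspicious traffic
3,IR.L3-ENH-2,3.6.1,3.6.2.enh,Respond,Advanced incident response
"""
CSF_FUNCTIONS = {"Identify", "Protect", "Detect", "Respond", "Recover"}

def load_mapping(text):
    return list(csv.DictReader(io.StringIO(text)))

def validate(rows):
    """Apply the module's consistency rules; an empty list means the table is sound."""
    problems = []
    for r in rows:
        pid, level = r["CMMCPracticeID"], r["CMMCLevel"]
        if not r["NIST800171Req"]:
            problems.append(f"{pid}: Level 2 and 3 practices always trace to 800-171")
        if r["NIST800172Req"] and level != "3":
            problems.append(f"{pid}: 800-172 enhancements apply to Level 3 only")
        # A Level 2 practice ID embeds its 800-171 number (AC.L2-3.1.1 -> 3.1.1).
        if level == "2" and pid.partition("-")[2] != r["NIST800171Req"]:
            problems.append(f"{pid}: practice ID and 800-171 requirement disagree")
        if r["CSFFunction"] not in CSF_FUNCTIONS:
            problems.append(f"{pid}: unknown CSF function {r['CSFFunction']!r}")
    return problems

def practices_for_level(rows, level):
    """Level 3 is cumulative: every Level 2 practice plus the Level 3 additions."""
    return [r for r in rows if int(r["CMMCLevel"]) <= level]

def csf_rollup(rows, level):
    """Count in-scope practices per CSF function for leadership reporting."""
    counts = defaultdict(int)
    for r in practices_for_level(rows, level):
        counts[r["CSFFunction"]] += 1
    return dict(counts)

def primary_references(level):
    """Minimum NIST documents to treat as primary references (Levels 2 and 3 only)."""
    if level not in (2, 3):
        raise ValueError("this module covers CMMC Levels 2 and 3 only")
    refs = ["NIST SP 800-171 Rev. 2", "NIST SP 800-171A"]
    if level == 3:
        refs.append("NIST SP 800-172 (subset adopted by CMMC Level 3)")
    return refs
```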

Key Term Review: CMMC–NIST Relationships

Flip these cards (mentally) to reinforce the critical vocabulary and relationships for this module.

NIST SP 800-171 Rev. 2
A NIST Special Publication specifying 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations; it forms the technical baseline for CMMC 2.0 Level 2.
NIST SP 800-172
A NIST Special Publication that defines enhanced security requirements, layered on top of 800-171, to protect CUI in systems subject to Advanced Persistent Threats (APTs); CMMC Level 3 adopts a selected subset of these requirements.
CMMC 2.0 Level 2
The CMMC maturity level that aligns with the full set of 110 requirements in NIST SP 800-171 Rev. 2, focused on protecting CUI with assessed and documented controls.
CMMC 2.0 Level 3
The highest CMMC 2.0 level, which includes all Level 2 requirements (800-171) plus a selected subset of enhanced requirements from NIST SP 800-172 to address APT-level threats.
NIST Cybersecurity Framework (CSF)
A high-level, risk-based framework organized around the functions Identify, Protect, Detect, Respond, and Recover; 800-171 and 800-172 can be viewed as detailed control catalogs implementing CSF outcomes for CUI environments.
APT (Advanced Persistent Threat)
A highly capable, well-resourced adversary that conducts long-term, targeted cyber campaigns; 800-172 and CMMC Level 3 are explicitly designed to enhance resilience against APTs.
NIST SP 800-171A
The companion assessment guide to 800-171, providing assessment procedures for each requirement; essential for planning evidence and internal assessments aligned with CMMC Level 2.

Final Check: Using NIST as a Primary Reference

One more question to ensure you can reason from CMMC back to NIST documents.

You are planning for CMMC Level 3. Which set of NIST documents is the **minimum** you should treat as primary technical references for control design and assessment planning?

  A) Only NIST SP 800-171 Rev. 2, because 800-172 is for federal systems only.
  B) NIST SP 800-171 Rev. 2 and NIST SP 800-171A; NIST SP 800-172 is optional background reading with no direct relevance.
  C) NIST SP 800-171 Rev. 2, NIST SP 800-171A, and NIST SP 800-172 (focusing on the subset of 800-172 requirements that CMMC Level 3 adopts).

Answer: C) NIST SP 800-171 Rev. 2, NIST SP 800-171A, and NIST SP 800-172 (focusing on the subset of 800-172 requirements that CMMC Level 3 adopts).

For CMMC Level 3, you must implement all 110 requirements in NIST SP 800-171 Rev. 2 and understand how they are assessed using 800-171A. In addition, Level 3 adds a selected subset of enhanced requirements from NIST SP 800-172, so 800-172 is a primary reference for understanding the intent and depth of those enhancements.

Key Terms

NIST SP 800-172
NIST Special Publication that adds enhanced security requirements on top of 800-171 for systems at risk from Advanced Persistent Threats; CMMC Level 3 uses a subset of these requirements.
Assessment Guide
A document (such as NIST SP 800-171A or the CMMC Assessment Guides) that defines how requirements or practices are to be evaluated, including evidence types and assessment objectives.
CMMC 2.0 Level 2
CMMC level aligned with the full NIST SP 800-171 Rev. 2 control set, applied to organizations handling CUI with specified assessment requirements.
CMMC 2.0 Level 3
CMMC level that includes all Level 2 requirements plus selected enhanced requirements from NIST SP 800-172 to defend against APTs.
NIST SP 800-171A
Assessment guide for 800-171, detailing assessment procedures and objectives for each requirement; used to plan and perform assessments, including those aligned with CMMC Level 2.
Dynamic Isolation
A defensive capability that can automatically or rapidly segment, quarantine, or otherwise isolate components or traffic in response to indicators of compromise, typical of 800-172-style enhancements.
NIST SP 800-171 Rev. 2
NIST Special Publication that defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems; technical basis for CMMC 2.0 Level 2.
Advanced Persistent Threat (APT)
A sophisticated, well-resourced adversary that uses stealthy, long-term campaigns to compromise systems and exfiltrate data, often targeting high-value CUI.
NIST Cybersecurity Framework (CSF)
A risk-based framework for managing cybersecurity, organized around Identify, Protect, Detect, Respond, and Recover; 800-171/172 can be mapped to CSF functions and categories.
Controlled Unclassified Information (CUI)
Information that requires safeguarding or dissemination controls under U.S. law, regulation, or government-wide policy, but is not classified; core focus of 800-171 and CMMC Levels 2 and 3.