CMMC 2.0 maturity levels are tied directly to NIST 800-171-mandated controls

Because the 110 CMMC 2.0 controls are aligned completely with the NIST 800-171 requirements, a CMMC assessment is conducted against those same requirements. NIST 800-171 groups its requirements into 14 control "families"; the families and the number of requirements in each are shown in the table below.

Control family                          Number of requirements
Access Control                          22
Audit and Accountability                9
Awareness and Training                  3
Configuration Management                9
Identification and Authentication       11
Incident Response                       3
Media Protection                        9
Personnel Security                      2
Physical Protection                     6
Risk Assessment                         3
Security Assessment                     4
System and Communications Protection    16
System and Information Integrity        7

Key security assessment outcomes

A properly executed assessment will provide a comprehensive analysis of how your systems score against NIST 800-171 security requirements.

Two required — and extremely useful — assessment outcomes are a System Security Plan (SSP) and Plan of Action and Milestones (POAM).

System Security Plan: A detailed, periodically updated plan that documents the full system environment, how each security requirement is implemented, and the connections between all systems in scope.

Plan of Action and Milestones: Detailed, formal plans, including target dates, for documenting and remediating each gap in NIST 800-171 compliance.

SPRS Score and Submission: When your assessment is complete, the results must be submitted through the DoD's Supplier Performance Risk System, or SPRS, a web-based mechanism for housing and retrieving supplier performance information.