CMMC 2.0 maturity levels are tied directly to NIST 800-171-mandated controls
Since CMMC 2.0’s 110 controls are aligned completely with NIST 800-171 requirements, assessment is tied to those requirements. NIST 800-171 controls fall under 14 “families,” shown in the table below.
| CONTROL FAMILIES | TOTAL CONTROLS |
|---|---|
| Access Control | 22 |
| Audit and Accountability | 9 |
| Awareness and Training | 3 |
| Configuration Management | 9 |
| Identification and Authentication | 11 |
| Incident Response | 3 |
| Maintenance | 6 |
| Media Protection | 9 |
| Personnel Security | 2 |
| Physical Protection | 6 |
| Risk Assessment | 3 |
| Security Assessment | 4 |
| System and Communications Protection | 16 |
| System and Information Integrity | 7 |
Key security assessment outcomes
A properly executed assessment will provide a comprehensive analysis of how your systems score against NIST 800-171 security requirements.
Two required — and extremely useful — assessment outcomes are a System Security Plan (SSP) and Plan of Action and Milestones (POAM).
System Security Plan: A detailed, periodically updated plan that documents the full system environment, security system implementation and connections between all systems.
Plan of Action and Milestones: Detailed, formal plans, including timing, for documenting and addressing each gap in NIST 800-171 compliance.
SPRS Score and Submission:
When your assessment is complete, the results must be submitted through the DOD’s Supplier Performance Risk System, or SPRS, a web-based mechanism for housing and retrieving supplier performance information.
Trust an assessment and compliance expert
The assessment process can be complex and time-consuming. CyberSheath is an expert. We have completed hundreds of NIST 800-171 assessments to date and counting.