CMMC Compliance Guide

NIST 800-171 and CMMC 2.0: How Assessors Actually Score You

CMMC Compliance Guide Episode 41

Submit any questions you would like answered on the podcast!

Are assessors judging you on CMMC or NIST 800-171 when audit day arrives?

In this episode of the CMMC Compliance Guide Podcast, Stacey and Brooke break down the real relationship between CMMC 2.0 and NIST 800-171 so you are not guessing when it matters most.

We walk through how the 110 NIST 800-171 controls and 320 assessment objectives drive your CMMC Level 2 certification, and what CMMC layers on top, including POA&M limits, timelines, and who is allowed to certify you. You will hear practical examples around SPAs (security protection assets), cloud tools, customer responsibility matrices, FedRAMP, and how assessors actually validate things like MFA, logging, and scope.

We also explain the difference between a NIST self-assessment and a CMMC Level 2 certification by a C3PAO, clear up common misconceptions about "being NIST compliant", and talk about False Claims Act risk when SSPs, inventories, and controls are not kept current. Finally, Brooke shares a step-by-step path for contractors: identify your CUI, scope systems, run a gap analysis, build your SSP and POA&M, collect evidence, and engage a C3PAO for a mock and full assessment.

If you are a small or mid-sized defense contractor trying to get ready for 2026, this episode will help you focus on what assessors really care about so you can prepare with confidence.

Need help getting your SPRS score to 110 before the New Year?
Schedule your free SPRS Roadmap Session: https://cmmccomplianceguide.com/free-sprs-roadmap

SPEAKER_00:

Hey there. Welcome to the CMMC Compliance Guide podcast. I'm Stacey.

SPEAKER_01:

And I'm Brooke.

SPEAKER_00:

From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track. Today's topic gets right at the heart of the confusion: do assessors judge you on CMMC or NIST 800-171? If you're wondering which one really matters when the assessment comes around, this episode is for you. All right, Brooke, a good place to start is: what is the actual relationship between CMMC 2.0 and NIST 800-171?

SPEAKER_01:

Well, NIST 800-171 is the foundation; it's the list of controls that CMMC is built upon. There are 110 controls, and if you look at NIST 800-171A, there are 320 assessment objectives. So NIST 800-171 is the controls, basically, and CMMC is an overlay on top of it that gives further description and clarification. One of the things CMMC does is clarify a few things, like that MSPs are, for the most part, considered an SPA unless they handle CUI in their systems. SPA is security protection asset, because generally MSPs are going to help you with the security on your network at some level, hopefully. And CUI is controlled unclassified information; that is the protected information this is all about. Generally a lot of MSPs are not going to be handling CUI directly on their systems. They may have access to it, which gives them access to the CUI on the client systems, but their own systems aren't necessarily going to be under CUI. CMMC clarified all that.

CMMC certifications and accreditations are managed by the Cyber AB and the CAICO. CMMC also specifies levels one through three. CMMC Level 1 is self-assessment only. CMMC Level 2 can be self-assessment, but for the most part it's going to be a Level 2 certification, so certification by a C3PAO. A C3PAO is a CMMC third-party assessment organization. And then Level 3; there are going to be some of those. Again, CMMC spells out those levels, where NIST 800-171 does not. CMMC Level 3 is going to be a lot fewer organizations than Level 2, and it's going to require your Level 2 certification assessment, and then DIBCAC is going to come in on top of that and do the rest of your Level 3 assessment.

Under NIST 800-171, POA&Ms are pretty wide open; there's not a lot of specificity about them. However, CMMC has put some restrictions and clarifications around your POA&M. Technically, before they defined the latest versions of CMMC, as far as NIST 800-171 goes, you had to put as many of the controls as you could in place, and then you create a POA&M, which is your plan of action and milestones. It's a list of stuff to do to be compliant. So once you wrote all your policies and your SSP, put as many controls as you could in place, and then defined everything on the POA&M and put some sort of timeline on it, which could be 50 years out, I guess (you probably wouldn't want to make it that), under NIST 800-171 you're complying after that. But CMMC came in and said we need to put some timeline on this and restrict what can go on that POA&M. If you look at the scoring methodology, there are one-pointers, three-pointers, and five-pointers. None of the five- or three-pointers can go on a POA&M, and there are certain one-pointers that cannot go on a POA&M. Then, if you are able to have a POA&M of things that can go on a POA&M, you have 180 days to clear it up. So six months; you have to clear it up. That's all CMMC; that is not NIST 800-171.

Another thing I have here is that with CMMC, only C3PAOs can do a Level 2 certification. They're the only ones that can certify against CMMC. Anybody could come in and assess your organization against NIST 800-171, but that assessment doesn't necessarily mean a whole lot, especially to the Department of Defense. The Level 2 certification by a C3PAO, that's golden, and that's what you need. That's what most people need, I should say, not everybody. So the short answer is you're preparing for CMMC. Yes, you do have to cover all the controls and all the assessment objectives for NIST 800-171, but then you also have to keep in mind all the stuff that CMMC layers on top.

SPEAKER_00:

So, Brooke, when assessors show up on assessment day, what are they actually looking for and looking at?

SPEAKER_01:

Well, they're looking to make sure that you have all of the 110 controls from NIST 800-171 complete, and they'll also look at the 320 assessment objectives inside those 110 controls. Each of those controls can have one to six assessment objectives that go along with it. That's what tells the assessor: look through here and look at these assessment objectives. If they're met, then that control is met. And it'll tell them exactly how to look for them, exactly what to do. So that's what they're assessing against. For the most part that takes care of NIST 800-171, but you also have to keep CMMC in mind. So for things like a security protection asset that has security protection data in it, an SPA that has SPD, if it's not FedRAMP (and it doesn't need to be FedRAMP necessarily; if it is, great), but if your SPA is not FedRAMP and it's a cloud solution, then you're going to want to make sure that you have a complete customer responsibility matrix, a CRM, for that. The assessor is going to want to see that. NIST 800-171 says nothing about that, but that's what you'll need to make sure you have. And of course they're not just going to trust what you say. Do you have MFA configured? Oh yeah, got it taken care of. All right, well, show me. Here's your CUI data flow diagram, and it says you have it on the server, so let me see your MFA for when you access the server. Great. It says you also have it in this cloud ERP, so show me that your cloud ERP, one, is FedRAMP, but also show me that it has MFA on it. They'll want to see that and understand that. Those are the kinds of things they'll be looking for.

SPEAKER_00:

So for the contractors listening and they're trying to get everything ready, should they start with NIST or CMMC?

SPEAKER_01:

Well, you should start with NIST. Absolutely. You should start with NIST 800-171, Revision 2. That's the other thing CMMC says: CMMC is locked into Revision 2 of NIST 800-171. So pay attention to that one, not Revision 3. Revision 3 is current; Revision 2 has been superseded by Revision 3, and you'll see that when you go look at the website; it'll tell you it's been superseded. But you still look at Revision 2. That'll be the case for the foreseeable future, until they get this all rolled out, and then they'll look at changing the rule to stay current.

But I digress; you asked about starting to get ready. You should look at NIST 800-171. You also really do need to keep in mind that if you pay attention to just the NIST controls and assessment objectives, you have the potential to get yourself in trouble by not thinking about all the stuff that CMMC layers on top of it. So you need to think about those as well. But really, you look at those controls and implement all the security controls. If there's something you need to change, a cloud provider or something like that, you just need to make sure you take it all into account. So if you're just implementing MFA like NIST 800-171 says, sure, go implement it everywhere you need to implement it. But if it's having a cloud provider come in and provide a SIEM, for instance (a SIEM is security information and event monitoring), if you're looking at a cloud provider providing that for you, that's something NIST 800-171 and CMMC don't necessarily call for, but if you look at the assessment objectives and the controls around that, it really does kind of call for a SIEM. Really, if you're not putting a SIEM in place these days anyway, you're negligent, because there are way, way too many logs to even think about trying to look through. But aside from chasing that rabbit, if you're looking at putting something else in place, like a cloud SIEM, then you really want to take the whole picture, not just NIST 800-171 but CMMC as well.

SPEAKER_00:

So for those listening, what's the real difference between a NIST self-assessment and a CMMC certification?

SPEAKER_01:

Well, for a NIST self-assessment, you have to use NIST 800-171A and assess yourself using the scoring methodology that the DoD put out. You go through and score yourself, and you start at 110. There are one-pointers, three-pointers, and five-pointers. You start at 110, and if you don't meet a control that's a five-pointer, you deduct five points, so that 110 just became 105. If you don't meet any of the controls, you can end up, I believe, at a minus 203 or something like that; you can end up at a huge negative score. You can even end up at a pretty good negative score and have a few things in place. So don't let it alarm you too much; you just know you have a lot of work to do. That's what a NIST assessment is: you do a self-assessment on your environment, and I would encourage you to do that along the way anyway. In fact, if you're already in SPRS, the SPRS system, you've already had to do that.

The CMMC certification really is a CMMC Level 2 certification, and it's an assessment by a C3PAO. An outside organization comes in and assesses you against NIST 800-171 with all the CMMC stuff layered on top of it. They'll assess you against all that, and then they will score each of the controls as met or not met. Hopefully they're all met, and when you're done they'll issue your Level 2 certification, and you'll have a nice, pretty new certification that you can use to say, hey, Mr. Government, I'm ready for my contracts. The other way it might go is the C3PAO might come in and say: good, you've got all your five-pointers, you've got all your three-pointers, they're all met. Most of your one-pointers are met, and you have one, two, three, four, whatever one-pointers that need to go on a POA&M, and you need to address those. And luckily, these are ones that you can put on your POA&M. So, Mr. Organization Seeking Certification, you now have 180 days to get your POA&M cleared, to get everything on that POA&M complete, and call us back out to verify that it's complete. If you do that, then after 180 days, or sometime between one and 180 days, I guess (if they leave, I can almost guarantee you can't get them back in a day), but the point is, between one day and 180 days you call them back out to come finish that up, and at that point, as long as they agree that you've met everything now, you get your Level 2 certification.

SPEAKER_00:

Moving on to some common misconceptions, can you delve into the biggest misconceptions that maybe our listeners may have about NIST versus like CMMC?

SPEAKER_01:

Sure. CMMC doesn't replace NIST; it just builds on top of it. It uses those controls, and it's going to continue to use those controls. Like I said, right now we're locked into Revision 2. Eventually, a few years down the road, four years down the road maybe, who knows, they'll look at releasing another rule that says now we're going to keep up, and most likely the next time you have an assessment it'll have to be at the current revision of NIST 800-171. There are changes, some significant changes. There's the same basic number of controls for Revision 3, but there are some changes in it that'll require you to possibly put some other things in place if you don't already have them.

I kind of alluded to this a minute ago, but if you're NIST 800-171 compliant, that does not mean you are CMMC certification ready. It doesn't guarantee CMMC certification. As I said, there are things that CMMC layers on top of NIST 800-171. I think I've said that a hundred times already, but that's what some people have asked us about.

Another one is that CMMC is one and done: hey, I just want to hire you to come and put these things in place for us, and we'll be good. You don't necessarily have to keep us around, that's true, but CMMC, or even NIST 800-171, is not a one-and-done thing. It's built for ongoing management and monitoring, and proof that you have ongoing management and monitoring. That's what it's all about: ongoing management and monitoring of the security of that system and of the CUI that you protect.

And the other one is that only the main contractors need CMMC. It'd be too hard for me to check and see which of my subs have CMMC and which ones don't, and they're not going to get it because they're not big enough. Well, guess what? CMMC has always had a flow-down rule. There is flow-down, and not only does the contractor have to have it, but their subcontractors have to have it. And if their subcontractors have subcontractors, they have to have it. And if those subs have subs, they have to have it. So it flows down as far as that CUI goes. Now, if that CUI does not actually go out to that subcontractor, then no, they don't have to be CMMC Level 2, or whatever level you're at; they don't have to be CMMC compliant. But if any part of that CUI actually does go to those subs, they absolutely have to be compliant. And you have to do your due diligence: make sure that you've asked and they've crossed their heart, hoped to die, showed you their score, showed you their certification, or something that shows you they're compliant. If you've done your due diligence but they're really not, hopefully you've done some sort of due diligence that takes care to make sure, but there's only so much you can do. If somebody's lying, they're lying. But it is incumbent upon you to make sure that your subs are at the same level as you.

SPEAKER_00:

Are there any repercussions that contractors can fall under if they fall under maybe a misconception where they fail to meet requirements for NIST 800-171 or CMMC?

SPEAKER_01:

Absolutely. We're talking about the False Claims Act. If you've got everything covered and it's all documented and you did everything like you said you were, and something still happens, then you're probably okay. There may be other things that you need to implement, there may be whatever. There are always zero-day vulnerabilities and exploits, and you can guard against them to some degree as well; you at least need to be aware of them when they happen so you can address them before it happens to you. But aside from that, what the False Claims Act is, is what it sounds like: a false claim. Say, yes, I've met all these controls and I've got them all in place, yet you didn't tell the assessor that you had this other system that had CUI in it that is not under the same controls. And so if there's a whistleblower, or if there's an incident and it comes to light that that system is not really under control and you just kind of left it out because you didn't want to deal with it, or whatever the case may be, you just didn't secure that system and you knew it was there and kept using it, that's a false claim. There are several of them you can look up, and what I can tell you off the top of my head is that the huge majority of them are whistleblower claims. So they said, look, this company says they're meeting CMMC standards and that they're all compliant, and they're not. If you're just blatantly not taking care of your stuff, then yes, you're a False Claims Act case waiting to happen. One that was more recent is MORSE Corp, which failed to maintain an updated SSP under NIST 800-171 and ended up paying $4.6 million under the False Claims Act.

DoD audits show the most common failures include missing or weak MFA, failing to update system inventories, poor incident response testing, and outdated SSPs. So again, this goes back to: if you're just not doing something you say you're doing, that's waiting for a False Claims Act case to come up. And part of this, if you paid attention, is outdated SSPs and failing to update system inventories. Guess what? That's ongoing monitoring and maintenance. If you fail to update your SSP when things change a little bit, or you don't update your system inventories on some sort of regular basis (you should have it spelled out how often you keep your inventories updated and how often you update different things in your SSP), if you fail to do that, that's the ongoing monitoring part I was telling you about, and that is a false claim, because you said, yes, we do this and we keep it up to date. So be careful of that; be careful of the False Claims Act. Even if you put everything in place at the beginning, like I said, it is not once and done. It is not one time and it's over; it is ongoing. Yes, it is a headache; yes, there is a whole lot more management to it. You can't just set it and forget it. Even forgetting about CMMC, in the regular world, the old days of hiring some IT guy to come in and put in Microsoft Office and an antivirus, or an ERP system, and then just walk away and you're done, those days are long, long gone. All those systems need to be updated. Everything from the ERP systems to Windows, Mac, Linux, Microsoft Office, everything requires security updates. I can tell you that because there are vulnerabilities being found all the time. And that's another thing: the systems have to be in support and able to get those security patches. So if you're using Windows XP, good luck; it needs to be off the network. You need to think about those things. It's not a one-and-done thing. It hasn't been in just normal IT circles for a long time, but especially here with CMMC, with all this documentation and management, it is not a one-and-done. It's an ongoing management thing.

SPEAKER_00:

So for any contractors listening right now, what should they be doing right after this episode that can help them cover both NIST 800-171 and CMMC?

SPEAKER_01:

Get busy. Really, first of all, you need to figure out what CUI you have. How do you know you have that CUI? Does somebody just tell you and you guess it's there somewhere? Hopefully you're starting to see it come through documented and marked. Don't laugh, don't fall out of your seat; I know that's funny. But CUI is starting to come through marked as CUI more and more, and that's a good thing. There is a tendency of some to overmark things, but then there's also a tendency to not mark because they don't want to overdo it, because, believe it or not, that's a headache on them also. But make sure you know what kind of CUI you have, because that'll matter when you scope your systems.

Speaking of scoping, the next thing is to scope all your systems out. Figure out where that CUI is processed, where it's stored, and where it's transmitted. Not just where you store it, but where it's processed and transmitted as well, because anything that processes, stores, or transmits CUI is in scope. So even if you download it from a prime's portal and put it right into your enclave, guess what? It just touched that computer you downloaded it on; you transmitted it to and from and processed it on that computer, and that computer's in scope. You've got to think about those things. Make sure you scope all your systems and scope them properly.

So: know your CUI, scope your systems, then run a gap analysis. Just do a regular gap analysis and figure out where your gaps are. That could be just a manual look at things, writing them down. That could include running a scan of your network. It can't just be a scan of your network; that doesn't tell you everything. I would take NIST 800-171, all the assessment objectives, and go through all those and make notes by each one of them and see where you're at and what needs to be done. From there you can develop your SSP and develop your scope, and if you need to change your scope after you assess, figure out what you want your scope to be. Then you develop your SSP and develop your POA&M, which is all the stuff that's not done that needs to be done. Implement the high-value controls first. After that, I would say implement the easiest things; get all the low-hanging fruit. Get all that stuff in as quickly and easily as you can, so you can get it in without much chatter from upper management or executives about how much it costs. Get all those easy wins. And along the way, make sure you're collecting evidence for all those assessment objectives. I would collect the evidence based on assessment objectives. It may be the same evidence for some of those, but make sure you gather it and tag it for those assessment objectives.

Once you get everything in place, once you get your POA&M done, I would highly suggest doing a mock assessment. A mock assessment is just like a normal assessment; they go through the whole thing, and it doesn't cost as much. When you're talking about cost, it's all relative; it's just money. Where a full C3PAO Level 2 certification assessment may cost, we'll just say $60,000, a mock assessment is typically somewhere around $30,000, or it may be a little less than that. It depends on how the C3PAO does things. They all do things just a little bit differently, but that's the basis of how it works. It may be a little bit different, and I'm not saying which is better or not. And I'm definitely not saying go pick the lowest bidder on that either. So do a mock assessment with a C3PAO.

The other thing I have here, which I should have put before doing a mock assessment, is to engage a C3PAO early and interview several C3PAOs. We have ones that we like; I'll just say we have ones that we like, because we know that they are not trying to stick it to people. They're trying to make sure they understand what you have and that you have these controls implemented and actually implemented. So not just a very narrow view of how that might be implemented; they're trying to understand. So engage that C3PAO early. They're getting backed up on their schedules. This is early in December here, and I haven't talked to one since before Thanksgiving, but at that time they were three months out, or even more than that. There are some that are booked out through most of next year, but you can still find good ones that are maybe three months out. So engage that C3PAO, interview several, decide on one, engage that C3PAO, and then do a mock assessment, and then from there you can move on and do your actual assessment.

SPEAKER_00:

If you have questions about what we covered, reach out to us. We're here to fast-track your compliance journey. Text, email, or call in your questions, and we'll answer them for free here on the podcast. You can find our contact info at cmmccomplianceguide.com. Stay tuned for our next episode. Until then, stay compliant, stay secure, and make sure to subscribe.