CMMC COMPLIANCE GUIDE
You already self-assessed against NIST 800-171. Now CMMC Level 2 requires a third-party assessor to verify those same 110 controls. Here is the complete control-by-control mapping — and what your current SPRS score actually means for certification.
THE COMPLIANCE SHIFT
Defense contractors have been required to implement NIST 800-171 since DFARS 252.204-7012 took effect in 2017. Most posted a self-assessment score in SPRS and moved on. CMMC changes the game by adding an enforcement layer: an independent assessor walks through every control, reviews your evidence, and decides whether you pass or fail.
The controls did not change. What changed is that someone other than you is checking the work.
CONTROL-BY-CONTROL MAPPING
Every NIST SP 800-171 Rev 2 security requirement maps directly to a CMMC Level 2 practice. The table below shows the 14 control families, the number of requirements in each, and the CMMC domain identifier. There is no translation needed — the controls are the same. What changes is how you prove you implemented them.
| NIST 800-171 Family | CMMC Domain | Abbrev | Controls | Key Focus Areas |
|---|---|---|---|---|
| 3.1 Access Control | Access Control | AC | 22 | RBAC, least privilege, remote access, wireless, mobile, CUI flow |
| 3.2 Awareness & Training | Awareness & Training | AT | 3 | Security awareness, role-based training, insider threat |
| 3.3 Audit & Accountability | Audit & Accountability | AU | 9 | Centralized logging, audit trail protection, correlation, retention |
| 3.4 Configuration Management | Configuration Management | CM | 9 | Baselines, change control, least functionality, software restrictions |
| 3.5 Identification & Authentication | Identification & Authentication | IA | 11 | MFA, password complexity, authenticator management, replay resistance |
| 3.6 Incident Response | Incident Response | IR | 3 | IR plan, testing, DFARS 72-hour reporting |
| 3.7 Maintenance | Maintenance | MA | 6 | Controlled maintenance, remote maintenance, media sanitization |
| 3.8 Media Protection | Media Protection | MP | 9 | CUI marking, transport, sanitization, storage, backup |
| 3.9 Personnel Security | Personnel Security | PS | 2 | Screening, personnel actions (termination/transfer) |
| 3.10 Physical Protection | Physical Protection | PE | 6 | Facility access, visitor logs, monitoring, alternate sites |
| 3.11 Risk Assessment | Risk Assessment | RA | 3 | Risk assessments, vulnerability scanning, remediation |
| 3.12 Security Assessment | Security Assessment | CA | 4 | Periodic assessments, POA&M, continuous monitoring, SSP |
| 3.13 System & Comms Protection | System & Comms Protection | SC | 16 | Boundary protection, encryption, session termination, FIPS crypto |
| 3.14 System & Info Integrity | System & Info Integrity | SI | 7 | Flaw remediation, monitoring, alerting, threat intelligence |
| Total | | | 110 | |
WHERE SELF-ASSESSMENTS BREAK DOWN
Here is the part most contractors miss: a passing self-assessment score does not mean you will pass a CMMC assessment. Self-assessments are graded on the honor system. A C3PAO assessor is going to pull back the curtain and look at actual evidence — configuration screenshots, policy documents, log exports, access reviews.
These are the control families where the gap between "we self-assessed a MET" and "we can prove it to an assessor" is widest:
Access Control (AC), the largest family, covers everything from role-based access to mobile device encryption to CUI flow enforcement. Most contractors have MFA and basic access policies. Few have documented least-privilege reviews, portable storage controls, or CUI-specific data loss prevention. AC is where self-assessment scores inflate the most.
SC catches organizations still running flat networks with legacy VPN. Split tunneling prevention (SC.L2-3.13.7), boundary protection (SC.L2-3.13.1), and FIPS-validated cryptography (SC.L2-3.13.11) require specific architectural choices. If your remote workers can bypass the security stack by disconnecting from VPN, you have an SC problem.
Every vendor in your stack generates logs. But are they flowing to a centralized SIEM? Can you correlate events across systems? Can you prove the logs have not been tampered with? AU requires centralized aggregation, cross-system correlation, protected storage, and defined retention — not just "we have logging enabled."
The pattern is clear: most self-assessment gaps are not about whether you have the technology. They are about whether you can demonstrate the technology is configured, monitored, and documented in a way that satisfies an independent assessor.
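The AU question above, "can you prove the logs have not been tampered with?", is one an assessor will actually test. The following is an added illustration, not code from this guide or from Ridge IT, of the usual answer: each audit record carries a keyed hash (HMAC) over the previous record's hash plus its own content, so any edit, deletion, or reordering breaks the chain. The events, the key, and the field names are constructed for the example; a real deployment keeps the key in a KMS or HSM that the log host cannot reach, and periodically anchors the chain head somewhere the SIEM cannot alter.

```python
import hashlib
import hmac
import json

# Constructed sample events (not from the page). In practice these are the
# records exported from the SIEM or syslog pipeline, one dict per line.
SAMPLE_EVENTS = [
    {"ts": "2026-03-01T08:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2026-03-01T08:05:12Z", "user": "alice", "action": "read", "obj": "CUI/contract-42.pdf"},
    {"ts": "2026-03-01T08:07:41Z", "user": "bob", "action": "login", "result": "failure"},
]

# Assumed key for the example only; production keys live in a KMS/HSM
# that the system writing the logs cannot read.
SECRET_KEY = b"example-key-not-for-production"

GENESIS = b"\x00" * 32  # chain value "before" the first record


def _canonical(event):
    """Deterministic byte encoding so the same event always hashes the same."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events, key=SECRET_KEY):
    """Wrap each event in a record whose MAC covers the previous MAC and the event.

    Returns a list of {"event", "prev", "mac"} dicts; the last record's "mac"
    is the chain head that should be anchored out of band.
    """
    chain = []
    prev = GENESIS
    for event in events:
        mac = hmac.new(key, prev + _canonical(event), hashlib.sha256).digest()
        chain.append({"event": event, "prev": prev.hex(), "mac": mac.hex()})
        prev = mac
    return chain


def verify_chain(chain, key=SECRET_KEY, expected_head=None):
    """Recompute every link. Returns (ok, index_of_first_bad_record_or_None).

    Modification and deletion in the middle show up as a link mismatch at the
    first affected index. Truncation at the end is only caught when the caller
    supplies the anchored head; in that case the reported index is len(chain).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if bytes.fromhex(rec["prev"]) != prev:
            return False, i  # link does not point at the record before it
        expected = hmac.new(key, prev + _canonical(rec["event"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["mac"])):
            return False, i  # record content or MAC was altered
        prev = expected
    if expected_head is not None and prev.hex() != expected_head:
        return False, len(chain)  # trailing records were removed
    return True, None


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["mac"]
    print("intact:", verify_chain(chain, expected_head=head))

    # Edit one field in the middle of the chain.
    edited = [dict(r, event=dict(r["event"])) for r in chain]
    edited[1]["event"]["user"] = "mallory"
    print("edited record:", verify_chain(edited, expected_head=head))

    # Drop the last record; only the anchored head reveals it.
    print("truncated:", verify_chain(chain[:-1], expected_head=head))
```

For an assessor, the evidence is not the code but the procedure around it: where the key is held, how often the head is anchored (for example, written to a separate store or signed with a timestamp), and a record of verification runs over the retention period.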
PHASED ENFORCEMENT TIMELINE
CMMC enforcement is rolling out in four phases. Self-assessment does not disappear overnight, but the window where it is sufficient is closing:
| Phase | Effective Date | What Changes |
|---|---|---|
| Phase 1 | November 10, 2025 | New solicitations require Level 1 or Level 2 self-assessment |
| Phase 2 | November 10, 2026 | Solicitations require Level 2 C3PAO certification |
| Phase 3 | November 10, 2027 | Level 3 certification required for advanced programs |
| Phase 4 | November 10, 2028 | Full implementation — all solicitations and contracts include CMMC |
Phase 2 starts November 2026. If your organization needs C3PAO certification and you have not started remediation, the math is simple: a 16–20 week implementation means you need to begin by Q2 2026 at the latest.
ASSESSMENT COMPARISON
Understanding the gap between self-assessment and certification helps you estimate the work required. Here is what changes when someone else is doing the grading:
| Dimension | NIST 800-171 Self-Assessment | CMMC Level 2 Certification |
|---|---|---|
| Who Assesses | Your own organization | Authorized C3PAO (third-party) |
| Evidence Standard | Self-reported — "we believe we meet this" | Objective evidence — config screenshots, logs, policies, interviews |
| Controls Evaluated | 110 (NIST 800-171 Rev 2) | 110 (same controls, higher evidentiary bar) |
| Scoring | SPRS score (-203 to +110) | MET / NOT MET per practice (no partial credit) |
| Reporting | Score posted in SPRS portal | Assessment report filed with DIBCAC; certificate issued |
| Frequency | Every 3 years + annual affirmation | Every 3 years + annual affirmation |
| Accountability | False Claims Act liability for misrepresentation | False Claims Act liability + independent verification |
| POA&M Allowed? | Yes — document gaps and timeline | Limited — must be closed within 180 days of assessment |
The DOJ's Civil Cyber-Fraud Initiative (October 2021) allows prosecution of contractors who misrepresent their cybersecurity compliance. Aerojet Rocketdyne paid $9M in settlement. The maximum penalty is 3× the contract value. Your own employees can file whistleblower suits if they know you self-attested to compliance you have not actually achieved — and there is a financial bounty for doing so. [2]
HOW RIDGE IT CLOSES THE GAP
Ridge IT is a CMMC Registered Provider Organization (RPO). We conduct a gap assessment against your existing NIST 800-171 posture and build a remediation path to certification-ready — typically in 16–20 weeks.
Our approach uses an isolated CMMC enclave architecture deployed in Azure Government Cloud. The enclave separates CUI-handling operations from your commercial environment, reducing the assessment boundary to only the systems that process, store, or transmit CUI. Every component in the stack is FedRAMP authorized.
| Control Family | Primary Ridge IT Solution | Coverage |
|---|---|---|
| AC — Access Control (22) | Okta SSO/MFA + Zscaler ZPA + Microsoft Entra ID | ✓ |
| AT — Awareness & Training (3) | KnowBe4 Platinum + M365 compliance training | ✓ |
| AU — Audit & Accountability (9) | Microsoft Sentinel SIEM (all 8 vendors as log sources) | ✓ |
| CM — Configuration Management (9) | Intune + Qualys Policy Compliance + DISA STIGs | ✓ |
| IA — Identification & Auth (11) | Okta Adaptive MFA + YubiKeys + CrowdStrike Identity | ✓ |
| IR — Incident Response (3) | Sentinel SOAR + CrowdStrike MDR + Ridge IT SOC | ✓ |
| MA — Maintenance (6) | Intune remote mgmt + Qualys patching + procedural | 4/6 tech + 2 procedural |
| MP — Media Protection (9) | Microsoft Purview AIP + Zscaler DLP + AvePoint backup | ✓ |
| PS — Personnel Security (2) | Procedural (Ridge IT templates) | Procedural |
| PE — Physical Protection (6) | FedRAMP inheritance (Azure Gov) + procedural templates | Inherited + procedural |
| RA — Risk Assessment (3) | Qualys VMDR + CrowdStrike Spotlight + Sentinel | ✓ |
| CA — Security Assessment (4) | Sentinel dashboards + Qualys + all vendor reporting | ✓ |
| SC — System & Comms Protection (16) | Zscaler ZIA/ZPA + M365/Purview + CrowdStrike | ✓ |
| SI — System & Info Integrity (7) | CrowdStrike + Qualys + Sentinel + KnowBe4 | ✓ |
Ridge IT's 8-vendor enclave stack covers all 110 NIST 800-171 / CMMC Level 2 controls. 106 are addressed by technology; 4 (PE and PS domains) require procedural implementations supported by Ridge IT's 41-document compliance template library.
TAKE THE NEXT STEP
Phase 2 certification starts November 2026. Ridge IT maps your NIST 800-171 posture to CMMC readiness and builds the enclave to close every gap.