Why is there a page for NIST SP 800-171 on a CMMC website?
The NIST standard, as described in a document named “NIST Special Publication 800-171”, is a set of 110 security best practices that are CURRENTLY required for all DoD contractors that deal with Controlled Unclassified Information.
You can tell if your contract requires NIST SP 800-171 by looking for a contract clause that calls out “DFARS 252.204-7012”. If this is the case, you should also check out the DFARS 252.204-7012 page.
In other words, if you are a DoD contractor that is concerned about CMMC, there is a decent chance that you should be following NIST SP 800-171 already.
These 110 best practices are extremely relevant to CMMC, and are re-used for almost all of the CMMC Level 1, Level 2, and Level 3 practices.
During the gradual rollout of CMMC, most contracts will not require CMMC certification. Contracts that process Controlled Unclassified Information (CUI) WILL still require NIST 800-171 until that point. So it is always a good idea to get compliant with 800-171 first, then worry about CMMC afterwards.
Resources for NIST SP 800-171
Please go to our DFARS 252.204-7012 page for the full list of NIST SP 800-171 resources.
If you know of other official or helpful resources, please comment to help others! I’ll add the links to this page.