Why is there a page for NIST SP 800-171 on a CMMC website?
The NIST standard, as described in a document named “NIST Special Publication 800-171”, is a set of 110 security best practices that are CURRENTLY required for all DoD contractors that deal with Controlled Unclassified Information.
You can tell if your contract requires NIST SP 800-171 by looking for a contract clause that calls out “DFARS 252.204-7012”. If this is the case, you should also check out the DFARS 252.204-7012 page.
In other words, if you are a DoD contractor that is concerned about CMMC, there is a decent chance that you should be following NIST SP 800-171 already.
These 110 best practices are extremely relevant to CMMC, and are re-used for almost all of the CMMC Level 1, Level 2, and Level 3 practices.
During the gradual rollout of CMMC, most contracts will not require CMMC certification. Contracts that process Controlled Unclassified Information (CUI) WILL still require NIST 800-171 until that point. So it is always a good idea to get compliant with 800-171 first, then worry about CMMC afterwards.
Official NIST homepage for SP 800-171 v2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
NIST homepage for assessing compliance with SP 800-171: https://csrc.nist.gov/publications/detail/sp/800-171a/final
If you know of other official or helpful resources, please comment to help others! I’ll add the links to this page.