(Hint: Comply with NIST SP 800-171)

The Department of Defense (DoD) has released updates to its CMMC (Cybersecurity Maturity Model Certification) framework. CMMC 2.0 is a streamlined version of the original model, one that aims to lower costs and simplify the program.

The new framework drops the number of CMMC levels from five to three, including Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). CMMC 2.0 also will permit some defense contractors to self-attest their cybersecurity compliance, as opposed to all having to undergo outside third-party reviews as mandated by CMMC 1.0. Further, unlike the original model, CMMC 2.0 will allow time-limited use of POAMs (Plans of Actions and Milestones) that can be submitted in lieu of meeting certain non-critical security controls (more on this below). CMMC 2.0 also eliminates all of CMMC 1.0’s process maturity requirements.

Importantly, DoD also has dropped the 20 security controls that had been added to the CMMC 1.0 model. This means that requirements for the new Level 2 will be in complete alignment with the 110 security controls of NIST SP 800-171. The new Level 2 certification will indicate that an organization is able to securely store and share Controlled Unclassified Information (CUI)—a matter of high priority for the DoD and the focus of this blog.

If your company does work for the DoD that involves handling CUI—either as a prime or subcontractor—then you will need to achieve at least the new Level 2 certification. The blog is written to help small to mid-size businesses (SMBs) understand the changes made to the CMMC framework, and to help your company get on the best path forward to better security and compliance.

Fact: You already are required to do what the new Level 2 will require

The new CMMC Level 2 requirements will mirror the 110 security controls of NIST SP 800-171, currently in effect. Current cybersecurity regulations are specified by the DoD in the Defense Federal Acquisition Regulation Supplement, released in 2015 and commonly known as DFARS. The DFARS mandated that, by the end of 2017, defense contractors would need to have built their cybersecurity infrastructure according to the 110 security controls specified in NIST SP 800-171. The National Institute of Technology and Standards (NIST) developed those security controls specifically to protect CUI.

Since 2017, defense contractors have been permitted to self-assess their compliance with NIST SP 800-171. Beginning in late 2020, however, DoD began to require not only that self-assessments be conducted, but also that the scores from those assessments be filed with the DoD’s Supplier Performance Risk System, known as SPRS.

If a defense contractor’s SPRS score falls below the highest possible NIST SP 800-171 score of 110, they are required to create a POAM—again, a Plan of Action and Milestones—and indicate when the controls they have not yet met will be met.

CMMC 2.0 will continue to permit the use of POAMs to show compliance, but with two critical changes from current practice: First, POAMs will be acceptable only for a limited number of lower-risk controls. It won’t be possible to defer on controls that are fundamental to the protection of CUI. Second, once CMMC 2.0 is implemented, the DoD intends to impose limits on how long contractors can take to meet the controls they’ve had to write POAMs for. The DoD has indicated that the time limit will be 180 days.

That means that under CMMC 2.0, the reprieve from security controls that POAMs have historically offered—given that the timelines contractors committed to in them often haven’t been enforced—will be short-lived.

To summarize:

  • Defense contractors have been required to comply with NIST SP 800-171 since 2017.
  • The new CMMC Level 2 security requirements will be in complete alignment with the 110 security controls of NIST SP 800-171.
  • Once CMMC 2.0 is implemented, POAMs will be acceptable only for a limited number of lower-risk security controls.
  • The reprieve that POAMs historically have offered will be short-lived: the DoD has indicated that contractors will have six months to remediate the security gaps identified in their POAMs

If you’re a defense contractor—or you’d like to be part of the Defense Industrial Base (DIB)— now is the time to act. The goal is not just to win defense contracts, but also to secure your data, minimize business risk, and to protect yourself and your company against federal enforcement of cybersecurity regulations. Given today’s high-risk cyber environment, enforcement is being stepped up on several fronts, as described in the next section.

Enforcement has ramped up—and will continue to do so

The CMMC initiative is part of a larger effort of renewed scrutiny and enforcement of cybersecurity regulations by the DoD and others. DFARS 252.204-7012, NIST SP 800-171, and ITAR remain the law of the land and are required for handling CUI or ITAR data in the performance of many DoD contracts. Incident reporting, forensic snapshots, FIPS 140-2 encryption, and all 110 NIST 800-171 controls are required in full effect for companies handling CUI or ITAR data.

The Defense Contract Management Agency (DCMA) enforces DFARS compliance through its auditor, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DIBCAC—the DoD’s ultimate authority on compliance—has announced plans to increase the size of its audit staff in response to the very clear need to improve security in the Defense Industrial Base. Just like the IRS can audit any taxpayer, the DIBCAC can select any defense contractor for a NIST SP 800-171 audit. To defend yourself against an audit, be sure that your company is implementing adequate data protections and is well along the path toward achieving a 110-point SPRS score.

For its part, the US Department of Justice (DoJ) has launched a Civil Cyber-Fraud Initiative to hold contractors more accountable for cybersecurity. DoJ is utilizing the power of the False Claims Act to help enforce cybersecurity compliance, and is encouraging whistleblowers to come forward via a hotline established for that purpose. A new DoJ task force will focus on investigating reports of contractors choosing to withhold reports of breaches or falsifying claims on SPRS. The consequences of withholding information or submitting false SPRS scores are severe.

In a key related effort, when CMMC 2.0 is implemented, SPRS scores will need to be signed off by a company executive, who will be held accountable for the validity of the score. Currently, any employee can sign off on the NIST SP 800-171 self-assessment score; that most often falls to IT staff. This new CMMC 2.0 approach is akin to the responsibility corporate leaders in the financial realm had to take on when the Sarbanes-Oxley Act was adopted nearly 20 years ago in response to a string of highly visible financial scandals. Given how effective Sarbanes-Oxley has been in improving the accuracy of financial reporting, that model is now being followed by the DoD.

Finally, recent DFARS requirements have raised the stakes for prime contractors by placing responsibility squarely on their shoulders for confirming that their suppliers are submitting accurate SPRS scores—and to take action by dismissing those that do not make the grade.

Now is the time to focus on achieving NIST SP 800-171 compliance

Now is the time to implement a compliant cybersecurity program—contractors won’t have time to react later when CMMC 2.0 becomes law over the next nine to 24 months, nor when a DIBCAC audit is coming their way or a prime starts asking tough questions.

The key to achieving NIST SP 800-171 compliance is to implement technology solutions in conjunction with appropriate policies and procedures to ensure the security of CUI. But most widely-deployed commercial systems used to store and share CUI—such as Microsoft O365, Gmail, or Exchange email—do not comply with NIST SP 800-171 requirements. Organizations using those standard commercial solutions will need to adopt new platforms to improve their cybersecurity.

In an actual recent use case, a small defense contractor prepared for a rigorous DIBCAC audit by deploying PreVeil as an overlay to its O365 system for all its users handling CUI. Users then simply dragged and dropped sensitive data and CUI into folders in their PreVeil Drive, and began using PreVeil Email for sensitive communications, knowing that all communication between PreVeil users is automatically end-to-end encrypted. This simple deployment led to compliance with NIST SP 800-171’s most important controls—that is, the controls critical for the protection of CUI (and, importantly, the controls that PreVeil expects the DoD will not allow POAMs for once CMMC 2.0 becomes law).

Upon conclusion of a thorough and demanding audit, DIBCAC certified that the contractor met 109 of the 110 NIST SP 800-171 controls. Remarkably, its near-perfect score of 109 placed this small defense contractor alongside the nation’s top prime contractors for cybersecurity. Under CMMC 2.0, the contractor would have been deemed to be Level 2 compliant. Without PreVeil’s advanced security and compliance features to protect CUI, the SPRS score would have been significantly lower.

This case study is a textbook example of how your small or mid-size company, too, can achieve NIST SP 800-171 compliance now and be Level 2 certified later when CMMC 2.0 becomes law.

To learn more about this use case, see PreVeil’s brief, Case Study: How a Defense Contractor Achieved a Near-Perfect NIST SP 800-171 Score in DIBCAC Audit.

PreVeil also has written a brief, DFARS Self-Assessment: How to Raise Your NIST SP 800-171 Score, which shows specifically how PreVeil can help raise your company’s NIST SP 800-171 self-assessment score by nearly 40 points.


The new CMMC Level 2 security requirements will be in complete alignment with the 110 security controls of NIST SP 800-171—which defense contractors have been required to comply with since 2017. DoD’s current requirements to protect CUI are in effect while CMMC 2.0 works its way through the federal rulemaking process, and enforcement has been ramped up.

If you’re a small to mid-size business in the DIB, noncompliance with current federal cybersecurity requirements carries significant personal and business risks. Without question, SMBs that do work for the DoD need to maintain their efforts to secure their data and continue to raise their NIST SP 800-171 scores towards the goal of 110. Companies that are prepared and compliant, with a high NIST SP 800-171 score and few POAMs, will have competitive advantages when contracts are awarded, audits happen, and CMMC 2.0 is implemented.

PreVeil can help your company improve its cybersecurity and raise its NIST SP 800-171 score. PreVeil was designed from the ground up based on modern Zero Trust principles and uses end-to-end encryption to protect your company’s sensitive information and CUI. PreVeil needs to be deployed only to your employees that handle CUI. The PreVeil platform deploys in hours, not months, with no disruption to existing IT systems. One key benefit of a simple-to-deploy system is that is costs far less to own and manage.

But better security isn’t enough: if security is difficult to use, it won’t be used. To be effective, security must be as frictionless as possible. PreVeil was created with this principle in mind so that your employees will actually use PreVeil for storing and sharing sensitive data. In turn, your company will be poised for a near-perfect NIST SP 800-171 score, and ready to achieve the new CMMC Level 2 when that becomes law.

Learn more about CMMC 2.0

To learn more about CMMC 2.0, what your company needs to do to comply, and how PreVeil can help, see PreVeil’s paper, Complying with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), which has been downloaded more than 1,500 times by defense contractors.