
Federal Cybersecurity Frameworks Compared


How CMMC 2.0, NIST SP 800-171, NIST CSF 2.0, and FISMA relate — what each requires and who must comply.

Last reviewed: June 4, 2026 (Version v1)

Overview

Government contractors routinely confuse the major cybersecurity frameworks because they overlap. This page lays them side by side so you can see what each one is, who it binds, and how they connect. Keep one thing in mind throughout: every framework below sits *on top of* the generally-applicable legal baseline — the FTC Act, state breach and data-security laws, GLBA, and HIPAA — that already governs any business handling data. The frameworks are what federal work adds; they are not where data-security law begins.

Quick Comparison

Framework | What it is | Who must comply | How it's assessed
FAR 52.204-21 | 15 basic safeguards for FCI | All federal contractors that receive or create FCI | Self-attestation
NIST SP 800-171 | 110 security requirements to protect CUI | Contractors handling CUI | Basic (self), Medium or High DoD assessment; score posted in SPRS
CMMC 2.0 | DoD verification that 800-171 (and, at Level 3, selected 800-172) practices are implemented | DoD/DIB contractors | Self-assessment (L1, some L2); C3PAO certification (L2); DIBCAC assessment (L3)
NIST CSF 2.0 | Voluntary risk-management framework | Anyone (best practice) | Self-directed; not contractually mandated
FISMA | Federal information-security law | Agencies, and contractors operating information systems on their behalf | Agency authorization to operate (ATO)

NIST SP 800-171: The Core CUI Standard

When you handle CUI, NIST SP 800-171 is the standard you implement. A critical nuance as of 2026: DoD contracts under DFARS 252.204-7012 remain tied to Revision 2 and its 110 requirements through a standing DoD class deviation, even though NIST published Revision 3 in 2024. DoD has published "organization-defined parameters" for Rev 3, signaling that it intends to move both DFARS and CMMC to Rev 3, but until your contract says otherwise, Rev 2's 110 requirements are what you must meet and what your SPRS score is measured against. Watch your contract language and SPRS guidance for the transition.

SPRS: the Supplier Performance Risk System, where DoD contractors post their NIST SP 800-171 self-assessment scores. Under DFARS 252.204-7019/7020, a Basic (self) assessment score no more than three years old must be on file in SPRS before award on covered DoD contracts.

CMMC 2.0: Verification, Not a New Standard

CMMC does not invent new controls. It verifies that you have implemented NIST SP 800-171 (and, at Level 3, selected requirements from SP 800-172). Its three levels:

  • Level 1 — basic FCI safeguarding (the 15 requirements of FAR 52.204-21); annual self-assessment and affirmation.
  • Level 2 — all 110 NIST SP 800-171 requirements; annual self-assessment for some contracts, but for most CUI a triennial third-party (C3PAO) certification with annual affirmation.
  • Level 3 — Level 2 certification plus 24 selected SP 800-172 enhanced requirements; government-led (DIBCAC) assessment.

The CMMC contractual rule became effective November 10, 2025, with requirements phasing into solicitations over several years (see the Defense industry page for the rollout timeline).

NIST CSF 2.0 and FISMA

NIST CSF 2.0 (2024) organizes cybersecurity into six functions: Govern, Identify, Protect, Detect, Respond, Recover. It is voluntary and risk-based; many contractors use it as the management layer above their 800-171 controls. FISMA is the underlying federal law requiring agencies, and contractors operating information systems on their behalf, to secure those systems. In practice that means FIPS 199 impact categorization, a tailored NIST SP 800-53 control baseline, and an Authorization to Operate (ATO) granted by the agency.

Which Framework Applies to Me?

  • Handle only FCI? → FAR 52.204-21 (and CMMC Level 1 for DoD).
  • Handle CUI on a DoD contract? → NIST 800-171 + CMMC Level 2 + DFARS 7012.
  • Handle CUI on a civilian agency contract? → NIST 800-171 (watch the proposed FAR CUI rule).
  • Want a management framework on top? → NIST CSF 2.0.

Run the Find My Requirements tool for a tailored answer.

Sources

  • NIST SP 800-171 Rev 2 and Rev 3; NIST SP 800-172; NIST CSF 2.0 (csrc.nist.gov)
  • 32 CFR Part 170 (CMMC Program); DFARS 252.204-7012, 252.204-7019, 252.204-7020

Side by side

Comparison: CMMC 2.0 vs NIST SP 800-171 vs NIST CSF vs FISMA

Plain-English summary of what each framework is, who it applies to, and how it gets verified. Citations and detail are in the body above.

Purpose
    CMMC 2.0: Verify that defense contractors meet 800-171 (and selected 800-172) requirements.
    NIST SP 800-171: Protect Controlled Unclassified Information on non-federal systems.
    NIST CSF 2.0: Voluntary risk-management framework for any organization.
    FISMA / NIST SP 800-53: Mandatory security program for federal agencies and systems operated on their behalf.

Who it applies to
    CMMC 2.0: DoD prime and subcontractors handling FCI or CUI.
    NIST SP 800-171: Any non-federal entity handling CUI under a federal contract.
    NIST CSF 2.0: Anyone, voluntarily; often used as a private-sector baseline reference.
    FISMA / NIST SP 800-53: Federal agencies and contractors operating systems on their behalf.

Mandatory?
    CMMC 2.0: Yes, by DFARS clause once phased into a solicitation.
    NIST SP 800-171: Yes, when DFARS 252.204-7012 or an equivalent clause applies.
    NIST CSF 2.0: No (voluntary).
    FISMA / NIST SP 800-53: Yes, by statute.

Verification
    CMMC 2.0: Self-attestation (L1, some L2); third-party (C3PAO) certification for L2; DIBCAC for L3.
    NIST SP 800-171: Self-assessment with a score posted in SPRS; subject to DoD Medium/High assessment.
    NIST CSF 2.0: Self-assessment.
    FISMA / NIST SP 800-53: Agency authorization to operate (ATO); continuous monitoring.

Control count
    CMMC 2.0: 15 (L1) / 110 (L2) / 110 plus 24 selected 800-172 requirements (L3).
    NIST SP 800-171: 110 requirements in 14 families (Rev 2).
    NIST CSF 2.0: 6 functions (Govern, Identify, Protect, Detect, Respond, Recover); profile-driven.
    FISMA / NIST SP 800-53: Roughly 1,000 controls and enhancements, tailored to the FIPS 199 impact level.

Which applies to me?

Quick decision tree

  1. Do you hold or pursue a federal contract?

    If no, the FAR/DFARS layer does not apply yet. Focus on the legal baseline (FTC Act, state breach laws, sector statutes).

  2. Does the contract touch FCI?

    If yes, FAR 52.204-21 (the 15 basic safeguards) applies. This is the floor for any contractor that receives or creates non-public information for the government under a contract.

  3. Does the contract touch CUI?

    If yes, the NIST SP 800-171 requirements apply. For DoD work, that means DFARS 252.204-7012 plus the CMMC level named in the solicitation.

  4. Are you hosting a federal information system?

    If yes, you fall under FISMA / NIST SP 800-53, and any cloud service used for it typically needs FedRAMP authorization at the matching impact level.