Skip to content

CMMC and Related Frameworks

 

Learn about CMMC and NIST SP 800-171 Revision 2 and 3, ITAR, FedRAMP, supply chain risk management (SCRM) under CMMC, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.

Table of Contents

What is the relationship between NIST SP 800-171 Rev 2 and CMMC compliance? 

 

NIST SP 800-171 Rev 2 is the technical security standard on which CMMC Level 2 compliance is built, CMMC Level 2 requires full implementation of all 110 controls in NIST SP 800-171 Rev 2 and adds mandatory independent verification on top of that requirement through C3PAO assessments. 

The relationship is additive: DFARS clause 252.204-7012 originally imposed the NIST SP 800-171 Rev 2 obligation and allowed self-attestation. CMMC adds the verification layer without changing the underlying control requirements. Every CMMC Level 2 compliance activity, gap analysis, remediation, SSP development, evidence collection, is built around the 14 domains and 110 controls of NIST SP 800-171 Rev 2. 

Organizations that have genuinely implemented NIST SP 800-171 Rev 2 and accurately reflected that implementation in their SPRS score are well positioned for CMMC Level 2 certification, the assessment confirms what should already be in place. The common framing used by compliance professionals is that NIST SP 800-171 tells you what to do, and CMMC proves that you did it. 

 

Is CMMC currently assessed against NIST SP 800-171 Revision 2 or Revision 3? 

 

CMMC assessments are currently conducted against NIST SP 800-171 Revision 2, not Revision 3, and will continue to be evaluated against Rev 2 until the DoD completes a separate future rulemaking to incorporate Rev 3 into the CMMC program. 

NIST published Revision 3 of SP 800-171 in May 2024, updating and reorganizing the control framework. The DoD explicitly maintained the requirement for contractors to comply with Rev 2 for CMMC assessment purposes, confirmed in DFARS clause 252.204-7012 and in a DoD class deviation memorandum. Contractors who have implemented Rev 3 controls are not penalized, assessors will not mark a Rev 3 implementation as non-compliant if it satisfies the corresponding Rev 2 objective, but the official assessment standard is Rev 2. 

In April 2025, the DoD CIO published a memorandum establishing Organization-Defined Parameters (ODPs) for NIST SP 800-171 Revision 3, signaling preparation for an eventual transition, but this rulemaking has not been completed as of March 2026. Contractors should maintain Rev 2 compliance as the current legal requirement.

 

What are Organization-Defined Parameters (ODPs) in NIST SP 800-171 Rev 3 and how do they affect CMMC compliance preparation? 

 

Summary: Organization-Defined Parameters are specific values, frequencies, thresholds, or conditions that individual organizations must define for certain security controls in NIST SP 800-171 Revision 3, where the standard specifies that the organization determines the appropriate implementation rather than prescribing a fixed value. 

In NIST SP 800-171 Rev 2, all control parameters were fixed. In Revision 3, some controls use ODPs, for example, a control might require periodic review of access authorizations “at defined frequency [ODP],” requiring the organization to specify whether that frequency is monthly, quarterly, or annually. 

In April 2025, the DoD CIO published a memorandum establishing specific DoD-directed ODP values for NIST SP 800-171 Rev 3, effectively standardizing many parameters. Since CMMC assessments are currently based on Rev 2, contractors are not assessed against ODPs today, but understanding and planning for ODPs now will reduce the transition effort when the DoD completes the rulemaking to incorporate Rev 3 into CMMC.

 

Will CMMC eventually transition to NIST SP 800-171 Revision 3? 

 

The DoD has confirmed that CMMC will transition to NIST SP 800-171 Revision 3 through a future rulemaking process, but as of March 2026 no timeline for that rulemaking has been finalized and all current CMMC assessments remain based on NIST SP 800-171 Revision 2. 

The DoD’s position, confirmed in DFARS clause 252.204-7012 and in official CMMC program communications, is that the transition to Rev 3 requires amending the regulatory framework through a formal notice-and-comment rulemaking process, this cannot be accomplished administratively. The DoD CIO’s April 2025 ODP memorandum for Rev 3 indicates that internal preparation for the transition is underway. 

When the Rev 3 transition rulemaking is finalized, contractors will receive an implementation period before Rev 3 assessment requirements take effect. Contractors should not delay their Rev 2 compliance work anticipating a Rev 3 transition, full Rev 2 compliance remains the legal obligation and the foundation upon which the eventual Rev 3 transition will build. 

 

What is supply chain risk management (SCRM) under CMMC and what does it require? 

 

Summary: Supply chain risk management under CMMC Level 2 requires contractors to identify, assess, and mitigate cybersecurity risks introduced by the products, services, and suppliers in their information and communications technology (ICT) supply chain, as addressed in the Risk Assessment (RA) domain of NIST SP 800-171 Rev 2 and expanded in NIST SP 800-172 for Level 3. 

Under CMMC Level 2, SCRM obligations include: evaluating the security practices of vendors and suppliers providing hardware, software, or services used within the CMMC assessment scope; avoiding the acquisition of information technology from vendors or sources with known security risks or foreign adversary ties; reviewing supplier security documentation before integrating third-party components into the CUI environment; and including supply chain risk considerations in the organization’s formal risk assessment process documented in the SSP. 

Practically, this means vetting software vendors, hardware suppliers, and cloud service providers for supply chain integrity, confirming that components used in the CUI environment have not been tampered with, do not contain known backdoors, and come from sources not subject to foreign adversary control. SCRM is explicitly strengthened at CMMC Level 3 through NIST SP 800-172 enhanced requirements, which add proactive threat analysis and supply chain incident response obligations.

 

What is the relationship between CMMC and ITAR? 

 

Summary: CMMC and ITAR (International Traffic in Arms Regulations, 22 CFR Parts 120–130) are separate regulatory frameworks with overlapping applicability for defense contractors, and compliance with one does not constitute compliance with the other, organizations subject to both must maintain independent compliance programs for each. 

ITAR is administered by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) and governs the export and transfer of defense articles, defense services, and related technical data listed on the U.S. Munitions List (USML). CMMC is a DoD cybersecurity certification program governing the protection of CUI and FCI on contractor information systems. 

The intersection occurs because ITAR-controlled technical data frequently qualifies as CUI, specifically under the Controlled Technical Information (CTI) and Export Controlled categories, meaning the same technical drawings or specifications may simultaneously require ITAR compliance for export controls and CMMC compliance for digital protection. Contractors handling ITAR-controlled data that also constitutes CUI must implement all 110 NIST SP 800-171 Rev 2 controls to protect that data digitally while separately maintaining ITAR compliance for all export licensing, transmission, and access control obligations.

 

What is the relationship between CMMC and FedRAMP? 

 

Summary: CMMC and FedRAMP are complementary federal cybersecurity frameworks that address different parts of the same compliance ecosystem: CMMC governs defense contractor information systems, while FedRAMP governs the cloud service platforms those contractors use to handle CUI, and where a contractor stores CUI in a cloud service, both frameworks apply simultaneously. 

CMMC applies to Organizations Seeking Certification in the Defense Industrial Base, the contractors themselves. FedRAMP applies to Cloud Service Providers offering platforms to federal agencies and contractors. Under DFARS clause 252.204-7012, any cloud service handling CUI must meet FedRAMP Moderate or equivalent standards, this is the direct legal link between the two frameworks. 

CMMC does not regulate CSPs directly; it requires OSCs to use only FedRAMP-compliant cloud services for CUI. Conversely, a CSP achieving FedRAMP authorization is not automatically CMMC compliant, FedRAMP authorization covers the cloud platform; CMMC compliance covers how the contractor implements controls within and around that platform. Databrackets supports organizations in evaluating their cloud environments against both CMMC and FedRAMP requirements as part of comprehensive compliance assessments. 

 

Explore Blogs, Webinars and other Resources

Trusted by Reputed Companies

pVerify, Inc.
Electronic Data Solutions
Bernard Robinson & Company
Avance Care
iCliniq
Botsplash
Logically
Mr.Internet Systems
Vision Radiology
Tangible Solutions
Tangible Solutions
WorkSmart
Triyam
Med First Primary and Urgent Care
Arizona State Radiology
DataCaliper
Dose Spot Company Logo
DoseSpot
Forsyte I.T. Solutions
Tego Data

Accreditations and Associations

* Disclaimer: This list of accreditations is held by our team of employees and consultants.

What Our Clients Say

We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center

Our Growing List of Credentials

0 +
Assessments
0 +
Clients
0 +
Assessment Libraries
0 +
Years of Experience
0 +
No. of Staff Trained
0 +
HIPAA
0 +
SOC 2 Readiness
0 +
Pen Testing
0 +
ISO 27001 Certifications
0 +
Dollars Saved in Compliance Penalties