Practical compliance guidance for regulated organizations.

NIST Compliance Foundations

Primary factors for achieving and maintaining NIST alignment.

• Governance + risk: formal risk assessments, security policies, SSP, and continuous risk tracking.
• Identity + access: least privilege, MFA, role-based access, privileged access review, and account lifecycle control.
• System hardening: secure baselines, vulnerability scanning, patch management, and configuration drift control.
• Detection + response: centralized logging, alert triage, incident response playbooks, and recovery validation.
• Data protection: encryption in transit/at rest, key management, backup integrity, and restoration testing.
• Evidence discipline: retain change records, scan reports, access reviews, and training artifacts for audits.

Relevant technology categories

CMMC Level Requirements

CMMC 2.0 structure for levels 1, 2, and 3.

• Level 1 (Foundational): 15 security requirements aligned to FAR 52.204-21 for protection of FCI.
• Level 2 (Advanced): 110 security requirements aligned to NIST SP 800-171 Rev. 2 for protection of CUI.
• Level 3 (Expert): Adds 24 selected requirements from NIST SP 800-172 on top of Level 2.

• Level 1 generally follows annual self-assessment and annual affirmation workflows.
• Level 2 assessment path can be annual self-assessment or triennial C3PAO certification, based on contract sensitivity.
• Level 3 uses government-led assessment (DIBCAC) with annual affirmations and triennial review cadence.

Official References

• DoD CMMC Program Overview
• FAR 52.204-21 (Level 1 baseline)
• NIST SP 800-171 Rev. 2 (Level 2 baseline)
• NIST SP 800-172 (Level 3 source set)
• 32 CFR §170.14(c)(4) Level 3 table

Numbers above are aligned to the DoD CMMC final rule framework and NIST mappings.