CMMC 2.0, NIST, and Risk Management


Cyber threats continue to grow in complexity and sophistication. To address this evolution, the Department of Defense has introduced the Cybersecurity Maturity Model Certification (CMMC) 2.0 to ensure that defense contractors maintain robust cybersecurity practices to protect Controlled Unclassified Information (CUI). 

To address one of the most important processes in modern security (risk management), CMMC 2.0 includes some risk assessment requirements. 

This article will explore risk management’s vital role in achieving CMMC 2.0 compliance and its connection to the National Institute of Standards and Technology (NIST) guidelines, specifically NIST SP 800-171. We will delve into the various control families of NIST 800-171 and 800-172, their impact on risk management, and the steps organizations can take to address potential risks effectively.

 

How Do CMMC Maturity Levels Impact the Adoption of NIST Controls?

Currently, CMMC version 2.0 is operating under a notional standard as stakeholders in the DoD supply chain assess and provide revisions to the framework. However, one change that seems stable per the mission of the new CMMC version (streamlining compliance) is the reduction of maturity levels from five to three. 

Currently, the three maturity levels of CMMC 2.0 are:

  • Level 1 (Foundational): This is the introductory level of CMMC 2.0, suitable for low-priority organizations handling FCI (and, in limited circumstances, some less sensitive forms of CUI). At this level, a contractor is only expected to have implemented a subset of 15 controls from NIST Special Publication 800-171. 
  • Level 2 (Advanced): The core level of CMMC emphasizes an organization’s alignment with the security requirements established by NIST. At this level, the contractor must align with all 110 controls, the complete list of controls in NIST SP 800-171. This is the level that, by and large, organizations must meet to handle CUI under most circumstances. 
  • Level 3 (Expert): This level is for contractors handling CUI that faces much higher threats, specifically those associated with Advanced Persistent Threats (APTs). Level 3 includes requirements for all 110 controls in NIST SP 800-171 plus a subset of controls from NIST SP 800-172.

This article isn’t a deep dive into the nuances of the differences between these levels. Instead, it looks at how one specific family of controls (in this case, risk management) may impact compliance across them.

What Are NIST Special Publications 800-171 and 800-172?

First, a discussion of NIST and CMMC requirements. 

NIST 800-171 and NIST 800-172 are publications by the National Institute of Standards and Technology that provide guidelines and recommendations for protecting CUI in non-federal systems and organizations. 

 

Risk Management and CMMC

CMMC control requirements are determined by the organization’s maturity level and by the compliance expectations attached to the data it handles under its contract. Both NIST SP 800-171 and 800-172 contain a “Risk Assessment” control family that may apply to an organization.

  • At Level 1, there are no risk management requirements. 
  • At Level 2, an organization must meet all controls from NIST SP 800-171, including all Risk Management controls. 
  • At Level 3, an organization must meet everything from NIST SP 800-171 and include certain controls from NIST SP 800-172 as dictated by the contractor’s role in the supply chain. 

Both documents contain the “Risk Assessment” family, albeit with different controls. 

 

Risk Management Controls from NIST SP 800-171

The risk assessment control family in this document contains three primary requirements:

  • Risk Assessment (Basic Requirement): Organizations should periodically assess the risks to operations, assets, and individuals that arise from operating their systems and from processing, storing, or transmitting CUI. This includes defining the system boundaries from which threats may emerge and understanding how operations open up new and compound threats. These assessments can be conducted at almost any formal or informal level and during any part of the system development life cycle. 
  • Vulnerability Scans (Derived Requirement): Organizations should conduct regular vulnerability scans to catch risks and threats as they emerge. This includes the ability to use Security Content Automation Protocol (SCAP)-validated tools and to identify vulnerabilities listed in the CVE database.
  • Remediation (Derived Requirement): Once vulnerabilities are identified, the organization should have policies and procedures in place to remediate them.

 

Risk Management Controls from NIST SP 800-172

NIST SP 800-172 also contains a Risk Assessment family that defines several enhanced requirements for organizations at the highest level of compliance:

  • Threat Intelligence (Enhanced Requirement): Organizations should have ways to conduct intelligence-gathering around potential risks to combat evolving threats. This intelligence should inform defining system requirements and architectures, selecting software, and remediating threats. 
  • Threat Hunting (Enhanced Requirement): Organizations should conduct active threat hunting alongside passive security measures. This can include penetration testing, red team exercises, active intelligence sharing with other organizations, and consulting with security and government agencies. 
  • Automation and Analytics (Enhanced Requirement): Organizations should look beyond manual security teams and scans to automation (potentially including machine learning) that analyzes data, takes specific actions, and controls workflows. These tools should also use analytics to aid decision-making around risk and remediation.
  • Documentation (Enhanced Requirement): The organization must have documented rationales for any system security solutions selected, including a risk determination.
  • Assessment (Enhanced Requirement): Organizations should be able to assess the effectiveness of their security over time and under dynamic circumstances. 
  • Supply Chain (Enhanced Requirement): Organizations should extend their risk assessment efforts to cover their supply chain (including managed services, cloud services, and other providers).

 

Learn More About CMMC or Partner with Us for Your Assessment

CMMC is a rigorous standard requiring organizations to undergo third-party assessments. Lazarus Alliance is now a certified third-party assessment organization under CMMC 2.0, one of only a few dozen in the United States. 

What does that mean for you? You can trust our decades of experience to help guide you through your assessment process. 

Preparing for your CMMC audit? Looking for a C3PAO you can trust? Contact Lazarus Alliance.
