
NIST 800-172 and CMMC Level 3: What You Actually Have to Comply With

Overview

If you’ve started reading NIST SP 800-172, you’ve probably noticed it contains far more requirements than the list our system (Future Feed) shows you. This article explains why you only have to implement 24 of them for CMMC Level 3, where that number comes from, and how to spot the incorrect lists floating around online.

 

The short version

NIST SP 800-172 adds 39 enhanced security requirements beyond the 110 requirements found in NIST SP 800-171 Rev. 2. You do not have to implement all 39. For CMMC Level 3, the Department of Defense selected 24 of them. As of the current CMMC Program Rule (32 CFR Part 170), those 24 enhanced requirements are the only NIST SP 800-172 requirements assessed as part of CMMC Level 3. Combined with the 110 requirements from 800-171 Rev. 2 (your Level 2 baseline), that is a total of 134 requirements in scope at Level 3.

Requirement set                                             Count
----------------------------------------------------------  -----
NIST SP 800-171 Rev. 2 (Level 2 baseline)                   110
NIST SP 800-172 enhanced requirements (Feb 2021 catalog)    39
Selected by DoD for CMMC Level 3                            24
Total CMMC Level 3 assessment scope (110 + 24)              134

 

Level 3 scope = 110 (from 800-171 Rev. 2) + 24 (selected from the 39 in 800-172) = 134. The full 39-requirement catalog is shown for reference; only the 24 selected by DoD are assessed.

 

Common question:

Q: My assessor will evaluate all of NIST SP 800-172, right?
A: No. Under the current CMMC Program Rule, a Level 3 assessment evaluates the 110 requirements from NIST SP 800-171 Rev. 2 plus the 24 enhanced requirements identified in Table 1 to § 170.14(c)(4) — 134 in total. The remaining NIST SP 800-172 enhanced requirements are not assessed at Level 3 today.

 

Why only 24, not all of 800-172

NIST SP 800-172 is a menu, not a mandate. It is a supplement to 800-171 that organizations and agencies can draw from based on their threat environment. NIST itself does not require anyone to implement all 39.

CMMC is the program that turns part of that menu into a contractual requirement. In the CMMC Program final rule, DoD chose the 24 enhanced requirements it considers necessary to defend the most sensitive CUI against Advanced Persistent Threats (APTs). That selection is fixed and is the same for every Level 3 organization. The remaining 15 enhanced requirements in 800-172 are simply not part of CMMC Level 3.

Bottom line: “Comply with 800-172” does not mean “do everything in 800-172.” For CMMC Level 3 it means “do the 24 DoD selected.”

 

The authoritative source for the 24

The definitive list is Table 1 to § 170.14(c)(4) in the CMMC Program final rule (32 CFR Part 170), published in the Federal Register on October 15, 2024. Each control in that table traces directly to a requirement in NIST SP 800-172 (Feb 2021), with assessment objectives in NIST SP 800-172A.

Chain of authority: CMMC final rule, Table 1 to § 170.14(c)(4) → the matching requirement in NIST SP 800-172 (Feb 2021) → assessment objectives in NIST SP 800-172A.

 

How Future Feed is set up — and why

Future Feed is configured to show exactly those 24 controls, grouped into the 10 families that actually contain them. This is not a subset or a simplification — it is a one-to-one match with the regulatory table. The 24 break down as:

Family                                     Level 3 controls (enhanced requirements)
-----------------------------------------  ------------------------------------------------------
AC – Access Control                        3.1.2e, 3.1.3e
AT – Awareness & Training                  3.2.1e, 3.2.2e
CM – Configuration Management              3.4.1e, 3.4.2e, 3.4.3e
IA – Identification & Authentication       3.5.1e, 3.5.3e
IR – Incident Response                     3.6.1e, 3.6.2e
PS – Personnel Security                    3.9.2e
RA – Risk Assessment                       3.11.1e, 3.11.2e, 3.11.3e, 3.11.4e, 3.11.5e, 3.11.6e, 3.11.7e
CA – Security Assessment                   3.12.1e
SC – System & Communications Protection    3.13.4e
SI – System & Information Integrity        3.14.1e, 3.14.3e, 3.14.6e

If you count them, that’s 24. If the platform shows you these, you’re looking at the correct, complete set — nothing is missing and nothing extra has been added.

 

Why different sources show different lists

If you compare “CMMC Level 3” control lists from different websites, you will find they often disagree. That is usually not a mystery — it comes down to which source material each list was built from:

  • Draft CMMC material — proposed and draft versions circulated before the final rule (Oct 15, 2024). Lists built from those drafts can differ from what was ultimately adopted.
  • NIST SP 800-172 Revision 3 — the May 2026 revision renumbers and significantly expands the enhanced requirements. A list based on Rev. 3 will not match what CMMC currently assesses (see the version note below).
  • The full 800-172 catalog — some lists enumerate all 39 enhanced requirements rather than the 24 that DoD selected for Level 3.
  • Transcription or AI-generated errors — some lists include control IDs that don’t exist in 800-172 (for example, a “3.3.1e” under Audit & Accountability, a family that has no enhanced requirement) or omit selected ones entirely.

Sources:

  • CMMC Program final rule — Federal Register, Oct 15, 2024 (32 CFR Part 170; see Table 1 to § 170.14(c)(4)): federalregister.gov
  • DoD CIO — CMMC Alignment to NIST Standards: dodcio.defense.gov (PDF)
  • NIST SP 800-172 (Feb 2021) — the version CMMC currently references; now marked withdrawn/superseded: csrc.nist.gov
  • NIST SP 800-172 Rev. 3 (Final, May 13, 2026) — finalized but not yet adopted by CMMC: csrc.nist.gov (NIST release note)
  • Reference enumeration of all 24 (cites the CFR table directly) — Peak InfoSec: peakinfosec.com

How to validate any list: compare it against Table 1 to § 170.14(c)(4) of the CMMC final rule, or against the family breakdown above. If it doesn’t match, it isn’t the CMMC Level 3 set.
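The comparison described above can be automated. The Python script below is an added example for this article, not part of Future Feed or any of the cited sources: it encodes the 24 IDs from the family breakdown and checks a candidate list against them, reporting what is missing, what is well-formed but not among the 24, and what is not an 800-172-style ID at all. The vendor list it checks is constructed to show the failure modes the article names (a dropped requirement, the non-existent 3.3.1e, and stray IDs). The explain() wording and the assumption that any 3.x.ye ID outside the ten families in the table is not a Level 3 requirement are mine, not the rule's.

```python
import re
from dataclasses import dataclass

# The 24 enhanced requirements DoD selected for CMMC Level 3, transcribed from
# the family breakdown in this article (Table 1 to § 170.14(c)(4), 32 CFR 170).
LEVEL3_ENHANCED = {
    "AC": ["3.1.2e", "3.1.3e"],
    "AT": ["3.2.1e", "3.2.2e"],
    "CM": ["3.4.1e", "3.4.2e", "3.4.3e"],
    "IA": ["3.5.1e", "3.5.3e"],
    "IR": ["3.6.1e", "3.6.2e"],
    "PS": ["3.9.2e"],
    "RA": ["3.11.1e", "3.11.2e", "3.11.3e", "3.11.4e",
           "3.11.5e", "3.11.6e", "3.11.7e"],
    "CA": ["3.12.1e"],
    "SC": ["3.13.4e"],
    "SI": ["3.14.1e", "3.14.3e", "3.14.6e"],
}
LEVEL3_SET = frozenset(cid for ids in LEVEL3_ENHANCED.values() for cid in ids)

# Family number (middle field of the ID) -> family code, derived from the table
# above, e.g. "11" -> "RA". Families absent here (such as 3.3 / AU) have no
# Level 3 enhanced requirement. (Assumption used for the explain() message.)
FAMILY_BY_NUMBER = {
    cid.split(".")[1]: fam
    for fam, ids in LEVEL3_ENHANCED.items() for cid in ids
}

# Shape of an 800-172 (Feb 2021) enhanced requirement ID: 3.<family>.<n>e
ENHANCED_ID = re.compile(r"^3\.(\d{1,2})\.(\d{1,2})e$")


@dataclass
class ValidationResult:
    missing: list        # selected requirements absent from the candidate list
    not_selected: list   # well-formed enhanced IDs that are not among the 24
    malformed: list      # entries that are not 800-172-style enhanced IDs at all

    @property
    def matches(self) -> bool:
        """True only when the candidate list is exactly the 24-requirement set."""
        return not (self.missing or self.not_selected or self.malformed)


def explain(cid: str) -> str:
    """Say why a well-formed enhanced ID is not part of the Level 3 set."""
    family = ENHANCED_ID.match(cid).group(1)
    if family not in FAMILY_BY_NUMBER:
        return f"{cid}: family 3.{family} has no Level 3 enhanced requirement"
    return (f"{cid}: looks like an 800-172 ID but is not one of the 24 selected "
            f"for Level 3 (draft, full-catalog, or transcription artifact?)")


def validate_level3_list(candidate) -> ValidationResult:
    """Compare a candidate 'CMMC Level 3' control list against the 24."""
    seen, not_selected, malformed = set(), [], []
    for raw in candidate:
        cid = raw.strip()
        if not ENHANCED_ID.match(cid):
            malformed.append(cid)
        elif cid in LEVEL3_SET:
            seen.add(cid)
        else:
            not_selected.append(cid)
    # Report missing IDs in table order so the output reads like the table.
    missing = [cid for ids in LEVEL3_ENHANCED.values()
               for cid in ids if cid not in seen]
    return ValidationResult(missing, not_selected, malformed)


# Constructed sample: a vendor list with one selected ID dropped (3.11.5e), the
# bogus "3.3.1e" the article mentions, an extra well-formed enhanced ID, and a
# base 800-171 ID (3.1.1) that has no place in an enhanced-requirement list.
SAMPLE_VENDOR_LIST = [
    "3.1.2e", "3.1.3e", "3.2.1e", "3.2.2e", "3.4.1e", "3.4.2e", "3.4.3e",
    "3.5.1e", "3.5.3e", "3.6.1e", "3.6.2e", "3.9.2e",
    "3.11.1e", "3.11.2e", "3.11.3e", "3.11.4e", "3.11.6e", "3.11.7e",
    "3.12.1e", "3.13.4e", "3.14.1e", "3.14.3e", "3.14.6e",
    "3.3.1e", "3.1.1e", "3.1.1",
]

if __name__ == "__main__":
    result = validate_level3_list(SAMPLE_VENDOR_LIST)
    print("matches the Level 3 set:", result.matches)
    print("missing:", result.missing)
    for cid in result.not_selected:
        print("not selected:", explain(cid))
    print("malformed:", result.malformed)
```

Run it as-is to see the three findings for the constructed list, or replace SAMPLE_VENDOR_LIST with the IDs copied from whatever page you are evaluating. A list passes only when matches is True; any missing entry, any ID outside the 24, or any non-enhanced ID means it is not the Level 3 set the rule defines.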

         

A note on the 800-172 version

CMMC Level 3 is currently defined by 32 CFR Part 170, which references NIST SP 800-172 (Feb 2021). On May 13, 2026, NIST finalized Revision 3 of SP 800-172 (and SP 800-172A) and withdrew the Feb 2021 version, which Rev. 3 supersedes.

Importantly, a NIST publication being withdrawn does not by itself change what CMMC requires. The rule cites the specific Feb 2021 version, so the 24 selected requirements remain the Level 3 assessment scope until DoD amends the rule through formal rulemaking. For current certification work, continue to source against the Feb 2021 version and the existing rule. If a list uses Rev. 3 numbering, it will not match your assessment.

         

Last reviewed: June 2026. Review when DoD issues rulemaking adopting NIST SP 800-171 Rev. 3 or 800-172 Rev. 3 into CMMC.