Key Documents
Four documents work together to define CMMC Level 2. Understanding how they relate saves you from reading 500+ pages of overlapping content.
The Four Documents
Section titled “The Four Documents”NIST SP 800-171 Rev 2 — Defines the 110 security requirements. This is the technical standard. It tells you what you must do. Published by NIST, mandated by DoD.
NIST SP 800-171A — Defines how to assess each requirement. 320 determination statements across the 110 requirements. For each requirement: what documents to examine, who to interview, what to test. This is the assessor’s evidence checklist.
CMMC Assessment Guide Level 2 — The DoD’s layer on top of NIST. Adds CMMC-specific scoring rules (MET/NOT MET/N/A), practical guidance, real-world examples, and the questions assessors are likely to ask. This is the C3PAO’s playbook.
CMMC Scoping Guide Level 2 — Defines how to determine your assessment boundary. Five asset categories, separation techniques, ESP rules, enclave models. This document controls your compliance costs.
How They Relate
Section titled “How They Relate”800-171 Rev 2 → What you must do (110 requirements) ↓800-171A → How to prove you did it (320 determination statements) ↓CMMC Assessment Guide → How the assessor evaluates it (scoring + guidance) ↓CMMC Scoping Guide → What gets assessed (boundary definition)Rev 2 vs Rev 3
Section titled “Rev 2 vs Rev 3”NIST withdrew Rev 2 in May 2024 and published Rev 3. However, the DoD issued a class deviation requiring Rev 2 for all CMMC assessments. Rev 2 remains the enforceable standard until the DoD formally transitions to Rev 3, which is expected to take years.
This entire reference is built on Rev 2.