Cybersecurity Frameworks: What's Required and What's Optional
Explore essential frameworks for managing cyber security risk and compliance in defense contracts.
---
There are more cybersecurity frameworks than any organization needs. The problem for defense contractors is that the required ones are sometimes presented alongside optional ones without clear distinction, and consultants with certifications in particular frameworks have obvious incentives to tell you that their framework is the most important.
Let's be direct about what you're actually obligated to implement, what you might want to implement for business reasons, and what's largely irrelevant to your situation unless you fall into a specific category.
The Required Frameworks
These aren't optional. If you're a defense contractor handling the relevant information, these apply to you contractually and legally.
NIST SP 800-171 Rev 2 — Required for CUI
This is the framework your CMMC assessment tests you against. If your DoD contract includes DFARS clause 252.204-7012, you are contractually required to implement all 110 security requirements in NIST SP 800-171 Rev 2. That obligation has been in force since the December 31, 2017 DFARS implementation deadline, years before CMMC added third-party certification on top of it.
NIST SP 800-171 organizes requirements into 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
Every control in this framework maps directly to a CMMC Level 2 practice. When people say "Level 2 has 110 controls," they mean the 110 requirements in NIST SP 800-171 Rev 2. The two are the same standard. One caveat: NIST published Rev 3 in May 2024, but the CMMC rule and a DFARS class deviation keep Rev 2 as the assessed baseline until DoD says otherwise, so do not re-map your program to Rev 3 on your own initiative.
Key document: NIST SP 800-171 Rev 2 at nvlpubs.nist.gov — free to download. Read it with a highlighter. Every requirement in there is something your C3PAO assessor will evaluate.
Companion document: NIST SP 800-171A — the assessment guide. It translates each 800-171 requirement into specific assessment objectives (what to examine, who to interview, what to test). Download this too. It's essentially the assessor's playbook.
FAR 52.204-21 — Required for FCI (All Federal Contractors, DoD Included)
If you handle Federal Contract Information (information, not intended for public release, that is provided by or generated for the government under a contract to develop or deliver a product or service), you're subject to FAR 52.204-21. The clause is government-wide rather than DoD-specific, and it applies to virtually every DoD contractor, including those that never touch CUI.
FAR 52.204-21 lists 15 basic safeguarding requirements, and CMMC Level 1 adopts those 15 as its practices (they correspond to 17 of the NIST SP 800-171 controls, which is where the "17" figure from CMMC 1.0 came from). If you only have FCI (no CUI), Level 1 is your floor: an annual self-assessment, with the results and a senior-official affirmation entered in SPRS, and no C3PAO involved.
DFARS 252.204-7012 — Required for DoD CUI Specifically
This clause adds DoD-specific obligations on top of the 800-171 requirement: report cyber incidents to DoD within 72 hours of discovery through the DIBNET portal (which requires a DoD-approved medium assurance certificate), preserve images of known affected systems and relevant monitoring data for at least 90 days from the report, submit any malicious software to DoD on request, use only cloud services that meet the FedRAMP Moderate baseline (or equivalent) when they store, process or transmit CUI, and flow the clause down to subcontractors whose work involves CUI.
If this clause is in your contract, all of those obligations apply together: the 800-171 controls, incident reporting and evidence preservation, the cloud baseline requirement, and subcontractor flow-down.
The FAR CUI Rule: the civilian-agency counterpart to DFARS 252.204-7012 is working its way through rulemaking as FAR Case 2017-016, published as a proposed rule in January 2025. Once it takes effect, contractors working with any federal agency's CUI, not just DoD's, will face similar safeguarding and incident-reporting requirements. If you work with non-DoD federal agencies, track the rule's progress.
The Useful-But-Not-Required Frameworks
These frameworks may legitimately add value to your program, but don't confuse "useful" with "required."
NIST Cybersecurity Framework (CSF) 2.0 — Voluntary
The NIST CSF organizes cybersecurity activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover (Govern was added in CSF 2.0; earlier versions had five). It's a communication and management tool: it helps leadership understand where a security program stands and what categories of activity it covers.
The CSF is not a compliance standard. There are no assessment objectives, no certificate of compliance, and no contract clause that requires it. NIST explicitly describes it as voluntary.
Where it genuinely helps defense contractors: if you're building a security program from the ground up, the CSF's six functions provide a logical structure for organizing your activities before you map them to NIST SP 800-171 requirements. The CSF Protect function, for example, covers roughly 40 of the 110 Level 2 controls, a useful mental model for planning work even though the boundary is approximate.
If your organization already uses the CSF, you can use it as an overlay to identify which 800-171 controls you've likely addressed. But this is a planning aid, not a compliance shortcut.
Decision point: If you're not already using the CSF and someone proposes implementing it as a path to CMMC compliance, push back. The CSF doesn't substitute for 800-171 work — it may help organize it. Your time is better spent directly against the 110 controls in 800-171.
NIST SP 800-53 — Reference Framework, Not Required for Contractors
NIST SP 800-53 is the comprehensive federal information system security catalog, containing over 1,000 controls and control enhancements across 20 families. Federal agencies use it to comply with FISMA. Defense contractors do not use it for CMMC: NIST SP 800-171 is the DIB-appropriate subset, derived from the 800-53 moderate baseline and FIPS 200 and tailored for non-federal systems.
You may encounter 800-53 references when your systems connect to federal networks, or when working on federal system development. For CMMC purposes, 800-171 is your framework. Reading 800-53 for background understanding is worthwhile; implementing it as your CMMC compliance strategy is unnecessary overhead.
ISO 27001 — Optional (and a Poor CMMC Substitute)
ISO 27001 is an international standard for Information Security Management Systems (ISMS). It provides a process framework for establishing, implementing, and continually improving an information security program. Achieving ISO 27001 certification involves a formal third-party audit.
ISO 27001 is not required for CMMC. It does not satisfy NIST SP 800-171 obligations. Some organizations pursue both because they work with international clients who require ISO 27001, or because they want a recognizable international credential alongside their CMMC certification.
If someone recommends pursuing ISO 27001 instead of CMMC Level 2 certification because the two overlap, that advice is wrong. The DoD does not accept ISO 27001 certification as a substitute for CMMC. The two frameworks do share some concepts, and ISO 27001 implementation does prepare you for some 800-171 work — but you can't present an ISO 27001 certificate to your contracting officer and call it CMMC compliance.
For a defense contractor whose primary concern is retaining DoD contracts, ISO 27001 is optional overhead unless you have a specific business reason to pursue it (international clients, corporate policy, or dual-market positioning).
SOC 2 — Optional for Defense Contractors
SOC 2 is an attestation framework for service organizations (cloud providers, SaaS vendors, managed service providers) to demonstrate their controls to customers. It's built around the AICPA's five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Defense contractors typically aren't the ones pursuing SOC 2 — they may evaluate their MSPs and cloud providers' SOC 2 reports when assessing vendor risk. If your MSP manages systems that process CUI, their SOC 2 Type 2 report is one piece of evidence for evaluating whether they provide adequate protection. It's an input to your risk assessment, not a certification that satisfies your own 800-171 obligations.
If you happen to be both a defense contractor and a cloud service provider, you may need both. That's a specific situation, not the general case.
The Conditional Frameworks
These apply only if you operate in specific sectors or handle specific types of data.
HIPAA — Required Only for Health Data
If your defense contracts involve medical data, military health records, clinical research, or any protected health information (PHI), and many DoD medical support contracts do, HIPAA applies to that data when you act as a covered entity or business associate, which a contractor handling PHI for the Military Health System typically is. HIPAA requirements layer on top of CMMC; they don't replace it.
If you're a defense contractor and you don't handle any PHI, HIPAA is irrelevant to your operations. Don't let someone talk you into a HIPAA compliance program as part of your CMMC preparation unless you have a specific reason.
NERC-CIP — Required Only for Electric Grid Operations
NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection standards) applies to organizations that own or operate bulk electric system assets. If you're a defense contractor building or maintaining power infrastructure for military installations or defense facilities and your role puts you in the NERC-CIP applicability scope, you may face dual compliance obligations.
The average defense contractor has nothing to do with NERC-CIP. If you're not in the electric power sector, skip this framework.
GDPR — Required Only When Processing Personal Data of People in the EU
The General Data Protection Regulation applies to organizations established in the EU and, regardless of where your organization is located, to processing of personal data of individuals who are in the EU when you offer them goods or services or monitor their behaviour. It turns on where the individual is, not on citizenship. If you have employees, partners, or customers in the EU, GDPR is relevant.
Most U.S.-based, DoD-focused defense contractors work with U.S. government data and U.S.-located employees, and GDPR typically doesn't apply. If you're a multinational organization, or if your defense work involves personal data on coalition partner personnel located in EU member states, get qualified legal advice about your GDPR exposure. That's a legal question, not just a cybersecurity question.
Common Mistakes
Implementing multiple optional frameworks instead of investing in the required one. The most common misdirection is spending resources on ISO 27001 or NIST CSF implementation while the actual 800-171 controls remain partially implemented. Every hour spent on optional frameworks is an hour not spent getting your 110 controls to Met status.
Assuming overlap means equivalence. Yes, ISO 27001 and NIST 800-171 share concepts. Yes, the NIST CSF Protect function overlaps with much of 800-171. Overlap means there's shared work that can be used — it doesn't mean one satisfies the other. Document the overlap in your SSP for efficiency. Don't claim one framework satisfies the other for compliance purposes.
Confusing your cloud provider's framework compliance with your own. Your Microsoft Azure environment has FedRAMP authorization. Your AWS GovCloud environment has various certifications. None of these mean you are CMMC-compliant. Your cloud provider's authorization covers the infrastructure layer it manages; you're responsible for the configuration, the access controls, the data handling, and every control above the provider's responsibility boundary. Get the provider's customer responsibility matrix for the specific service you use, record in your SSP which of the 110 controls the provider implements, which are shared, and which are entirely yours, and expect the assessor to test the shared and customer-owned ones against your environment, not the provider's paperwork.
What Your Assessor Expects
Your C3PAO assessor cares about one framework in detail: NIST SP 800-171 Rev 2, as assessed per NIST SP 800-171A. They may ask about your use of the NIST CSF or other frameworks as context — "how did you structure your security program?" is a reasonable interview question — but their scoring is entirely based on 800-171 control implementation.
If you've implemented ISO 27001 or NIST CSF and that work helped you build your 800-171 compliance program, document the connections in your SSP. Show how the framework work translated into specific 800-171 control implementations. The assessor appreciates the context, but they evaluate your controls, not your framework portfolio.
---
Bottom line for most defense contractors: NIST SP 800-171 is the framework that matters. Everything else is either a useful tool (NIST CSF) or irrelevant to your situation (SOC 2, GDPR) unless you have a specific business reason to pursue it. If you are not sure where to start, see which security standards apply to your organization.