NIST 800-171 is a standard that defines security controls for protecting Controlled Unclassified Information (CUI). CMMC builds on NIST 800-171 by adding a certification program that requires organizations to demonstrate compliance through third-party or government-led assessments.