As CMMC enforcement has ramped up, one question comes up constantly from contractors who already work inside DoD RMF: does CMMC replace RMF, run alongside it, or do something else entirely? The honest answer is that it depends on what kind of contractor you are and what kind of system you're talking about. The overlap between the two frameworks is bigger than most people realize, but not in the way they expect.

This guide breaks down what each framework actually governs, where they share DNA, and what that means practically if you’re operating in both worlds.


Two Different Questions

RMF answers the question: is this specific federal information system secure enough to operate? It’s a system-by-system authorization process, run by the organization that owns the system, resulting in an ATO granted by an Authorizing Official.

CMMC answers a different question: does this contractor's environment meet a defined baseline of cybersecurity practice for handling Controlled Unclassified Information (CUI) on DoD contracts? It is a certification of the contractor's CUI environment (the whole company, or a scoped enclave within it) assessed against a fixed set of requirements. Level 2 is the 110 requirements of NIST SP 800-171, and it is increasingly required as a condition of winning or keeping certain contracts.

One is about a system. The other is about a company. That’s the core distinction that resolves most of the confusion, but it doesn’t mean they’re unrelated.


Real-World Example: “Do We Need Both?”

A mid-sized contractor running a system under an active ATO got a notice that an upcoming contract would require CMMC Level 2 certification for their corporate environment. The first reaction internally was confusion: they already had RMF authorization, so why was a separate certification being asked for?

The answer was that the RMF ATO covered one specific information system operating within a government enclave. CMMC was being asked for at the corporate level, covering the contractor’s own networks, laptops, and infrastructure where CUI related to the contract would live outside that government system. Two different boundaries, two different questions, both legitimately required.

An ATO covers a system’s boundary. CMMC covers the contractor’s boundary. Most confusion comes from assuming those are the same boundary.


Where the Controls Overlap

Here’s where the real overlap lives. RMF control baselines come from NIST SP 800-53. CMMC Level 2 is built on NIST SP 800-171, which itself was derived from a subset of 800-53 controls, specifically the ones relevant to protecting CUI in non-federal systems.

In practice, this means an organization that has been doing RMF well already has most of the underlying security practices CMMC is looking for: access control, audit logging, configuration management, incident response, and so on. The controls aren’t identical, and the assessment processes are different, but the underlying security posture transfers significantly.

The gap usually isn’t in security practices themselves. It’s in documentation and scope. RMF documentation describes a specific system’s boundary. CMMC requires a System Security Plan that describes the contractor’s broader CUI environment, which may include systems, networks, and processes that were never part of any RMF package because they sit outside any government-owned system boundary.


Real-World Example: Reusing RMF Work for CMMC Readiness

One organization preparing for a CMMC Level 2 assessment started by mapping their existing RMF control implementation statements against the 800-171 control set. For a large portion of the controls, the implementation was already there: the access control policy, the audit logging configuration, the incident response plan. The work wasn’t building these from scratch.

The actual effort went into the controls that existed for the RMF system but hadn't been extended to the broader corporate environment: for instance, configuration management practices that applied to the authorized system's servers but not to the general corporate laptop fleet where CUI also got handled day to day.

Treating CMMC as a from-scratch effort would have meant redoing work that already existed. Treating it as a scoping and gap-mapping exercise against existing RMF documentation cut the effort significantly.


The Assessment Models Are Different

RMF assessments are performed by a Security Control Assessor, often internal to the organization or a designated independent assessor, and the authorization decision is made by an Authorizing Official within the agency.

CMMC Level 2 certification requires assessment by a Certified Third-Party Assessment Organization (C3PAO), an accredited external body. (The CMMC rule also defines a Level 2 self-assessment; the contract states which of the two it requires, and the contractor in the example above was asked for certification.) This is a more formal, external process than the often internally managed RMF assessment, and it results in a certification status recorded centrally in SPRS rather than an authorization decision made by an individual AO.

Practically, this means CMMC timelines and costs are less flexible than RMF timelines often are. An ATO can be granted with conditions or as an interim authorization while remediation continues. CMMC certification is much closer to pass or fail at the point of assessment: the CMMC rule does allow a conditional Level 2 status with a POA&M, but only with a minimum score (88 of 110), only for a limited set of requirements, and the POA&M must be closed out within 180 days or the conditional status lapses.


A Practical Approach for Contractors

Start by identifying your CUI boundary separately from your RMF system boundaries. These are often different shapes. Your RMF system boundary is defined by what’s inside the authorized system. Your CMMC boundary is defined by everywhere CUI related to your contracts actually flows, which often includes general business systems that have nothing to do with any specific ATO.

Then map your existing RMF control implementations against the 800-171 control set for your CMMC boundary. Wherever the implementation already exists and applies to the CUI environment, you’re done with that control. Wherever it exists for the RMF system but doesn’t extend to the broader environment, that’s your gap list.

Finally, don’t assume disciplined RMF practices mean CMMC is a formality. The documentation requirements are different enough that you’ll need a dedicated System Security Plan for the CMMC boundary, even if most of the underlying controls are already in place.
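The mapping step above is mechanical enough to script. The example below is added here and is not from the original post: it takes an inventory of 800-53 control implementations pulled from an RMF package, each tagged with the asset groups it actually applies to, and classifies each 800-171 requirement for a declared CUI boundary as covered, a scope gap (implemented for the ATO system only), or missing. The requirement-to-control mapping and the inventory are constructed sample data; the authoritative mapping is NIST SP 800-171 Appendix D, and the asset-group names are assumptions.

```python
"""Gap-map RMF (NIST SP 800-53) control implementations against
NIST SP 800-171 requirements for a CMMC Level 2 CUI boundary."""
from dataclasses import dataclass

# CONSTRUCTED: a handful of 800-171 requirements and the 800-53 controls
# they map to.  The authoritative mapping is NIST SP 800-171 Appendix D.
REQ_TO_CONTROLS = {
    "3.1.1": ["AC-2", "AC-3", "AC-17"],
    "3.3.1": ["AU-2", "AU-3", "AU-6", "AU-12"],
    "3.4.1": ["CM-2", "CM-6", "CM-8"],
    "3.6.1": ["IR-2", "IR-4", "IR-6"],
    "3.8.3": ["MP-6"],
}


@dataclass(frozen=True)
class Implementation:
    control: str            # 800-53 control id as written in the RMF package
    scopes: frozenset[str]  # asset groups the implementation actually applies to


# CONSTRUCTED inventory (asset-group names are assumptions): the RMF package
# covers "ato-system"; some controls were later extended to corporate asset
# groups that also handle CUI but sit outside any ATO boundary.
ATO = "ato-system"
CORP = frozenset({ATO, "corp-laptops", "corp-fileshare"})
INVENTORY = [
    Implementation("AC-2", CORP),
    Implementation("AC-3", CORP),
    Implementation("AC-17", frozenset({ATO})),   # remote access: ATO system only
    Implementation("AU-2", CORP),
    Implementation("AU-3", CORP),
    Implementation("AU-6", CORP),
    Implementation("AU-12", CORP),
    Implementation("CM-2", frozenset({ATO})),    # baselines: servers only
    Implementation("CM-6", frozenset({ATO})),    # hardening: servers only
    Implementation("CM-8", CORP),
    Implementation("IR-2", CORP),
    Implementation("IR-4", CORP),
    Implementation("IR-6", CORP),
    # no MP-6 entry: media sanitization was never documented anywhere
]

# The CMMC boundary: every asset group where contract CUI actually flows.
CUI_BOUNDARY = frozenset({ATO, "corp-laptops", "corp-fileshare"})


def gap_map(req_to_controls, inventory, cui_boundary):
    """Classify each 800-171 requirement for the CUI boundary.

    Returns {req_id: (status, {control: sorted uncovered asset groups})} where
    status is "covered" (every mapped control applies to the whole boundary),
    "scope_gap" (implemented, but not for every boundary asset group) or
    "missing" (at least one mapped control has no implementation at all).
    """
    # Several implementation statements for one control merge into one scope.
    by_control = {}
    for impl in inventory:
        by_control.setdefault(impl.control, set()).update(impl.scopes)

    result = {}
    for req, controls in req_to_controls.items():
        status, detail = "covered", {}
        for ctl in controls:
            if ctl not in by_control:
                status = "missing"            # worst case wins for the requirement
                detail[ctl] = sorted(cui_boundary)
                continue
            uncovered = cui_boundary - by_control[ctl]
            if uncovered:
                detail[ctl] = sorted(uncovered)
                if status == "covered":
                    status = "scope_gap"
        result[req] = (status, detail)
    return result


def summarize(gaps):
    """Bucket requirement ids by status so the gap list is easy to read."""
    buckets = {"covered": [], "scope_gap": [], "missing": []}
    for req, (status, _) in sorted(gaps.items()):
        buckets[status].append(req)
    return buckets


if __name__ == "__main__":
    gaps = gap_map(REQ_TO_CONTROLS, INVENTORY, CUI_BOUNDARY)
    for req, (status, detail) in sorted(gaps.items()):
        print(f"{req:8} {status:10} {detail}")
    print(summarize(gaps))
```

The scope tags are the point: an implementation statement that is true for the ATO system's servers and false for the corporate laptop fleet is exactly the case the article describes, and tagging each statement with the asset groups it really covers is what turns an RMF package into a usable CMMC gap list. A real run would load the requirement mapping from Appendix D and the inventory from the RMF package's implementation statements rather than from constants.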


Final Thoughts

RMF and CMMC aren’t competing frameworks, and CMMC isn’t replacing RMF. They answer different questions at different scopes: one system’s authorization versus a contractor’s overall maturity to handle CUI. For organizations that have done RMF well, CMMC readiness is much less about building new security practices and much more about extending and documenting the practices that already exist across a wider boundary.

The contractors who struggle most with CMMC are usually the ones who treat it as a brand new compliance program instead of recognizing how much of the groundwork their RMF discipline already laid.


I’m Babux

Welcome to RMFInsider. A focused space dedicated to understanding RMF, compliance, and the cleared cyber economy. Here, we simplify complex frameworks, break down real-world costs, and explore the career and business opportunities hidden inside the system.
