
NIST SP 800-171 Compliance Guide for Defense Contractors

The 110 CUI security requirements every DoD contractor must meet — explained in plain English, with SPRS scoring, self-assessment steps, and a realistic SMB roadmap.

📅 Updated May 2026 ⏱ 18-min read 🎯 DFARS 252.204-7012 coverage

What Is NIST SP 800-171?

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is the cybersecurity framework that governs how defense contractors handle Controlled Unclassified Information (CUI). It specifies 110 security requirements organized across 14 control families — from access control and audit logging to system integrity and incident response.

CUI is the government's term for information that isn't classified but still warrants protection: engineering drawings, contract pricing, technical specifications, export-controlled research, and anything with a FOUO (For Official Use Only), ITAR, or EAR marking. If your company receives, processes, or generates CUI under a DoD contract, NIST 800-171 applies to every system that touches that information.

Key Fact

NIST 800-171 applies to nonfederal contractors — it governs company-owned systems, not the federal government's own networks (which use NIST 800-53). If you are a defense contractor and your systems touch CUI, you are subject to all 110 requirements.

The framework was first published in 2015 and has been through two major revisions. Revision 2 (September 2020) is the current compliance baseline for DoD contracts and is the foundation of CMMC Level 2. A third revision (Rev 3) is in progress but is not yet the contractual standard as of 2026.

Why Defense Contractors Must Comply

The contractual trigger is DFARS clause 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting. If this clause appears in your prime contract, you must implement the security requirements in NIST SP 800-171. Prime contractors are required to flow this clause down to any subcontractor whose work involves CUI — which means even a small machining shop or software developer well down the supply chain can be bound by all 110 requirements.

Flowdown Requirement

If your prime contract includes DFARS 252.204-7012, you must flow it down to every subcontractor that will process, store, or transmit CUI on your behalf. Ignoring flowdown obligations creates False Claims Act exposure for the prime — and for the sub if they knowingly misrepresent compliance.

The 14 Control Families: What They Require

NIST 800-171 organizes its 110 requirements into 14 families. Each family addresses a distinct security domain. The table below summarizes each family, its requirement count, and the highest-impact controls for most SMBs.

| # | Family | Requirements | Key SMB Controls |
| --- | --- | --- | --- |
| 3.1 | Access Control (AC) | 22 | Limit user access to CUI by role; enforce least privilege; control remote access |
| 3.2 | Awareness and Training (AT) | 3 | Security awareness training for all users; role-specific training for privileged users |
| 3.3 | Audit and Accountability (AU) | 9 | Generate, retain, and review audit logs; protect logs from tampering |
| 3.4 | Configuration Management (CM) | 9 | Baseline configurations; restrict unauthorized software; change control process |
| 3.5 | Identification and Authentication (IA) | 11 | MFA for privileged accounts and remote access; strong password policy; no shared accounts |
| 3.6 | Incident Response (IR) | 3 | Documented IR capability; 72-hour cyber incident report to DoD; evidence preservation |
| 3.7 | Maintenance (MA) | 6 | Controlled maintenance; sanitize equipment before sending to third parties |
| 3.8 | Media Protection (MP) | 9 | Protect, label, and securely dispose of CUI media; encryption on removable media |
| 3.9 | Personnel Security (PS) | 2 | Screen individuals before granting CUI access; terminate access promptly on departure |
| 3.10 | Physical Protection (PE) | 6 | Control physical access to systems processing CUI; protect against unauthorized physical access |
| 3.11 | Risk Assessment (RA) | 3 | Periodic risk assessments; remediate vulnerabilities based on risk; scan for vulnerabilities |
| 3.12 | Security Assessment (CA) | 4 | System Security Plan (SSP); Plan of Action & Milestones (POA&M); periodic control assessment |
| 3.13 | System and Communications Protection (SC) | 16 | Network boundary protection; encrypt CUI in transit; control mobile code; architect segmented networks |
| 3.14 | System and Information Integrity (SI) | 7 | Patch management; malware protection; security alerts monitoring; input validation |

The Largest Families Are the Hardest

Access Control (22 requirements) and System and Communications Protection (16 requirements) account for more than a third of all 110 controls. These are also where most SMBs have the largest gaps: inadequate role-based access, no network segmentation, unencrypted CUI on laptops, and no remote access controls. The Identification and Authentication family (11 requirements) is where MFA requirements live — a common gap and a high-value fix.

DFARS 252.204-7012: Your Contractual Obligations

DFARS 252.204-7012 is the mechanism that transforms NIST 800-171 from a voluntary framework into a binding contract requirement. Understanding what the clause actually requires — beyond just implementing the 110 controls — is critical for avoiding compliance gaps.

What DFARS 252.204-7012 Requires

False Claims Act Risk

In 2021, the DoJ announced a Civil Cyber-Fraud Initiative specifically targeting contractors that knowingly misrepresent their cybersecurity compliance. Submitting an inflated SPRS score or signing a contract representation without actually implementing required controls creates False Claims Act exposure — with treble damages and mandatory exclusion. This is not theoretical: FCA settlements in this space have already occurred.

Companion Clauses to Know

DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) requires contractors to have a current SPRS score on record before award. Without a SPRS entry, you may be ineligible for contract award. DFARS 252.204-7020 gives the government the right to conduct higher-level assessments (Medium or High confidence assessments beyond your self-attestation) — so your documented controls need to stand up to scrutiny.

Relationship to CMMC 2.0 Level 2

Understanding where NIST 800-171 ends and CMMC begins matters for planning. The short version: CMMC Level 2 = NIST 800-171 + third-party verification for critical programs.

| Dimension | NIST SP 800-171 | CMMC Level 2 |
| --- | --- | --- |
| Control count | 110 requirements | 110 practices (1-to-1 mapping) |
| Assessment method | Self-attestation (submitted to SPRS) | Self-attestation OR C3PAO third-party assessment, depending on program |
| Contractual trigger | DFARS 252.204-7012 | 32 CFR Part 170 + DFARS rule (phased rollout through 2028) |
| Score system | SPRS score (-203 to 110) | Pass/Fail per control, conditional certification with POA&M allowances |
| Certification validity | Annual self-attestation | 3 years for C3PAO assessments; annual affirmation |
| Who enforces | Contracting officer; DoJ via FCA | DCSA (as CMMC Third-Party Assessor Organization accreditor) |

If your contract currently requires DFARS 252.204-7012 and will eventually require CMMC Level 2 certification, implementing NIST 800-171 correctly now is the direct path. You are essentially doing CMMC Level 2 pre-work — the only additional step is either a C3PAO assessment or annual self-attestation, depending on your specific program requirements.

Step-by-Step Self-Assessment Process

The self-assessment uses NIST SP 800-171A — the companion assessment guide — as the methodology. 800-171A maps each of the 110 requirements to specific assessment objectives and recommended assessment methods (examine, interview, test). Here is the sequence:

NIST 800-171 Self-Assessment: 8-Step Process

  1. Define the assessment scope: Identify every system, component, and service that processes, stores, or transmits CUI. This is your assessment boundary. Out-of-scope systems cannot be used for CUI. The scope decision is documented in your System Security Plan.
  2. Complete or update your System Security Plan (SSP): Document how each of the 110 requirements is implemented (or why it is not applicable). The SSP must describe your system boundary, data flows, personnel, and the controls in place. Use NIST's SSP template or the OUSD(A&S) template as a starting point.
  3. Work through each family using NIST SP 800-171A: For each requirement, 800-171A specifies the assessment objectives. Mark each as Met (fully implemented), Not Met (gap), or Not Applicable (documented justification required). Gather evidence: screenshots, configuration exports, policy documents, interview notes.
  4. Calculate your SPRS score: Start at 110. For each requirement that is Not Met, subtract its weighted value using the DoD Assessment Methodology v1.2.1. The highest-weighted requirements (typically 5-point deductions) are: MFA (3.5.3), audit log protection (3.3.8), and encrypted remote sessions (3.13.8). Partial implementations can be scored at different levels (Basic/Medium/High confidence).
  5. Build your Plan of Action & Milestones (POA&M): Every Not Met control needs a POA&M entry: description of the gap, planned action, responsible party, resources required, and target completion date. A realistic POA&M with milestone dates is more defensible than an inflated score with no documentation.
  6. Submit your score to SPRS: Log in to sprs.us, navigate to NIST SP 800-171 DoD Assessment, and submit your score, assessment date, and POA&M closure date. Keep a copy of the assessment evidence package — you may need to produce it in a government audit.
  7. Remediate gaps per your POA&M: Execute the POA&M. Prioritize high-weight controls first — MFA, encryption, audit logging — as these have the biggest score impact and are the most commonly inspected. Implement controls in phases; do not wait for perfection before submitting.
  8. Reassess annually (minimum): DFARS 252.204-7012 and the CMMC rule require that assessments remain current. Any significant change to the assessed environment (new cloud provider, network architecture change, major system addition) triggers a partial reassessment. Annual full reassessment is the standard.

SPRS Scoring System

SPRS (Supplier Performance Risk System) is the DoD portal where your self-assessment score lives. Every contracting officer can see it before award. A score below 110 signals gaps — a very low or negative score signals a company that has done little or no implementation.

How the Score Is Calculated

The DoD Assessment Methodology assigns a point value to each of the 110 requirements. The total possible score is 110. Each unimplemented requirement reduces the score by its assigned weight. Point deductions are not uniform — some requirements are worth 1 point, others 3 or 5. The exact weighting is published in the DoD Assessment Methodology document (v1.2.1).

| Score Range | Interpretation | Contractor Risk Level |
| --- | --- | --- |
| 90–110 | Strong implementation, minor gaps or POA&M items | Low — competitive for most contracts |
| 60–89 | Partial implementation, meaningful gaps | Medium — may face scrutiny on sensitive programs |
| 1–59 | Significant gaps, substantial POA&M required | High — at risk for contract loss on CMMC-required programs |
| Below 0 (negative) | Widespread non-implementation | Very High — likely ineligible for new CMMC-gated awards |

[Chart: Score Distribution Across DoD Contractors (illustrative) — 90–110 (Strong) ~25%; 60–89 (Partial) ~35%; Below 60 (Significant gaps) ~40%]
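The scoring arithmetic from step 4 of the self-assessment process and the interpretation bands in the table above, as an added worked example (not code from the guide or from DefenseBizStack). The weight table is a constructed placeholder: it lists only the three 5-point requirements the guide names (3.5.3, 3.3.8, 3.13.8) and treats every other requirement as 1 point, so the full DoD Assessment Methodology v1.2.1 table must be substituted before the result is used for a real submission.

```python
"""SPRS score calculator: start at 110 and subtract each Not Met requirement's weight.
Added example, not from the guide. FIVE_POINT_REQUIREMENTS is a constructed placeholder."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110   # every requirement Met
MIN_SCORE = -203  # lowest possible score stated in the guide

# Constructed placeholder weight table: only the 5-point items the guide names.
# The real v1.2.1 table also contains 3-point items; load the full table here.
FIVE_POINT_REQUIREMENTS = {"3.5.3", "3.3.8", "3.13.8"}


def weight(req_id: str) -> int:
    """Points deducted when a requirement is Not Met (placeholder table)."""
    return 5 if req_id in FIVE_POINT_REQUIREMENTS else 1


class Status(Enum):
    MET = "Met"
    NOT_MET = "Not Met"
    NOT_APPLICABLE = "Not Applicable"


@dataclass
class Finding:
    req_id: str              # e.g. "3.5.3"
    status: Status
    justification: str = ""  # mandatory when status is NOT_APPLICABLE


def sprs_score(findings: list[Finding]) -> int:
    """Compute the SPRS score for an assessed set of requirements."""
    score = MAX_SCORE
    for f in findings:
        if f.status is Status.NOT_APPLICABLE and not f.justification.strip():
            raise ValueError(f"{f.req_id}: Not Applicable requires a documented justification")
        if f.status is Status.NOT_MET:
            score -= weight(f.req_id)
    if score < MIN_SCORE:
        raise ValueError("score below the methodology minimum; check the weight table")
    return score


def risk_band(score: int) -> str:
    """Map a score onto the interpretation bands in the guide's table."""
    if score >= 90:
        return "Strong implementation, minor gaps or POA&M items (Low risk)"
    if score >= 60:
        return "Partial implementation, meaningful gaps (Medium risk)"
    if score >= 1:
        return "Significant gaps, substantial POA&M required (High risk)"
    # The guide labels this band "Below 0 (negative)"; a score of exactly 0 is not
    # covered by its table and is grouped with the negative band here.
    return "Widespread non-implementation (Very High risk)"


def poam_priority(findings: list[Finding]) -> list[str]:
    """Not Met requirement IDs ordered for remediation: heaviest deduction first."""
    gaps = [f for f in findings if f.status is Status.NOT_MET]
    numeric = lambda rid: tuple(int(p) for p in rid.split("."))  # "3.10.1" after "3.9.2"
    return [f.req_id for f in sorted(gaps, key=lambda f: (-weight(f.req_id), numeric(f.req_id)))]


if __name__ == "__main__":
    # Constructed sample assessment: MFA missing, two audit-logging gaps, one N/A.
    sample = [
        Finding("3.1.1", Status.MET),
        Finding("3.5.3", Status.NOT_MET),
        Finding("3.3.1", Status.NOT_MET),
        Finding("3.3.2", Status.NOT_MET),
        Finding("3.8.9", Status.NOT_APPLICABLE, "no CUI backups stored outside the assessed system"),
    ]
    s = sprs_score(sample)
    print(s, risk_band(s), poam_priority(sample))
```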

Confidence Levels: Basic, Medium, High

The DoD Assessment Methodology defines three confidence levels that affect how your score is treated. Basic is the standard self-assessment — submitted by the contractor, not independently verified. Medium is a government review of your SSP. High is an on-site assessment by government personnel. For CMMC Level 2 programs that require third-party assessment, the C3PAO assessment effectively replaces the Medium/High DoD assessment. If you only have a Basic score and a contracting officer requests a Medium or High assessment, you may need to provide your full evidence package on short notice.


Common Gaps SMBs Face

Most small and mid-size defense contractors score below 70 on their first honest self-assessment. The gaps are predictable — and most can be remediated without enterprise-scale spending. Here are the top gaps by category.

1. Multi-Factor Authentication (3.5.3)

Requirement 3.5.3 mandates MFA for local and network access to CUI systems using privileged accounts, and for remote access to any CUI system. Many SMBs still rely on single-factor logins for remote desktop, VPN, email, and cloud file storage. MFA implementation is one of the cheapest high-impact fixes available — Microsoft 365, Google Workspace, and most VPN solutions have MFA built in. No implementation = a guaranteed SPRS score deduction and a CMMC assessment fail.

2. Encryption at Rest (3.13.16)

CUI stored on mobile devices and removable media must be encrypted. This means full-disk encryption on all laptops and workstations that handle CUI (BitLocker or FileVault), and encrypted USB drives only. Cloud storage of CUI must meet FedRAMP Moderate baseline — which standard Google Drive and consumer Dropbox do not. Many contractors store CUI in unencrypted folders on personal laptops or ship it on unencrypted USB drives. This is both an 800-171 violation and a reportable security event under DFARS.

3. Audit Logging (3.3.1, 3.3.2)

Requirements 3.3.1 and 3.3.2 require generating, retaining, and reviewing audit records for system activity sufficient to detect and respond to security events. Most SMBs either have no centralized logging at all, or collect logs they never review. A basic SIEM (Security Information and Event Management) tool — or even Windows Event Log forwarding to a central location — satisfies the technical requirement. The review requirement means someone must actually look at the logs on a regular basis, with a defined process. Log retention is typically 90 days minimum, 3 years preferred.

4. Incident Response Plan (3.6.1, 3.6.2)

Requirements 3.6.1 and 3.6.2 require an operational incident response capability — meaning a documented plan tested at least annually and a process for reporting cyber incidents to DoD within 72 hours. Many SMBs have no written incident response plan at all. A two-page documented procedure that identifies who calls whom, how to preserve system images, and how to submit the DIBNet incident report satisfies the basic requirement. The 72-hour reporting window is contractual — missing it compounds the original incident with a DFARS violation.

5. Network Segmentation (3.13.1, 3.13.3)

Requirements 3.13.1 and 3.13.3 require boundary protection and network segmentation — CUI systems should not be on the same flat network as guest Wi-Fi, production floor equipment, or internet-connected devices without appropriate controls. Many SMBs run a single flat network with no VLAN separation, no firewall between internal segments, and no CUI boundary definition. Basic network segmentation (a separate VLAN for CUI systems, firewall rules, and access control lists) can be implemented cost-effectively even in small facilities.

6. Configuration Management (3.4.1, 3.4.2)

Baseline configurations must be established and maintained for all CUI systems (3.4.1), and configuration changes must be controlled (3.4.2). Many SMBs have never documented a baseline configuration — systems are often built by whoever is available and configuration drift is common. CIS Benchmarks provide free baseline configuration guides for Windows, Linux, and cloud environments. Implementing a configuration management tool (even Group Policy at the small end) and documenting the baseline satisfies the core requirement.

Don't Over-Engineer It

Enterprise SIEM tools, MDR services, and full SOC contracts are appropriate for large primes — not a 15-person machine shop. The controls must be implemented and documented, but implementation can be simple. A documented policy, a configured Windows Group Policy, and a biweekly log review spreadsheet can satisfy the requirement. What assessors look for is evidence that you thought about the control and implemented something.

Timeline and Cost Estimates for SMBs

The investment required depends on your starting point. Here is a realistic breakdown for a 10-50 person defense contractor starting from minimal security controls.

| Phase | Timeline | Activities | Estimated Cost |
| --- | --- | --- | --- |
| Phase 1: Assess | Weeks 1–4 | Asset inventory, SSP drafting, gap assessment using 800-171A, SPRS baseline score | $5K–$15K (consulting) or DIY with templates |
| Phase 2: Quick Wins | Weeks 4–10 | MFA rollout, BitLocker/FileVault, patching schedule, basic log collection, IR plan draft | $2K–$8K (tools + IT labor) |
| Phase 3: Structural | Weeks 10–22 | Network segmentation, SIEM deployment, configuration baselines, access control audit, media protection | $10K–$40K (depending on network complexity) |
| Phase 4: Validate | Weeks 22–26 | Internal or third-party validation, POA&M finalization, SPRS score update, SSP sign-off | $3K–$10K (validation review) |

Total SMB Investment Range

A realistic total for a 10-50 person contractor going from minimal controls to a defensible SPRS score above 90: $20,000–$75,000 in year one, with ongoing annual costs of $10,000–$25,000 for tooling, training, and annual reassessment. Companies that already have SOC 2 or ISO 27001 controls in place will be at the lower end. Companies starting from zero — no MFA, no log management, flat network — will be at the higher end, often due to network infrastructure costs.

SBIR Funding for Compliance

Small businesses may be eligible to use SBIR/STTR Phase I or Phase II funds to support CUI system development that meets NIST 800-171 requirements. Additionally, some states have cybersecurity grant programs specifically for defense suppliers. Check with your PTAC (Procurement Technical Assistance Center) for state-specific options.

How DefenseBizStack Tools Help

Navigating NIST 800-171 compliance is easier when you have the right visibility into your readiness and the contract landscape. Here is how our tools map to the compliance process.

CMMC Readiness Assessment

Our CMMC Readiness Assessment walks you through all 14 NIST 800-171 control families with targeted questions and scores your readiness across each domain. It mirrors the self-assessment structure of NIST SP 800-171A. The output is a domain-by-domain gap report with prioritized remediation recommendations — a starting point for your SSP and POA&M. It is free and takes about 10 minutes.

Pulse Stack — Contract & Regulatory Monitoring

The Pulse Stack monitors SAM.gov for contracts in your NAICS codes and flags opportunities that include DFARS 252.204-7012, CMMC Level 2, or CUI-handling requirements. If you are tracking which new DoD solicitations will require NIST 800-171 compliance, Pulse gives you early visibility so you can plan implementation timelines before bid deadlines.

Bid Matcher

The Bid Matcher surfaces active DoD contract opportunities aligned to your capabilities. For each opportunity, you can see whether CMMC or CUI requirements are present — so you do not discover a compliance requirement after you have already committed to a bid. Knowing what compliance level a contract requires before you respond is the first step in realistic proposal planning.


Frequently Asked Questions

What is NIST SP 800-171 and who must comply?

NIST SP 800-171 specifies 110 security requirements across 14 control families for protecting CUI in nonfederal systems. Any company that handles CUI under a DoD, federal civilian, or intelligence community contract must comply. The contractual trigger is DFARS clause 252.204-7012, which is flowed down from primes to subcontractors — so even a small sub-tier supplier that touches CUI is subject to all 110 requirements. Compliance is not optional: failure can result in contract loss, False Claims Act liability, and debarment.

What is the difference between NIST 800-171 and CMMC Level 2?

CMMC Level 2 is built directly on NIST SP 800-171 Rev 2. The 110 CMMC Level 2 practices map 1-to-1 to the 110 NIST 800-171 requirements. The difference is enforcement: NIST 800-171 compliance is self-attested (you submit a SPRS score), while CMMC Level 2 for critical programs requires a third-party assessment by a Certified Third-Party Assessor Organization (C3PAO). If your contract requires CMMC Level 2 with a C3PAO assessment, meeting NIST 800-171 now gets you most of the way there.

What is SPRS and how do I submit my score?

SPRS (Supplier Performance Risk System) is the DoD portal where contractors submit their NIST SP 800-171 self-assessment score. The score ranges from -203 to 110. To submit: complete your self-assessment against all 110 requirements, calculate your score using the DoD Assessment Methodology, then log in to sprs.us and navigate to Assessments > NIST SP 800-171 DoD Assessment. Enter your score, assessment date, and POA&M completion date. Your contracting officer can see your SPRS score — a very low or missing score is a red flag at award time.

What are the most common NIST 800-171 gaps for small defense contractors?

The top gaps are: (1) Multi-Factor Authentication — 3.5.3 requires MFA for privileged accounts and remote access. (2) Encryption at rest — 3.13.16 requires encrypting CUI on mobile devices and removable media. (3) Audit logging — 3.3.1 and 3.3.2 require generating and reviewing system audit logs. (4) Incident response plan — 3.6.1 and 3.6.2 require a documented IR capability. (5) Network segmentation — 3.13.1 and 3.13.3 require boundary protection and CUI system isolation. Addressing MFA, encryption, and audit logging first gives the highest score improvement for the least cost.

What is a System Security Plan (SSP) and is it required?

An SSP describes how your organization implements (or plans to implement) each of the 110 NIST 800-171 requirements. DFARS 252.204-7012 requires contractors to have an SSP. It documents your system boundary, data flows, hardware inventory, and the controls in place. During a government assessment or C3PAO CMMC audit, the SSP is the first document requested. A working SSP lets you identify gaps and build your POA&M from an honest baseline. NIST and OUSD(A&S) both publish template SSPs.

How long does it take an SMB to achieve NIST 800-171 compliance?

For a 10-50 person company starting from minimal controls: 3-6 months is realistic with focused effort. Month 1: scoping, asset inventory, SSP draft, gap assessment. Months 2-3: implement quick wins (MFA, encryption, patching, log collection). Months 3-5: close harder gaps (network segmentation, incident response plan, SIEM). Month 6: validate, score, submit to SPRS, finalize POA&M. Companies with SOC 2 or ISO 27001 controls already in place can often achieve a score above 100 within 60-90 days. Starting from zero: plan 6-12 months for a defensible score.