1. What Is NIST 800-171? (Plain English for SMB Owners)
NIST SP 800-171 is a set of cybersecurity requirements your company must meet to handle Controlled Unclassified Information (CUI) — government data that isn't classified but is sensitive enough to require protection. Think technical drawings, contract performance data, export-controlled specs, procurement-sensitive information.
If you're a defense contractor and your contract includes DFARS clause 252.204-7012, you are legally required to comply. That clause flows down — so even if you're a sub-tier supplier who never touches DoD directly, if your prime flows the clause into your subcontract, you're bound by the same requirements.
NIST 800-171 is not voluntary guidance. DFARS 252.204-7012 makes it a contract requirement. Failure to comply can result in contract termination, False Claims Act liability, and loss of future contract eligibility.
Revision 3 of NIST SP 800-171 was finalized in May 2024. It restructures the framework — 17 control families instead of 14, 97 base requirements instead of 110, and introduces organization-defined parameters (ODPs) that give contractors flexibility but require explicit documentation. Most online guides still cover Rev 2. That's the gap this guide fills.
For the relationship between NIST 800-171 and CMMC Level 2, see our CMMC Level 2 requirements guide. For the Rev 2 foundational baseline, see our NIST 800-171 compliance guide. For the four DFARS cybersecurity clauses that make NIST 800-171 a contract requirement — including the 72-hour incident reporting rule and False Claims Act risk — see our DFARS Cybersecurity Clauses Guide.
2. Rev 2 → Rev 3: What Changed
Rev 3 is the most significant update to NIST 800-171 since the framework's initial publication. Here's what's different:
| Attribute | Rev 2 (2020) | Rev 3 (May 2024) | Impact on SMBs |
|---|---|---|---|
| Control families | 14 families | 17 families | Three new families require new policies |
| Requirement count | 110 requirements | 97 base requirements | Fewer base reqs but ODPs expand scope |
| Organization-defined parameters | Not present | Present in many requirements | Must be defined & documented in SSP |
| Alignment to NIST 800-53 | Rev 4 mapping | Rev 5 mapping (full alignment) | Better overlap with federal baselines |
| Enhanced requirements | Not included | References to NIST SP 800-172 | High-value asset contractors may need 800-172 |
| Supply chain requirements | Minimal (SA family only) | New SCRM (SR) family | Vendor screening now explicit |
| Planning requirements | Minimal (CA family) | New Planning (PL) family | Formal security planning documentation required |
| CMMC alignment | CMMC L2 maps 1-to-1 | CMMC still on Rev 2 (as of 2026) | Track both versions for overlapping contracts |
| SPRS scoring model | 110 pts max, -203 min | Unchanged (still uses Rev 2 model) | SPRS not yet updated for Rev 3 |
CMMC Level 2 still uses NIST 800-171 Rev 2. If your contract requires CMMC certification, you must maintain Rev 2 compliance for that program. Rev 3 compliance may be separately required by DFARS 252.204-7012 depending on your contract language. Run both in parallel until DoD updates CMMC to Rev 3.
The Three New Control Families
The biggest structural change in Rev 3 is the addition of three control families that have no direct Rev 2 counterpart:
- Planning (PL) — Requires formal security planning, rules of behavior, and information security architecture documentation. In Rev 2, this was partially covered under Security Assessment (CA). Now it's explicit.
- System and Services Acquisition (SA) — Security requirements for software, systems, and services you procure. Includes supply chain-adjacent concerns around developer security practices and external service providers.
- Supply Chain Risk Management (SR) — A dedicated family for managing cybersecurity risks in your supply chain. Requires a SCRM plan, vendor risk assessment, and supply chain criteria in procurement decisions.
The technical control families you already know — Access Control, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity — all carry over. Control numbers changed but the underlying security intent is the same.
3. The 17 Control Families in Rev 3
Rev 3 organizes security requirements into 17 families identified by two-letter codes. The three families marked NEW have no direct Rev 2 equivalent and require fresh implementation work regardless of your current compliance posture.
Access Control
Limit system access to authorized users and to the types of transactions they're permitted to execute. Includes least privilege, remote access controls, CUI flow enforcement, and access to publicly accessible systems.
SMB tip: Start with role-based access reviews + documented access approval process.
Awareness & Training
Ensure personnel understand security risks and their responsibilities. Provide role-based training for users with elevated privileges. Document training completion.
SMB tip: Annual security awareness training + documented records satisfies most AT requirements.
Audit & Accountability
Create, protect, and retain system audit logs. Review and analyze logs for anomalies. Provide non-repudiation capability. Protect audit information from unauthorized access/modification.
SMB tip: A cloud SIEM (e.g., Microsoft Sentinel, Sumo Logic) handles log collection, retention, and alerting.
Security Assessment
Periodically assess security controls, develop and implement plans of action, monitor systems on an ongoing basis, and develop connections/agreements for external systems.
SMB tip: Annual internal assessment + maintained POA&M satisfies CA. Use NIST SP 800-171A as your assessment guide.
Configuration Management
Establish and maintain baseline configurations, control changes, restrict software installation, apply least functionality, and restrict user-installed software.
SMB tip: Document your baseline config, enable auto-updates, and block unauthorized software installs via MDM policy.
Identification & Authentication
Identify and authenticate users, devices, and processes. Enforce multi-factor authentication for privileged and remote access. Manage authenticator lifecycle (passwords, tokens, certificates).
SMB tip: MFA for all remote access and admin accounts is the single highest-value IA control. Use Okta, Duo, or Microsoft Authenticator.
Incident Response
Establish incident response capability, track/document/report incidents, and test response capability. DFARS 252.204-7012 also requires reporting CUI breaches to DoD within 72 hours.
SMB tip: A documented IR plan + tabletop exercise once/year satisfies IR. Keep DoD DCSA contact info current.
Maintenance
Perform maintenance on organizational systems, provide controls on tools and personnel, and sanitize equipment before offsite maintenance or disposal.
SMB tip: Maintain a maintenance log. Remote maintenance sessions must use MFA and be logged.
Media Protection
Protect system media (digital and physical), limit access to CUI on media, sanitize or destroy media before disposal or reuse, and encrypt CUI on portable storage.
SMB tip: Encrypt all USB drives and laptops that can store CUI. Use BitLocker or FileVault. Document media sanitization/disposal.
Physical Protection
Limit physical access to systems and CUI to authorized individuals. Escort visitors and monitor physical access. Protect and monitor physical facility infrastructure.
SMB tip: Keyed/badge access to server rooms + visitor log satisfies most PE requirements for small offices.
Planning (NEW)
Develop, document, and update a system security plan (SSP) that describes system boundaries, operational environments, and the implementation of security requirements. Establish rules of behavior for CUI system users.
SMB tip: Your SSP is the anchor document for the entire framework. Rev 3 makes PL explicit — if you had an SSP under Rev 2, update it to cover Rev 3 structure and ODPs.
Personnel Security
Screen individuals before authorizing access to organizational systems. Ensure CUI is protected during and after personnel actions (transfers, terminations).
SMB tip: Background checks before CUI system access + documented offboarding checklist (revoke access same day).
Risk Assessment
Periodically assess risk to operations and assets. Scan for vulnerabilities, remediate them, and update the risk assessment when significant changes occur.
SMB tip: Annual vulnerability scan (Tenable Nessus, Qualys, or equivalent) + documented risk assessment narrative. Patch critical CVEs within 30 days.
System & Services Acquisition (NEW)
Include security requirements in acquisition contracts. Require developers to follow secure development practices. Evaluate security functions of acquired software. Address developer-provided documentation and training.
SMB tip: Add security language to software/service vendor contracts. Require SOC 2 or equivalent from SaaS vendors that process CUI.
System & Communications Protection
Monitor, control, and protect communications at external boundaries and key internal boundaries. Implement architectural designs, software development techniques, and systems engineering principles promoting security. Encrypt CUI in transit and at rest.
SMB tip: Largest family by requirement count. Prioritize: TLS 1.2+ for all CUI in transit, network segmentation for CUI systems, DNS filtering.
System & Information Integrity
Identify, report, and correct flaws. Protect systems from malicious code. Monitor systems to detect attacks and indicators of compromise. Update malicious code protection mechanisms.
SMB tip: Endpoint detection & response (EDR) tool + active patch management + email filtering covers most SI requirements.
Supply Chain Risk Management (NEW)
Establish a SCRM plan. Assess supply chain risks for critical systems components. Address supply chain risk in acquisition strategies and contracts. Notify the organization of supply chain risks.
SMB tip: Document your top 10 technology vendors, assess each for cybersecurity posture, add SCRM language to vendor contracts. A simple vendor risk register satisfies the baseline.
SC (System & Communications Protection) carries the most requirements in Rev 3 — and the heaviest score impact when missing. Focus here first for maximum SPRS score improvement. The three new families (PL, SA, SR) are policy-heavy and technology-light — new documentation, not new tools.
4. Organization-Defined Parameters (ODPs): What They Are and How to Handle Them
ODPs are one of the biggest practical changes in Rev 3 for SMBs. They're placeholders within requirements where you must define specific values based on your environment. NIST identified that many security decisions are context-dependent — what's appropriate for a 5,000-person defense prime is different from what's appropriate for a 12-person machine shop.
Example of an ODP in Practice
A Rev 3 requirement might read: "Review and update the security assessment plan [organization-defined frequency]." You must define the frequency — annually, semi-annually, after major system changes — and document that definition in your SSP.
If a requirement contains an ODP and you haven't defined it in your SSP, the requirement is technically unmet even if your technical controls are in place. Assessors look for ODP documentation before verifying technical implementation. Set your ODPs first.
How to Handle ODPs for Your SSP
- Download the NIST SP 800-171 Rev 3 document from csrc.nist.gov — it lists all ODPs alongside each requirement.
- Go through each ODP and define a value that fits your environment and risk tolerance.
- Document every ODP definition in your SSP — either inline with each requirement or in a dedicated ODP table appendix.
- Set conservative values where you're uncertain — you can tighten them over time, but starting too loose creates risk.
- Revisit ODPs annually or after major system changes.
Defensible default ODP values:
- Frequency of audit log review: weekly at minimum
- Password length: 12+ characters
- Vulnerability scanning frequency: quarterly
- Security assessment frequency: annually
- Account lock-out after failed attempts: 5 attempts
These are defensible defaults — document your rationale in the SSP.
5. Implementation Roadmap: 4 Phases for SMBs
Don't try to implement all 17 families simultaneously. This 4-phase approach prioritizes by risk reduction per dollar and gets you to a defensible SPRS score faster.
Phase 1: Foundation & Gap Assessment
Scope your CUI environment. Build asset inventory. Define ODPs. Draft or update SSP. Gap-assess all 97 requirements. Build POA&M for gaps.
Phase 2: Quick Win Controls
MFA for all remote/admin access. Full disk encryption on all endpoints. Patch cadence enforcement. Basic log collection and retention. Background check process for new hires.
Phase 3: Harder Technical Controls
Network segmentation for CUI systems. SIEM or log aggregation. Incident response plan and tabletop. Vulnerability scanning program. Supply chain vendor register.
Phase 4: Validation & Submission
Final self-assessment against 800-171A. Update SSP and POA&M. Submit SPRS score. Schedule annual review cadence. Document new Rev 3 families (PL, SA, SR).
Phase 1 Checklist: Foundation Work
- Define your CUI boundary. Identify every system, device, and location that touches CUI. This is your assessment scope — don't over-scope (expensive) or under-scope (non-compliant).
- Build your asset inventory. Hardware (servers, workstations, mobile), software, network devices, and external services. Document what processes CUI and where it flows.
- Define all ODPs. Go through every Rev 3 requirement that contains an organization-defined parameter. Set and document your values before writing any SSP content.
- Draft your System Security Plan (SSP). System boundary narrative, data flows, hardware/software inventory, description of each control or plan for implementation. Use NIST's SSP template as your starting point.
- Conduct a gap assessment using NIST SP 800-171A. Assess each of the 97 requirements using the assessment objectives in 800-171A. Score each as MET, PARTIALLY MET, or NOT MET.
- Build your POA&M. Every NOT MET and PARTIALLY MET requirement needs a Plan of Action and Milestones with owner, target date, and mitigation description.
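The ODP rule from section 4 (an undefined ODP leaves a requirement unmet even when the control is implemented) and the gap-assessment-to-POA&M step above can be mechanized. The script below is an added example, not code from this guide or from NIST: it pulls `[organization-defined ...]` placeholders out of requirement text written in the style of the example in section 4, checks them against an SSP ODP appendix, downgrades any requirement with a missing ODP to NOT MET, and emits POA&M entries. The requirement IDs, texts, ODP values and assessment results are constructed for illustration; real numbering and wording come from NIST SP 800-171 Rev 3.

```python
"""ODP coverage check and POA&M builder for a Rev 3 gap assessment (added example)."""
import re
from collections import Counter

# Matches the placeholder form used in this guide's section 4 example.
ODP_PATTERN = re.compile(r"\[organization-defined ([^\]]+)\]")

# Constructed sample requirements with placeholder IDs (not real Rev 3 numbering).
REQUIREMENTS = {
    "REQ-CA-1": "Review and update the security assessment plan [organization-defined frequency].",
    "REQ-AU-1": "Review and analyze system audit records [organization-defined frequency].",
    "REQ-AC-1": ("Enforce a limit of [organization-defined number] consecutive invalid "
                 "logon attempts during [organization-defined time period]."),
    "REQ-IR-1": "Test the incident response capability [organization-defined frequency].",
    "REQ-SR-1": "Develop a plan for managing supply chain risks associated with the system.",
}

# Constructed SSP ODP appendix: (requirement id, parameter name) -> documented value.
# REQ-AC-1 "time period" and REQ-IR-1 "frequency" are deliberately left undefined.
SSP_ODPS = {
    ("REQ-CA-1", "frequency"): "annually",
    ("REQ-AU-1", "frequency"): "weekly",
    ("REQ-AC-1", "number"): "5",
}

# Constructed results of the technical walkthrough against 800-171A objectives.
TECHNICAL_STATUS = {
    "REQ-CA-1": "MET", "REQ-AU-1": "MET", "REQ-AC-1": "MET",
    "REQ-IR-1": "MET", "REQ-SR-1": "NOT MET",
}


def find_odps(text):
    """Return the ODP parameter names in a requirement, in order of appearance."""
    return ODP_PATTERN.findall(text)


def missing_odps(req_id, text, ssp_odps):
    """ODPs the requirement contains that have no documented value in the SSP."""
    return [p for p in find_odps(text) if (req_id, p) not in ssp_odps]


def effective_status(req_id, text, technical_status, ssp_odps):
    """Assessor's view: an undefined ODP makes the requirement NOT MET regardless of controls."""
    if missing_odps(req_id, text, ssp_odps):
        return "NOT MET"
    return technical_status.get(req_id, "NOT MET")


def build_poam(requirements, technical_status, ssp_odps, owner="ISSO", target="YYYY-MM-DD"):
    """One POA&M entry (owner, target date, mitigation) per requirement that is not fully MET."""
    poam = []
    for req_id, text in requirements.items():
        status = effective_status(req_id, text, technical_status, ssp_odps)
        if status == "MET":
            continue
        gaps = missing_odps(req_id, text, ssp_odps)
        mitigation = ("Define and document ODP(s) in SSP: " + ", ".join(gaps)
                      if gaps else "Implement control and record evidence")
        poam.append({"id": req_id, "status": status, "owner": owner,
                     "target": target, "mitigation": mitigation})
    return poam


def status_counts(requirements, technical_status, ssp_odps):
    """Tally of effective statuses, useful as the gap-assessment summary line."""
    return Counter(effective_status(r, t, technical_status, ssp_odps)
                   for r, t in requirements.items())


if __name__ == "__main__":
    for entry in build_poam(REQUIREMENTS, TECHNICAL_STATUS, SSP_ODPS):
        print(f"{entry['id']:<9} {entry['status']:<8} {entry['mitigation']}")
    print(dict(status_counts(REQUIREMENTS, TECHNICAL_STATUS, SSP_ODPS)))
```

Swap the constructed dictionaries for your own requirement list and SSP ODP table; the same check works as a pre-assessment gate before any technical evidence is reviewed.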
6. SPRS Score Connection
The Supplier Performance Risk System (SPRS) is DoD's portal where you submit your NIST SP 800-171 self-assessment score. It's publicly visible to contracting officers — a low or missing score is an immediate red flag during source selection.
As of 2026, SPRS uses the DoD Assessment Methodology based on NIST SP 800-171 Rev 2 (110 requirements, max score 110, minimum –203). The methodology has not yet been updated for Rev 3. Submit and maintain your Rev 2 SPRS score. Track your Rev 3 compliance separately while you wait for DoD to update the methodology.
How SPRS Scoring Works (Rev 2 Model)
You start at 110 and subtract points for each unimplemented requirement based on its weighted value in the DoD Assessment Methodology. Requirements worth more points have higher score impact when missing. The result is your SPRS self-assessment score.
- Score of 110: All 110 requirements fully implemented
- Score of 88–109: Good posture, minor gaps
- Score of 50–87: Significant gaps — POA&M required
- Score below 50: High risk — expect scrutiny from COs and primes
- Score of –203: Maximum deficiency (no requirements met)
For the full SPRS submission walkthrough and score calculation methodology, see our SPRS Score Guide.
Preparing for the Rev 3 Score Transition
When DoD updates SPRS to Rev 3, the scoring model will change. The 97 base requirements will carry new weights. To prepare now:
- Document your Rev 3 compliance status alongside your Rev 2 SPRS score
- Address the three new families (PL, SA, SR) proactively — they'll be scored when the update comes
- Maintain your SSP in Rev 3 structure so the transition requires updating scores, not rebuilding documentation
7. Cost Estimates for SMBs
NIST 800-171 Rev 3 compliance costs vary widely based on your starting point. Below are realistic estimates for a 10–50 person defense contractor starting from minimal security controls.
| Category | Typical Solution | Annual Cost | Priority |
|---|---|---|---|
| Multi-Factor Authentication | Microsoft Entra ID P1, Duo, or Okta | $3–8k/yr | Critical |
| Endpoint Detection & Response | CrowdStrike Falcon Go, SentinelOne, Microsoft Defender | $5–15k/yr | Critical |
| Encryption (endpoints) | BitLocker (Windows), FileVault (Mac) — often included | $0–2k/yr | Critical |
| SIEM / Log Management | Microsoft Sentinel, Sumo Logic, Splunk Cloud | $6–20k/yr | High |
| Vulnerability Scanning | Tenable.io, Qualys, Rapid7 | $3–10k/yr | High |
| Email Security | Proofpoint Essentials, Mimecast, Defender for O365 | $3–8k/yr | High |
| SSP / Documentation | In-house with NIST templates, or consultant | $5–25k one-time | High |
| Network Segmentation | VLAN setup, firewall rules for CUI segment | $2–10k one-time | Medium |
| SCRM Documentation (Rev 3 new) | Vendor risk register + contract language review | $2–8k one-time | Medium |
| Compliance Consultant / MSSP | CMMC-AB registered practitioner, cybersecurity MSSP | $20–80k/yr | Optional |
Total realistic range: $30,000–$80,000 first year (technology + documentation), $15,000–$40,000 ongoing annually. Companies already on Microsoft 365 E3/E5 get MFA, EDR, and SIEM capabilities bundled — cutting costs significantly.
Microsoft 365 Business Premium (~$22/user/month) includes Entra ID P1 (MFA), Microsoft Defender for Endpoint (EDR), and Microsoft Sentinel capability. For a 20-person company, that's ~$5,280/year covering three of the most expensive line items. Evaluate your existing M365 license first before purchasing standalone tools.
8. Top 5 Common NIST 800-171 Rev 3 Mistakes
- Treating ODPs as optional. Every requirement that contains an organization-defined parameter is incomplete until the parameter is explicitly documented. Assessors look for ODP documentation first — an implemented control without a documented ODP is still a finding.
- Assuming Rev 2 compliance covers Rev 3. It doesn't. Rev 3 restructured requirements, introduced ODPs, and added three new families. A perfect Rev 2 score does not mean Rev 3 compliance. Map your existing controls to the new requirement numbering.
- Ignoring the three new families (PL, SA, SR). These are the most commonly missed. They're policy-heavy (SSP, rules of behavior, vendor risk register, acquisition language) — not technology-heavy. But they're required.
- Conflating CMMC with Rev 3. CMMC Level 2 still uses Rev 2. If your contract requires CMMC certification, you need to maintain Rev 2 compliance for that program. Maintain them in parallel; don't let Rev 3 work cannibalize your Rev 2 SPRS score.
- Using an outdated SSP template. Rev 3 changed requirement numbering across all 17 families. A Rev 2 SSP template will have wrong control numbers, missing ODPs, and no coverage for PL, SA, or SR. Download the current Rev 3 templates from NIST.
DFARS 252.204-7012 references compliance with NIST SP 800-171 — some contracting officers are beginning to interpret that as requiring Rev 3. Check your specific contract language. If your contract says "most current version," Rev 3 compliance may already be required for new task orders.
9. FAQ: NIST 800-171 Rev 3
What is NIST 800-171 Rev 3 and when did it become effective?
NIST SP 800-171 Revision 3 was finalized by NIST in May 2024. It restructured the framework from 14 to 17 control families, changed from 110 to 97 base requirements, and introduced organization-defined parameters (ODPs). As of 2026, CMMC Level 2 still references Rev 2. For DFARS 252.204-7012 compliance, check your specific contract language — some contracts reference "most current version," which would point to Rev 3.
Does CMMC Level 2 use NIST 800-171 Rev 2 or Rev 3?
CMMC Level 2 is based on NIST SP 800-171 Rev 2 (110 practices) as of 2026. The CMMC rule (32 CFR Part 170) was finalized before Rev 3 and has not yet been updated. For CMMC assessments, compliance is measured against Rev 2. Track Rev 3 compliance separately for DFARS purposes, and watch for DoD updates as they move toward aligning CMMC with Rev 3.
How many requirements does NIST 800-171 Rev 3 have?
97 base security requirements across 17 control families. This is a reduction from Rev 2's 110, but organization-defined parameters (ODPs) create additional documentation requirements within those 97. The effective compliance burden is similar to Rev 2 when you account for the three new families and ODP documentation.
What are organization-defined parameters (ODPs) and why do they matter?
ODPs are placeholders within requirements where you must define specific values (frequencies, thresholds, types). Every ODP must be documented in your System Security Plan. An unset ODP means the requirement is technically unmet — even if your technical controls are in place. Prioritize ODP definition before any technical implementation work.
Does SPRS scoring change under NIST 800-171 Rev 3?
As of 2026, no. SPRS still uses the DoD Assessment Methodology based on Rev 2 (110 requirements, max 110, min –203). SPRS has not been updated for Rev 3's 97-requirement structure. Continue submitting Rev 2-based SPRS scores. When SPRS is updated, the methodology and weights will change — begin documenting Rev 3 compliance now so the transition is a score update, not a full rebuild.
What are the three new control families in Rev 3?
Planning (PL) — formal security planning, SSP, and rules of behavior. System and Services Acquisition (SA) — security requirements in procurement, developer security practices, and external service providers. Supply Chain Risk Management (SR) — SCRM plan, vendor risk assessment, and supply chain criteria in acquisition. All three are policy and documentation heavy; the technology requirements are minimal.
How long does Rev 3 implementation take for a small business?
4–8 months for a 10–50 person company starting from minimal controls. Companies with solid Rev 2 compliance already in place can typically address Rev 3 gaps (ODPs, new families, re-mapping) within 60–90 additional days. Phase 1 (scoping, SSP, ODPs, gap assessment) takes 4–6 weeks. Technical controls in Phases 2–3 take 3–5 months. Final validation and SPRS submission is 2–4 weeks.
What does Supply Chain Risk Management require under NIST 800-171 Rev 3?
The SR family requires: a documented SCRM plan, risk assessment of critical component suppliers, supply chain risk criteria in acquisition decisions, and supply chain risk notifications. For SMBs: maintain a vendor register of key technology suppliers, complete basic risk questionnaires, and include cybersecurity language in vendor contracts. A simple documented process satisfies the baseline — third-party supplier audits are not required.
How do I start Rev 3 compliance if I'm already Rev 2 compliant?
Four steps: (1) Map your existing Rev 2 controls to the new Rev 3 requirement numbering — most map cleanly. (2) Add ODP definitions to your SSP for every requirement containing an organization-defined parameter. (3) Document coverage for the three new families: PL (update/create your SSP), SA (add security language to vendor contracts), SR (build a vendor risk register). (4) Update your SPRS score if needed once SPRS adopts Rev 3. Your existing technical controls don't change — the gap is documentation and the three new families.
This guide covers NIST 800-171 Rev 3. For the complete compliance picture: CMMC Level 2 requirements · NIST 800-171 Rev 2 baseline · SPRS scoring walkthrough · C3PAO assessment guide · subcontractor compliance.