What Is NIST SP 800-171 and Who Needs It?
If you're a federal contractor and you handle government data, NIST SP 800-171 is almost certainly a legal requirement in your contracts — whether or not you know it. Here's what it actually means.
What Is NIST SP 800-171?
NIST Special Publication 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is a cybersecurity standard published by the National Institute of Standards and Technology. It defines 110 security requirements across 14 control families that non-federal organizations must implement when handling Controlled Unclassified Information (CUI) on behalf of federal agencies.
In plain English: if you're a contractor, subcontractor, or supplier that receives, creates, stores, or processes government-designated sensitive information on your own IT systems (not on government systems), NIST SP 800-171 tells you exactly how to protect it.
The current version is Rev 2 (published January 2020), which is what CMMC 2.0 Level 2 is based on. NIST published a Rev 3 draft in 2023, but Rev 2 remains the operative version for CMMC compliance as of 2026.
What Is CUI?
CUI (Controlled Unclassified Information) is government-created or government-owned information that requires safeguarding but isn't classified. It's designated by federal agencies under Executive Order 13556 and managed by the National Archives CUI Registry.
Common types of CUI that DC contractors handle:
If you're unsure whether you handle CUI, check your contracts for references to DFARS 252.204-7012. If that clause is present, you handle CUI and NIST SP 800-171 applies.
Who Must Comply with NIST SP 800-171?
NIST SP 800-171 is required for:
DoD prime contractors
Any company with a DoD contract that includes DFARS 252.204-7012. This is an extremely common clause in defense contracts.
DoD subcontractors
Prime contractors must flow down DFARS 252.204-7012 to subcontractors who handle CUI. Being a subcontractor doesn't exempt you.
Non-DoD federal contractors
Other federal agencies are implementing similar CUI requirements under FAR 4.19. GSA, DHS, DoE, and DoJ have issued or are developing similar requirements.
Suppliers in the defense supply chain
If you supply components, software, or services that touch a defense program — even if you don't think you handle CUI directly — review your contracts carefully.
The 14 Control Families (Plain English)
NIST SP 800-171 organizes its 110 requirements into 14 families. Here's what each one actually means:
| Family | Requirements | What it covers |
|---|---|---|
| Access Control | 22 | Who can access what. Least privilege, separation of duties, remote access controls. |
| Awareness & Training | 3 | Security awareness training for all users and role-based training for privileged users. |
| Audit & Accountability | 9 | Logging user actions, reviewing logs, protecting audit records from tampering. |
| Assessment, Authorization & Monitoring | 9 | Periodically assessing controls, developing system security plans, connecting only to approved external systems. |
| Configuration Management | 9 | Baseline configurations, tracking changes, removing unauthorized software. |
| Identification & Authentication | 11 | MFA for privileged users and remote access, password complexity and management. |
| Incident Response | 3 | Incident response capability, reporting incidents, testing your IR plan. |
| Maintenance | 6 | Controlling who performs maintenance, sanitizing equipment before off-site maintenance. |
| Media Protection | 9 | Controlling access to media containing CUI, sanitizing media before disposal. |
| Physical Protection | 6 | Physical access controls, managing visitors, protecting systems in public areas. |
| Personnel Security | 2 | Screening individuals before access, protecting CUI during and after personnel terminations. |
| Risk Assessment | 3 | Periodic risk assessments, vulnerability scanning and remediation. |
| System & Services Acquisition | 3 | Security requirements in contracts with third-party providers, supply chain risk management. |
| System & Communications Protection | 16 | Network segmentation, encryption of CUI in transit and at rest, boundary protection. |
| System & Information Integrity | 7 | Malware protection, security alert monitoring, patching, data input validation. |
The SPRS Score — Your Compliance Report Card
When you assess your NIST SP 800-171 compliance, you calculate a score based on the scoring methodology in NIST SP 800-171A and submit it to the Supplier Performance Risk System (SPRS) at sprs.apps.mil. This is a mandatory requirement under DFARS 252.204-7019.
The scoring works as follows: you start with a maximum score of 110 points. Each unimplemented requirement deducts points based on its weight (1, 3, or 5 points). The minimum possible score is -203.
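The scoring arithmetic above (start at 110, deduct each unimplemented requirement's 1-, 3- or 5-point weight, never below -203) is easy to get wrong in a spreadsheet, so here is an added example of a small scorer that also pulls out the 5-point gaps that a POA&M must close within 180 days. This is illustration code written for this article, not a DoD or NIST tool; the requirement IDs, titles and weights in the sample are a constructed subset for demonstration and are not the official weight table, which you must take from the DoD Assessment Methodology for a real SPRS submission.

```python
"""Added example: compute a NIST SP 800-171 self-assessment score the way the
DoD scoring described above works (110 max, deduct 1/3/5 per unimplemented
requirement, -203 floor) and list the gaps in POA&M priority order."""

from dataclasses import dataclass

MAX_SCORE = 110      # every one of the 110 requirements implemented
MIN_SCORE = -203     # every requirement unimplemented (110 - 313 total weight)
VALID_WEIGHTS = {1, 3, 5}


@dataclass
class Requirement:
    req_id: str        # NIST SP 800-171 requirement number, e.g. "3.5.3"
    title: str
    weight: int        # points deducted if NOT implemented: 1, 3 or 5
    implemented: bool


@dataclass
class ScoreReport:
    score: int
    unimplemented: list   # all gaps, highest weight first
    high_value_gaps: list  # 5-point gaps: CMMC 2.0 POA&M must close these within 180 days


def score_assessment(reqs):
    """Return the SPRS-style score plus the gap lists for an assessment."""
    seen = set()
    deductions = 0
    unimplemented = []
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight must be 1, 3 or 5, got {r.weight}")
        if r.req_id in seen:
            raise ValueError(f"duplicate requirement id {r.req_id}")
        seen.add(r.req_id)
        if not r.implemented:
            deductions += r.weight
            unimplemented.append(r)
    score = MAX_SCORE - deductions
    # A score outside [-203, 110] means the weight table itself is wrong.
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("score out of range; check the weight table")
    # POA&M order: heaviest deductions first, then by requirement number.
    unimplemented.sort(key=lambda r: (-r.weight, r.req_id))
    high = [r for r in unimplemented if r.weight == 5]
    return ScoreReport(score, unimplemented, high)


# CONSTRUCTED sample assessment for illustration only. The weights here are
# assumptions for the demo, not the official DoD weights.
SAMPLE = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, True),
    Requirement("3.1.5", "Employ least privilege", 3, False),
    Requirement("3.3.1", "Create and retain audit logs", 5, False),
    Requirement("3.5.3", "Use multifactor authentication", 5, False),
    Requirement("3.8.3", "Sanitize media before disposal", 5, True),
    Requirement("3.11.2", "Scan for vulnerabilities periodically", 5, True),
    Requirement("3.12.4", "Develop and update a system security plan", 3, False),
    Requirement("3.14.1", "Identify and correct system flaws", 3, True),
    Requirement("3.14.4", "Update malicious code protection", 1, False),
]


if __name__ == "__main__":
    report = score_assessment(SAMPLE)
    print(f"SPRS score: {report.score} (max {MAX_SCORE}, min {MIN_SCORE})")
    print("Gaps in POA&M priority order:")
    for r in report.unimplemented:
        flag = "  <-- 5-point: close within 180 days" if r.weight == 5 else ""
        print(f"  {r.req_id:8} -{r.weight}  {r.title}{flag}")
```

Feeding the full 110 requirements with the official weights gives the number you would enter in SPRS; the range check catches a mis-typed weight table before it produces a score you would later have to defend under the False Claims Act exposure described below.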
Industry Reality Check
A DoD IG audit found that the average SPRS score self-submitted by contractors was -25, meaning the average contractor had more than 100 unimplemented requirements. Many contractors were submitting self-assessments without actually completing them.
False submissions now carry False Claims Act exposure — with penalties up to $27,894 per claim. DoD is actively pursuing contractors with fraudulent SPRS scores.
How NIST SP 800-171 Connects to CMMC 2.0
CMMC 2.0 Level 2 is essentially third-party verification of NIST SP 800-171. All 110 CMMC Level 2 practices are drawn directly from NIST SP 800-171 Rev 2 — there are no additional CMMC-unique requirements at Level 2 (unlike CMMC 1.0 which added 20 unique practices).
| Aspect | NIST SP 800-171 | CMMC 2.0 Level 2 |
|---|---|---|
| Practice count | 110 | 110 (identical) |
| Verification method | Self-attestation to SPRS | Self-attestation OR C3PAO third-party assessment |
| SSP required | Yes | Yes |
| POA&M allowed | Yes | Yes (with milestones) |
| Framework basis | NIST SP 800-53 (subset) | NIST SP 800-171 Rev 2 |
If you're already working toward NIST SP 800-171 compliance, you're simultaneously working toward CMMC Level 2 readiness. The difference is whether DoD requires a third-party C3PAO assessment or accepts self-attestation for your specific contracts.
SSP & POA&M — The Two Documents You Need
System Security Plan (SSP)
The SSP describes your system boundary (what systems are in scope), the CUI you handle, and how each of the 110 security requirements is implemented. It's the primary document that C3PAO assessors and DCSA government assessors review. A well-written SSP that accurately describes your implementations is critical — assessors have seen thousands of them and immediately recognize copy-paste jobs that don't reflect reality.
Plan of Action & Milestones (POA&M)
For any requirement not yet fully implemented, the POA&M documents what you plan to do, when, and who's responsible. CMMC 2.0 allows POA&Ms — you don't need 100% implementation before the assessment — but high-value requirements (those weighted at 5 points in the SPRS scoring) must be addressed within 180 days of the assessment. A credible POA&M with realistic milestones is treated differently than a wishful list with no resources behind it.
Getting Started with NIST SP 800-171
For most DC defense contractors, the right starting point is a structured NIST SP 800-171 assessment — evaluating all 110 requirements against your actual systems, calculating a defensible SPRS score, and identifying the gaps in priority order.
Thorium LLC conducts NIST SP 800-171 assessments aligned with the assessment procedures in NIST SP 800-171A, produces your SSP and POA&M, calculates your SPRS score, and prepares you for C3PAO assessment if your contracts require it.