NIST SP 800-171 Compliance Guide for Government Contractors (2026)
NIST Special Publication 800-171 defines the security requirements that nonfederal organizations, including government contractors, must implement to protect Controlled Unclassified Information (CUI). Revision 2 contains 110 requirements across 14 control families; it is the basis of CMMC Level 2 and is contractually required by DFARS 252.204-7012 for DoD contracts that involve CUI.
This guide covers what NIST 800-171 requires, who must comply, how assessments work, and what documentation you need to prepare.
What Is NIST SP 800-171?
NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” was developed by the National Institute of Standards and Technology to provide a standardized set of security requirements for protecting sensitive government information that resides outside of federal systems.
Unlike classified information, which has its own extensive protection framework, CUI encompasses a broad range of sensitive but unclassified data — technical drawings, export-controlled data, personally identifiable information, law enforcement sensitive data, and more. Before NIST 800-171, there was no consistent standard for how contractors should protect this information.
The publication is organized around 14 families of security requirements, totaling 110 individual requirements. These families map to fundamental security domains: who can access data, how systems are configured, how incidents are handled, and how the overall security posture is maintained.
Who Must Comply?
NIST 800-171 compliance is required for any nonfederal organization that processes, stores, or transmits CUI on behalf of a federal agency. In practice, this means:
- Defense contractors and subcontractors handling CUI (mandated via DFARS 252.204-7012)
- Contractors working with export-controlled technical data (ITAR/EAR)
- IT service providers and managed security providers supporting federal contractors
- Cloud service providers hosting CUI data for government clients
- Research institutions receiving federal funding that involves CUI
- Any organization in the supply chain that touches CUI, regardless of tier
The scope is broader than many contractors realize. If a prime contractor flows CUI down to a subcontractor, that subcontractor must also comply with NIST 800-171. This cascading requirement extends through every tier of the supply chain.
110 Requirements Across 14 Families
NIST 800-171 Rev 2 organizes its 110 security requirements into 14 families. Each family addresses a distinct area of information security. Access Control is the largest family with 22 requirements, while Personnel Security has only 2.
Access Control (family 3.1, 22 requirements)
Limit system access to authorized users, processes acting on behalf of authorized users, and devices. Control the flow of CUI between systems, separate duties, enforce least privilege, and control remote, wireless, and mobile-device access.
Awareness and Training (family 3.2, 3 requirements)
Ensure managers, administrators, and users are aware of the security risks of their activities and trained in their responsibilities for protecting CUI, including recognizing insider threats.
Audit and Accountability (family 3.3, 9 requirements)
Create, protect, and retain audit records to enable monitoring and investigation of unauthorized activity. Ensure actions can be traced to individual users, and synchronize system clocks to an authoritative time source.
Configuration Management (family 3.4, 9 requirements)
Establish and maintain baseline configurations and inventories. Control and monitor changes, enforce least functionality, and restrict user-installed software.
Identification and Authentication (family 3.5, 11 requirements)
Identify and authenticate users, processes, and devices before granting access. Require multi-factor authentication for privileged accounts and for network access, use replay-resistant authentication, and store passwords only in cryptographically protected form.
Incident Response (family 3.6, 3 requirements)
Establish an incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response. Track, document, and report incidents, and test the capability.
Maintenance (family 3.7, 6 requirements)
Perform timely maintenance on systems. Control the tools, techniques, mechanisms, and personnel used for maintenance, sanitize equipment removed for off-site maintenance, and require multi-factor authentication for nonlocal maintenance sessions.
Media Protection (family 3.8, 9 requirements)
Protect and control system media containing CUI, both paper and digital, and sanitize or destroy it before disposal or reuse. Mark media, control access and transport, encrypt CUI on digital media during transport, and protect the confidentiality of backup CUI.
Personnel Security (family 3.9, 2 requirements)
Screen individuals before authorizing access to systems containing CUI. Protect CUI and systems during and after personnel actions such as termination or transfer.
Physical Protection (family 3.10, 6 requirements)
Limit physical access to systems, equipment, and operating environments to authorized individuals. Protect and monitor the facility, escort visitors, maintain physical access logs, and safeguard CUI at alternate work sites.
Risk Assessment (family 3.11, 3 requirements)
Periodically assess the risk to operations, assets, and individuals from operating systems that handle CUI. Scan for vulnerabilities periodically and when new vulnerabilities are identified, and remediate them according to risk.
Security Assessment (family 3.12, 4 requirements)
Periodically assess security controls for effectiveness, develop and implement plans of action to correct deficiencies, monitor controls on an ongoing basis, and develop, document, and update the system security plan.
System and Communications Protection (family 3.13, 16 requirements)
Monitor, control, and protect communications at external and key internal boundaries. Implement cryptographic mechanisms to protect CUI in transit, use FIPS-validated cryptography wherever cryptography is used to protect CUI, and protect the confidentiality of CUI at rest.
System and Information Integrity (family 3.14, 7 requirements)
Identify, report, and correct system flaws in a timely manner. Protect against malicious code at designated locations, keep protection mechanisms updated, monitor security alerts and advisories, and monitor systems for attacks and unauthorized use.
Assessment Methodology
NIST SP 800-171A provides the assessment procedures for evaluating each of the 110 requirements. Each requirement has one or more assessment objectives, each verified through some combination of examining documents and configurations, interviewing personnel, and testing mechanisms. For DoD contractors, the NIST SP 800-171 DoD Assessment Methodology (invoked by DFARS 252.204-7019 and 252.204-7020) applies these procedures at three assessment levels, distinguished by who performs the assessment and how much confidence the result provides:
Basic Assessment
A Basic assessment is a self-assessment. The contractor reviews its own System Security Plan (SSP) against the 110 requirements, scores the result using the methodology, and posts the score to SPRS. Because nothing is independently verified, it provides only a low level of confidence.
Medium Assessment
A Medium assessment is performed by DoD personnel. They review the contractor's SSP and supporting documentation and discuss with the contractor how each requirement is implemented, but they do not test the controls. It provides a medium level of confidence.
High Assessment
A High assessment is also DoD-conducted, on site or virtually, and adds examination and testing of the implementation: assessors inspect system configurations, review logs, and verify that controls operate as the SSP describes. CMMC Level 2 certification assessments performed by a C3PAO apply the NIST SP 800-171A procedures in the same way, testing actual implementation rather than accepting documentation at face value.
For DoD contractors, Basic (self-)assessment results are posted to the Supplier Performance Risk System (SPRS), and DFARS 252.204-7019 requires a score no more than three years old to be on file before award of a covered contract. The score quantifies implementation: a perfect score is 110, and each unimplemented requirement subtracts 1, 3, or 5 points according to the weight assigned to it in the methodology, so the lowest possible score is -203. Two requirements receive partial credit: multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) each subtract 3 rather than 5 points when partially implemented. Every other partially implemented requirement counts as not implemented and loses its full weight. Contracting officers can view your SPRS score when evaluating proposals.
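As an added example, not code from this page, from NIST or from DoD, the following Python scorer implements the rule just described. The requirement identifiers and weights in its sample table follow Annex A of the DoD Assessment Methodology for those eight requirements; a real scorer loads all 110 rows. The finding statuses are constructed test data, and `Finding`, `deduction` and `sprs_score` are names chosen here.

```python
"""SPRS scorer for a NIST SP 800-171 Basic (self-)assessment.

Added example, not code from the page, from NIST or from DoD. It implements the
scoring rule described above: start at 110 and subtract each unimplemented
requirement's weight, with the two partial-credit cases the DoD Assessment
Methodology defines.
"""
from dataclasses import dataclass
from typing import Iterable

PERFECT_SCORE = 110
LOWEST_POSSIBLE_SCORE = -203  # every scored requirement unimplemented

# Constructed sample of the weight table. The values shown follow Annex A of the
# NIST SP 800-171 DoD Assessment Methodology; a real scorer loads all 110 rows.
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.5.1": 5,    # identify users, processes, and devices
    "3.5.2": 5,    # authenticate users, processes, and devices
    "3.5.3": 5,    # multi-factor authentication
    "3.13.11": 5,  # FIPS-validated cryptography
}

# Only these two requirements earn partial credit: a partial implementation
# deducts 3 points instead of the full 5.
PARTIAL_DEDUCTION: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

MET, NOT_MET, PARTIAL = "MET", "NOT MET", "PARTIAL"


@dataclass(frozen=True)
class Finding:
    requirement: str  # e.g. "3.5.3"
    status: str       # MET, NOT MET or PARTIAL


def deduction(finding: Finding, weights: dict[str, int] = WEIGHTS) -> int:
    """Points lost for one requirement under the methodology's rules."""
    if finding.requirement not in weights:
        raise KeyError(f"unknown requirement {finding.requirement}")
    if finding.status == MET:
        return 0
    if finding.status == PARTIAL:
        # Partial credit exists only for MFA and FIPS crypto; every other
        # partially implemented requirement counts as NOT MET.
        return PARTIAL_DEDUCTION.get(finding.requirement, weights[finding.requirement])
    if finding.status == NOT_MET:
        return weights[finding.requirement]
    raise ValueError(f"unknown status {finding.status!r}")


def sprs_score(findings: Iterable[Finding], has_ssp: bool = True,
               weights: dict[str, int] = WEIGHTS) -> int:
    """Compute the SPRS score: 110 minus the deductions for every finding.

    Requirements absent from `findings` are treated as MET, so a complete
    assessment must supply one finding per scored requirement.
    """
    if not has_ssp:
        # 3.12.4 (the SSP itself) is not scored; without an SSP the
        # methodology says the assessment cannot be completed at all.
        raise ValueError("no System Security Plan: assessment cannot be scored")
    seen: set[str] = set()
    total = 0
    for f in findings:
        if f.requirement in seen:
            raise ValueError(f"duplicate finding for {f.requirement}")
        seen.add(f.requirement)
        total += deduction(f, weights)
    score = PERFECT_SCORE - total
    assert score >= LOWEST_POSSIBLE_SCORE
    return score


if __name__ == "__main__":
    # Constructed sample assessment: MFA only partly rolled out, FIPS crypto
    # partly in place, public-content review (3.1.22) not yet done.
    sample = [
        Finding("3.1.1", MET), Finding("3.1.2", MET),
        Finding("3.1.20", MET), Finding("3.1.22", NOT_MET),
        Finding("3.5.1", MET), Finding("3.5.2", MET),
        Finding("3.5.3", PARTIAL), Finding("3.13.11", PARTIAL),
    ]
    print("SPRS score:", sprs_score(sample))  # 110 - 1 - 3 - 3 = 103
```

Note that a partially implemented requirement other than 3.5.3 or 3.13.11 (for example, least privilege enforced on some systems but not others) loses its full weight, which is why honest self-scoring often lands well below the number a quick policy review suggests.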
System Security Plan (SSP) and POA&M
Two documents are central to NIST 800-171 compliance: the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). Both are required under DFARS 252.204-7012, and both are heavily scrutinized during CMMC assessments.
System Security Plan (SSP)
The SSP describes your system boundaries, the environment where CUI is processed, and how each of the 110 security requirements is implemented. It should include:
- System boundary and scope definition
- Network architecture diagrams showing CUI data flows
- Hardware and software inventory within scope
- Roles and responsibilities for security implementation
- Detailed description of how each requirement is met
- Interconnections with external systems
Plan of Action & Milestones (POA&M)
The POA&M documents security requirements that are not yet fully implemented, along with your remediation plan. For each open item, include:
- The specific requirement that is not met
- Description of the current implementation gap
- Planned remediation actions
- Resources required (budget, personnel, tools)
- Milestone dates for completion
- Risk level while the gap remains open
Under the CMMC program rule (32 CFR Part 170), a Level 2 assessment can result in a conditional certification with open POA&M items only if the score is at least 88 of 110 and every open item is a 1-point requirement (the one exception is FIPS-validated cryptography, 3.13.11, which may remain open as a 3-point partial implementation); a small set of 1-point requirements is also excluded from POA&Ms entirely. All open items must be closed, and verified by a closeout assessment, within 180 days, or the conditional certification lapses. This is a significant tightening from the self-attestation era, when a POA&M could defer any requirement indefinitely.
DFARS 252.204-7012: Safeguarding CUI
DFARS clause 252.204-7012 (“Safeguarding Covered Defense Information and Cyber Incident Reporting”) is the contractual mechanism that mandates NIST 800-171 compliance for DoD contractors. The clause was first issued in 2013 and, after revisions, required full implementation of NIST SP 800-171 by December 31, 2017. It appears in virtually all DoD contracts and subcontracts other than those solely for commercially available off-the-shelf (COTS) items.
Key obligations under this clause include:
- Implementing all 110 NIST 800-171 security requirements on systems that process, store, or transmit Covered Defense Information (CDI)
- Rapidly reporting cyber incidents to DoD through dibnet.dod.mil within 72 hours of discovery (reporting requires a DoD-approved medium assurance certificate)
- Preserving images of all known affected systems and relevant monitoring and packet-capture data for at least 90 days from submission of the cyber incident report, and submitting any discovered malicious software to the DoD Cyber Crime Center (DC3)
- Providing access to equipment and information necessary for DoD forensic analysis
- Flowing the clause down to subcontractors whose work involves CDI
The clause also requires that any external cloud service provider used to store, process, or transmit CDI meet security requirements equivalent to the FedRAMP Moderate baseline and comply with the clause's incident reporting, malware submission, media preservation, and forensic-access obligations (paragraphs (c) through (g)). This has significant implications for organizations using cloud-based collaboration tools, email, and storage: every cloud service inside the CUI boundary must meet that bar and be contractually bound to those obligations.
Relationship to CMMC Level 2
CMMC Level 2 maps directly to the 110 security requirements in NIST SP 800-171 Rev 2. If you are already fully compliant with NIST 800-171, you are well-positioned for CMMC Level 2 certification. The critical difference is the verification mechanism.
Under DFARS 252.204-7012 alone, compliance was self-attested: the contractor asserted implementation and kept an SSP and POA&M on file. DFARS 252.204-7019 and 252.204-7020 (2020) added the requirement to self-score a Basic assessment and post the result to SPRS, but the score was still self-reported. CMMC replaces this with independent verification: for most contracts involving CUI, a CMMC Third-Party Assessment Organization (C3PAO) must verify your compliance.
Organizations that have been diligently implementing NIST 800-171 and maintaining accurate SSPs will find the CMMC transition manageable. Those that inflated their SPRS scores or deferred remediation face a more challenging path, as C3PAO assessors will test actual implementation rather than accepting documentation at face value.
Frequently Asked Questions
What is NIST SP 800-171 and who must comply?
NIST SP 800-171 is a set of 110 security requirements published by the National Institute of Standards and Technology for protecting Controlled Unclassified Information (CUI) in nonfederal systems. Any contractor that processes, stores, or transmits CUI on behalf of a federal agency must comply, as mandated by DFARS clause 252.204-7012 for DoD contracts.
How does NIST 800-171 relate to CMMC?
CMMC Level 2 maps directly to all 110 security requirements in NIST SP 800-171 Rev 2. The key difference is that CMMC requires third-party verification through a C3PAO assessment, whereas NIST 800-171 compliance historically relied on self-attestation and SPRS scoring. Achieving full NIST 800-171 compliance positions you for CMMC Level 2 certification.
What is an SPRS score and how is it calculated?
The Supplier Performance Risk System (SPRS) score reflects your level of NIST 800-171 implementation. A perfect score is 110 (all requirements met). Each unmet requirement subtracts 1, 3, or 5 points according to its weight in the DoD Assessment Methodology, with partial credit (a 3-point deduction instead of 5) only for partially implemented multi-factor authentication (3.5.3) and FIPS-validated cryptography (3.13.11). The lowest possible score is -203 (every requirement unmet). DFARS 252.204-7019 requires a current score to be on file before award but does not itself set a minimum; contracting officers may set thresholds in solicitations.
Can I have a POA&M for unmet NIST 800-171 requirements?
Yes. A Plan of Action and Milestones (POA&M) documents requirements you have not yet fully implemented, along with your remediation plan and timeline. Under CMMC, however, a Level 2 conditional certification with open POA&M items is possible only with a score of at least 88 of 110 and no open item weighted above 1 point (except partially implemented FIPS-validated cryptography at 3 points), and all open items must be closed within 180 days of the assessment.
Find Contracts Requiring NIST 800-171 Compliance
Search across SAM.gov, FPDS, and USAspending for DoD contracts referencing DFARS 252.204-7012 and NIST 800-171. Filter by agency, NAICS code, and set-aside type.