RiskWatch
Framework guide · ~11 min read · Updated June 2026

NIST 800-171

NIST SP 800-171 is the US standard for protecting Controlled Unclassified Information (CUI) on non-federal systems. It defines 110 security requirements across 14 families and is required of Department of Defense contractors under DFARS 252.204-7012. It is also the basis of CMMC Level 2.

Author: NIST
Protects: Controlled Unclassified Information (CUI)
Requirements: 110 (Rev 2)
Families: 14 (Rev 2)
01 · Definition

What is NIST 800-171?

NIST SP 800-171 is a publication from the US National Institute of Standards and Technology titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." It defines the security requirements a contractor or other non-federal organisation must meet when Controlled Unclassified Information lives on its systems.

The need is simple: a great deal of sensitive government information sits on systems the government does not own, namely the laptops, servers, and cloud tenants of its contractors. NIST 800-171 sets a consistent bar for protecting that information wherever it goes. Revision 2 organises 110 requirements into 14 families; Revision 3, published in May 2024, restructured them into 97 requirements across 17 families and introduced organization-defined parameters (ODPs) that the contracting agency fills in.

"The requirements protect the confidentiality of CUI in nonfederal systems and organizations."

NIST SP 800-171
02 · Scope

Why it exists and who must comply

NIST 800-171 became a compliance obligation primarily through the defense supply chain, but its reach is widening across the federal government.

The anchor is the DFARS clause 252.204-7012, which requires Department of Defense contractors to safeguard covered defense information (which includes CUI) by implementing NIST 800-171 and to report cyber incidents to the DoD within 72 hours of discovery. If your DoD contract involves CUI, this clause flows down to you and your subcontractors.

Compliance therefore reaches far beyond traditional defense primes: manufacturers, IT and managed-service providers, engineering firms, and universities all fall in scope when they handle CUI. Other federal agencies increasingly reference 800-171 as well, so the standard is becoming a baseline for working with the US government, not just the DoD.

03 · The requirements

The 14 families of requirements

Revision 2 groups its 110 requirements into 14 families. Each family covers a domain of security, and together they describe a baseline for protecting CUI.

01 · Access Control (3.1)
02 · Awareness and Training (3.2)
03 · Audit and Accountability (3.3)
04 · Configuration Management (3.4)
05 · Identification and Authentication (3.5)
06 · Incident Response (3.6)
07 · Maintenance (3.7)
08 · Media Protection (3.8)
09 · Personnel Security (3.9)
10 · Physical Protection (3.10)
11 · Risk Assessment (3.11)
12 · Security Assessment (3.12)
13 · System and Communications Protection (3.13)
14 · System and Information Integrity (3.14)
04 · Measurement

The SPRS score

For DoD work, compliance is measured by a number. Using the NIST SP 800-171 DoD Assessment Methodology, a contractor scores its implementation of the 110 requirements and posts the result to the Supplier Performance Risk System (SPRS). Under DFARS 252.204-7019 and 252.204-7020, a Basic (self-)assessment score no more than three years old must be on file in SPRS before award, and the DoD may conduct Medium or High assessments itself.

You start at 110, meaning every requirement is met, and subtract 1, 3, or 5 points for each requirement that is not, according to the weight the methodology assigns it. Only two requirements earn partial credit: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) deduct 3 points instead of 5 when partly implemented. A requirement covered only by an open POA&M is scored as not met, and without a System Security Plan the assessment cannot be conducted at all. The score can therefore fall well below 110, to a floor of -203. Because contracting officers check the SPRS score, it has become the de facto headline metric of 800-171 compliance, and improving it is the practical goal of most remediation plans.

Start at 110, subtract 1, 3, or 5 for each gap

A perfect implementation scores 110; each unmet requirement deducts its weight of 1, 3, or 5 points, so the lowest possible score is -203.

05 · Versions

Revision 2, Revision 3, and 800-172

Revision 2 (February 2020) is the version most contracts and CMMC Level 2 reference, with its 110 requirements across 14 families. Revision 3, published by NIST in May 2024, restructured the requirements into 97 across 17 families (adding Planning, System and Services Acquisition, and Supply Chain Risk Management), introduced organization-defined parameters, and aligned with the NIST SP 800-53 Revision 5 control catalogue.

Because the transition between revisions takes time to flow into contracts and the DoD program, always confirm which revision your specific contract requires; in 2024 the DoD issued a class deviation directing contractors to keep assessing against Revision 2 under DFARS 252.204-7012 until the clause itself is updated. Separately, NIST SP 800-172 adds enhanced requirements for defending CUI against advanced persistent threats; a selected subset of those enhanced requirements (24 of them) underpins CMMC Level 3.

Check your contract. The revision and the required CMMC level are specified in the contract language, so treat any general statement about "110 requirements" as the Rev 2 baseline and verify against your actual obligation.

06 · The bigger picture

How NIST 800-171 relates to CMMC

The two are tightly linked but distinct. NIST 800-171 is the standard, the requirements themselves. CMMC is the certification program that verifies a contractor actually meets them. CMMC Level 2 is built directly on the 110 requirements of 800-171.

For years, DFARS required contractors to implement 800-171 and to self-attest. CMMC adds assessment and, for most CUI contracts, independent third-party certification, closing the verification gap. So the work you do to satisfy 800-171 is the same work that gets you through a CMMC Level 2 assessment. For the certification side, see our guide to CMMC.

07 · Implementation

How to comply with NIST 800-171

Six steps from CUI discovery to a maintained posture. Scoping the CUI boundary (step 2) is the biggest lever on effort and on your SPRS score.

1. Find your CUI
   Identify where Controlled Unclassified Information enters, lives, and flows in your environment. The CUI boundary defines the scope of everything that follows.

2. Scope the system
   Define the in-scope assets and, where possible, segment CUI into an enclave. A tight boundary dramatically reduces the number of systems that must meet all the requirements.

3. Assess against the requirements
   Evaluate your environment against each of the 110 requirements, mark them met or not met (an open POA&M earns no credit; only MFA and FIPS-validated cryptography get partial credit), and identify the gaps. This is also how you calculate your SPRS score.

4. Write the System Security Plan
   Document how each requirement is met in a System Security Plan (SSP). Requirement 3.12.4 makes a current SSP mandatory; it is the reference an assessor or auditor works from, and without one the DoD assessment cannot be conducted.

5. Remediate and track a POA&M
   Close gaps, and for the ones you cannot close immediately, record a Plan of Action and Milestones (POA&M) with owners and target dates, then drive them to completion.

6. Score, report, and maintain
   Post your assessment score to SPRS as required, keep the SSP and evidence current, and re-assess after material changes. Compliance is a posture to maintain, not a one-time project.
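The scoring arithmetic described in the SPRS section above, and steps 3, 5 and 6 here, can be turned into a small worked scorer. The following Python is an added illustration written for this guide; it is not part of NIST SP 800-171, the DoD Assessment Methodology, or RiskWatch's product. It assumes a weight table keyed by Rev 2 requirement identifier: the handful of weights in `WEIGHTS` are illustrative and must be replaced by the authoritative 1/3/5 values from Annex A of the DoD Assessment Methodology for a real score. The sample assessment is constructed data.

```python
"""Score a NIST SP 800-171 Rev 2 self-assessment the way the DoD Assessment
Methodology does (start at 110, deduct 1/3/5 per unmet requirement, partial
credit only for 3.5.3 and 3.13.11) and turn the gaps into a POA&M worklist."""

PERFECT_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 total weight of all 110 requirements

# ASSUMPTION: illustrative subset only. The authoritative weight for each of
# the 110 requirements is in Annex A of the DoD Assessment Methodology; load
# the full table from there before computing a score you post to SPRS.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # audit logs
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # flaw remediation
}
# The two requirements that deduct 3 points instead of 5 when partly done.
PARTIAL_CREDIT = {
    "3.5.3": "MFA for remote and privileged users but not general users",
    "3.13.11": "encryption in use but not FIPS-validated",
}
SSP_REQUIREMENT = "3.12.4"  # not scored, but without an SSP there is no assessment
VALID_STATUSES = {"met", "not_met", "partial", "poam"}


def deduction(req_id: str, status: str, weights=WEIGHTS) -> int:
    """Points to subtract for one requirement given its assessed status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req_id}: unknown status {status!r}")
    if status == "met":
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(
                f"{req_id}: partial credit is only defined for {sorted(PARTIAL_CREDIT)}")
        return 3
    # "not_met" and "poam" both score as unmet: an open POA&M earns no credit.
    return weights[req_id]


def sprs_score(assessment: dict, weights=WEIGHTS) -> int:
    """assessment maps requirement id -> status; ids absent from it count as met."""
    if assessment.get(SSP_REQUIREMENT, "met") != "met":
        raise ValueError("no System Security Plan: assessment cannot be conducted (3.12.4)")
    total = sum(deduction(r, assessment.get(r, "met"), weights) for r in weights)
    return PERFECT_SCORE - total


def poam_worklist(assessment: dict, weights=WEIGHTS) -> list:
    """Open gaps ordered by points recovered, so 5-point items get fixed first."""
    items = []
    for req_id in weights:
        status = assessment.get(req_id, "met")
        points = deduction(req_id, status, weights)
        if points:
            items.append((req_id, points, status))
    return sorted(items, key=lambda item: (-item[1], item[0]))


# Constructed sample assessment (not real data): four gaps in the subset above.
SAMPLE_ASSESSMENT = {
    "3.5.3": "partial",    # MFA on VPN and admin accounts only -> 3 points
    "3.13.11": "not_met",  # -> 5 points
    "3.1.3": "poam",       # planned but still open -> full 1-point deduction
    "3.14.1": "not_met",   # -> 5 points
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))  # 110 - 14 = 96
    for req_id, points, status in poam_worklist(SAMPLE_ASSESSMENT):
        print(f"  {req_id:8} -{points}  ({status})")
```

Two design choices mirror the methodology rather than the usual habit of "partial credit for progress": a `poam` status deducts the full weight, because SPRS gives no credit for planned work, and `partial` is rejected for every requirement except 3.5.3 and 3.13.11. Sorting the worklist by weight is what makes the POA&M a score-driven remediation plan instead of a flat to-do list.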

Score and close the gaps
Run 800-171 as a scored, tracked assessment.

RiskWatch ships a pre-built NIST 800-171 assessment that calculates your SPRS-aligned score, generates the System Security Plan, tracks POA&M items to closure, and cross-maps to CMMC and the other frameworks you run.

08 · Frequently asked

NIST 800-171, answered

The questions contractors ask most when CUI lands in a contract.

What is NIST 800-171?
NIST SP 800-171 is a US government publication titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." It defines the security requirements that contractors, universities, and other non-federal organisations must meet to protect Controlled Unclassified Information (CUI) when it lives on their systems. It is most prominently required of US Department of Defense contractors through the DFARS clause 252.204-7012.
Who has to comply with NIST 800-171?
Any non-federal organisation that stores, processes, or transmits Controlled Unclassified Information on behalf of a federal agency. In practice that means defense contractors and subcontractors under DFARS 252.204-7012, and a growing range of other federal contractors as agencies adopt the standard. If your contract involves CUI, you almost certainly need to meet 800-171.
How many requirements are in NIST 800-171?
Revision 2 of NIST SP 800-171 contains 110 security requirements organised into 14 families. Revision 3, published in May 2024, restructured them into 97 requirements across 17 families and revised the tailoring criteria. For Department of Defense work, DFARS 252.204-7012 still points at Revision 2 under a 2024 class deviation, so the 110 requirements remain the basis of both the SPRS self-assessment and CMMC Level 2; always confirm which revision your contract specifies.
What are the 14 families of NIST 800-171?
The 14 families are: Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; and System and Information Integrity. Each family groups related security requirements.
What is CUI?
Controlled Unclassified Information (CUI) is government-created or government-owned information that is not classified but still requires safeguarding or dissemination controls under law, regulation, or government-wide policy. Examples in the defense context include controlled technical information and export-controlled data. Protecting CUI in non-federal systems is the entire purpose of NIST 800-171.
What is an SPRS score?
SPRS is the Supplier Performance Risk System, where DoD contractors must post a self-assessment score reflecting their implementation of NIST 800-171. Using the DoD Assessment Methodology, you start at 110 (all requirements met) and subtract 1, 3, or 5 weighted points for each unmet requirement, so the score can be well below 110 and as low as -203. The score is a snapshot of your compliance posture and is checked when awarding contracts.
What is the difference between NIST 800-171 and CMMC?
NIST 800-171 is the standard, the set of requirements for protecting CUI. CMMC (Cybersecurity Maturity Model Certification) is the DoD program that verifies a contractor meets it. CMMC Level 2 is built directly on the 110 requirements of 800-171 and, for most CUI contracts, adds a third-party assessment. So you implement 800-171, and CMMC certifies that you did. See our guide to CMMC for the certification side.
What is the difference between NIST 800-171 and 800-53?
NIST 800-53 is the comprehensive control catalogue for federal information systems, used for FISMA and FedRAMP. NIST 800-171 is a focused subset, derived from 800-53, that applies to Controlled Unclassified Information on non-federal systems. In short, 800-53 is for the government's own systems, and 800-171 tailors the relevant protections for the contractors and partners that handle CUI on the government's behalf.
From the standard to a defensible score

Turn NIST 800-171 into a scored, tracked plan.

A pre-built 800-171 assessment with SPRS-aligned scoring, a generated System Security Plan, POA&M tracking, and cross-mapping to CMMC. 30-day free trial, no credit card.
