NIST 800-171 Compliance Guide: Protecting CUI in 2026

NIST 800-171 compliance is required for any organization handling Controlled Unclassified Information (CUI) for the U.S. federal government. The average DoD contractor NIST 800-171 compliance self-assessment score is 87 out of 110. The gap between that average and full implementation threatens both national security and contract eligibility.

This NIST 800-171 compliance guide covers the 14 control families, assessment options, CMMC alignment, and how to build a program that protects CUI rather than just checking boxes.

What Is NIST 800-171 and Who Needs NIST 800-171 Compliance?

NIST Special Publication 800-171 defines security requirements for protecting CUI in nonfederal systems. CUI includes sensitive government information that requires safeguarding: technical drawings for defense systems, export-controlled research data, personnel records, or law enforcement sensitive information.

The requirement to comply with NIST 800-171 originates from DFARS clause 252.204-7012, which the Department of Defense began including in contracts starting in late 2017. Any organization that processes, stores, or transmits CUI as part of a DoD contract must implement the 110 security controls defined in NIST 800-171 Revision 2. This applies to:

  • Prime contractors holding direct DoD contracts
  • Subcontractors at any tier who handle CUI
  • Cloud service providers that store CUI on behalf of contractors
  • Research institutions receiving DoD funding that involves CUI

A common misconception is that small businesses with fewer than 50 employees get an exemption. They do not. The standard applies regardless of organization size. According to the DoD's Office of the Under Secretary of Defense for Acquisition and Sustainment, roughly 300,000 companies in the Defense Industrial Base (DIB) are subject to these requirements.

📝 Note
NIST 800-171 Revision 3 was finalized in May 2024 with significant structural changes. However, CMMC assessments through 2026 continue to reference Revision 2. Monitor the NIST Computer Security Resource Center for transition timelines.

The 14 Control Families of NIST 800-171

NIST 800-171 organizes its 110 security requirements into 14 control families. Each family addresses a distinct area of information security. Here is a breakdown with the number of controls in each:

  1. Access Control (22 controls): Restrict system access to authorized users and limit what those users can do. This is the largest family and the one where most contractors have gaps.
  2. Awareness and Training (3 controls): Ensure personnel understand security risks and their responsibilities.
  3. Audit and Accountability (9 controls): Create, protect, and review system logs to trace user activity.
  4. Configuration Management (9 controls): Establish and maintain baseline configurations for systems.
  5. Identification and Authentication (11 controls): Verify the identity of users, devices, and processes before granting access.
  6. Incident Response (3 controls): Prepare for, detect, and respond to security incidents.
  7. Maintenance (6 controls): Perform timely system maintenance with proper controls.
  8. Media Protection (9 controls): Protect CUI stored on digital and physical media.
  9. Personnel Security (2 controls): Screen individuals before granting access and manage transfers or terminations.
  10. Physical Protection (6 controls): Limit physical access to systems and protect physical infrastructure.
  11. Risk Assessment (3 controls): Periodically assess risk to organizational operations and assets.
  12. Security Assessment (4 controls): Periodically assess security controls and correct deficiencies.
  13. System and Communications Protection (16 controls): Monitor and protect communications at system boundaries.
  14. System and Information Integrity (7 controls): Identify, report, and correct system flaws in a timely manner.

The control families are not equal in size. Access Control, Identification and Authentication, and System and Communications Protection together account for nearly 45% of all requirements. If you are prioritizing remediation, start there. For a broader look at federal security controls, our guide on NIST 800-53 controls covers the parent framework from which NIST 800-171 derives.

NIST 800-171 vs NIST 800-53: Key Differences

Contractors frequently confuse NIST 800-171 with NIST 800-53, and the confusion is understandable. NIST 800-171's 110 controls were derived directly from NIST 800-53's much larger catalog (over 1,000 controls). The critical difference is audience and scope.

| Aspect | NIST 800-171 | NIST 800-53 |
|--------|-------------|-------------|
| Intended for | Nonfederal organizations handling CUI | Federal agencies and their information systems |
| Number of controls | 110 | 1,000+ |
| Mandated by | DFARS 252.204-7012 | FISMA |
| Assessment framework | CMMC / NIST SP 800-171A | FedRAMP / Agency ATO |
| Applies to | CUI only | All federal information types |

If your organization only handles CUI through DoD contracts, NIST 800-171 is your standard. If you operate federal information systems directly, or if you are pursuing FedRAMP authorization for a cloud product, NIST 800-53 is the relevant framework. Many organizations that work across both federal and commercial sectors find value in mapping their controls to both standards simultaneously. Our overview of the NIST Cybersecurity Framework can help you build a unified approach.

The CMMC Connection to NIST 800-171 Compliance

The Cybersecurity Maturity Model Certification (CMMC) program is the DoD's enforcement mechanism for NIST 800-171 compliance. Before CMMC, compliance was entirely self-attested. Contractors could claim full compliance in SPRS without any external verification. The DoD recognized this honor system was not working.

CMMC 2.0, with its final rule effective December 16, 2024, establishes three levels:

  • Level 1 (Foundational): 15 basic safeguarding practices from FAR 52.204-21. Self-assessment only. Applies to organizations handling Federal Contract Information (FCI) but not CUI.
  • Level 2 (Advanced): All 110 NIST 800-171 controls. Requires either self-assessment or third-party assessment by a C3PAO (Certified Third-Party Assessment Organization), depending on the contract.
  • Level 3 (Expert): NIST 800-171 controls plus a subset of NIST 800-172 enhanced controls. Requires government-led assessment by DIBCAC.

For most contractors handling CUI, Level 2 is the target. The DoD began including CMMC Level 2 requirements in select contracts in Q1 2025, with broader rollout continuing through 2026. By 2028, virtually all DoD contracts involving CUI will require a verified CMMC Level 2 certification.

⚠ Warning
Do not wait for a CMMC requirement to appear in your contracts before starting compliance work. The assessment process, from gap analysis to C3PAO certification, typically takes 12 to 18 months. Organizations that start late risk losing contract eligibility.

How to Achieve NIST 800-171 Compliance Step by Step

Based on my experience guiding dozens of organizations through the NIST 800-171 compliance process, here is a practical roadmap:

Step 1: Scope your CUI environment. Identify exactly where CUI enters your organization, where it is stored, how it is processed, and who has access. Reducing your CUI boundary reduces your compliance burden. Many organizations cut their scope by 40% or more simply by consolidating CUI into a dedicated enclave.

Step 2: Conduct a gap assessment against all 110 controls. Use NIST SP 800-171A as your assessment guide. Document the status of every control as "Met," "Not Met," or "Partially Met." Be honest. Your SPRS score depends on accurate self-reporting.

Step 3: Build a System Security Plan (SSP). The SSP describes your system boundaries, how each control is implemented, and who is responsible. This document is mandatory and will be reviewed during any CMMC assessment.

Step 4: Create Plans of Action and Milestones (POA&Ms). For every control that is not fully met, document what you will do to close the gap, who owns it, and when it will be completed. CMMC allows limited POA&Ms at assessment time, but they must be closed within 180 days.

Step 5: Implement technical and administrative controls. Deploy MFA, encrypt CUI at rest and in transit, configure audit logging, establish incident response procedures, train your staff. Using a GRC platform can centralize your documentation and track control implementation.

Step 6: Assess and maintain. Compliance is continuous. Conduct internal assessments at least annually, and update your SSP whenever your environment changes. Our cybersecurity compliance checklist provides a structured approach to ongoing monitoring.

Self-Assessment vs Third-Party Assessment

Under CMMC 2.0, the DoD determines which assessment type your contract requires. The distinction matters significantly for cost and preparation.

Self-assessment applies to Level 1 and some Level 2 contracts where the CUI is not considered critical to national security. You conduct your own assessment, calculate your SPRS score, and submit it. An authorized senior official must affirm the accuracy of the score. False claims carry liability under the False Claims Act, and the DoD's enforcement posture has tightened considerably since the launch of the Civil Cyber-Fraud Initiative in 2021.

Third-party assessment (C3PAO) is required for Level 2 contracts involving CUI that the DoD deems critical. A C3PAO assessor will review your SSP, interview staff, examine technical configurations, and test controls over a multi-day onsite visit. As of early 2026, there are approximately 60 authorized C3PAOs, and scheduling backlogs run 3 to 6 months.

If your organization also maintains SOC 2 or ISO 27001 certifications, you will find significant control overlap. Roughly 60% of NIST 800-171 controls map directly to ISO 27001 Annex A controls. Leveraging existing compliance investments reduces both cost and effort.

Common NIST 800-171 Compliance Gaps and How to Close Them

After reviewing hundreds of contractor SSPs, these are the five NIST 800-171 compliance gaps I encounter most frequently:

1. Multi-factor authentication (MFA) not fully deployed. Control 3.5.3 requires MFA for both local and network access to privileged accounts, and for network access to non-privileged accounts. Many organizations have MFA for VPN but skip it for local admin logins or cloud applications. Fix: Deploy MFA across all access paths to CUI systems, including RDP, SSH, and SaaS applications.

2. Audit log retention and review. Controls 3.3.1 and 3.3.2 require creating and retaining audit logs and regularly reviewing them. "We have logs but nobody looks at them" is not compliant. Fix: Implement a SIEM or log management solution with automated alerting and weekly review procedures.

3. Incomplete CUI marking and handling procedures. Organizations often know they handle CUI but have not formalized how CUI is identified, marked, stored, and destroyed. Fix: Develop a CUI handling policy, train all personnel, and implement technical markings (headers, footers, metadata tags) on CUI documents.

4. Missing or outdated System Security Plan. The SSP is the cornerstone document for any CMMC assessment. A surprising number of contractors either lack one entirely or have a version that does not reflect their current environment. Fix: Assign SSP ownership to a specific individual, update it quarterly, and tie updates to your change management process.

5. No formal incident response plan tested through exercises. Having an incident response plan on paper satisfies part of the requirement. But control 3.6.3 requires testing the plan. Fix: Conduct tabletop exercises at least annually, document the results, and update the plan based on lessons learned.

💡 Pro Tip
Start your remediation with the controls that carry the highest point values in the SPRS scoring methodology. Failing to implement MFA (3.5.3) costs you 5 points alone. Addressing the top 10 highest-weighted controls can move your SPRS score by 30 or more points.
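To make the scoring in Step 2 and this tip concrete, here is an added example (my own code, not from the article or the DoD) that turns a "Met / Not Met / Partially Met" gap assessment into an SPRS score and lists unmet controls in remediation order by weight. It assumes the 110-minus-deductions method; the 5-point weight for 3.5.3 is from the text above, the other weights are illustrative assumptions, and "Partially Met" is treated as "Not Met" as the conservative reading.

```python
# Added example (not from the original article): score a gap assessment
# the way the guide describes SPRS scoring, starting at 110 and subtracting
# each unmet control's weight, then rank remediation by weight.
# Control IDs are the ones the article cites. The 5-point weight for 3.5.3
# is from the article; the other weights are ASSUMED for illustration and
# must be checked against the DoD Assessment Methodology before use.

MAX_SCORE = 110

# SPRS assigns each control a weight of 5, 3 or 1. Only 3.5.3 = 5 is from
# the article; the rest are assumed values for this example.
WEIGHTS = {
    "3.3.1": 5, "3.3.2": 3, "3.5.3": 5, "3.6.3": 1, "3.12.1": 5,
}

VALID_STATUS = ("Met", "Not Met", "Partially Met")


def deduction(control, status):
    """Points subtracted for one control given its gap-assessment status.

    "Partially Met" is deducted in full: the methodology grants partial
    credit for only a couple of controls, so this is the safe default.
    """
    if status not in VALID_STATUS:
        raise ValueError(f"unknown status {status!r} for control {control}")
    return 0 if status == "Met" else WEIGHTS[control]


def sprs_score(assessment):
    """110 minus the weight of every control that is not fully met."""
    return MAX_SCORE - sum(deduction(c, s) for c, s in assessment.items())


def remediation_order(assessment):
    """Unmet controls, highest weight first (ties broken by control ID)."""
    unmet = [c for c, s in assessment.items() if s != "Met"]
    return sorted(unmet, key=lambda c: (-WEIGHTS[c], c))


# Constructed sample assessment covering the controls above.
SAMPLE = {
    "3.3.1": "Not Met",
    "3.3.2": "Partially Met",
    "3.5.3": "Not Met",
    "3.6.3": "Not Met",
    "3.12.1": "Met",
}

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))            # 110 - (5+3+5+1) = 96
    print("Remediate first:", remediation_order(SAMPLE))
```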

Cost and Timeline Expectations

Budget is always the uncomfortable conversation. Here are realistic numbers based on current market rates for small to mid-size contractors (50 to 500 employees):

| Cost Category | Estimated Range |
|---------------|----------------|
| Gap assessment (consultant-led) | $15,000 to $40,000 |
| SSP and POA&M development | $10,000 to $25,000 |
| Technical remediation (MFA, SIEM, encryption) | $30,000 to $150,000+ |
| GRC platform (annual) | $5,000 to $30,000 |
| C3PAO assessment (Level 2) | $50,000 to $120,000 |
| Annual maintenance and monitoring | $20,000 to $60,000 |

Total first-year investment for a mid-size contractor typically lands between $100,000 and $300,000. Organizations that already have ISO 27001 or SOC 2 programs in place can expect to spend 30 to 40% less because of control reuse.

For timeline, plan on 12 to 18 months from kickoff to C3PAO assessment readiness. The breakdown usually looks like this:

  • Months 1-2: Scoping and gap assessment
  • Months 3-5: SSP development and remediation planning
  • Months 5-12: Technical implementation and policy rollout
  • Months 12-14: Internal assessment and readiness review
  • Months 14-18: C3PAO scheduling and formal assessment

Organizations that try to compress this timeline below 9 months almost always produce documentation that does not hold up under C3PAO scrutiny. Do it right the first time.

Frequently Asked Questions

What happens if I fail a CMMC assessment?

You receive a report detailing which controls were not met. You can remediate the findings and request a reassessment, but you will need to pay for the reassessment separately. During the remediation period, you cannot bid on contracts that require the certification level you failed. Most C3PAOs recommend waiting at least 90 days before reassessment to allow time for proper remediation and evidence collection.

Can I use a cloud provider like Microsoft 365 GCC High for CUI?

Yes, and many contractors do. Microsoft 365 GCC High and AWS GovCloud are both designed to meet the FedRAMP High baseline, which satisfies many NIST 800-171 controls at the infrastructure level. However, using a compliant cloud does not make you compliant automatically. You still own controls related to access management, user training, incident response, and configuration of the platform. Expect a compliant cloud environment to cover roughly 40 to 50% of NIST 800-171 controls, leaving the rest as your responsibility.

Is NIST 800-171 compliance the same as CMMC Level 2?

The technical controls are identical. CMMC Level 2 maps directly to the 110 controls in NIST 800-171 Revision 2. The difference is the assessment and certification mechanism. Historically, NIST 800-171 compliance was self-attested. CMMC Level 2 adds formal verification through either an enhanced self-assessment or a C3PAO assessment, depending on the contract requirements.

How often do I need to reassess?

CMMC certifications are valid for three years. However, NIST 800-171 requires ongoing security assessments (control 3.12.1), and your SPRS score must be updated whenever your security posture changes. Practically speaking, conduct a thorough internal review at least annually, and update your SSP and SPRS score after any significant system changes, security incidents, or organizational restructuring.

Do subcontractors need the same level of compliance as prime contractors?

Subcontractors must comply with NIST 800-171 if they handle CUI as part of their subcontract work. The required CMMC level flows down through the contract. If the prime contract requires CMMC Level 2, any subcontractor handling CUI must also achieve Level 2. This is one of the most frequently overlooked aspects of supply chain compliance. Prime contractors are increasingly requiring CMMC certification as a condition of subcontract award, so address this early in your supplier management process.

James Mitchell
Author
James Mitchell covers topics in this category and related fields. Views expressed are editorial and based on research and experience.