NIST SP 800-171 Compliance Guide: Protecting CUI for DoD Contractors

TL;DR

  • NIST SP 800-171 Rev. 3 (published May 2024) organizes CUI security requirements into 17 control families -- three more than Revision 2, adding Planning, System and Services Acquisition, and Supply Chain Risk Management, and broadening the existing assessment family into Assessment, Authorization and Monitoring.
  • Any organization that processes, stores, or transmits Controlled Unclassified Information (CUI) under a DoD contract must implement these requirements; there is no size exemption.
  • CMMC 2.0 (final rule effective December 16, 2024) is the enforcement mechanism: Level 2 requires either a self-assessment or a third-party C3PAO assessment covering all NIST 800-171 controls, depending on the contract.
  • Your SPRS score (range: -203 to 110) must be submitted before contract award. False submissions carry False Claims Act liability.
  • CMMC assessments through at least 2026 still use Revision 2 controls; the transition timeline to Rev. 3 has not been formally announced by the DoD as of this writing.

Who This Is For

This guide is written for compliance officers, IT security managers, and contract administrators at organizations in the Defense Industrial Base (DIB) that handle CUI. It covers the full compliance lifecycle: scoping, the 17 control families, assessment options, SPRS scoring, CMMC alignment, and common gaps. If you are evaluating whether you are in scope, start with the "What Is CUI" section below.


What Is CUI and Who Is In Scope?

CUI stands for Controlled Unclassified Information. The National Archives CUI Registry maintains 20 category groupings -- from Defense and Export Control to Law Enforcement, Privacy, and Tax -- that define what counts as CUI. The common thread is information the federal government generates or possesses that requires safeguarding by law, regulation, or government-wide policy, but that does not meet the threshold for classified information.

For DoD contractors, the trigger is DFARS clause 252.204-7012, which requires any organization that processes, stores, or transmits covered defense information on nonfederal systems to implement the controls in NIST SP 800-171 and report cyber incidents within 72 hours of discovery. The clause applies to:

  • Prime contractors holding direct DoD contracts
  • Subcontractors at any tier that handle CUI as part of their scope of work
  • Cloud service providers that store or process CUI on behalf of contractors
  • Research institutions receiving DoD funding where the funded work involves CUI

There is no employee-count exemption. A five-person engineering firm with a subcontract that includes CUI technical drawings has the same obligation as a large defense prime. Scope reduction -- moving CUI into a dedicated enclave rather than spreading it across your entire network -- is the most effective way to reduce the number of systems subject to the requirements.


NIST SP 800-171 Rev. 3: The 17 Control Families

NIST SP 800-171 Revision 3, published in May 2024, reorganized and expanded the original 14 control families to 17. The three additions address gaps that had been identified in Rev. 2: formal program planning, security requirements for acquisitions and third-party services, and supply chain risk management. The existing assessment family was also broadened into a consolidated assessment, authorization, and continuous monitoring function.

The 17 families are:

  1. Access Control -- Limit system access to authorized users; restrict what they can do
  2. Awareness and Training -- Ensure personnel understand security risks and responsibilities
  3. Audit and Accountability -- Create, protect, and review logs to trace user activity
  4. Assessment, Authorization and Monitoring -- Verify controls work; authorize systems; monitor continuously (expanded in Rev. 3)
  5. Configuration Management -- Establish and maintain baseline configurations
  6. Identification and Authentication -- Verify identity before granting access
  7. Incident Response -- Prepare for, detect, and contain security incidents
  8. Maintenance -- Perform timely maintenance with appropriate access controls
  9. Media Protection -- Protect CUI on digital and physical media
  10. Physical and Environmental Protection -- Limit physical access; protect infrastructure
  11. Planning -- Document system boundaries and security measures in an SSP (new in Rev. 3)
  12. Personnel Security -- Screen individuals before access; manage offboarding
  13. Risk Assessment -- Identify and evaluate risks to CUI systems
  14. System and Services Acquisition -- Apply security requirements to acquisitions and third-party services (new in Rev. 3)
  15. System and Communications Protection -- Monitor and protect communications at system boundaries
  16. System and Information Integrity -- Identify, report, and correct system flaws
  17. Supply Chain Risk Management -- Identify and address risks from suppliers and service providers (new in Rev. 3)

Important: CMMC assessments in 2026 still map to the Revision 2 control set (14 families, 110 controls). Revision 3 is the current NIST standard, but the DoD has not yet published a formal transition timeline for CMMC alignment to Rev. 3. Organizations should build programs against Rev. 3 for long-term compliance posture while tracking the DoD's CMMC rulemaking for transition dates.


NIST 800-171 vs. NIST 800-53: The Practical Difference

NIST 800-171's requirements were drawn from NIST SP 800-53, the comprehensive control catalog for federal information systems. The two serve different audiences:

  Aspect                 NIST SP 800-171                          NIST SP 800-53
  Intended for           Nonfederal organizations handling CUI    Federal agencies and their systems
  Controls               110 (Rev. 2); expanded in Rev. 3         1,000+
  Mandating regulation   DFARS 252.204-7012                       FISMA
  Assessment guide       NIST SP 800-171A                         NIST SP 800-53A
  Applies to             CUI only                                 All federal information types

If your organization contracts directly with a federal agency (outside DoD) or operates a cloud product seeking FedRAMP authorization, 800-53 is the relevant framework. For DoD CUI work, 800-171 is your standard.

Organizations that straddle both worlds -- a cloud product used by federal agencies and by DoD contractors -- often map their control library to both simultaneously. The overlap is significant: most 800-171 requirements have direct counterparts in 800-53.


How CMMC 2.0 Enforces 800-171

Before CMMC, contractors self-attested compliance in SPRS with no external verification. The DoD's CMMC 2.0 program changed that. The CMMC final rule took effect on December 16, 2024, establishing three levels:

Level 1 (Foundational): 15 basic safeguarding practices from FAR 52.204-21. Self-assessment only. Applies to organizations handling Federal Contract Information (FCI) but not CUI.

Level 2 (Advanced): The full 110-control NIST SP 800-171 Rev. 2 requirement. Assessment type depends on the contract:

  • Self-assessment for contracts where the DoD determines CUI is not critical program information
  • Third-party assessment by a C3PAO (Certified Third-Party Assessment Organization) for contracts involving critical CUI

Level 3 (Expert): NIST 800-171 plus a subset of NIST SP 800-172 enhanced requirements. Government-led assessment by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center).

The phased CMMC rollout began in 2025. New contracts and contract renewals are progressively incorporating CMMC requirements. Contractors should check their solicitations for CMMC clauses and confirm the required level with their contracting officer.

SPRS Score: What It Is and Why It Matters

The Supplier Performance Risk System (SPRS) is where contractors submit their self-assessment score. The scoring methodology assigns negative point values to each unimplemented control -- the maximum achievable score is 110 (all controls met), and scores can go as low as -203 if no controls are in place.

Before each assessment, contractors must:

  1. Complete a self-assessment using NIST SP 800-171A Rev. 3 as the assessment guide
  2. Calculate the SPRS score based on control status
  3. Submit the score to SPRS with an affirmation from a senior company official

That affirmation creates legal exposure. The Civil Cyber-Fraud Initiative, launched in 2021, uses the False Claims Act to pursue contractors that knowingly misrepresent their SPRS scores. Score submissions should reflect actual control status.


Plans of Action and Milestones (POA&Ms)

No organization achieves 110/110 on first assessment. POA&Ms are the formal mechanism for documenting unmet controls and the plan to close them. Under CMMC 2.0, POA&Ms are permitted at assessment time, but with constraints:

  • Controls with high-value point weights cannot be open on a POA&M at certification time (the exact list is specified in DoD CMMC policy guidance)
  • Open POA&Ms must be closed within 180 days of the assessment date
  • POA&M status is tracked in SPRS alongside the base score

A POA&M entry requires: the specific control reference, a description of the deficiency, the planned remediation action, the responsible owner, and a target completion date. Vague entries ("we will fix MFA") without specifics do not satisfy the requirement.
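A small working model of the SPRS scoring rule and the POA&M constraints described in the last two sections. This is an added example, not code from the DoD assessment methodology or from this guide: the 110 / -203 / 180-day figures are the ones stated above, while the per-control point weights and the rule that the top weight tier counts as "high-value" are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110        # every Rev. 2 control met
MIN_SCORE = -203       # no controls implemented
POAM_CLOSE_DAYS = 180  # open POA&M items must close within this window

# Constructed sample weights for controls named in this guide. Illustrative only:
# the DoD assessment methodology publishes the authoritative per-control table.
SAMPLE_WEIGHTS = {
    "3.3.1": 5,   # audit log generation
    "3.3.2": 3,   # audit log review
    "3.5.3": 5,   # multifactor authentication
    "3.6.3": 1,   # incident response testing
    "3.12.1": 5,  # periodic security assessment
}
# Assumption: the top weight tier stands in for the "high-value" controls that
# may not remain open on a POA&M at certification time.
HIGH_VALUE_WEIGHT = 5

@dataclass
class PoamEntry:
    control: str       # control reference, e.g. "3.5.3"
    deficiency: str    # what is missing
    remediation: str   # planned action
    owner: str         # responsible person or role
    target_date: date  # planned completion

def sprs_score(status, weights=SAMPLE_WEIGHTS):
    """Score = 110 minus the weight of every control that is not fully met.
    'Partially Met' earns no credit and is deducted exactly like 'Not Met'.
    Controls absent from `status` are treated as Met so a partial table scores."""
    deductions = sum(w for ctl, w in weights.items() if status.get(ctl, "Met") != "Met")
    score = MAX_SCORE - deductions
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} is outside the SPRS range")
    return score

def poam_findings(entries, assessed_on, weights=SAMPLE_WEIGHTS):
    """Return the problems an assessor would raise; an empty list means acceptable."""
    problems = []
    deadline = assessed_on + timedelta(days=POAM_CLOSE_DAYS)
    for e in entries:
        for field in ("deficiency", "remediation", "owner"):
            if not getattr(e, field).strip():
                problems.append(f"{e.control}: {field} is blank")
        if weights.get(e.control, 0) >= HIGH_VALUE_WEIGHT:
            problems.append(f"{e.control}: high-value control cannot stay open on a POA&M")
        if e.target_date > deadline:
            problems.append(f"{e.control}: target date is after the {POAM_CLOSE_DAYS}-day deadline")
    return problems

if __name__ == "__main__":  # constructed walk-through
    print(sprs_score({"3.5.3": "Partially Met", "3.6.3": "Not Met"}))  # 104
    late = PoamEntry("3.6.3", "IR plan never exercised", "", "", date(2026, 12, 1))
    print(poam_findings([late], date(2026, 3, 1)))
```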


Building a Compliance Program: A Practical Roadmap

Step 1: Scope the CUI Environment

Map where CUI enters your organization, where it is stored, how it moves, and who touches it. A tightly scoped CUI enclave reduces the number of systems subject to assessment. Many organizations reduce their scope significantly by consolidating CUI handling into a dedicated enclave rather than allowing CUI to exist across their full network.

Document the boundary in your System Security Plan (SSP). The SSP is the foundational document for any CMMC assessment -- it describes the system boundary, the people who operate it, and how each control is implemented.

Step 2: Run a Gap Assessment Against All Controls

Use NIST SP 800-171A Rev. 3 as your assessment guide. It provides specific assessment procedures for each requirement: the objects to examine, the individuals to interview, and the tests to conduct. Record each control as Met, Not Met, or Partially Met. Partial credit is not awarded in SPRS scoring -- a partially met control scores as not met.

Step 3: Build the SSP

The SSP covers: system name and purpose, CUI categories processed, system boundary diagram, user roles and access levels, and implementation status for each control. For controls that are not yet met, the SSP references the corresponding POA&M entry.

Step 4: Create POA&Ms for Every Gap

Each gap gets a POA&M entry with a specific remediation action, owner, and target date. Keep target dates realistic -- a POA&M that slips repeatedly is a red flag during assessment.

Step 5: Implement the Controls

Prioritize by SPRS point weight. MFA (control 3.5.3) carries one of the highest individual point values. System and communications protection and audit/accountability controls are also high-weight families. Technical implementation typically requires:

  • Phishing-resistant MFA for all access to CUI systems (VPN, RDP, SSH, SaaS)
  • Audit logging with a SIEM or log management solution and defined review procedures
  • Encryption of CUI at rest and in transit
  • Endpoint detection and response (EDR) on CUI systems
  • Formal incident response plan with documented testing

Step 6: Assess and Maintain

CMMC certifications are valid for three years, but the standard requires continuous monitoring. Update your SSP and SPRS score after significant system changes, security incidents, or organizational restructuring. Conduct an internal review against all 110 controls at least annually.


Self-Assessment vs. C3PAO Assessment

The DoD determines which assessment type your contract requires. The determining factor is the sensitivity of the CUI involved.

Self-assessment applies when the DoD designates the CUI as non-critical. You conduct the assessment, calculate your score, and submit it with a senior official affirmation. The Civil Cyber-Fraud Initiative has shown that false submissions are pursued -- treat this as a legal filing, not a box-check.

C3PAO assessment is required when the CUI is designated as critical program information. An accredited C3PAO assessor reviews your SSP, interviews staff, examines technical configurations, and tests controls on-site. C3PAO assessors are accredited through the Cyber AB. As of early 2026, scheduling a C3PAO assessment typically requires three to six months of lead time due to assessor availability.

Control overlap with other frameworks. Organizations holding ISO 27001 certifications will find significant control overlap: NIST 800-171's access control, audit, configuration, and incident response requirements map closely to ISO 27001 Annex A controls. This does not reduce the assessment requirement, but it does reduce the implementation work for organizations that have already built a documented control environment.


The Five Most Common Compliance Gaps

Based on publicly available C3PAO assessment findings and DIBCAC assessment reports, these five gaps appear most frequently:

1. Incomplete MFA deployment. Control 3.5.3 requires MFA for privileged and non-privileged accounts accessing CUI systems. Organizations frequently have MFA on VPN but skip it for local administrator logins, RDP sessions, or cloud applications that hold CUI. Every access path to CUI systems needs MFA -- not just the primary remote access method.

2. Audit logs exist but are not reviewed. Controls 3.3.1 and 3.3.2 require both generating logs and reviewing them. A SIEM configured to ingest logs but with no alert rules and no review schedule fails the review requirement. Define a review frequency, assign it to a named role, and document the review results.

3. CUI is not formally marked. Personnel handling CUI need to know what they are handling. A marking policy, training program, and technical implementation (document headers, email subject-line markings) are required. The National Archives CUI Registry specifies the approved marking formats for each CUI category.

4. The SSP is either absent or stale. Some contractors do not have a written SSP at all. Others have one that was written three years ago and does not reflect the current environment. Assign SSP ownership to a named individual with a defined review cycle tied to your change management process.

5. Incident response plans are not tested. Control 3.6.3 requires testing the incident response capability. A documented plan that has never been exercised does not satisfy the testing requirement. Tabletop exercises with documented results meet the standard. Schedule one annually and record the date, participants, scenario, and any plan updates that result.


Cost and Timeline: Realistic Expectations

The cost ranges below are general market observations for small to mid-size contractors. They are not sourced from a published study because no authoritative benchmark survey exists for this specific cost category -- treat them as order-of-magnitude guidance only, and get itemized quotes from at least three consultants and vendors before budgeting.

Cost categories and what drives their typical range for a 50-500 employee organization:

  • Gap assessment (consultant-led): varies by scope and assessor
  • SSP and POA&M development: varies by existing documentation maturity
  • Technical remediation (MFA, SIEM, encryption): varies by current state
  • GRC platform (annual subscription): varies by platform and tier
  • C3PAO assessment (Level 2): varies by assessor and scope size

For timeline: the gap analysis, SSP, and initial remediation planning phase typically takes two to three months. Full technical implementation and policy rollout for an organization starting from a low baseline takes six to twelve months. C3PAO scheduling adds another three to six months. Plan for twelve to eighteen months from kickoff to certification readiness if you are starting with significant gaps.

Organizations that have already built SOC 2 or ISO 27001 programs have documented control environments that reduce both assessment prep time and implementation work.


Mini-FAQ

What happens if I fail a CMMC Level 2 assessment? You receive a detailed findings report. You can remediate and request a reassessment, at your cost. You cannot bid on contracts requiring the failed certification level while remediation is in progress. C3PAOs generally advise waiting at least 90 days before reassessment to allow adequate remediation and evidence collection time.

Does using Microsoft 365 GCC High or AWS GovCloud make me compliant? These platforms are built to meet FedRAMP High baseline controls, which covers many NIST 800-171 requirements at the infrastructure layer. You still own the controls related to user access management, device configuration, incident response, and training. A compliant cloud platform addresses the infrastructure-layer controls; it does not address your organizational controls.

Is NIST 800-171 compliance the same as CMMC Level 2? The technical controls are the same: CMMC Level 2 maps to the 110 controls in NIST 800-171 Rev. 2. The difference is verification. 800-171 compliance was historically self-attested. CMMC Level 2 adds formal verification through an enhanced self-assessment (with senior official affirmation and SPRS submission) or a C3PAO assessment, depending on contract requirements.

How often must I reassess? CMMC certifications are valid for three years. NIST 800-171 requires periodic security assessments (control 3.12.1) and updates when your environment changes. As a practical minimum, conduct a full internal assessment annually and update your SPRS score after any material change to your CUI environment.

Do subcontractors have the same obligations as prime contractors? Yes, if they handle CUI. The required CMMC level flows down through the contract: if the prime contract specifies CMMC Level 2, every subcontractor that handles CUI under that contract must also achieve Level 2. Prime contractors are increasingly making CMMC certification a condition of subcontract award.

What is Revision 3, and do I need to comply with it now? NIST SP 800-171 Rev. 3 was published in May 2024 and adds three control families (17 total vs. 14 in Rev. 2), including Supply Chain Risk Management. CMMC assessments through at least 2026 still use Rev. 2 controls. The DoD has not published a transition date for Rev. 3 alignment in CMMC. Build your program against Rev. 3 now -- the new families reflect genuine security requirements -- but your formal CMMC assessment will be scored against Rev. 2 until the DoD announces otherwise.

Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.