What is NIST 800-171? A Guide for Defense Contractors
Reviewed by Corey Garretson
NIST Special Publication 800-171 is the foundational cybersecurity standard for defense contractors. If your organization handles Controlled Unclassified Information (CUI) on behalf of the federal government, you are required to implement its 110 security requirements. It's not optional and it's not new, but enforcement is finally catching up to the requirement.
Understanding NIST 800-171 may feel a bit complicated, but it’s necessary as it’s the technical blueprint for protecting the kind of sensitive information that adversaries are actively trying to steal from America's defense supply chain.
NIST 800-171 Overview
Published by the National Institute of Standards and Technology (NIST), SP 800-171 was first released in 2015 and has been updated since. It defines the security requirements that non-federal organizations must meet when handling CUI, which is information that isn't classified but is still sensitive enough to require protection.
The standard is built around 14 security domains, which cover everything from who has access to how your systems are set up and managed. They’re also designed to cover how you detect and respond to threats, and even how you protect data on physical media. Each domain contains a set of specific, testable requirements, with 110 in total.
NIST 800-171 is referenced directly in DFARS 252.204-7012, the defense acquisition clause that makes these requirements contractually binding. It is also the technical baseline for CMMC Level 2. If you're pursuing CMMC certification, you're essentially working toward full implementation of NIST 800-171, and if you need a partner for certification then we’d love to talk.
The Relationship Between NIST 800-171, DFARS, and CMMC
DFARS 252.204-7012 requires defense contractors to implement NIST 800-171, while CMMC Level 2 verifies that you've actually done it. Think of NIST 800-171 as the what, DFARS as the legal obligation to do it, and CMMC as the mechanism that proves you did.
The 110 Security Requirements by Domain
NIST 800-171 organizes its requirements into 14 domains. Here's what each one covers, and why it matters for defense contractors:
Access Control (AC): 22 requirements
These controls limit who can access your systems, data, and CUI. They cover user account management, least privilege, remote access controls, and CUI system boundaries.
This is where contractors typically have the most gaps, due to over-privileged accounts, shared credentials, and poorly controlled remote access, all common problems in SMB environments where speed and efficiency often overshadow security best practices.
Awareness and Training (AT): 3 requirements
These controls require that users are trained on their security responsibilities and that the training is documented. This includes CUI handling awareness, phishing recognition, and insider threat awareness. It’s only three requirements, but they're foundational; a user who doesn't know how to handle CUI securely undermines every technical control you've built. Think of it like having a door that can lock but no one ever locks it. The intention doesn’t matter if best practices aren’t followed by everyone on the team.
Audit and Accountability (AU): 9 requirements
These controls require logging of system activity (who accessed what, when, and from where) and protection of those logs. Audit logs are your forensic record. Without them, you can't detect a breach, prove clean operations to an assessor, or meet your DFARS incident reporting obligations. You may be doing everything right, but these audit logs are the proof.
Configuration Management (CM): 9 requirements
These requirements establish and enforce secure configuration baselines for your systems, control what software is allowed to run on them, and manage changes. Misconfiguration is the leading cause of cloud security incidents. For on-premises environments, unmanaged configurations are equally dangerous.
Identification and Authentication (IA): 11 requirements
This domain requires multi-factor authentication (MFA) for access to privileged accounts (both remote and local) as well as for remote access to non-privileged accounts. It also covers strong password policies and management of system and service accounts. MFA is non-negotiable under 800-171 and under the threat landscape facing defense contractors today (and is really a good idea for safe internet use in general).
Incident Response (IR): 3 requirements
These controls require an incident response (IR) plan, the capability to execute it, and testing. Critically, the DFARS clause that references 800-171 adds a 72-hour reporting obligation when CUI systems are compromised, and your IR capability needs to be fast enough to meet or beat that clock.
Maintenance (MA): 6 requirements
These controls dictate how maintenance is performed on systems handling CUI, particularly in regard to remote maintenance. In the past, attackers have used maintenance access pathways to gain persistent footholds, and this domain exists because those pathways need to be controlled and logged.
Media Protection (MP): 9 requirements
This domain governs CUI on removable media such as USB drives, external hard drives, and printed materials. The nine requirements cover access controls, transport protections, and sanitization before disposal. Even though you don’t encounter much physical media in your everyday life anymore, it’s still a significant exfiltration vector, particularly for insider threats. The fact that it’s rare makes it even more likely to be overlooked, which is why this domain is so important.
Personnel Security (PS): 2 requirements
These two requirements cover the screening of individuals prior to granting access along with termination procedures. It sounds small, but access that isn't properly revoked when someone leaves an organization is a persistent vulnerability that assessors look for.
Physical Protection (PE): 6 requirements
This domain controls physical access to systems and devices that handle CUI. For most SMBs, this means controlled access to server rooms, workstations, and any physical media. These things are often overlooked in the rush to focus on technical controls.
Risk Assessment (RA): 3 requirements
These controls require periodic risk assessments and vulnerability scans. This is where you prove you're actively looking for weaknesses, not just assuming nothing is wrong.
The Cybersecurity & Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog is essential context for this domain. Maintained by the federal government, this catalog lists real-world vulnerabilities that have been exploited in the wild.
Security Assessment (CA): 4 requirements
This domain requires a System Security Plan (SSP), periodic assessment of the controls in that plan, and a Plan of Action & Milestones (POA&M) for addressing gaps. This domain is the documentation spine of your entire CMMC program.
System and Communications Protection (SC): 16 requirements
This covers network architecture, segmentation, encryption in transit, and communications boundary protections. These requirements are where your network segmentation strategy, particularly around CUI systems, gets defined and documented.
System and Information Integrity (SI): 7 requirements
These requirements cover malware protection, security alerts, patching, and monitoring. Your endpoint protection, SIEM, and patch management program are all included here. This domain is also where the need for your SOC's real-time threat visibility is defined.
What RADICL Sees in the Field
Across our DIB customers, AU (audit logging) and AC (access control) are typically the domains with the most systemic gaps. Organizations often have gaps in logging coverage for in-scope systems, inadequate monitoring capabilities, or both. Access control failures (such as over-privileged users, shared accounts, or the lack of clearly separated duties) are very common. These two domains are where our experts typically start.
Want to see how CMMC ready you are? Let's talk.
Self-Assessment, SPRS Scoring, and POA&M
Every defense contractor subject to DFARS 252.204-7012 has compliance requirements they must meet. This could mean CMMC Level 1, 2, or 3. For CMMC Level 1, you’re required to do a self-assessment against requirements aligned to FAR 52.204-21. For CMMC Level 2, you do a C3PAO certification against NIST SP 800-171 R2 every three years with annual self-assessments in the intervening years. Level 2 self-assessment scores must be submitted to the Supplier Performance Risk System (SPRS), but Level 1 does not use any scoring system. You either attest to meeting the controls or not.
The scoring system for Level 2 works like this: you start at 110 points. Each unimplemented requirement deducts a specific point value, ranging from 1 to 5 points depending on the requirement's weight. A perfect SPRS score is 110. Most contractors, when assessed honestly, score significantly lower than that. Specific contracts may accept a lower score, and contractors with open gaps can still pursue a Conditional Level 2 status with an active POA&M, but there is no defined minimum score threshold.
How the SPRS Score is Calculated
The NIST SP 800-171 DoD Assessment Methodology (the assessment guide companion to 800-171) defines the point weight for each requirement. High-weight requirements, like MFA (IA.L2-3.5.3) at 5 points, have an outsized impact on your score. Implementing high-value requirements first is the fastest path to significantly improving your score.
Domain | # Requirements | Max Point Impact
Access Control (AC) | 22 | High; multiple 3-5 point requirements
Identification & Authentication (IA) | 11 | High; MFA alone is worth 5 points
System & Comms Protection (SC) | 16 | High
Audit & Accountability (AU) | 9 | Medium-High
Configuration Management (CM) | 9 | Medium
System & Info Integrity (SI) | 7 | Medium
Incident Response (IR) | 3 | Medium
All other domains | 33 | Lower individual weights
The Plan of Action & Milestones (POA&M)
A POA&M documents the requirements you haven't yet fully implemented, along with milestones and timelines for closing those gaps. Under CMMC 2.0, a POA&M can support a conditional assessment outcome, which means you can be assessed before you've closed every gap, as long as you have a credible, active remediation plan.
A good POA&M is specific, dated, and realistic. Assessors and contracting officers who review it are looking for evidence that you understand your gaps and have a real actionable plan to close them. That means avoiding vague boilerplate language that lists every open finding with a “TBD” due date.
POA&Ms are only permitted in very limited circumstances, and you must have a passing score of 88 to be eligible for one. Even then, only 1-point requirements may be included.
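The scoring and POA&M rules described above and in the SPRS section, worked through in code. This is an added example, not RADICL's tooling or the official DoD scoring sheet: it starts at 110, subtracts the weight of each unimplemented requirement, orders open items by weight for remediation, and applies the 88-point floor and 1-point-only rule for POA&M eligibility. Only the IA.L2-3.5.3 = 5 weight comes from the article; the other weights are constructed sample values, and the official ones must be taken from the DoD Assessment Methodology.

```python
"""SPRS score and POA&M eligibility per the article's stated rules (added example)."""
from dataclasses import dataclass

START_SCORE = 110          # perfect SPRS score
POAM_MIN_SCORE = 88        # minimum score to be eligible for a POA&M
POAM_MAX_ITEM_WEIGHT = 1   # only 1-point requirements may sit on a POA&M


@dataclass
class Requirement:
    rid: str          # CMMC Level 2 practice id, e.g. "IA.L2-3.5.3"
    weight: int       # points deducted if the requirement is not implemented
    implemented: bool


def sprs_score(reqs):
    """110 minus the weight of every unimplemented requirement."""
    return START_SCORE - sum(r.weight for r in reqs if not r.implemented)


def open_items(reqs):
    """Unimplemented requirements, heaviest first: the remediation order the article recommends."""
    return sorted((r for r in reqs if not r.implemented), key=lambda r: (-r.weight, r.rid))


def poam_eligible(reqs):
    """POA&M allowed only at a score of 88 or better with no open item worth more than 1 point."""
    too_heavy = [r for r in open_items(reqs) if r.weight > POAM_MAX_ITEM_WEIGHT]
    return sprs_score(reqs) >= POAM_MIN_SCORE and not too_heavy


# Constructed sample assessment. IA.L2-3.5.3 = 5 is from the article; all other
# weights here are illustrative placeholders, not the official methodology values.
SAMPLE = [
    Requirement("IA.L2-3.5.3", 5, False),   # MFA not yet implemented
    Requirement("AC.L2-3.1.1", 5, True),
    Requirement("AU.L2-3.3.1", 5, True),
    Requirement("AC.L2-3.1.20", 1, False),  # a 1-point gap (constructed weight)
    Requirement("PS.L2-3.9.2", 3, False),   # a 3-point gap (constructed weight)
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))          # 101
    print("POA&M eligible:", poam_eligible(SAMPLE))   # False: 5- and 3-point items still open
    for r in open_items(SAMPLE):
        print(f"  remediate next: {r.rid} (+{r.weight} points)")
```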
How NIST 800-171 Maps to CMMC Level 2
Achieving CMMC Level 2 requires implementation of all 110 NIST SP 800-171 Rev 2 requirements. The mapping is essentially 1:1 because every CMMC Level 2 practice corresponds to a NIST 800-171 requirement. The difference lies in the fact that CMMC adds a verification layer: a C3PAO independently assesses whether you've actually implemented what you claim.
If you're building your NIST 800-171 compliance program now, you're simultaneously building your CMMC Level 2 readiness because the work is the same. CMMC just adds external accountability.
RADICL's Take
We focus on getting our customers to a perfect 110 SPRS score, so we generally advise against relying on a POA&M. Every day, we help defense contractors build NIST 800-171 programs that are designed to be assessed, not just documented. That means closing real gaps instead of papering over them. Our gap assessment gives you an accurate baseline score, a prioritized remediation roadmap, and the SSP and POA&M you'll need for a C3PAO assessment.
Frequently Asked Questions
Is NIST 800-171 compliance mandatory for all defense contractors?
If your contract includes DFARS clause 252.204-7012 and you handle CUI, then yes: implementation of NIST 800-171 is contractually required. Level 1 contractors (FCI only, no CUI) operate under a lighter set of requirements from FAR 52.204-21. When in doubt, check your contract's DFARS clauses or ask your contracting officer.
What's the difference between NIST 800-171 and NIST 800-53?
NIST 800-53 is the full federal security control catalog. It’s comprehensive, designed for federal agencies, and significantly larger (including over 1,000 controls across all baselines). NIST 800-171 is a tailored subset of 800-53, designed specifically for non-federal organizations handling CUI. If 800-53 is the entire encyclopedia, 800-171 is the chapter that applies to defense contractors.
How long does it take to implement NIST 800-171?
For a small contractor with limited existing controls, 9-12 months is a realistic timeline for full implementation. Organizations with more mature security programs can often close gaps in 4-6 months. The bottleneck is usually not knowing where the gaps are, which is why it’s so important to start with an honest gap assessment.
Can we self-assess, or do we need a third party?
For DFARS compliance purposes, self-assessment and SPRS score submission are required and sufficient, with no third party needed for the self-assessment itself. For CMMC Level 2 certification on contracts that require it, most contractors will need a C3PAO assessment. The two things are separate: your SPRS self-assessment is ongoing, while your CMMC assessment is a certification milestone.
What's the penalty for non-compliance?
The consequences range from contract ineligibility (you can't be awarded or renewed) to legal liability under the False Claims Act if you submit a materially false SPRS score or DFARS attestation. And this isn’t just a theoretical threat: the Department of Justice has actively pursued False Claims Act cases against defense contractors who certified compliance they didn't have. It’s wise to be honest and approach certification through the correct methods to avoid losing a contract or being hit with a hefty fine.