NIST 800-171 is a security standard that defines how nonfederal organizations must protect Controlled Unclassified Information (CUI) stored, processed, or transmitted on their own systems. Published by the National Institute of Standards and Technology as Special Publication 800-171, it exists because the federal government routinely shares sensitive-but-unclassified data with contractors, universities, and service providers, and needs a consistent baseline for how that data is safeguarded once it leaves federal control. If you do business with the Department of Defense and handle CUI, NIST 800-171 is not a best-practice suggestion. It is a contractual and legal obligation.
What Is NIST 800-171 and What Is CUI?
Controlled Unclassified Information is government-created or government-owned information that is sensitive enough to require protection under law, regulation, or policy, but that does not rise to the level of classified national security information. Think export-controlled technical drawings, contract deliverables, personnel records, or research data tied to a federal award. NIST 800-171 provides the security requirements an organization must implement to keep that information confidential when it lives outside federal systems. A closely related but separate document, NIST 800-171A, does not add requirements at all. Instead it tells assessors how to evaluate whether each requirement has been met, breaking every requirement into discrete assessment objectives that must each be satisfied (NIST, 2024). Keeping this distinction straight matters: 800-171 is what to do, and 800-171A is how compliance is judged.
Key distinction: NIST SP 800-171 contains the security requirements, while NIST SP 800-171A contains the assessment procedures. Under 800-171A, each assessment objective for a requirement must be found MET (or Not Applicable) for the overall requirement to be scored as satisfied (NIST, 2024).
Who Must Comply with NIST 800-171?
Compliance is triggered by contract language, not by company size. The most common trigger is DFARS clause 252.204-7012, which the Department of Defense flows down into contracts and subcontracts that involve covered defense information. Any organization that stores, processes, or transmits CUI under such a contract must implement NIST 800-171, and the obligation flows all the way down the supply chain to subcontractors. In practice this captures a vast ecosystem: prime defense contractors, machine shops, IT service providers, cloud vendors, and research institutions. Beyond DoD, other federal agencies increasingly reference 800-171 when they share CUI. If a federal customer sends you sensitive information and your contract points to the standard, you are on the hook.
- DoD prime contractors and every subcontractor tier that handles CUI
- Manufacturers and suppliers holding export-controlled or covered defense information
- Managed service providers and cloud hosts that store or process CUI on behalf of contractors
- Universities and research institutions receiving CUI under federal awards
- Any nonfederal organization whose contract includes DFARS 252.204-7012 and involves CUI
The Requirement Families
NIST 800-171 organizes its requirements into families, each covering one domain of security controls. Under Revision 2 there were 110 requirements across 14 families, and that structure still underpins most active DoD contracts today. Revision 3 reorganized the standard into 17 families, adding Planning, System and Services Acquisition, and Supply Chain Risk Management to reflect how modern threats move through vendors and software (NIST, 2024). The families below reflect the Revision 3 structure, but the domains they cover will look familiar to anyone who has worked with the earlier version.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment and Monitoring
- System and Communications Protection
- System and Information Integrity
- Planning (added in Revision 3)
- System and Services Acquisition (added in Revision 3)
- Supply Chain Risk Management (added in Revision 3)
If your team is already familiar with the broader NIST control catalog, these families will resonate, because 800-171 is derived from a tailored subset of NIST 800-53. We cover that parent catalog in our companion article on the NIST 800-53 control families, which is worth reading alongside this guide to understand where 800-171 requirements originate.
What Changed in Revision 3
NIST published the final version of SP 800-171 Revision 3 on May 14, 2024, its first major update since Revision 2 landed in 2020. The headline numbers can be misleading. The top-level requirement count actually dropped from 110 to 97 as NIST eliminated outdated and redundant items and consolidated others (NIST, 2024). At the same time, the number of assessment objectives in the companion 800-171A rose from 320 to 390, meaning the verification burden increased even as the requirement list got shorter (NIST, 2024). Revision 3 also introduced organization-defined parameters, which let agencies specify values such as password length or log retention periods, giving federal customers more say in how strictly each control is tuned.
Timing note for defense contractors: the DFARS 252.204-7012 assessment methodology and CMMC 2.0 Level 2 are currently built on the 110 requirements of Revision 2 (NIST, 2020). Revision 3 is finalized, but its adoption into DoD contract requirements is being phased in, so confirm which revision a given contract references before you scope your work.
The Link to CMMC, DFARS, and Your SPRS Score
This is where NIST 800-171 becomes concrete for defense contractors. DFARS 252.204-7012 requires you to implement the standard, and a companion clause requires you to perform a self-assessment and report the result. That result is a numeric SPRS score, submitted to the Department of Defense through the Supplier Performance Risk System. The scoring model starts at a perfect 110, with points deducted for each unmet requirement, producing a range from -203 to +110. A current SPRS score is effectively a prerequisite for contract award, and it must be kept up to date as your environment changes.
The Cybersecurity Maturity Model Certification (CMMC) program adds a verification layer on top of all of this. If NIST 800-171 is the rulebook and the SPRS score is your self-graded homework, CMMC is the proctored exam. CMMC 2.0 Level 2 is built directly on the same 110 NIST 800-171 requirements, but instead of self-attestation it typically requires assessment by an accredited third party. Under CMMC, a partial score can earn conditional certification if remaining gaps are captured in a plan of action and closed within a defined window. We walk through the full certification journey in our CMMC 2.0 defense contractor roadmap, which pairs naturally with this guide for organizations preparing for that assessment.
How to Become Compliant
Achieving compliance is a documentation-heavy, evidence-driven exercise. The goal is to be able to demonstrate, requirement by requirement, that your safeguards are implemented correctly and operating as intended. The following steps sequence the work in the order most organizations find manageable.
- Scope your CUI environment: identify where CUI is received, stored, processed, and transmitted, and draw a clear system boundary around it.
- Develop a System Security Plan (SSP) describing that boundary and how each requirement is implemented; the SSP is itself a required control and the foundational assessment document.
- Run a gap assessment against every requirement using NIST 800-171A, evaluating each assessment objective as MET or not.
- Build a Plan of Action and Milestones (POA&M) for every gap, recording the remediation plan, the responsible owner, and a target completion date.
- Remediate the gaps, prioritizing the requirements that carry the heaviest SPRS point deductions and the greatest real risk to CUI.
- Calculate and submit your SPRS score, then keep it current as systems and controls change.
- Maintain evidence continuously and prepare for third-party assessment where CMMC Level 2 applies.
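As an added illustration of how the 800-171A roll-up rule and the SPRS deduction model fit together across the gap assessment, POA&M and scoring steps above (example code written for this article, not a NIST or DoD tool): the requirement IDs, objective IDs and point weights below are constructed sample data, and the 1/3/5-point weight scale is an assumption taken from the DoD Assessment Methodology rather than from this page.

```python
from dataclasses import dataclass

PERFECT_SCORE = 110                 # the DoD scoring model starts every assessment here
MET, NOT_MET, NA = "MET", "NOT MET", "N/A"
VALID_FINDINGS = {MET, NOT_MET, NA}


@dataclass(frozen=True)
class Requirement:
    req_id: str
    weight: int            # points deducted if unmet; the 1/3/5 scale is an assumption here
    objectives: dict       # assessment objective id -> finding


def requirement_satisfied(findings: dict) -> bool:
    """800-171A rule: a requirement is satisfied only if every one of its
    assessment objectives is MET or Not Applicable. A single NOT MET objective
    fails the whole requirement; an unassessed requirement is an error."""
    if not findings:
        raise ValueError("a requirement with no assessed objectives cannot be scored")
    bad = set(findings.values()) - VALID_FINDINGS
    if bad:
        raise ValueError(f"unknown finding value(s): {sorted(bad)}")
    return all(f in (MET, NA) for f in findings.values())


def score_assessment(requirements: list) -> tuple:
    """Return (SPRS-style score, POA&M gap list ordered heaviest deduction first)."""
    gaps = [r for r in requirements if not requirement_satisfied(r.objectives)]
    score = PERFECT_SCORE - sum(r.weight for r in gaps)
    poam = [
        {"req_id": r.req_id, "points": r.weight,
         "failed_objectives": [o for o, f in r.objectives.items() if f == NOT_MET]}
        for r in sorted(gaps, key=lambda r: (-r.weight, r.req_id))
    ]
    return score, poam


# Constructed sample: four requirements instead of the real 110, with made-up IDs and weights.
SAMPLE_ASSESSMENT = [
    Requirement("R-01", 5, {"R-01[a]": MET, "R-01[b]": MET}),
    Requirement("R-02", 5, {"R-02[a]": MET, "R-02[b]": NOT_MET}),   # one miss fails the requirement
    Requirement("R-03", 3, {"R-03[a]": NA}),                         # N/A counts as satisfied
    Requirement("R-04", 1, {"R-04[a]": NOT_MET, "R-04[b]": NOT_MET}),
]

if __name__ == "__main__":
    score, poam = score_assessment(SAMPLE_ASSESSMENT)
    print(f"score: {score}")      # 110 - 5 - 1 = 104 for the sample
    for gap in poam:
        print(gap)
```

In a real self-assessment the input list covers all 110 Revision 2 requirements with their published weights, and the POA&M ordering gives you the remediation priority the steps above call for.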
Grounding this work in a repeatable risk process pays off, because 800-171 assumes you understand your threats and prioritize accordingly. Our practical NIST 800-30 risk assessment guide shows how to identify and rate the risks to CUI, and for smaller teams our walkthrough of the NIST Risk Management Framework for small enterprises explains how to run this program without a large dedicated staff. Treat compliance as an ongoing operating discipline rather than a one-time project, and the annual SPRS refresh and eventual CMMC assessment become routine rather than fire drills.
The stakes are rising. CMMC assessment obligations are being phased into defense contracts, and most organizations report needing twelve to eighteen months to reach Level 2 readiness from a standing start. Beginning your SSP and gap assessment now, rather than when a contract clause forces the issue, is the single most reliable way to avoid being locked out of federal work. NIST 800-171 is demanding, but it is also finite and well documented, and organizations that approach it methodically consistently get there.