DEFENSE CONTRACTOR COMPLIANCE
What Is NIST 800-171? A Plain-English Guide for Defense Contractors
The federal security standard behind CUI and CMMC, explained without the jargon — the 110 controls, who must comply, and how it connects to CMMC.
What Is NIST 800-171, Exactly?
NIST 800-171 (formally NIST Special Publication 800-171) is a publication of the National Institute of Standards and Technology that specifies how non-federal organizations must protect Controlled Unclassified Information (CUI) on their own systems. CUI is government information that is not classified but still requires safeguarding: technical drawings, specifications, logistics data, and similar sensitive material shared with contractors.
The standard exists because the federal government depends on a vast network of privately owned companies that handle and store sensitive data on systems the government does not control. NIST 800-171 defines the minimum safeguarding baseline expected of every one of them.
In its simplest terms, NIST 800-171 is a list of 110 security requirements divided into 14 families. Together they form a practical, defense-in-depth outline — not a list of products to buy.
The 14 Control Families at a Glance
Each family covers a different area of cybersecurity. The six below drive most of the remediation effort for contractors new to the standard:
- Access Control — who can reach CUI and when.
- Identification & Authentication — verifying users, with multi-factor authentication.
- Audit & Accountability — recording activity to investigate incidents.
- Configuration Management — keeping systems hardened and consistent.
- Incident Response — detecting, reporting, and recovering from breaches.
- System & Communications Protection — network segmentation and encryption.
The remaining families cover awareness training, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, and system integrity.
In May 2024 NIST published Revision 3, which restructured and renumbered the requirements. Most DoD contracts, and the CMMC program, still cite Revision 2, so confirm which revision your contract requires.
Revision numbering matters. Before you invest in remediation or documentation, verify the revision cited in your contract so your System Security Plan maps to the right control set and your assessment score is computed against the right requirements.
Who Must Adhere to NIST 800-171?
Any organization that processes, stores, or transmits CUI for the federal government is expected to comply. The obligation flows downward through the supply chain.
Defense Contractors & Subcontractors
Every tier of the supply chain that processes, stores, or transmits CUI on behalf of the federal government.
DFARS 252.204-7012 Holders
Firms carrying this clause in their contracts inherit the NIST 800-171 obligation by reference.
Civilian-Agency Vendors
Vendors working with civilian agencies that impose similar CUI safeguarding requirements.
Primes Flowing It Down
When a prime passes you CUI, you inherit the requirement — even as a small subcontractor.
NIST 800-171 vs. CMMC: Their Relationship
This is the part that confuses people most. NIST 800-171 and CMMC are not competing standards — they are layers of the same system.
- The standard is NIST 800-171: the 110 requirements.
- The enforcement mechanism is CMMC: it verifies that you have actually met those requirements.
Level 2 of CMMC is built on the 110 NIST 800-171 controls. The difference is accountability. Contractors were previously allowed to self-report NIST 800-171 compliance, and many overstated their readiness. CMMC introduces independent, third-party evaluation so the DoD can trust that protections are not merely on paper.
How to Begin to Comply
Compliance is a process, not a purchase. A sensible path looks like this, and many organizations underestimate the documentation burden at steps 3 and 4:
1. Scope: know what CUI you process and where it lives across your environment.
2. Gap analysis: compare your current state against the 110 requirements to find what is missing.
3. System Security Plan (SSP): document how every requirement is met.
4. Plan of Action & Milestones (POA&M): list any unmet requirements with owners and due dates.
5. Score: enter your self-assessment score, computed per the NIST SP 800-171 DoD Assessment Methodology, in the Supplier Performance Risk System (SPRS) so the DoD can gauge supplier risk.
6. Maintain: keep controls operating and re-baseline whenever systems, vendors, or staff change.
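The score in step 5 is not a percentage. Under the NIST SP 800-171 DoD Assessment Methodology a perfect result is 110, every unimplemented requirement subtracts a weight of 1, 3 or 5, two requirements (3.5.3 multi-factor authentication and 3.13.11 FIPS-validated cryptography) subtract only 3 when partially implemented, the floor is -203, and an assessment cannot be scored at all without a System Security Plan (3.12.4). The following Python is an added example, not code from the original article: it derives the score from a POA&M-style list of open items. The per-requirement weights and the sample POA&M are constructed for illustration; a real assessment must use the weight table in the official methodology.

```python
"""Derive an SPRS-style NIST SP 800-171 (Rev 2) self-assessment score from a
POA&M. Scoring rules follow the DoD Assessment Methodology; the WEIGHTS table
and SAMPLE_POAM below are constructed illustrations, not the official table.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110
MIN_SCORE = -203  # methodology floor reached when every requirement is unmet
SSP_REQUIREMENT = "3.12.4"  # no SSP means the assessment cannot be completed

# Constructed sample weights (hypothetical subset; real values come from the
# official methodology's scoring table, one entry per requirement).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5, "3.5.3": 5,
    "3.8.1": 3, "3.12.4": 5, "3.13.11": 5, "3.14.1": 5,
}
# Requirements that earn partial credit: deduction when partially implemented.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class PoamItem:
    """One open line in a Plan of Action & Milestones."""
    requirement: str   # NIST 800-171 Rev 2 identifier, e.g. "3.5.3"
    owner: str
    due: str           # ISO date the owner committed to
    partial: bool = False  # partially implemented (only matters for PARTIAL_CREDIT)


def deduction(item: PoamItem) -> int:
    """Points subtracted for one unmet or partially met requirement."""
    if item.requirement not in WEIGHTS:
        raise KeyError(f"unknown requirement {item.requirement}; add it to WEIGHTS")
    if item.partial and item.requirement in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[item.requirement]
    # 'partial' on any other requirement is still fully unimplemented for scoring.
    return WEIGHTS[item.requirement]


def sprs_score(poam: list[PoamItem]) -> int:
    """Score = 110 minus the sum of deductions, clamped at the -203 floor.

    Raises ValueError if the SSP requirement itself is open, since the
    methodology does not allow an assessment to be scored without an SSP.
    """
    seen: set[str] = set()
    total = 0
    for item in poam:
        if item.requirement in seen:
            raise ValueError(f"{item.requirement} listed twice in the POA&M")
        seen.add(item.requirement)
        if item.requirement == SSP_REQUIREMENT:
            raise ValueError("no SSP (3.12.4): assessment cannot be completed")
        total += deduction(item)
    return max(PERFECT_SCORE - total, MIN_SCORE)


# Constructed sample POA&M for a contractor mid-remediation.
SAMPLE_POAM = [
    PoamItem("3.5.3", "IT lead", "2025-03-31", partial=True),  # MFA on admins only: -3
    PoamItem("3.13.11", "IT lead", "2025-06-30"),              # non-FIPS VPN crypto: -5
    PoamItem("3.1.20", "Security", "2025-02-28"),              # external connections: -1
    PoamItem("3.8.1", "Ops", "2025-04-15"),                    # media protection: -3
]

if __name__ == "__main__":
    for item in SAMPLE_POAM:
        print(f"{item.requirement:8} -{deduction(item)}  owner={item.owner} due={item.due}")
    print("SPRS score:", sprs_score(SAMPLE_POAM))
```

Run it and the four open items cost 12 points, giving a score of 98; an empty POA&M scores the full 110. Marking an item `partial` only changes the arithmetic for 3.5.3 and 3.13.11, which is why the function treats every other partially implemented requirement as fully open, and why a POA&M that still lists 3.12.4 is rejected rather than scored.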
Get NIST 800-171 Right the First Time
NIST 800-171 may seem daunting, but it is manageable with the right plan and partner. Since CMMC Level 2 is built on the standard, everything you do now to meet these 110 requirements directly prepares you for certification. If you handle CUI and aren’t sure where you stand, our compliance team helps DoD contractors across DC, Maryland, and Northern Virginia map their gaps and build a realistic roadmap.
Frequently Asked Questions
What does NIST 800-171 compliance mean?
It means your organization has implemented the 110 security requirements that safeguard Controlled Unclassified Information, documented how each one is met in a System Security Plan, and can demonstrate that protection to the government.
How are NIST 800-171 and CMMC related?
NIST 800-171 is the security standard (the 110 controls). CMMC is the certification program that confirms you have implemented them; Level 2 of CMMC is built on NIST 800-171.
How many controls are in NIST 800-171?
In Revision 2 there are 110 security requirements across 14 families. In 2024 they were revised and restructured as Revision 3, so confirm which revision your contract references.
Who has to comply with NIST 800-171?
Any organization that processes, stores, or transmits CUI for the federal government, including prime contractors, subcontractors, and vendors with DFARS 252.204-7012 in their contracts.