NIST 800-171: A Business Guide for Defense Contractors

NIST SP 800-171 is the security framework underlying CMMC Level 2 and applicable to any business handling Controlled Unclassified Information (CUI) for federal contracts. The current revision (Rev 3, finalized 2024) defines 110 security requirements across 14 control families. For defense contractors and federal civilian contractors, NIST 800-171 alignment isn't optional — it's required by FAR/DFARS clauses in covering contracts. Here's a practical overview.

Who's Subject to NIST 800-171

The framework applies to non-federal organizations that process, store, or transmit CUI in support of federal contracts. The scope is broader than just "defense contractors":

Department of Defense prime and subcontractors
NASA and other federal civilian agency contractors handling CUI
Research institutions handling controlled research data
Universities receiving federal funding for sensitive work
Cleared facilities under National Industrial Security Program
Subcontractors at any tier handling CUI for federal work

If your contracts reference DFARS 252.204-7012, NIST 800-171 applies. Even if not explicitly referenced, handling CUI typically triggers obligations.

Defense contractor IT manager reviewing NIST 800-171 control families with implementation status, plan of action, and System Security Plan documentation for CUI environment

The 14 Control Families

NIST 800-171 organizes requirements into families that parallel NIST SP 800-53:

Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity

Each family contains multiple specific controls — 110 total in Rev 3. The control text is prescriptive about what's required but flexible about how to implement.

The System Security Plan (SSP)

The foundational compliance document is the System Security Plan — written documentation of how each of the 110 controls is implemented for the in-scope environment. The SSP should specifically describe:

The system boundary and what's in scope
For each control, how it's implemented (technical details, not generic statements)
Any controls where implementation is partial or compensated
Service providers handling parts of the environment and their responsibilities
Operational processes supporting the controls

The SSP, paired with a Plan of Action and Milestones (POA&M) documenting any gaps and the timeline for closing them, is what gets reviewed during assessment.

The Self-Assessment and Scoring

DoD contractors are required to submit self-assessment scores to the Supplier Performance Risk System (SPRS). The scoring methodology assigns weights to controls — implementing all 110 produces a score of 110. Gaps reduce the score, sometimes by 3 or 5 points per significant gap. Scores below 110 trigger additional scrutiny in contract evaluations.

The implication: self-assessment honesty matters. Inflating the score creates contract risk if later discovered through DCMA audits or CMMC assessments.

The CMMC Connection

CMMC Level 2 essentially formalizes NIST 800-171 with third-party assessment. The differences:

CMMC requires assessment by certified third party (C3PAO), not self-assessment
CMMC adds maturity processes beyond the basic controls
CMMC creates a formal certification with reciprocity across contracts
CMMC introduces specific levels (1, 2, 3) with different control sets

For businesses already aligned with NIST 800-171, CMMC Level 2 certification is mostly a matter of preparing for external assessment. For businesses without NIST 800-171 alignment, CMMC adds substantial work.

The Practical Implementation Sequence

For businesses starting NIST 800-171 implementation:

Identify what CUI you actually handle and where it lives
Define the system boundary — what's in scope for the controls
Conduct a gap assessment against the 110 controls
Build the System Security Plan documenting current state
Build the POA&M documenting gaps and remediation timeline
Implement the highest-priority gaps (typically identity, access control, audit logging, incident response)
Submit self-assessment score to SPRS
Maintain ongoing compliance with periodic re-assessment
Prepare for CMMC assessment if Level 2 certification will be required

The Specific Gaps Most Common in Practice

Frequent gaps in NIST 800-171 implementations: incomplete audit logging configuration, MFA not enforced on all CUI-accessing accounts, incident response plan documented but not tested, configuration management for system components inconsistent, service provider oversight documentation thin. Each of these can be addressed; together they often constitute 70%+ of the gap-closing work. If you're scoping NIST 800-171 implementation for your business, a free 30-minute conversation can frame the priority steps.

About Leonidas

Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments. Contact us or call 850-614-9343.