
What Is NIST 800-171? Requirements Explained for Defense Contractors

NIST SP 800-171 is a publication from the National Institute of Standards and Technology that defines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. If you are a defense contractor handling CUI, these 110 security requirements are what your systems must meet.

NIST 800-171 is not new. DFARS 252.204-7012 has required compliance since 2017. What changed is enforcement. CMMC Level 2 maps directly to these 110 requirements and now requires independent verification through a C3PAO assessment.

Who must comply

If your company processes, stores, or transmits CUI for a federal agency, you fall under the NIST 800-171 umbrella. This requirement cascades through the entire federal supply chain:

  • Prime contractors who hold a direct contract with the DoD
  • Subcontractors hired by primes who need access to CUI
  • Suppliers and vendors at any tier who handle CUI to do their work

The obligation flows down from the prime contractor. If your contract includes the DFARS 252.204-7012 clause, you are required to implement every security control in NIST 800-171.

Your company’s size does not matter. A five-person machine shop receiving schematics marked as CUI has the same responsibility to protect that data as a major aerospace prime. Even encrypting the data does not change this. You can read more about why encrypted CUI is still CUI.

How NIST 800-171 connects to CMMC and DFARS

These three frameworks work together:

DFARS 252.204-7012 is the contract clause. It requires defense contractors to provide “adequate security” for CUI and report cyber incidents to the DoD within 72 hours. It references NIST 800-171 as the security standard.

NIST 800-171 is the standard. It defines the 110 security requirements across 14 control families. It tells you what you need to implement.

CMMC Level 2 is the verification. It maps one-to-one to the 110 NIST 800-171 requirements. A C3PAO assesses whether you actually implemented them, replacing the old self-attestation model.

If someone asks whether you need NIST 800-171, CMMC, or DFARS compliance, the answer is all three. DFARS is the legal obligation, NIST 800-171 is the technical standard, and CMMC is the audit.

NIST 800-171 vs NIST 800-53

NIST SP 800-53 is the full catalog of security controls the federal government uses for its own internal systems. It is massive and covers every possible security measure a government agency might need.

NIST SP 800-171 pulls a subset of those controls and tailors them for non-federal organizations. Its sole purpose is to protect CUI when it leaves government networks. You are responsible for the 110 requirements in 800-171, not the full 800-53 catalog.

Revision 2 vs Revision 3

Revision 2 of NIST SP 800-171 is the current standard for CMMC Level 2. Revision 3 was finalized in May 2024 and introduces stricter, government-mandated parameters for certain controls (replacing the contractor-defined settings allowed under Rev 2).

The DoD has issued a class deviation keeping contractors aligned with Revision 2 for now. Expect Revision 3 to become the baseline in a future CMMC update.

The 14 control families

NIST 800-171 organizes its 110 requirements into 14 families. Here is what each one covers and why it matters for your systems.

Access Control (AC): 22 requirements

The largest family. Covers who can access what, how access is granted, and how it is revoked. Key requirements:

  • Limit system access to authorized users (AC-1)
  • Enforce least privilege (AC-2)
  • Require MFA for network and local access (AC-3)
  • Control remote access sessions (AC-17)

What your assessor checks: User account management, role-based access, MFA enforcement, session timeouts. If a former employee still has an active account, that is a finding.

Awareness and Training (AT): 3 requirements

Ensure personnel understand their security responsibilities. Key requirements:

  • Provide security awareness training
  • Train personnel on recognizing and reporting threats
  • Provide role-based training for privileged users

What your assessor checks: Training records, frequency of training, whether privileged users receive additional training.

Audit and Accountability (AU): 9 requirements

Create, protect, and review audit logs. Key requirements:

  • Define auditable events (AU-2)
  • Ensure audit records contain sufficient detail (AU-3)
  • Protect audit logs from unauthorized modification (AU-9)
  • Review and analyze logs for indicators of compromise (AU-6)

What your assessor checks: Log coverage, log retention, log immutability, evidence of regular log review. This is where most email and file storage systems fail. For specifics, read CMMC Level 2 Email Controls: What Your C3PAO Will Ask.
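The two hardest AU items to evidence are log immutability and regular review. The following is an added example (not code from the original post or from IRONKEEP) showing one way to make a log tamper-evident: each record carries an HMAC that also covers the previous record's HMAC, so editing, reordering or deleting an interior entry is detected at that position, together with a minimal review pass that flags repeated failed logins. The key, field names and sample events are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for this example only. In a real deployment the verification
# key is held by the log collector, not by the hosts that write the records.
LOG_KEY = b"example-only-hmac-key-not-for-production"
GENESIS = "0" * 64  # chain value before the first record

# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"ts": "2025-01-06T08:01:00Z", "user": "jdoe", "event": "login", "result": "success"},
    {"ts": "2025-01-06T08:02:10Z", "user": "svc-backup", "event": "login", "result": "failure"},
    {"ts": "2025-01-06T08:02:14Z", "user": "svc-backup", "event": "login", "result": "failure"},
    {"ts": "2025-01-06T08:02:19Z", "user": "svc-backup", "event": "login", "result": "failure"},
    {"ts": "2025-01-06T08:05:00Z", "user": "jdoe", "event": "file_read",
     "object": "/cui-share/drawing-1042.pdf", "result": "success"},
]


def _mac(key, prev_mac, record):
    """HMAC-SHA256 over the previous entry's MAC plus the canonical JSON of this record."""
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain, record, key=LOG_KEY):
    """Append a record whose MAC binds it to everything written before it."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    rec = dict(record)  # store a copy so later edits to the caller's dict cannot alias the log
    chain.append({"record": rec, "mac": _mac(key, prev_mac, rec)})
    return chain


def verify_chain(chain, key=LOG_KEY):
    """Return (True, None) if intact, else (False, index) of the first entry that fails.
    Editing, reordering or deleting an interior entry breaks every MAC from that
    point on. Truncating the tail is not caught by the chain alone: the latest MAC
    must also be recorded out of band (for example on the log collector)."""
    prev_mac = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["mac"], _mac(key, prev_mac, entry["record"])):
            return False, i
        prev_mac = entry["mac"]
    return True, None


def failed_login_indicators(chain, threshold=3):
    """A minimal AU-6 style review: users with repeated failed logins in the log."""
    counts = {}
    for entry in chain:
        r = entry["record"]
        if r.get("event") == "login" and r.get("result") == "failure":
            counts[r["user"]] = counts.get(r["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_record(chain, ev)
    return chain


def edit_demo():
    """An after-the-fact edit of entry 1 (failed login rewritten as success) is detected there."""
    chain = build_sample_chain()
    chain[1]["record"]["result"] = "success"
    return verify_chain(chain)


def delete_demo():
    """Deleting entry 2 is detected at index 2, where the next record no longer links up."""
    chain = build_sample_chain()
    del chain[2]
    return verify_chain(chain)


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("repeated failed logins:", failed_login_indicators(chain))
    print("after edit:", edit_demo(), "after delete:", delete_demo())
```

Running the file prints the intact verification result, the user with repeated failed logins, and the index at which each tampering attempt is caught. The evidence an assessor wants for AU-9 is the verification step running on a host the record writers cannot administer; the chain itself is only the mechanism.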

Configuration Management (CM): 9 requirements

Establish and maintain secure configurations. Key requirements:

  • Establish baseline configurations
  • Track and control changes
  • Restrict unauthorized software
  • Define and enforce security configuration settings

What your assessor checks: Documented baselines, change management processes, software whitelisting or blacklisting.
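A documented baseline is only useful if you can show the live system still matches it. The following is an added example (not from the original post or from IRONKEEP) of the simplest form of that check: hash every file under a configuration tree into a manifest, keep the manifest with the approved change record, and later diff a fresh manifest against it to list files added, removed or modified. The directory layout, file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def manifest_to_json(manifest):
    """Canonical form of the baseline, suitable for storing with the change record."""
    return json.dumps(manifest, sort_keys=True, indent=2)


def diff_manifests(baseline, current):
    """Report files added, removed or changed relative to the approved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small config tree, then introduce two
    unapproved changes and report the drift. File names and contents are made up."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        approved = {
            "etc/sshd_config": "PasswordAuthentication no\nPermitRootLogin no\n",
            "etc/audit.rules": "-w /srv/cui -p rwa -k cui_access\n",
        }
        for rel, body in approved.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        # Round-trip through JSON, as it would be when stored with the change record
        baseline = json.loads(manifest_to_json(build_manifest(root)))

        # Drift: a hardening setting is weakened and an unapproved file appears.
        with open(os.path.join(root, "etc/sshd_config"), "w") as f:
            f.write("PasswordAuthentication yes\nPermitRootLogin no\n")
        with open(os.path.join(root, "etc/rc.local"), "w") as f:
            f.write("/opt/unapproved-agent &\n")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Every entry in the "modified" or "added" list should trace to an approved change ticket; anything that does not is either unauthorized change or an undocumented one, and both are CM findings. Content hashes catch silent edits that a timestamp or package version check would miss.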

Identification and Authentication (IA): 11 requirements

Verify user identities before granting access. Key requirements:

  • Uniquely identify and authenticate users (IA-2)
  • Enforce password complexity and rotation (IA-5)
  • Use MFA for privileged and network access (IA-2)

What your assessor checks: Password policy settings, MFA configuration, whether shared accounts exist (they should not).

Incident Response (IR): 3 requirements

Prepare for, detect, and respond to security incidents. Key requirements:

  • Establish incident response capability
  • Test incident response plans
  • Report incidents to appropriate authorities

What your assessor checks: Documented incident response plan, evidence of drills, ability to detect and report within 72 hours per DFARS. For details on the 72-hour requirement, read DFARS 72-Hour Cyber Incident Reporting.

Maintenance (MA): 6 requirements

Perform maintenance securely. Key requirements:

  • Perform maintenance on systems in a timely manner
  • Control maintenance tools
  • Supervise maintenance personnel without clearance

What your assessor checks: Patch management records, maintenance logs, controls on maintenance tools.

Media Protection (MP): 9 requirements

Protect CUI on storage media. Key requirements:

  • Protect system media containing CUI
  • Mark media with CUI designations
  • Control access to media
  • Sanitize media before disposal or reuse

What your assessor checks: Encryption on removable media, data destruction procedures, media handling policies.

Personnel Security (PS): 2 requirements

Screen and manage personnel with access to CUI. Key requirements:

  • Screen individuals before granting access
  • Protect CUI during personnel actions (termination, transfer)

What your assessor checks: Background check processes, account deactivation procedures when employees leave.
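The account-deactivation check that both the Access Control section above and this Personnel Security section describe (a former employee with an active account is a finding) can be run as a periodic reconciliation rather than waiting for an assessor to find it. The following is an added example, not code from the original post or from IRONKEEP: it joins an HR roster against a directory export and flags enabled accounts that belong to terminated people, have no HR record at all, or have not logged on within a dormancy window. The roster, account list, field names and review date are constructed for the example, not any particular HR system's or directory's schema.

```python
from datetime import datetime, timedelta, timezone

# Constructed HR roster and directory export; the field names are assumptions,
# not any particular HR system's or directory's schema.
HR_ROSTER = [
    {"user": "jdoe", "status": "active"},
    {"user": "asmith", "status": "terminated", "separated": "2025-01-10"},
    {"user": "bnguyen", "status": "active"},
]
DIRECTORY_ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "last_logon": "2025-02-01T09:00:00Z"},
    {"user": "asmith", "enabled": True, "last_logon": "2025-01-09T17:30:00Z"},
    {"user": "bnguyen", "enabled": True, "last_logon": "2024-09-15T08:00:00Z"},
    {"user": "svc-legacy", "enabled": True, "last_logon": None},
    {"user": "contractor-old", "enabled": False, "last_logon": "2024-03-01T10:00:00Z"},
]
AS_OF = datetime(2025, 2, 5, tzinfo=timezone.utc)  # constructed review date


def _parse_ts(value):
    """Parse the directory's UTC timestamp format used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_accounts(roster, accounts, as_of, dormant_days=90):
    """Return (user, reason) findings for enabled accounts that should not be enabled."""
    findings = []
    by_user = {r["user"]: r for r in roster}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled is the expected end state for departed users; nothing to flag
        person = by_user.get(acct["user"])
        if person is None:
            findings.append((acct["user"], "no HR record for enabled account"))
        elif person["status"] == "terminated":
            findings.append((acct["user"], "enabled after termination on " + person["separated"]))
        last = acct["last_logon"]
        if last is None:
            findings.append((acct["user"], "never logged on"))
        elif as_of - _parse_ts(last) > timedelta(days=dormant_days):
            findings.append((acct["user"], "dormant for more than %d days" % dormant_days))
    return findings


def run_sample():
    """Run the audit over the constructed data as of the constructed review date."""
    return audit_accounts(HR_ROSTER, DIRECTORY_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, reason in run_sample():
        print("%-16s %s" % (user, reason))
```

Service accounts with no HR owner and no logon history (svc-legacy in the sample) are the usual surprise in this report; each one needs a named owner and a documented purpose, or it gets disabled. The termination check is only as good as the HR feed's timeliness, so the report date and the roster export date should be recorded together as evidence.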

Physical Protection (PE): 6 requirements

Control physical access to systems and facilities. Key requirements:

  • Limit physical access to authorized individuals
  • Maintain visitor logs
  • Control and manage physical access devices (keys, badges)

What your assessor checks: Facility access controls, visitor management, security camera coverage.

Risk Assessment (RA): 3 requirements

Identify and manage risk. Key requirements:

  • Conduct periodic risk assessments
  • Scan for vulnerabilities
  • Remediate vulnerabilities in a timely manner

What your assessor checks: Risk assessment documentation, vulnerability scan results, remediation timelines.

Security Assessment (CA): 4 requirements

Evaluate and improve security controls. Key requirements:

  • Periodically assess security controls
  • Develop and implement plans of action for deficiencies
  • Monitor security controls on an ongoing basis

What your assessor checks: Your System Security Plan (SSP), Plans of Action and Milestones (POA&Ms), evidence of ongoing monitoring.

System and Communications Protection (SC): 16 requirements

Protect data in transit and at rest. Key requirements:

  • Monitor and control communications at system boundaries (SC-7)
  • Use encryption to protect CUI in transit (SC-8)
  • Use FIPS-validated cryptography (SC-13)
  • Protect CUI at rest (SC-28)

What your assessor checks: TLS enforcement, FIPS 140-2/3 validated encryption modules, DLP policies, boundary protection. This family directly affects your choice of email and storage provider.

System and Information Integrity (SI): 7 requirements

Detect and correct flaws. Key requirements:

  • Identify and correct information system flaws
  • Provide protection from malicious code
  • Monitor system security alerts
  • Perform periodic security scans

What your assessor checks: Patch management, antimalware deployment, security alerting configuration.

What most contractors get wrong

Treating it as an IT project. NIST 800-171 covers organizational processes, not just technology. Training, personnel security, physical access, and risk assessment are all non-technical.

Ignoring the SSP. The System Security Plan documents how every requirement is implemented. Without it, you cannot pass an assessment. It is the single most important document in your compliance program.

Assuming their tools are compliant. Commercial Office 365, Google Workspace, and Dropbox do not meet NIST 800-171 requirements out of the box. Compliance requires specific configurations, add-ons, or purpose-built platforms. Read CMMC Compliant Email Pricing in 2026 for a cost comparison.

Thinking a POA&M is enough. Under CMMC, you must prove that controls are fully implemented. A POA&M is only for tracking minor, low-risk findings or documenting a temporary fix. You cannot pass a CMMC assessment with major gaps sitting on a POA&M.

Waiting until the assessment is scheduled. Remediation takes time. If your email system, file storage, or access controls have gaps, fixing them is measured in weeks or months, not days.

How to get compliant

Phase 1: Scope your CUI environment

You cannot protect what you do not know you have. Trace every piece of CUI through your organization: email attachments, shared drives, cloud storage, local laptops, applications. A well-defined scope prevents both unprotected data and wasted effort on systems that are not in scope.

Phase 2: Run a gap analysis

Go through each of the 110 requirements and document whether you meet them, partially meet them, or do not meet them. The output is a control-by-control report showing exactly where you pass and where you fail.

Phase 3: Build your SSP and POA&M

System Security Plan (SSP): For every requirement, describe how your organization implements it. Be specific. “We use encryption” is not sufficient. “All email in transit is encrypted using TLS 1.2 with FIPS 140-3 validated modules” is.

Plan of Action and Milestones (POA&M): For every gap, document the plan to close it: what needs to change, who is responsible, and the deadline.

An assessor will ask for both of these immediately. They are the first things a C3PAO reviews.

Phase 4: Implement and document

Follow your POA&M and close gaps. Every new policy, tool deployment, and training session becomes evidence that updates your SSP. Fix your CUI boundary first. Email and file storage are usually the highest-risk gaps and the fastest to close.

NIST 800-171 is the standard your CMMC assessment is built on. Understanding it is not optional. It is the foundation of everything else in your compliance program.

Your email and storage are the fastest gaps to close

Most of the 110 requirements involve organizational processes that take time to build. But your email and file storage can be compliant this week. IRONKEEP bundles encrypted email, file storage, calendar, and contacts under one authorization boundary that maps to NIST 800-171 controls out of the box. Zero operator access, FIPS 140-3 encryption, US-only infrastructure. No GCC High tenant rebuild. No $200K migration. Lock in founding member pricing before we launch.
