
NIST SP 800-171 Compliance: Complete Guide to Requirements and Controls

Winning a Department of Defense (DoD) contract often comes down to a single question: can you protect Controlled Unclassified Information (CUI) consistently and credibly across your environment?

NIST Special Publication 800-171 (NIST SP 800-171) is the framework that answers how. It defines 110 security requirements in Revision 2—organized into 14 control families—and provides the baseline for protecting CUI in nonfederal systems. Revision 3 consolidates these into 97 requirements across 17 families and strengthens alignment with other federal guidance.

This guide breaks down the control families, explains who must comply, walks through the compliance process step by step, and shows how NIST 800-171 connects to DFARS and CMMC. It closes with how Drata helps teams operationalize NIST 800-171 and stay ready for assessments.

What Is NIST SP 800-171?

NIST SP 800-171 is a cybersecurity framework published by the National Institute of Standards and Technology (NIST) to protect the confidentiality of Controlled Unclassified Information in nonfederal information systems and organizations. It applies to contractors, universities, research institutions, and state or local governments that process, store, or transmit CUI on behalf of the U.S. government.

NIST 800-171 requirements are performance-based and intended to fit into existing nonfederal systems. They build on control language from NIST SP 800-53, but are tailored specifically to CUI in nonfederal environments.

What Is Controlled Unclassified Information?

Controlled Unclassified Information refers to sensitive information that requires safeguarding or dissemination controls, but is not classified under executive order. Before CUI, federal agencies used dozens of different markings and handling procedures for similar types of information, leading to inconsistent protections and confusion across partners.

The CUI designation standardizes how nonfederal organizations handle this information under federal contracts and agreements.

CUI Categories and Examples

Common CUI categories include:

  • Export-controlled information (e.g., technical data subject to ITAR or EAR)

  • Proprietary business information (e.g., contract details, pricing, procurement-sensitive data)

  • Privacy information (e.g., personally identifiable information from federal programs)

  • Law enforcement sensitive data (e.g., investigation details shared with contractors)

  • Critical infrastructure information (e.g., details about federal systems or facilities)

Where CUI Appears in Your Environment

CUI rarely sits in just one system. It often shows up in email, file shares, cloud storage, engineering repositories, ticketing systems, knowledge bases, and collaboration tools. It also flows through your supply chain to subcontractors and service providers.

Mapping where CUI lives, how it moves, and who can access it is the first step in scoping NIST 800-171 and identifying which systems fall under the framework.

Who Must Comply With NIST 800-171?

NIST 800-171 applies to nonfederal organizations that handle CUI on behalf of the federal government. If federal contracts, grants, or agreements require you to protect CUI, NIST 800-171 is typically the baseline.

Federal Contractors and Subcontractors

Any organization in the DoD supply chain that handles CUI is expected to implement NIST 800-171 requirements. That extends to subcontractors at all tiers. If CUI flows down to you, so do the obligations.

Other Organizations Handling CUI

Beyond defense contractors, NIST 800-171 also applies when universities, research institutions, state and local governments, and other partners process CUI under federal contracts or agreements.

DFARS and NIST 800-171

The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 makes NIST 800-171 a contractual requirement for many DoD contractors and subcontractors. The clause also requires reporting certain cyber incidents within 72 hours of discovery.

In practice:

  • DFARS 252.204-7012 is the contractual clause that requires you to protect CUI.

  • NIST SP 800-171 defines the security requirements.

  • NIST SP 800-171A provides assessment procedures and objectives.

  • SPRS (Supplier Performance Risk System) is where DoD contractors post their self-assessment scores, as required by DFARS 252.204-7019 and 252.204-7020.

Contracting officers review SPRS scores as part of source selection, so inaccurate or unsupported scores can create both contractual and enforcement risk.

NIST 800-171 and CMMC

The Cybersecurity Maturity Model Certification (CMMC) builds directly on NIST 800-171. CMMC Level 2 maps to NIST 800-171 requirements and adds a formal assessment layer for certain contracts.

Key points:

  • NIST 800-171 allows self-assessment and SPRS self-reporting.

  • CMMC Level 2 still relies on NIST 800-171 controls, but some contracts require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with an annual affirmation in between.

  • Achieving and maintaining NIST 800-171 alignment is a core step toward meeting CMMC Level 2 expectations.

As of today, CMMC program materials reference NIST 800-171 Revision 2. Organizations should monitor official DoD guidance for when and how CMMC will move to Revision 3.

NIST SP 800-171 Security Requirements

NIST 800-171 requirements come in two forms, and the framework expects two governance artifacts alongside them:

  1. Basic security requirements

  2. Derived security requirements

  3. Documentation artifacts, namely the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M), which requirement 3.12.4 and 3.12.2 respectively call for

Basic Security Requirements

Basic requirements are high-level statements derived from FIPS 200. They describe what you need to achieve, such as limiting system access to authorized users or protecting CUI in transit and at rest.

Derived Security Requirements

Derived requirements are more specific controls, largely based on NIST SP 800-53. They describe how to implement protections, such as enforcing least privilege, separating duties, controlling remote access, and monitoring audit logs.

System Security Plan (SSP)

The SSP is the primary document that explains how your organization implements each NIST 800-171 requirement. It defines system boundaries, describes the operating environment, and documents how controls work in practice. Assessors rely heavily on your SSP to understand your implementation and verify alignment.

Plan of Action and Milestones (POA&M)

The POA&M tracks gaps between your current state and full implementation. It lists unimplemented or partially implemented requirements, remediation steps, responsible parties, and target completion dates. A well-maintained POA&M demonstrates that you understand your gaps and are actively working to close them.

NIST 800-171 Control Families

NIST 800-171 Revision 2 organizes requirements into 14 control families that cover the full lifecycle of protecting CUI:

  • Access Control (AC): Limit system access to authorized users, processes, and devices; enforce least privilege and manage remote access.

  • Awareness and Training (AT): Ensure personnel understand their security responsibilities through role-based training and ongoing awareness.

  • Audit and Accountability (AU): Generate, protect, and retain audit records that can trace actions to individual users.

  • Configuration Management (CM): Establish and maintain secure configurations, and control changes across system lifecycles.

  • Identification and Authentication (IA): Verify user and device identity, including multi-factor authentication where required.

  • Incident Response (IR): Detect, analyze, contain, and recover from incidents, with documented procedures and reporting.

  • Maintenance (MA): Control maintenance activities and personnel, including remote maintenance sessions.

  • Media Protection (MP): Protect and sanitize media containing CUI, including storage, transport, reuse, and disposal.

  • Personnel Security (PS): Screen individuals before granting access and protect CUI during personnel changes.

  • Physical Protection (PE): Limit physical access to systems, equipment, and facilities where CUI is processed.

  • Risk Assessment (RA): Periodically assess risk, perform vulnerability scans, and analyze findings.

  • Security Assessment (CA): Assess controls periodically, maintain the SSP and POA&M, and monitor systems for deficiencies. (Revision 3 renames this family Security Assessment and Monitoring.)

  • System and Communications Protection (SC): Monitor and protect communications at system boundaries using cryptographic and network protections.

  • System and Information Integrity (SI): Identify and remediate system flaws and protect against malicious code and unauthorized changes.

NIST 800-171 Revision 3 refines and reorganizes requirements, and introduces three additional families—Planning, Supply Chain Risk Management, and System and Services Acquisition—to better address organization-level and supply chain risks.

How to Achieve NIST 800-171 Compliance

NIST 800-171 can feel complex, but the work becomes manageable when you break it into clear steps. The sequence below reflects common best practice and aligns with NIST guidance and DoD assessment expectations.

1. Identify Your CUI Environment

Start by determining what CUI you handle, where it resides, and how it flows across systems, users, and vendors. Clearly define the system boundary for CUI; this scope drives which assets, accounts, and processes must meet NIST 800-171 requirements.

2. Conduct a Gap Assessment

Compare your current controls against NIST 800-171 requirements. Identify which requirements are fully implemented, partially implemented, or not implemented at all. Use NIST SP 800-171A assessment objectives to make your evaluation more concrete and repeatable.

3. Develop Your System Security Plan

Document how you implement each requirement, including technical, administrative, and physical controls. Describe system architecture, data flows, and any shared responsibility with cloud or service providers. Your SSP should be specific enough that an independent assessor can understand your implementation without guesswork.

4. Implement Required Security Controls

Address the gaps you identified, prioritizing by risk and contractual timelines. Some requirements call for new technical controls (such as MFA, which the article's source reports only 27% of defense contractors have implemented, or endpoint protection), while others focus on policies, procedures, or training. Coordinate with system owners, IT, and security teams so implementation is consistent across the CUI boundary.

5. Create and Maintain a POA&M

Track remaining gaps and remediation work in a POA&M. For each item, capture the affected requirement, risk context, remediation steps, ownership, and target completion date. Update the POA&M as you make progress so that your internal stakeholders and assessors both see an accurate picture of outstanding work.

6. Perform a Self-Assessment Using NIST Scoring

Use the DoD Assessment Methodology to calculate your SPRS score. Each of the 110 requirements carries a weight of 1, 3, or 5 points; you start at 110 and subtract the weight of every requirement that is not fully implemented, so the lowest possible score is -203. A partially implemented requirement earns no credit, with two exceptions the methodology spells out: MFA (3.5.3) and FIPS-validated cryptography (3.13.11) lose 3 points instead of 5 when partly in place. Tie each deduction to documented evidence in your SSP and POA&M so you can defend your score during reviews.

7. Submit Assessment Scores to SPRS

Submit your self-assessment score to the Supplier Performance Risk System and keep it current. DFARS 252.204-7019 treats a score as current only if it is no more than three years old, CMMC adds an annual affirmation, and in practice you should update the score whenever your security posture or CUI environment changes significantly.
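As an added worked example (not code from the original article or from Drata), the following script ties steps 2, 5 and 6 together: it takes NIST SP 800-171A objective results from a gap assessment, rolls them up to requirement status using 800-171A's rule that a requirement is met only when every objective is satisfied, applies the DoD Assessment Methodology weights and the two partial-credit cases, and emits the open POA&M items. The weight table covers only the six requirements in the sample and the objective results are constructed; the script assumes the other 104 requirements are implemented, and the special handling of 3.12.4 reflects the methodology's position that an assessment cannot be scored without an SSP. Look every weight up in Annex A of the methodology before relying on it.

```python
"""Roll 800-171A objective results up to requirement status and compute a
DoD Assessment Methodology (SPRS) score. Added example; weights and sample
results are illustrative only."""
from dataclasses import dataclass

MAX_SCORE = 110   # all 110 Rev 2 requirements fully implemented
MIN_SCORE = -203  # floor reached when every requirement is unimplemented

# Point values for the requirements used in the sample. The methodology assigns
# 1, 3 or 5 points to each of the 110 requirements; only six are listed here.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.12.4": 5,   # system security plan
    "3.13.11": 5,  # FIPS-validated cryptography for CUI confidentiality
}

# The only two requirements that score 3 instead of 5 when partially met.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote and privileged users, not general users
    "3.13.11": 3,  # encryption in place, but not FIPS-validated
}


@dataclass
class Requirement:
    rid: str
    objectives: dict        # 800-171A objective id -> True if satisfied
    partial: bool = False   # set only where PARTIAL_CREDIT applies

    def implemented(self) -> bool:
        # 800-171A: met only when every assessment objective is satisfied
        return all(self.objectives.values())


def deduction(req: Requirement) -> int:
    """Points subtracted for one requirement under the DoD methodology."""
    if req.implemented():
        return 0
    if req.partial and req.rid in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.rid]
    return WEIGHTS[req.rid]


def scoreable(reqs: list) -> bool:
    """No SSP (3.12.4 not met) means the assessment cannot be scored."""
    ssp = next((r for r in reqs if r.rid == "3.12.4"), None)
    return ssp is None or ssp.implemented()


def sprs_score(reqs: list) -> int:
    if not scoreable(reqs):
        raise ValueError("3.12.4 not met: no SSP, assessment cannot be scored")
    return max(MAX_SCORE - sum(deduction(r) for r in reqs), MIN_SCORE)


def poam_items(reqs: list) -> list:
    """(requirement id, [open objective ids]) for every unmet requirement."""
    return [
        (r.rid, [oid for oid, ok in r.objectives.items() if not ok])
        for r in reqs if not r.implemented()
    ]


def sample_assessment() -> list:
    # Constructed gap-assessment results. Objective ids follow the 800-171A
    # "3.x.y[a]" style; the pass/fail values are invented for this example.
    return [
        Requirement("3.1.1", {"3.1.1[a]": True, "3.1.1[b]": True, "3.1.1[c]": True}),
        Requirement("3.1.20", {"3.1.20[a]": True, "3.1.20[b]": False}),
        Requirement("3.3.1", {"3.3.1[a]": True, "3.3.1[b]": True}),
        # MFA enforced for privileged and remote access; general users on the
        # LAN still authenticate with a password only -> partial credit case.
        Requirement("3.5.3", {"3.5.3[a]": True, "3.5.3[b]": True,
                              "3.5.3[c]": True, "3.5.3[d]": False}, partial=True),
        Requirement("3.12.4", {"3.12.4[a]": True}),
        # CUI file share is not encrypted at all -> full 5-point deduction.
        Requirement("3.13.11", {"3.13.11[a]": False}),
    ]


if __name__ == "__main__":
    reqs = sample_assessment()
    print("SPRS score:", sprs_score(reqs))          # 101 for the sample
    for rid, gaps in poam_items(reqs):
        print(f"POA&M item {rid}: open objectives {gaps}")
```

The roll-up is deliberately strict: a requirement with one failed objective is "not implemented" for scoring purposes, which matches how a DIBCAC or C3PAO assessor will read it, even if most of the objectives pass.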

NIST 800-171 Revision 2 vs. Revision 3

NIST SP 800-171 Revision 3, finalized in 2024, updates and consolidates requirements while improving alignment with NIST SP 800-53 and other federal cybersecurity policies.

Key Changes in Revision 3

Revision 3:

  • Refines and consolidates some requirements to reduce redundancy.

  • Introduces organization-defined parameters (ODPs) so organizations can tailor certain controls to context.

  • Places greater emphasis on organization-level requirements and supply chain security.

  • Aligns more closely with NIST SP 800-53, making it easier to map controls across frameworks.

Transition Considerations

As of now, many DoD contracts and CMMC materials reference NIST 800-171 Revision 2, while Revision 3 represents the latest NIST guidance. Most organizations will prioritize Rev 2 compliance to meet contractual obligations, while beginning to design controls that are compatible with Rev 3 to simplify future transitions.

Penalties and Business Impact of Non-Compliance

NIST 800-171 is not an optional best practice for organizations handling CUI under applicable contracts. Failure to implement required safeguards can lead to loss of current contracts, exclusion from future DoD work, and potential False Claims Act liability if you misrepresent your posture.

Because NIST 800-171 underpins CMMC and interacts with other frameworks like NIST 800-53 and NIST CSF, gaps can also affect your broader security and compliance posture.

How Drata Supports NIST 800-171

Drata provides the Agentic Trust Management Platform that helps organizations align with NIST 800-171 and maintain continuous readiness across frameworks—not just at audit time. Within Drata, dedicated NIST 800-171 Rev. 2 and Rev. 3 framework mappings are available to help teams organize requirements, connect them to controls, and monitor progress.

At a high level, Drata helps you:

  • Map and manage NIST 800-171 requirements. Track requirements and assessment objectives from NIST 800-171 and 800-171A in a single workspace, with ownership, status, and due dates.

  • Centralize and monitor controls. Use Drata’s control library and automation to continuously monitor key technical and administrative controls that support NIST 800-171, and surface issues that require follow-up.

  • Unify evidence and audit artifacts. Store and organize evidence, SSP content, and POA&M details in one place so you can respond to self-assessments, SPRS-related reviews, and other evaluations with less manual effort. For CUI and other regulated artifacts, many organizations use Drata as the governance layer—linking out to secure enclaves where sensitive data is stored instead of placing CUI directly in Drata.

  • Connect NIST 800-171 to risk and third-party oversight. Link requirements to risks and third-party vendors so you can see where CUI-related risk exists, how it's mitigated, and which suppliers must align with your expectations.

  • Share your posture with stakeholders. Use Drata’s Trust Center and Trust Library capabilities to publish approved NIST 800-171 documentation and alignment summaries securely to customers, prime contractors, or partners, with controlled access and auditability.

Because Drata is a governance and automation platform—not a FedRAMP Moderate or CMMC-certified enclave—it should not be used to store CUI itself. Many customers instead keep CUI and regulated evidence in a FedRAMP-authorized or equivalent environment and reference those artifacts from Drata.

To learn more about how Drata supports NIST 800-171, visit the NIST 800-171 product page or request a demo.

FAQs About NIST SP 800-171 Compliance

What happens if we don't comply with NIST 800-171?

Non-compliance can result in contract termination, loss of eligibility for future awards, and potential False Claims Act liability if you misstate your security posture. Reputational damage and strained relationships with prime contractors are also common consequences.

Can a small business realistically meet NIST 800-171?

Yes. Smaller organizations often lean on secure cloud providers, strong access control patterns, and automation to meet requirements with fewer internal resources. Many also use platforms like Drata to keep controls, evidence, and tasks organized instead of managing everything in spreadsheets and email threads.

Does NIST 800-171 require a third-party certification?

NIST 800-171 itself does not require a formal third-party certification. Assessments are typically self-assessments that generate an SPRS score. However, CMMC Level 2 builds on NIST 800-171 and will require third-party assessments for certain contracts once fully in effect.

How often should we reassess?

Organizations handling CUI are expected to reassess at least annually and update their SPRS score when material changes occur in their environment, such as new systems, major architectural changes, or incidents that affect CUI protections.


APRIL 29, 2026
NIST Collection