- NIST SP 800-171 is a cybersecurity framework that defines 110 security requirements across 14 control families to protect Controlled Unclassified Information (CUI) in nonfederal systems used by DoD contractors and subcontractors.
- NIST SP 800-171 forms the foundation of CMMC Level 2 compliance, with organizations required to implement controls, maintain documentation such as SSPs and POA&Ms, submit SPRS scores, and prepare for self or third-party assessments.
- Achieving and maintaining NIST SP 800-171 compliance requires continuous monitoring, FIPS-validated encryption, audit-ready documentation, and ongoing management of security controls, vendors, and CUI environments.
What is NIST SP 800-171?
NIST SP 800-171 is a cybersecurity framework published by the National Institute of Standards and Technology (NIST) for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It includes 110 security requirements across 14 control families and is required for many Department of Defense (DoD) contractors under DFARS 252.204-7012.
In simple terms, what is NIST SP 800-171? It is the baseline security standard that DoD contractors must follow when handling CUI in nonfederal environments.
The framework forms the foundation of CMMC Level 2 requirements, making compliance critical for organizations working within the defense supply chain. NIST SP 800-171 Rev. 3, released in 2024, also expands security guidance and introduces updated control recommendations to address evolving cyber threats, although many active contracts still reference Rev. 2.
According to a 2024 CyberSheath readiness study, only 4% of surveyed defense contractors believed they were fully prepared for CMMC certification, highlighting major compliance gaps across the industry.
NIST SP 800-171 at a glance
| Category | Details |
|---|---|
| Full title | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |
| Published by | NIST |
| Current version | Rev 3 (2024), while Rev 2 remains the basis for current DoD contracts and CMMC assessments |
| Requirements | 110 security requirements (Rev. 2) |
| Families | 14 requirement families |
| Who must comply | DoD contractors and subcontractors handling CUI |
| Legal basis | DFARS 252.204-7012 |
| CMMC link | Forms the foundation of CMMC Level 2 |
| Reporting | SPRS score submission required for applicable contracts |
NIST SP 800-171 simplified
At its core, NIST SP 800-171 is a security checklist designed to help organizations protect CUI in nonfederal systems and environments.
The framework outlines the security controls contractors must implement across areas such as access control, authentication, encryption, incident response, monitoring, and employee security practices. These requirements help reduce the risk of unauthorized access, data breaches, and supply chain compromise.
Organizations are also expected to assess their implementation status, document gaps, and calculate an SPRS score based on the DoD assessment methodology. Under CMMC 2.0, many contractors must now go beyond self-attestation and demonstrate compliance through formal assessments and supporting documentation.
The following sections break down the 14 requirement families, encryption requirements, compliance checklist, assessment process, and practical steps needed to achieve and maintain NIST SP 800-171 compliance.
How does NIST SP 800-171 support CMMC compliance?
NIST SP 800-171 forms the foundation of CMMC Level 2 requirements for organizations handling CUI within the Defense Industrial Base (DIB). In practice, the 110 security requirements in NIST SP 800-171 are the same controls assessed under CMMC Level 2. The key difference is that CMMC introduces formal verification through self-assessments or certified third-party audits.
Before CMMC 2.0, organizations primarily relied on self-attestation and SPRS score submissions to demonstrate compliance with DFARS 252.204-7012. CMMC 2.0 shifts the focus toward verifiable implementation, requiring contractors to prove that controls are properly implemented, documented, and maintained over time.
NIST SP 800-171 vs. CMMC Level 2
| Dimension | NIST SP 800-171 | CMMC Level 2 |
|---|---|---|
| Requirements | 110 security requirements | Same 110 security requirements |
| Verification | Primarily self-attestation | Self-assessment or third-party audit |
| Legal driver | DFARS 252.204-7012 | CMMC program requirements |
| Documentation | SSP and POA&M | SSP, POA&M, and additional audit evidence |
| Enforcement | Contractual obligation | Certification through authorized assessors |
Organizations pursuing CMMC Level 2 must still implement the full NIST SP 800-171 requirement set, including access control, incident response, configuration management, and audit logging controls. The difference is that CMMC validates whether those controls are operating effectively through structured assessments.
Depending on the contract type, organizations may follow one of two assessment paths:
- Self-assessment: Used for select Level 2 contracts, with results submitted to SPRS annually.
- Third-party assessment: Conducted by a Certified Third-Party Assessment Organization (C3PAO) every three years for prioritized acquisitions.
For most contractors, achieving CMMC readiness starts with implementing and documenting NIST SP 800-171 requirements effectively.
Who needs to comply with NIST SP 800-171?
NIST SP 800-171 compliance applies to organizations within the DIB that handle, process, store, or transmit CUI as part of a DoD contract. The requirement is driven by DFARS 252.204-7012, which mandates the implementation of NIST SP 800-171 security requirements across the defense supply chain.
Compliance obligations extend beyond prime contractors. Subcontractors, suppliers, and service providers that interact with CUI may also be required to comply, depending on their role in the contract and access to sensitive information.
Organizations that must comply with NIST SP 800-171
| Organization type | Must comply | Reason |
|---|---|---|
| Prime contractor handling CUI | Yes | Required under DFARS 252.204-7012 |
| Subcontractor with CUI access | Yes | DFARS flow-down requirement |
| Cloud provider handling CUI | Yes | Shared responsibility for protecting CUI |
| Commercial non-DoD company | No | Outside DoD compliance scope |
| Organization with no CUI involvement | No | No regulatory trigger |
Because DFARS requirements flow down through the supply chain, organizations cannot assume compliance obligations apply only to large defense contractors. Any vendor, supplier, or technology provider with access to CUI may need to implement the NIST 800-171 requirements and maintain supporting documentation, including SSPs and POA&Ms.
For many organizations, compliance is not just about meeting contractual obligations. It is also necessary for maintaining eligibility for future DoD contracts and supporting broader supply chain security initiatives.
Exploring the 14 NIST SP 800-171 requirement families
The NIST SP 800-171 checklist is organized into 14 requirement families that collectively help organizations protect CUI across systems, users, networks, and operational processes. These families group the 110 security requirements into key cybersecurity areas that contractors must implement to achieve compliance.
Organizations often struggle most with Access Control and Configuration Management because they require continuous enforcement, strong documentation, and consistent monitoring across complex IT environments.
The 14 NIST SP 800-171 requirement families
| No. | Family | Core focus and goal | Key implementation focus areas |
|---|---|---|---|
| 1 | Access Control (AC) | Limit system access to authorized users and approved processes. | Least privilege, separation of duties, account management |
| 2 | Awareness and Training (AT) | Ensure users understand security risks and responsibilities. | Security awareness training, suspicious activity reporting |
| 3 | Audit and Accountability (AU) | Create and retain audit records for accountability and monitoring. | Event logging, audit review, log retention |
| 4 | Configuration Management (CM) | Maintain secure baseline configurations for systems and applications. | System hardening, change management, asset inventory |
| 5 | Identification and Authentication (IA) | Verify the identity of users and devices accessing systems. | MFA, password controls, device authentication |
| 6 | Incident Response (IR) | Detect, respond to, and recover from cybersecurity incidents. | Incident handling, response testing, recovery procedures |
| 7 | Maintenance (MA) | Perform secure and controlled system maintenance activities. | Scheduled maintenance, repair controls |
| 8 | Media Protection (MP) | Protect media containing CUI from unauthorized access or disclosure. | Secure disposal, media sanitization, access restrictions |
| 9 | Personnel Security (PS) | Ensure personnel handling CUI are properly screened and managed. | Background checks, termination procedures |
| 10 | Physical Protection (PE) | Secure facilities and physical access to systems containing CUI. | Visitor management, facility access controls |
| 11 | Risk Assessment (RA) | Identify and evaluate cybersecurity risks regularly. | Vulnerability scanning, risk analysis, penetration testing |
| 12 | Security Assessment (CA) | Assess whether security controls are implemented effectively. | Control testing, security planning, assessments |
| 13 | System and Communications Protection (SC) | Protect system boundaries and secure communications. | Encryption, network segmentation, firewalls |
| 14 | System and Information Integrity (SI) | Detect and remediate system flaws and malicious activity. | Patch management, malware protection, threat monitoring |
Together, these 14 families create the operational foundation for NIST SP 800-171 compliance and CMMC Level 2 readiness. Understanding how the requirements map to your systems, users, and processes is essential for building an effective compliance program.
NIST SP 800-171 encryption requirements
Encryption is a critical part of NIST SP 800-171 compliance because it helps protect CUI from unauthorized access, interception, and disclosure. Organizations handling CUI must implement strong cryptographic controls across systems, devices, applications, and communications.
While NIST SP 800-171 does not prescribe a single encryption tool or vendor, it requires organizations to use secure, validated cryptographic methods that align with federal security expectations.
Key NIST SP 800-171 encryption requirements
1. Use FIPS-validated cryptography
Organizations handling CUI should use cryptographic modules validated under the Federal Information Processing Standards (FIPS) 140 program. FIPS-validated encryption is particularly important for systems supporting DFARS and CMMC requirements.
2. Encrypt data at rest and in transit
CUI should be encrypted both when stored and when transmitted across networks.
- Encryption at rest: Protects stored CUI on endpoints, servers, databases, removable media, and cloud environments.
- Encryption in transit: Protects CUI while it moves across internal or external networks.
3. Use TLS 1.2 or higher
Organizations should use secure communication protocols such as TLS 1.2 or higher to protect network traffic containing CUI. Older protocols and weak cipher suites should be disabled to reduce exposure to known vulnerabilities.
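The TLS expectation above (TLS 1.2 or higher, legacy protocols and weak cipher suites disabled) expressed as a checkable policy in Python. This is an added example, not code from the page or from Scrut; the two sample server configurations, the weak-cipher marker list and the function names are constructed for the illustration.

```python
"""Check a TLS configuration against the 'TLS 1.2 or higher, weak cipher
suites disabled' expectation. Example code; sample inputs are constructed."""
import ssl

# Protocol versions that must not be offered on connections carrying CUI.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Name fragments that mark a cipher suite as weak (constructed heuristic list,
# not an authoritative FIPS 140 algorithm catalogue): RC4, DES/3DES, MD5 MACs,
# null encryption, export-grade suites and anonymous key exchange.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH-", "AECDH-")

# Constructed "before" configuration typical of an unhardened legacy server.
LEGACY_SERVER = {
    "protocols": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "ciphers": [
        "RC4-SHA",
        "DES-CBC3-SHA",
        "AES128-SHA",
        "ECDHE-RSA-AES128-GCM-SHA256",
    ],
}

# Constructed "after" configuration that meets the TLS 1.2+ expectation.
HARDENED_SERVER = {
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "TLS_AES_256_GCM_SHA384",
    ],
}


def is_weak_cipher(name: str) -> bool:
    """True if the OpenSSL-style suite name contains a weak-primitive marker."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def audit_tls_policy(protocols, ciphers):
    """Return a list of findings for a configured protocol and cipher list.

    An empty list means the configuration satisfies the policy.
    """
    findings = [f"legacy protocol enabled: {p}" for p in protocols
                if p in LEGACY_PROTOCOLS]
    findings += [f"weak cipher suite offered: {c}" for c in ciphers
                 if is_weak_cipher(c)]
    return findings


def hardened_server_context() -> ssl.SSLContext:
    """Build a server-side SSLContext that refuses anything below TLS 1.2 and
    offers only forward-secret AES-GCM suites for TLS 1.2 (the TLS 1.3 suites
    are fixed by the library and are all AEAD)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_findings(ctx: ssl.SSLContext):
    """Apply the same policy to a live SSLContext as a pre-deployment check."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version too low: {ctx.minimum_version.name}")
    findings += [f"weak cipher suite offered: {c['name']}"
                 for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]
    return findings


if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(label, audit_tls_policy(cfg["protocols"], cfg["ciphers"]))
    print("live context", context_findings(hardened_server_context()))
```

The same `audit_tls_policy` check can be fed the protocol and cipher lists exported from a web server or load balancer configuration, giving a repeatable piece of evidence for the encryption checkpoint.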
4. Implement strong key management practices
Encryption is only effective if cryptographic keys are managed securely. Organizations should establish controls for:
- Key generation and storage
- Key rotation and expiration
- Access restrictions for encryption keys
- Secure backup and recovery procedures
5. Protect credentials and authentication data
Credentials used to access systems containing CUI should also be protected using secure cryptographic methods. This includes:
- Encrypting stored passwords and authentication secrets
- Using MFA for privileged and remote access
- Securing credential transmission across networks
Encryption controls are closely tied to several NIST SP 800-171 requirement families, including Access Control, Identification and Authentication, and System and Communications Protection. Strong encryption practices also play a major role in improving CMMC Level 2 assessment readiness.
How to become NIST SP 800-171 compliant
Achieving NIST SP 800-171 compliance requires organizations to identify where CUI exists, implement the required security controls, document their security posture, and prepare for ongoing assessments. The process involves both technical implementation and continuous operational oversight.
1. Define the CUI environment
Start by identifying where CUI is stored, processed, or transmitted across your systems, applications, users, devices, and third-party services. Proper scoping helps reduce unnecessary compliance overhead and ensures controls are applied to the correct environments.
2. Conduct a gap assessment
Evaluate your current security posture against the 110 NIST SP 800-171 requirements. A gap assessment helps identify missing controls, policy weaknesses, documentation gaps, and technical deficiencies that need remediation.
3. Create a System Security Plan (SSP)
The SSP documents how your organization implements each NIST SP 800-171 requirement. It should clearly describe system boundaries, security controls, responsible teams, and supporting technologies within the CUI environment.
4. Build a Plan of Action and Milestones (POA&M)
A POA&M tracks compliance gaps, remediation activities, timelines, and ownership. It demonstrates that the organization is actively addressing identified weaknesses and improving security posture over time.
5. Implement required security controls
Deploy and operationalize controls across the 14 requirement families, including:
- Access control and MFA
- Audit logging and monitoring
- Encryption and secure communications
- Vulnerability management
- Incident response
- Configuration management
6. Submit your SPRS score
Organizations handling CUI must submit their NIST SP 800-171 assessment score to the Supplier Performance Risk System (SPRS) as required under DFARS 252.204-7012.
7. Prepare for assessments
Depending on contract requirements, organizations may undergo either a self-assessment or a third-party assessment conducted by a C3PAO under CMMC Level 2 requirements. Preparation typically includes evidence collection, documentation reviews, and internal readiness testing.
8. Maintain continuous compliance
NIST SP 800-171 compliance is not a one-time project. Organizations must continuously monitor controls, update documentation, remediate vulnerabilities, and adapt to evolving requirements such as NIST SP 800-171 Rev 3 updates.
As compliance programs grow more complex, many organizations adopt automation tools to simplify evidence collection, monitor controls continuously, and reduce the operational burden of maintaining compliance over time.
NIST 800-171 compliance checklist
Preparing for NIST SP 800-171 compliance requires organizations to validate both technical controls and supporting documentation across the entire CUI environment. The checklist below covers some of the most important areas organizations should review before submitting SPRS scores or preparing for a CMMC Level 2 assessment.
| Checkpoint | What to Verify |
|---|---|
| CUI scoping | Assets, users, systems, and CUI data flows are fully documented |
| SSP | System Security Plan covers all applicable requirements and system boundaries |
| POA&M | All identified gaps are tracked with remediation timelines and ownership |
| Access control | MFA, least privilege, and account management controls are implemented |
| Encryption | FIPS-validated encryption protects CUI at rest and in transit |
| Incident response | Incident response plan is documented, tested, and regularly updated |
| Logging and monitoring | Security events are collected, reviewed, and retained appropriately |
| Configuration management | Secure baseline configurations and change management processes are applied |
| Vulnerability management | Regular vulnerability scans and remediation processes are in place |
| Security awareness training | Employees are trained on CUI handling and cybersecurity responsibilities |
| Third-party compliance | Vendors and external service providers handling CUI meet compliance requirements |
| SPRS score | Assessment score is completed and submitted to SPRS |
Organizations should also maintain supporting documentation such as network diagrams, CUI flow diagrams, policies and procedures, risk assessments, and audit evidence to demonstrate ongoing compliance readiness.
How to get a NIST SP 800-171 assessment
Organizations handling CUI must assess their implementation of NIST SP 800-171 requirements to meet DFARS obligations and prepare for CMMC Level 2 verification. Depending on contract requirements, assessments may be completed internally or through an authorized third party.
1. Self-assessment
Many organizations begin with a self-assessment using the DoD assessment methodology. This process evaluates how effectively the 110 NIST SP 800-171 requirements have been implemented within the CUI environment.
Key steps include:
- Reviewing each requirement against existing controls
- Identifying gaps and incomplete implementations
- Calculating the organization’s assessment score
- Submitting the final SPRS score to the DoD
Self-assessments are still permitted for certain CMMC Level 2 contracts classified as non-prioritized acquisitions.
2. Third-party assessment
Some contracts require a formal third-party assessment conducted by a Certified Third-Party Assessment Organization (C3PAO). These assessments validate whether the organization has fully implemented and maintained the required controls.
Third-party assessments:
- Are mandatory for prioritized Level 2 contracts
- Include evidence reviews, interviews, and technical validation
- Result in formal CMMC certification outcomes
- Typically occur every three years
3. Pre-assessment readiness
Before any assessment, organizations should ensure that documentation, controls, and remediation efforts are fully prepared for review.
Important readiness activities include:
- Completing and maintaining the SSP
- Updating the POA&M with active remediation items
- Conducting internal reviews and mock assessments
- Verifying that security controls are operating effectively
- Ensuring audit evidence is centralized and accessible
Strong preparation helps organizations reduce assessment delays, improve SPRS scoring accuracy, and strengthen overall CMMC readiness.
NIST SP 800-171 vs NIST SP 800-53
Although NIST SP 800-171 and NIST SP 800-53 are closely related, they serve different purposes and apply to different environments. NIST SP 800-171 focuses on protecting CUI in nonfederal systems used by DoD contractors, while NIST SP 800-53 provides a broader catalog of security and privacy controls primarily designed for federal agencies.
| Dimension | NIST SP 800-171 | NIST SP 800-53 |
|---|---|---|
| Scope | Nonfederal systems handling CUI | Federal information systems |
| Controls | 110 security requirements | Extensive security and privacy control catalog |
| Complexity | Moderate | High |
| Use case | DoD contractors and subcontractors | Federal agencies and highly regulated environments |
In practice, NIST SP 800-171 derives many of its requirements from NIST SP 800-53 but tailors them specifically for nonfederal organizations working with the DoD.
NIST SP 800-171 vs CMMC 2.0
As explained in the earlier comparison table, NIST SP 800-171 and CMMC Level 2 share the same 110 security requirements for protecting CUI. The primary difference lies in how compliance is verified and enforced.
Under DFARS 252.204-7012, organizations were largely responsible for self-assessing their implementation of NIST SP 800-171 requirements and submitting their SPRS scores to the DoD. This model relied heavily on contractor self-attestation.
CMMC 2.0 introduces a formal verification layer on top of NIST SP 800-171. Depending on the contract type and sensitivity of the CUI involved, organizations may need either:
- Annual self-assessments for certain Level 2 programs
- Triennial third-party assessments conducted by a Certified Third-Party Assessment Organization (C3PAO)
CMMC 2.0 also places greater emphasis on audit readiness and supporting documentation, including the SSP, POA&M, policies, procedures, and evidence demonstrating that controls are consistently implemented and maintained over time.
In short, NIST SP 800-171 defines the security requirements, while CMMC 2.0 verifies that those requirements are properly implemented and operational.
NIST SP 800-171 and DFARS 252.204-7012
NIST SP 800-171 and DFARS 252.204-7012 work together as the technical and legal foundations of DoD cybersecurity compliance. In simple terms, DFARS 252.204-7012 is the contractual requirement, while NIST SP 800-171 defines the security controls organizations must implement to protect CUI.
The DFARS clause, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” requires contractors handling CUI to implement the 110 NIST SP 800-171 requirements to provide adequate security for nonfederal systems.
The clause also establishes key compliance obligations, including:
- Performing a NIST SP 800-171 self-assessment using the DoD assessment methodology
- Submitting SPRS scores to the DoD
- Reporting cyber incidents within 72 hours of discovery
- Maintaining security documentation and remediation plans
This relationship is important because compliance with NIST SP 800-171 is not optional for covered contractors. Once DFARS 252.204-7012 is included in a contract, implementing the required controls becomes a contractual obligation tied directly to eligibility for DoD work.
CMMC 2.0 builds on this foundation by adding formal verification and assessment requirements to validate that organizations have properly implemented and maintained these controls.

Documentation required for NIST SP 800-171 compliance
Achieving NIST SP 800-171 compliance requires organizations to maintain detailed, audit-ready documentation that demonstrates how CUI is protected across systems, users, and processes. These records support self-assessments, SPRS score submissions, and CMMC Level 2 assessments.
Here are the key documents required for compliance:
- System Security Plan (SSP): Describes the CUI environment, system boundaries, and how each NIST SP 800-171 requirement is implemented.
- Plan of Action and Milestones (POA&M): Tracks unresolved gaps, remediation timelines, and planned corrective actions.
- CUI flow diagram: Maps how CUI enters, moves through, and exits the environment.
- Network diagram: Shows system architecture, segmentation, and connections between CUI and non-CUI systems.
- Policies and procedures: Documents organizational rules, security controls, and operational processes across all requirement families.
- Incident response plan: Defines how the organization detects, responds to, and recovers from cybersecurity incidents.
- Risk assessment report: Identifies threats, vulnerabilities, and risks affecting the CUI environment.
- Scoping documentation: Defines the assessment boundary and identifies systems, users, and assets connected to CUI.
- External service provider (ESP) documentation: Records shared security responsibilities for cloud providers and third-party services handling CUI.
- Audit and logging documentation: Demonstrates monitoring, log retention, and review processes for security events and activities.
Core compliance documents at a glance
| Document | Owner | Update Frequency |
|---|---|---|
| SSP | Compliance lead | Annual |
| POA&M | IT/compliance | Continuous |
| CUI diagram | IT architecture | Annual |
| Network diagram | IT team | Annual |
| Incident response plan | Security team | Annual |
| Risk assessment | Risk team | Annual |
Common challenges in NIST SP 800-171 compliance
Organizations pursuing NIST SP 800-171 compliance and CMMC Level 2 readiness often face challenges related to scoping, documentation, technical implementation, and ongoing maintenance. As Rev 3 adoption increases, many contractors are also preparing for expanded security expectations and evolving assessment requirements.
| Challenge area | Common challenge | Recommended approach |
|---|---|---|
| CUI scoping issues | Incorrectly defining the CUI environment, leading to over-scoping or missed assets | Conduct detailed CUI flow mapping and clearly define system boundaries |
| Documentation gaps | Incomplete SSPs, outdated POA&Ms, or missing policies and procedures | Maintain centralized, regularly updated compliance documentation |
| Cloud compliance | Unclear shared responsibility for cloud-hosted CUI environments | Define responsibilities with cloud providers and verify inherited controls |
| External dependencies | Third-party vendors and service providers lacking adequate compliance controls | Validate vendor security posture and include compliance flow-down requirements |
| Sustained compliance | Treating compliance as a one-time exercise instead of an ongoing process | Continuously monitor controls, risks, and remediation activities |
| Transition to Rev 3 | Preparing for updated and expanded Rev 3 security requirements | Review new controls early and assess gaps between Rev 2 and Rev 3 requirements |
Many organizations also struggle with balancing technical implementation, audit readiness, and resource constraints simultaneously. Automating evidence collection, monitoring, and documentation management can help reduce operational overhead and improve long-term compliance sustainability.
How Scrut simplifies NIST SP 800-171 compliance
Scrut helps organizations simplify and scale NIST SP 800-171 compliance by automating evidence collection, continuously monitoring controls, and centralizing compliance workflows. Instead of managing spreadsheets and manual reviews, teams can maintain stronger visibility across their CUI environment and stay prepared for audits year-round.
Key capabilities include:
- Automated evidence collection: Automatically collect and map evidence across systems, cloud environments, and security tools against NIST SP 800-171 requirements.
- Continuous monitoring: Track control effectiveness in real time and receive alerts when configurations drift from compliance requirements.
- Always audit-ready documentation: Maintain centralized SSPs, POA&Ms, policies, and supporting evidence for ongoing assessment readiness.
- Faster SPRS scoring: Simplify self-assessments and streamline the documentation needed for SPRS score submissions.
- Assessment readiness: Prepare for self-assessments and C3PAO assessments with improved visibility into gaps, remediation progress, and control coverage.
Scrut also helps teams operationalize their NIST 800-171 compliance checklist by reducing manual effort and improving consistency across compliance activities.
Ready to simplify NIST SP 800-171 compliance and prepare for CMMC assessments with confidence? Schedule a demo to see how Scrut helps automate compliance management and maintain continuous audit readiness.
NIST SP 800-171 is a cybersecurity framework developed by NIST to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It includes 110 security requirements across 14 control families and is commonly required for DoD contractors handling CUI.
In simple terms, NIST SP 800-171 is a security checklist for organizations working with the DoD. It outlines the controls companies must implement to protect sensitive government-related information from cyber threats, unauthorized access, and data breaches.
CMMC 2.0 uses the same 110 security requirements from NIST SP 800-171 for Level 2 compliance. The main difference is that CMMC introduces formal verification through self-assessments or third-party assessments to validate that the controls are properly implemented and maintained.
Organizations typically become compliant by:
- Defining the CUI environment
- Conducting a gap assessment
- Creating an SSP and POA&M
- Implementing required controls
- Submitting SPRS scores
- Preparing for assessments
- Maintaining continuous compliance and monitoring
NIST SP 800-171 requires organizations to use FIPS-validated cryptography to protect CUI both at rest and in transit. Organizations are also expected to use secure protocols such as TLS 1.2 or higher, implement proper key management practices, and protect credentials and authentication data.

Megha Thakkar is a technical content writer with about a decade of experience in cybersecurity and compliance. She writes extensively on SOC 2, ISO 27001, GDPR, and security operations, helping organizations translate complex requirements into clear, audit-ready decisions. Her work, tailored for CISOs and executive leaders, is frequently cited in U.S. government and NIST publications.

Team Scrut is a collective of compliance, security, and risk practitioners sharing practical guidance on building audit-ready, scalable programs. We write about SOC 2, ISO 27001, continuous compliance, third-party risk, cloud security, and GRC automation, blending regulatory depth with operator experience to help fast-growing companies strengthen trust, streamline audits, and stay ahead of evolving security demands.