- NIST 800-171: What It Is and How to Comply
- What Is NIST 800-171?
- Who Must Comply with NIST 800-171?
- Why Is NIST 800-171 Important?
- How NIST 800-171 Relates to CMMC, DFARS, and NIST 800-53, ISO 27001, and FedRAMP
- NIST 800-171 Requirements and Control Families
- How NIST 800-171 Is Assessed and Scored
- How to Comply with NIST 800-171
- How to Simplify NIST 800-171 Compliance
- Key Takeaways
-
NIST 800-171 FAQs
- What is NIST 800-171?
- Who needs to comply with NIST 800-171?
- What is the difference between NIST 800-171 Rev 2 and Rev 3?
- Is NIST 800-171 the same as CMMC?
- What is the difference between NIST 800-171 and NIST 800-53?
- How is NIST 800-171 compliance measured?
- How do you become NIST 800-171 compliant?
- Is NIST 800-171 a certification?
NIST 800-171: What It Is and How to Comply
NIST SP 800-171 is the U.S. government standard for protecting Controlled Unclassified Information (CUI) in nonfederal systems. Published in May 2024, NIST SP 800-171 Rev 3 is the most current version of the standard. It includes a specific subset of 97 individual NIST SP 800-53 security controls across 17 families. Still, most organizations use NIST SP 800-171 Rev 2.
NIST 800-171 compliance is required for federal contractors and subcontractors under the Defense Federal Acquisition Regulation Supplement (DFARS). Also administered by the Department of Defense (DoD), the Cybersecurity Maturity Model Certification (CMMC) program adds a certification layer on top.
Often, that pressure is why suppliers who have never run a formal security program suddenly need one. To demonstrate compliance, organizations must assess their own systems against 800-171 security controls, document evidence of their existence, and attest to their effectiveness.
On July 13, 2026, the the DoD suspended CMMC implementation of Phase II requirements, originally scheduled for November 10, 2026. During the 60-day review period, all Phase I requirements remain firmly in place, and the DoD will enforce security compliance with NIST SP 800-171 Rev 2 via self-assessments and select government-led assessments.
This guide covers what NIST 800-171 is, what it requires, who must comply, and how it relates to other frameworks. It also explains how the 800-171 standard is structured, how to assess compliance with its requirements, and how simplify the entire process with a NIST 800-171 tool. For step-by-step instructions, see our NIST 800-171 assessment guide. Or, check out our full list of NIST 800-171 controls and requirements for the complete breakdown.
What Is NIST 800-171?
NIST SP 800-171 is the U.S. federal standard that defines security requirements for protecting nonfederal systems that process, store, or transmit Controlled Unclassified Information (CUI). Published in May 2024, NIST 800-171 Revision 3 is the most current version of the standard.
NIST SP 800-171 defines security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. The most current version of 800-171 is Revision 3, published in May, 2024. It includes a subset of 97 security controls across 17 families derived from NIST 800-53. Most often, NIST 800-171 requirements apply to federal contractors and subcontractors, primarily DoD suppliers.
Developed by the National Institute of Standards and Technology (NIST) — the U.S. government body responsible for federal cybersecurity standards — the publication’s full title is “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” Derived from NIST SP 800-53 — the master catalog of security and privacy controls for federal information systems — 800-171 is a focused subset of those requirements for nonfederal organizations.
When Rev 3 superseded Revision 2 (published in 2021), NIST replaced its 110 controls across 14 families with 97 controls across 17 families. Still, most organizations use NIST 800-171 Rev 2 because the Department of Defense (DoD) explicitly requires it (over Rev 3) to prove security compliance. Organizations subject to CMMC Level 2 must demonstrate 800-171 compliance as a condition of doing business with the DoD.
NIST 800-171 compliance is driven by:
- DFARS clause 252.204-7012: Requires defense contractors handling CUI to meet the standard.
- CMMC: Provides the certification framework for verifying that compliance.
For a complete list of the NIST 800-171 families, see our controls and requirements guide. Or, check out NIST SP 800-171A, a companion assessment document from NIST that defines the procedures for checking each requirement.
What Is CUI?
Controlled Unclassified Information, or CUI, is unclassified information that still requires safeguarding under federal rules. Created by Executive Order 13556 in 2010, the CUI program standardized this definition across the executive branch. In 2026, the National Archives (NARA) maintains a CUI Registry that defines what qualifies as CUI today.
Under the Defense Federal Acquisition Regulation Supplement (DFARS), system components that process, store, or transmit CUI must meet NIST 800-171 as the minimum standard. More specifically, DFARS 252.204-7012 is the clause that requires covered contractor systems to meet its security requirements. Some non-DoD agencies even impose the standard through their own contract clauses.
Examples of CUI include:
- Critical Infrastructure: Critical Energy Infrastructure Information, Information Systems Vulnerability Information, Physical Security, SAFETY Act Information, etc.
- Defense: Controlled Technical Information, DoD Critical Infrastructure Security Information, Privileged Safety Information, etc.
- Financial: Bank Secrecy, Budget, Consumer Complaint Information, Electronic Funds Transfer, General Financial Information, International Financial Institutions, etc.
- Legal: Administrative Proceedings, Federal Grand Jury, Legislative Materials, Prior Arrest, Protective Order, Witness Protection, etc.
- Privacy: General Privacy, Health Information, Student Records, etc.
- Statistical: Statistical Information, US Census, etc.
Unlike CUI, Federal Contract Information (FCI) is a lower tier of contract information. Systems that handle only FCI follow FAR 52.204-21 (the Federal Acquisition Regulation clause on basic safeguarding) and its 15 basic requirements. For more on scoping FCI and CUI for NIST 800-171 and CMMC, check out our complete guide.
Who Must Comply with NIST 800-171?
Any nonfederal organization that processes, stores, or transmits CUI under a federal contract, grant, or agreement must comply with NIST 800-171. Most often, that includes federal contractors and subcontractors.
Examples of organizations that must comply with NIST 800-171 include:
- Defense contractors and their subcontractors across the DoD supply chain
- Other federal contractors working with agencies like GSA and NASA
- Manufacturers in federal supply chains
- Universities and research institutions with federal research data
- Small businesses (no exemption)
However, because the obligation is triggered by contract flow-down and not company size, there is no small-business exemption for NIST 800-171. If a prime contractor’s award carries the requirement, it flows down to subcontractors at every tier that touches CUI under DFARS 252.204-7020.
Why Is NIST 800-171 Important?
NIST SP 800-171 matters because it is legally enforceable, and the consequences of non-compliance are growing. Because DFARS makes NIST 800-171 the definition of “adequate security” for CUI, meeting the standard is a condition of the contract, not a nice-to-have.
DFARS also requires contractors to keep a current DoD assessment score on file in the Supplier Performance Risk System (SPRS) to be eligible for award. Such assessments come at three levels:
- A Basic self-assessment the contractor performs itself
- Medium and High assessments the Government conducts
NIST SP 800-171A guides the assessment procedures. Assessment scores range from —203 to 110, and a low or negative score signals how many requirements remain unimplemented.
As of 2026, the U.S. government has pursued False Claims Act settlements against contractors that misstated their 800-171 or SPRS compliance. For example, in March 2025, MORSECORP paid $4.6 million to settle allegations that it had not implemented all required controls while representing itself as compliant. Even though roughly 78% of the required NIST 800-171 controls were not in place, the company had self-reported an SPRS score of 104.
How NIST 800-171 Relates to CMMC, DFARS, and NIST 800-53, ISO 27001, and FedRAMP
NIST 800-171 is best understood by its relationships to the frameworks around it, because contractors rarely deal with it in isolation. Other standards, frameworks, and certifications related to 800-171 include:
- NIST 800-53 is the parent catalog. NIST 800-171 is a tailored subset of 800-53’s controls, scoped specifically to protecting CUI on nonfederal systems — 800-53 governs federal agencies and 800-171 governs the contractors that handle federal CUI.
- CMMC is the verification layer. CMMC Level 2 is built on the NIST 800-171 controls and adds a third-party assessment (3PAO) instead of relying only on self-attestation.
- DFARS is the contractual mechanism. DFARS clauses are what obligate a defense contractor to meet NIST 800-171 in the first place.
- ISO 27001 is a separate information security standard that organizations often weigh alongside NIST 800-171.
- FedRAMP is the federal program for authorizing cloud services, and it comes up when contractors host CUI in the cloud.
NIST 800-171 Requirements and Control Families
NIST SP 800-171 organizes its security practices into control families, grouping requirements together by domain. Requirements are performance-based, describing the security outcome to achieve rather than naming a specific product or technology to buy.
But the exact control count for 800-171 depends on the revision:
- NIST 800-171 Revision 2 defines 110 security requirements across 14 families
- NIST 800-171 Revision 3 defines 97 security requirements across 17 families
Because the DoD still uses NIST SP 800-171 Rev 2 to enforce compliance, knowing the requirements for both standards is important. The following table includes a complete list of NIST 800-171 control families and requirements across both revisions (Rev 2 and Rev 3).
| ID | Control Family | Requirement | Revision |
| AC | Access Control | Limit system access to authorized users and processes | Both |
| AT | Awareness and Training | Make staff aware of risks and trained on procedures | Both |
| AU | Audit and Accountability | Create and protect records of system activity | Both |
| CA | Security Assessment and Monitoring | Assess controls and monitor them over time | Both |
| CM | Configuration Management | Establish and maintain secure system baselines | Both |
| IA | Identification and Authentication | Verify the identity of users and devices | Both |
| IR | Incident Response | Detect, report, and respond to security incidents | Both |
| MA | Maintenance | Control how systems are maintained and serviced | Both |
| MP | Media Protection | Protect media that holds CUI | Both |
| PE | Physical Protection | Restrict physical access to systems and facilities | Both |
| PL | Planning | Document security plans | Revision 3 |
| PS | Personnel Security | Screen personnel and protect CUI during staffing changes | Both |
| RA | Risk Assessment | Identify and evaluate risk to systems and CUI | Both |
| SA | System and Services Acquisition | Build security into systems and acquired services | Revision 3 |
| SC | System and Communications Protection | Protect information as it is transmitted and stored | Both |
| SI | System and Information Integrity | Maintain the integrity of systems and information | Both |
| SR | Supply Chain Risk Management | Manage risk introduced through the supply chain | Revision 3 |
Even though Revision 3 is the most current version of NIST 800-171, Rev 2 is still in use by the DoD to enforce security compliance in 2026.
NIST 800-171 Rev 2 vs. Rev 3
Published in May of 2024, NIST 800-171 Revision 3 is the most current version of the standard, but NIST 800-171 Revision 2, published in 2021, is often more relevant. Differences between the two revisions include:
- Security controls: Rev 2 defines 110 security controls; Rev 3 defines 97.
- Control families: Rev 2 includes 14 control families; Rev 3 includes 17, adding Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR).
- Organization-defined parameters (ODPs): ODPs are the values an organization or agency sets for certain requirements (e.g., specific password length or timeout); Rev 3 lists 49 in Appendix D.
Shortly after NIST published 800-171 Rev 3, the DoD issued a class deviation that keeps Rev 2 in force for compliance, with no fixed end date. In the meantime, contractors should continue to assess and score against Rev 2.
In fact, submitting a Rev 3-based score in its place will produces an invalid SPRS entry. The practical guidance most practitioners give is to keep assessing and scoring against Rev 2 today, while mapping programs to Rev 3 in parallel, so they’re ready when the deviation lifts.
How NIST 800-171 Is Assessed and Scored
NIST 800-171 compliance is measured with an assessment score that’s submitted to the SPRS. Based on the DoD Assessment Methodology, that score gives contracting officers a better understanding of a supplier’s risk posture.
Organizations start at 110 points and subtract a weighted value for each requirement they have not met. The resulting score can fall as low as -203 and reach as high as 110.
The methodology also defines three assessment levels that differ by who performs them:
| Level | Who Performs It | Confidence |
| Basic | Contractor self-assessment | Low |
| Medium | Government, using SP 800-171A | Medium |
| High | Government (DCMA, DIBCAC), using SP 800-171A | High |
Under DFARS 252.204-7019, contractors need a current assessment — no more than three years old — to be eligible for award. Importantly, SPRS stores the scoring information, but the Basic assessment itself is performed outside the system. For more, our NIST 800-171 assessment guide walks through scoring in detail.
How to Comply with NIST 800-171
Complying with NIST SP 800-171 means implementing the standard’s requirements and documenting the evidence. Usually, that work involves a few steps:
- Scope the CUI environment. Identify which systems process, store, or transmit CUI.
- Build a System Security Plan (SSP). Document how each requirement is met (using the NIST SSP template).
- Assess each requirement. Score the CUI environment against the DoD Assessment Methodology.
- Record gaps in a POA&M. Track unmet requirements in a Plan of Action and Milestones (using the NIST POA&M template).
- Submit the score to SPRS. Calculate the final score and post it.
Timelines run long for teams with real gaps. Full implementation for a mid-size contractor commonly takes 12 to 24 months, with most of the effort going to documentation and high-weight technical controls. Deeper how-to coverage lives in the compliance guide. Adjacent pages cover consultants and services, compliance software, certification and training, and the NIST 800-171 and CMMC template pack.
How to Simplify NIST 800-171 Compliance
Most NIST 800-171 programs are spread across systems and business units, and the work lives in scattered spreadsheets. Instead, organizations need one place to connect the assessment, the evidence, and the remediation work.
Isora GRC is the GRC Assessment Platform™ that gives security teams a single connected workspace to run assessments, manage assets and vendors, track risks, and prove compliance. Key capabilities include:
- Assessment management. Run 800-171 assessments from one place with campaign-based targeting, live progress tracking, and real-time scoring.
- Questionnaires and surveys. Access a pre-built questionnaire library covering common frameworks like NIST, CIS, HIPPA, GLBA, and HECVAT. Upload control evidence inline and link it to each question, without training users.
- Risk management. Get assessment findings that auto-populate a risk register with full lineage from questionnaire to control to framework to risk. Assign an owner and a remediation status for each entry.
- Reports and scorecards. Generate scorecards and reports directly from live assessment data, with drill-down to individual responses and evidence for an audit-ready record.
Isora GRC helps teams assess against 800-171, organize evidence, and track remediation. It does not implement the controls, guarantee an SPRS score, or issue a CMMC certification.
See the GRC Assessment Platform in action →
Key Takeaways
NIST 800-171 is the U.S. government standard for protecting Controlled Unclassified Information on the systems of contractors and other nonfederal organizations. Revision 3 (May 2024) is the current edition, but most defense contractors still assess against Rev 2 today. For anyone in a federal or defense supply chain that touches CUI, it is a contractual requirement rather than an option.
The first move for any team is to confirm whether the organization handles CUI, then check which revision its contracts name before assessing. From there, document the environment in an SSP, score each requirement against the DoD methodology, record gaps in a POA&M, and submit the score to SPRS.
From here, our controls and requirements page explains exactly what the standard asks for, and our compliance guidewalks through the actual work.
Ready to run and evidence NIST 800-171 compliance in one place?
See the GRC Assessment Platform in action →
NIST 800-171 FAQs
What is NIST 800-171?
NIST 800-171 is a NIST publication that specifies security requirements for protecting Controlled Unclassified Information (CUI) stored, processed, or transmitted by nonfederal organizations. The current version, Revision 3, was published in May 2024 and contains 97 requirements across 17 families (NIST, 2024). It is most commonly required of Department of Defense contractors under DFARS clause 252.204-7012.
Who needs to comply with NIST 800-171?
Nonfederal organizations that process, store, or transmit CUI on behalf of a federal agency must comply, most commonly Department of Defense contractors and their subcontractors. DFARS clause 252.204-7012 makes the requirements contractual, and the obligation flows down to subcontractors under DFARS 252.204-7020 (NIST, 2016). Other nonfederal organizations that handle CUI under a federal contract are also in scope, including under non-DoD agency clauses such as the DHS HSAR 3052.204-72.
What is the difference between NIST 800-171 Rev 2 and Rev 3?
Revision 2 (2021) contains 110 controls across 14 families, while Revision 3 (May 2024) reorganizes these into 97 requirements across 17 families, adding the Planning, System and Services Acquisition, and Supply Chain Risk Management families (Crowell & Moring, 2024). Revision 3 also introduces 49 organization-defined parameters in Appendix D. Even so, DoD Class Deviation 2024-O0013 (May 2024) keeps Revision 2 in force for DFARS assessments, so most contractors still assess against Rev 2 today.
Is NIST 800-171 the same as CMMC?
No. NIST 800-171 is the set of security requirements; CMMC (Cybersecurity Maturity Model Certification) is the DoD program that verifies a contractor has met them. CMMC Level 2 uses NIST 800-171 as its technical baseline (Emgage, 2025). Compliance with 800-171 is self-attested through an SPRS score, while CMMC Level 2 adds a third-party certification layer.
What is the difference between NIST 800-171 and NIST 800-53?
NIST 800-171 is a tailored subset of NIST 800-53. NIST derived the 800-171 requirements from the 800-53 moderate control baseline, removing controls that are uniquely federal or not related to protecting CUI confidentiality (NIST, 2024). NIST 800-53 is the full control catalog used by federal agencies, while 800-171 is the focused CUI subset that nonfederal organizations meet.
How is NIST 800-171 compliance measured?
NIST 800-171 compliance is measured with a DoD assessment score submitted to the Supplier Performance Risk System (SPRS). Using the DoD Assessment Methodology, an organization starts at 110 points and subtracts a weighted value for each unmet requirement, producing a score that can range from -203 to 110 (DoD, 2020). Basic assessments are contractor self-assessments; Medium and High assessments are performed by the government through DCMA DIBCAC.
How do you become NIST 800-171 compliant?
Becoming compliant means implementing the applicable requirements and documenting them. Organizations scope which systems handle CUI, complete a System Security Plan (SSP), assess each requirement against the DoD methodology, record gaps in a Plan of Action and Milestones (POA&M), and submit the resulting score to SPRS. Full implementation for a mid-size contractor with real gaps commonly takes 12 to 24 months.
Is NIST 800-171 a certification?
No. NIST 800-171 is a set of security requirements, not a certification a company can obtain. Compliance is self-attested through a score submitted to SPRS under DFARS 252.204-7020, not awarded by NIST or an auditor (Emgage, 2025). The third-party certification layer built on 800-171 is CMMC Level 2.
This content is for informational purposes only and does not constitute legal or compliance advice. See our full disclaimer.