NIST SP 800-171 Requirements & Compliance Guide

NIST Special Publication 800-171 defines 110 security requirements that contractors must meet when handling Controlled Unclassified Information. It's the technical foundation of CMMC Level 2 and the benchmark most DoD supply chain companies are measured against, whether they know it or not.

By the numbers
110 security requirements across 14 control families
110 requirements that map directly to CMMC Level 2
14 control families covering access, audit, incident response, and more
110 points possible on the DoD self-assessment scoring model, starting from 110 with deductions for each unmet requirement

What is NIST SP 800-171?

NIST Special Publication 800-171, published by the National Institute of Standards and Technology, defines the security requirements that non-federal organizations must meet when they create, process, store, or transmit Controlled Unclassified Information (CUI) on their own systems.

CUI is government-owned information that isn't classified but still requires protection under law or regulation. For manufacturers, CUI commonly includes technical drawings and specifications, contract performance data, export-controlled information under ITAR and EAR, procurement-sensitive data, and any information a DoD contract designates as requiring protection.

The publication was originally developed to address a clear gap: contractors and suppliers handling sensitive government information were using their own systems with no consistent security baseline. Before 800-171, there was no standardized way to verify that a supplier was actually protecting the information the government entrusted to them.

800-171 closes that gap by defining exactly what controls are required, organized into 14 families that cover every major dimension of security. It doesn't tell you which tools to buy. It defines what outcomes your environment must achieve.

The current version in effect is NIST SP 800-171 Revision 2. Revision 3 has been finalized by NIST, and DoD is evaluating how it will integrate into future CMMC requirements. For now, Revision 2 is what assessors use.
Read the official publication at NIST.gov →

How 800-171 connects to other requirements

CMMC Level 2

CMMC Level 2 is essentially a verified implementation of all 110 NIST 800-171 requirements. If you achieve full 800-171 compliance, you've done the technical work for Level 2 certification.
Learn about CMMC →

CIRCIA Incident Reporting

CISA's final rule under CIRCIA, expected May 2026, requires incident response capabilities that align with NIST 800-171's Incident Response family. Organizations implementing 800-171 correctly are building those capabilities now.

Prime Contractor Flow-Downs

Many large primes include 800-171 compliance as a condition of subcontracting, independent of formal CMMC requirements. These obligations arrive through contracts, not rulemaking.

DFARS Clause 252.204-7012

This Defense Federal Acquisition Regulation clause has required contractors to "adequately implement" 800-171 since 2017. Many manufacturers have had this obligation for years without fully satisfying it.

Not sure whether 800-171 applies to your operation? If you're in the DoD supply chain and handle any information that isn't publicly available, there's a reasonable chance it does. A free scoping conversation with STACK will tell you where you stand.

What 800-171 actually requires

The 110 requirements in 800-171 are organized into 14 families, each covering a distinct dimension of security. Here's what each family requires and what it means in practice for a manufacturing environment.

How requirements are counted

Each of the 110 requirements is worth one point in the DoD's scoring model. Your starting score is 110. Every unmet requirement reduces the score, with some failures carrying a larger deduction than others. A score of 110 means full compliance. Anything below triggers scrutiny in a CMMC assessment. The score is no longer self-reported on the honor system: Level 2 requires a third-party assessor to verify it.

3.1 — Access Control (22 requirements)

Who can get in, and what they can touch

This is the largest family. It covers who has access to your systems, what they're authorized to do, and how access is controlled and monitored. The principle of least privilege is central: users and processes should only have access to what they need to do their job. Remote access, mobile devices, and shared accounts all fall here.

Covers: user access controls, least privilege, remote access, wireless access, mobile devices.

3.2 — Awareness and Training (3 requirements)

Does your team know how to recognize and respond to threats?

Security tools don't prevent phishing. Trained people do. This family requires that everyone with access to your systems understands their security responsibilities and the risks they face. That means documented, recurring security awareness training and role-specific training for people with elevated privileges or access.

Covers: security awareness training, role-based training, insider threat awareness.

3.3 — Audit and Accountability (9 requirements)

Can you tell what happened and who did it?

Every significant action on your systems should be logged, and those logs should be protected and reviewed. If you experience an incident, audit logs are what investigators use to understand what happened, when, how far the attacker got, and what they accessed. This family also requires that users know their activity is being monitored.

Covers: audit log creation, log protection, log review, user activity tracking.

3.4 — Configuration Management (9 requirements)

Are your systems set up securely from the start?

Default configurations on software and hardware are almost always insecure. This family requires baseline configurations for systems, documented and enforced, with changes tracked and controlled. In manufacturing, this includes production systems and any equipment with a digital interface. Unauthorized software, open ports, and default passwords all represent failures here.

Covers: baseline configurations, change control, software inventory, least functionality.

3.5 — Identification and Authentication (11 requirements)

Do you know for certain who is accessing your systems?

Every user, device, and process that accesses your systems must be uniquely identified and authenticated. This family covers password policies, multi-factor authentication, and how shared or service accounts are managed. Weak or reused passwords are among the most common entry points for manufacturing ransomware and BEC. MFA for privileged accounts is explicitly required.

Covers: multi-factor authentication, password complexity, service accounts, device authentication.

3.6 — Incident Response (3 requirements)

Do you have a plan that your team has actually practiced?

This family requires a documented incident response capability: a plan, defined roles, a process for containing and recovering from incidents, and evidence that you've tested it. In Michigan, this connects to the MC3 (Michigan Cyber Command Center) reporting process and, soon, to CIRCIA's 72-hour federal reporting requirement. A plan that exists only in a document doesn't satisfy this family.

Covers: incident response plan, response testing, incident tracking.

3.7 — Maintenance (6 requirements)

Is maintenance of your systems done securely?

System maintenance, including vendor remote access for support, must be controlled and monitored. This is especially relevant for manufacturers whose OT equipment is maintained remotely by vendors. Uncontrolled vendor access is one of the most exploited entry points in manufacturing environments. This family requires that maintenance is authorized, logged, and reviewed.

Covers: maintenance controls, remote maintenance, maintenance logging, equipment sanitization.

3.8 — Media Protection (9 requirements)

How do you handle physical and digital media containing CUI?

CUI isn't just on servers. It can be on USB drives, printed documents, laptops, portable drives, and decommissioned equipment. This family requires that media containing CUI is controlled, labeled, protected during transport, and sanitized or destroyed before disposal. This is a common gap in manufacturing environments where portable media moves between systems regularly.

Covers: media access controls, media marking, media transport, media sanitization, media disposal.

3.9 — Personnel Security (2 requirements)

Are the people with access to CUI appropriately screened?

This is the smallest family by requirement count, but it covers a meaningful risk. Personnel with access to CUI should be vetted before that access is granted, and access should be terminated promptly and completely when someone leaves. The insider threat risk to manufacturing organizations is real, and this family requires that organizations address it systematically.

Covers: personnel screening, access termination.

3.10 — Physical Protection (6 requirements)

Can unauthorized people physically access your systems or CUI?

Physical security is part of 800-171. Systems, equipment, and environments that process or store CUI must be physically protected from unauthorized access. This includes facility access controls, visitor management, and monitoring of physical environments. For manufacturers, this extends to the shop floor when production systems process or store contract-related data.

Covers: physical access controls, visitor management, physical monitoring, equipment protection.

3.11 — Risk Assessment (3 requirements)

Do you understand and document your risk?

Organizations must periodically assess the risk to their operations, assets, and individuals from the operation of their systems. This means identifying threats, evaluating vulnerabilities, and making informed decisions about what to address first. An undocumented risk assessment doesn't satisfy this family. A STACK gap analysis directly addresses these requirements.

Covers: risk assessment process, vulnerability scanning, risk remediation.

3.12 — Security Assessment (4 requirements)

Do you regularly evaluate whether your controls are working?

Implementing controls isn't enough. You need to verify they're working as intended, identify and remediate deficiencies, and maintain a System Security Plan (SSP) that documents your security posture. The SSP is one of the most critical artifacts for CMMC assessment. It must be current, accurate, and reference every 800-171 requirement with evidence of how it's met.

Covers: System Security Plan (SSP), control testing, Plan of Action and Milestones (POAM), ongoing monitoring.

3.13 — System and Communications Protection (16 requirements)

Is CUI protected in transit and across system boundaries?

This is the second-largest family. It covers how information is protected as it moves across your network, between systems, and outside your organization. Network segmentation, encryption of data in transit, monitoring of communications at external boundaries, and protection against network attacks all fall here. For manufacturers with connected OT environments, segmentation between IT and OT is directly addressed by this family.

Covers: network segmentation, data-in-transit encryption, boundary protection, network monitoring, session encryption.

3.14 — System and Information Integrity (7 requirements)

Can you identify and respond to threats in your environment?

This family covers the detection side: antimalware, security alerts, monitoring for anomalous activity, and patching known vulnerabilities in a timely manner. The CISA Known Exploited Vulnerabilities catalog is directly relevant here. If a vulnerability in your environment appears on the CISA KEV list, 800-171 requires you to address it. Manufacturers with legacy systems and infrequent patching cycles are often significantly exposed in this family.

Covers: anti-malware, security alerts, patch management, anomaly detection.

Want to know which of these 14 families are your biggest gaps? A STACK gap analysis evaluates your current environment against every 800-171 requirement and gives you a prioritized remediation list. Start with a free consultation to understand what the process involves.

The Self-Assessment Score and why your SSP matters

The Department of Defense uses a scoring methodology for 800-171 self-assessments. Organizations start with a score of 110 and deduct points for each unmet requirement. Some requirements carry a one-point deduction. Others carry a five-point deduction. A few critical requirements, particularly in access control and identification and authentication, carry a larger deduction if they're missing entirely.

The score isn't just a performance metric. Under DFARS clause 252.204-7020, contractors are required to submit their 800-171 assessment score to the Supplier Performance Risk System (SPRS) database. Contracting officers can see your score. A score of 110 represents full compliance. A score below 110 requires a Plan of Action and Milestones (POAM) documenting how and when you'll address the gaps.

The System Security Plan (SSP) is the document that makes all of this auditable. The SSP describes your system boundary, the CUI in your environment, and how each of the 110 requirements is met. It's not a one-time document. It needs to stay current as your systems change. CMMC Level 2 assessors will spend significant time on your SSP during the assessment process.

Under CMMC 2.0, self-attestation isn't sufficient for most contracts involving CUI. A Certified Third-Party Assessment Organization (C3PAO) must independently verify your controls. STACK, as a Registered Practitioner Organization, prepares you for that process.

1. Scope your environment

Identify where CUI exists in your organization: which systems process it, store it, or transmit it. This boundary defines what the assessment covers. Overscoping wastes resources. Underscoping creates compliance risk.

2. Conduct a gap analysis

Evaluate your current controls against each of the 110 requirements. Document which are fully met, partially met, or not yet addressed. The gap analysis produces your starting score and your remediation roadmap.

3. Build or update your SSP

The System Security Plan documents how each requirement is met within your specific environment. It needs to be specific, current, and supported by evidence. Generic SSPs won't survive assessor scrutiny.

4. Remediate and document

Address gaps in priority order. For anything that can't be remediated immediately, document it in a Plan of Action and Milestones (POAM) with realistic completion dates. The POAM is reviewed during CMMC assessment.

5. Submit to SPRS

Upload your self-assessment score to the Supplier Performance Risk System database. Contracting officers use this data. An accurate, improving score demonstrates good faith progress. A missing or falsified score is a contractual and legal liability.

6. Prepare for third-party assessment

For CMMC Level 2, a C3PAO will independently assess your environment. STACK prepares you for this process through pre-assessment reviews, documentation support, and evidence collection so there are no surprises during the formal assessment.

Score of 110: Full Compliance

All 110 requirements are met. This is the target for CMMC Level 2 and the standard for most DoD contracts involving CUI. No POAM required at this score.

Score of 88–109: Partial Compliance

Some gaps exist. A POAM is required documenting how remaining gaps will be addressed. Depending on the contract, this may be acceptable with a credible remediation plan and timeline.

Score below 88: Significant Gaps

Material gaps in security controls. CMMC assessment at this score is high risk. The gap analysis and remediation process should be the immediate priority before pursuing certification.
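As an added illustration of the scoring model and the score bands above (this is example code, not STACK's tooling or the official DoD assessment worksheet), the Python below computes a score from a gap list, assigns the band used on this page, and orders the gaps into a POAM with the largest deductions first. The per-requirement weights and the gap list are constructed for the example; the band thresholds (110, 88) are the ones on this page.

```python
MAX_SCORE = 110

# Illustrative deductions per unmet requirement. These are assumed values
# for the example; the official DoD methodology weights all 110 requirements.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.5": 3, "3.1.12": 5,
    "3.3.1": 5, "3.4.1": 5, "3.5.3": 5, "3.5.7": 1,
    "3.6.1": 5, "3.6.3": 1, "3.8.3": 5, "3.13.1": 5,
    "3.14.1": 5, "3.14.2": 5,
}

# The 14 families as named on this page.
FAMILIES = {
    "3.1": "Access Control", "3.2": "Awareness and Training",
    "3.3": "Audit and Accountability", "3.4": "Configuration Management",
    "3.5": "Identification and Authentication", "3.6": "Incident Response",
    "3.7": "Maintenance", "3.8": "Media Protection",
    "3.9": "Personnel Security", "3.10": "Physical Protection",
    "3.11": "Risk Assessment", "3.12": "Security Assessment",
    "3.13": "System and Communications Protection",
    "3.14": "System and Information Integrity",
}

def family_of(req_id):
    """'3.5.3' -> '3.5'; rejects malformed ids and unknown families."""
    parts = req_id.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed requirement id: {req_id!r}")
    fam = f"{parts[0]}.{parts[1]}"
    if fam not in FAMILIES:
        raise ValueError(f"unknown family: {fam}")
    return fam

def sprs_score(weights, unmet):
    """Start at 110 and subtract each unmet requirement's weight once.
    The model is not clamped at zero, so a badly gapped environment can
    go negative. Ids with no weight are rejected, not silently skipped."""
    gaps = set(unmet)
    unknown = sorted(gaps - set(weights))
    if unknown:
        raise ValueError(f"no weight for requirement(s): {unknown}")
    return MAX_SCORE - sum(weights[r] for r in gaps)

def band(score):
    """Map a score onto the three bands used on this page."""
    if score >= MAX_SCORE:
        return "Full Compliance"
    return "Partial Compliance" if score >= 88 else "Significant Gaps"

def poam(weights, unmet):
    """POAM order for remediation: largest deduction first, then by id."""
    def id_key(r):
        return tuple(int(p) for p in r.split("."))
    ordered = sorted(set(unmet), key=lambda r: (-weights[r], id_key(r)))
    return [(r, FAMILIES[family_of(r)], weights[r]) for r in ordered]

# Constructed gap list for a hypothetical shop: no MFA, no audit logging,
# incident response plan never tested, weak password rules.
EXAMPLE_GAPS = ["3.5.3", "3.3.1", "3.6.3", "3.5.7"]

if __name__ == "__main__":
    total = sprs_score(SAMPLE_WEIGHTS, EXAMPLE_GAPS)
    print(f"SPRS score: {total} ({band(total)})")
    for req, fam, pts in poam(SAMPLE_WEIGHTS, EXAMPLE_GAPS):
        print(f"  {req:<7} {fam:<40} -{pts}")
```

Running it on the constructed gap list gives a score of 98 (Partial Compliance), with the two five-point items at the top of the POAM.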

Don't know your current 800-171 score? Most manufacturers in the DoD supply chain don't. A gap analysis is how you find out, and how you build the plan to get to 110. Start with a free consultation.

NIST 800-171 questions we hear often

Answers to the questions manufacturers ask when they're getting started with 800-171 compliance or preparing for CMMC assessment.

What's the difference between 800-171, 800-172, and the NIST Cybersecurity Framework?

NIST SP 800-171 applies to contractors handling CUI on non-federal systems. It's the baseline for CMMC Level 2. NIST SP 800-172 is an enhanced set of requirements that builds on 800-171 and applies to the highest-priority programs, corresponding to CMMC Level 3. The NIST Cybersecurity Framework (CSF) is a voluntary, broader framework for any organization looking to improve its cybersecurity posture. It's not directly tied to government contracting requirements the way 800-171 is. If you're in the DoD supply chain, 800-171 is what matters.

We already have IT security policies. Does that satisfy 800-171?

Policies are necessary but not sufficient. 800-171 requires that controls be documented, implemented, and evidence-supported, not just described in a policy document. A gap analysis will compare your existing documentation and technical controls against each of the 110 requirements. In most cases, organizations that believe they're in reasonably good shape find meaningful gaps, particularly in audit logging, configuration management, and incident response documentation.

How long does it take to achieve full compliance?

It depends significantly on your starting point. Organizations with mature IT programs and some existing documentation may be able to close gaps and build an audit-ready SSP in three to six months. Organizations starting from a low baseline, or with legacy OT environments that require segmentation work, should plan for longer. The most important thing is not to wait until a contract requires it. Starting early gives you the most time to address remediation without deadline pressure.

Do we have to meet all 110 requirements, or just some of them?

The target is all 110. However, the reality of most organizations is that full compliance is achieved through a remediation process, not all at once. A POAM documents the path to full compliance and is an accepted part of the process as long as it's credible and actively maintained. That said, some requirements are considered critical by assessors, particularly around access control and authentication, and gaps in those areas carry more weight during an assessment than gaps in lower-priority families.

Is 800-171 only for manufacturers in the defense supply chain?

No, though defense contractors are the most common context. Any non-federal organization that handles CUI can be subject to 800-171 requirements. This includes contractors in aerospace, research, healthcare, energy, and other sectors with federal relationships. For manufacturers specifically, the most common trigger is a DoD contract or a subcontract to a prime that has DoD work. The CMMC resource page covers who's in scope in more detail.

What happens if we submit an inaccurate self-assessment score to SPRS?

Submitting a falsified or inflated SPRS score creates significant legal exposure. The Department of Justice has pursued False Claims Act cases against contractors who misrepresented their cybersecurity compliance posture. Fines and debarment are possible outcomes. Beyond legal risk, a score that doesn't reflect your actual posture creates security risk that affects both your organization and the government information you're responsible for protecting. An honest score with a credible POAM is always the better position.

How does 800-171 connect to CIRCIA and incident reporting?

The Incident Response family (3.6) in 800-171 requires a documented and tested incident response capability. CIRCIA, with a final rule expected from CISA in May 2026, will require covered critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. Organizations that have implemented 800-171's Incident Response requirements will have the procedures, documentation, and communication channels in place to meet CIRCIA's timelines. Michigan businesses should also be familiar with the MC3 reporting process at 877-MI-CYBER for state-level incident coordination.

Cybersecurity Consultation

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.