What is NIST 800-171?

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2 is a set of security requirements that define how Controlled Unclassified Information (CUI) must be protected in non-federal systems and organizations. The Department of Defense (DoD), General Services Administration (GSA), and NASA require, or are planning to require, contractors and subcontractors to implement these requirements to safeguard sensitive information shared with the federal government.

NIST 800-171 serves as the foundation for the Cybersecurity Maturity Model Certification (CMMC), which builds upon its requirements to ensure compliance within the Defense Industrial Base (DIB). If you’re a government contractor handling CUI, you must meet these standards to win and maintain DoD contracts.

Why is NIST 800-171 Important?

Required for DoD Contracts

Since DFARS 252.204-7012 mandates compliance with NIST 800-171, contractors must implement these requirements to be eligible for Department of Defense contracts.

Foundation of CMMC

CMMC Level 2 is directly based on NIST 800-171, meaning that full compliance is necessary for companies seeking CMMC Level 2 certification.

Protects Sensitive Government Data

NIST 800-171 establishes strong cybersecurity best practices to protect sensitive CUI from cyber threats and adversaries.

THE BASICS OF DFARS

DFARS, the Defense Federal Acquisition Regulation Supplement, contains the contract clauses that require defense contractors to maintain adequate cybersecurity measures. We cover the ins and outs of DFARS requirements here.

  • DFARS 252.204-7012: requires contractors and subcontractors that process, store, or transmit covered defense information to implement NIST SP 800-171 and to report cyber incidents to the DoD.
  • DFARS 252.204-7019: requires companies to have a current NIST SP 800-171 assessment score (not more than three years old) recorded in the Supplier Performance Risk System (SPRS).
  • DFARS 252.204-7020: requires companies to give the Government access to their facilities, systems, and personnel whenever the DoD conducts or renews a Medium or High assessment.

NIST 800-171 and CMMC: What’s the Connection?

NIST 800-171 and CMMC
  • CMMC Level 2 includes all 110 security requirements from NIST 800-171 Rev 2. If your business already follows NIST 800-171, you’re well on your way to achieving CMMC Level 2 certification.
  • However, CMMC adds an independent assessment requirement for most contractors handling CUI. Where DFARS 252.204-7019 relies on a self-assessment score posted to SPRS, CMMC Level 2 requires, for most contracts, an assessment by a CMMC Third-Party Assessment Organization (C3PAO) to verify compliance.


What About NIST 800-171 Rev 3?

  • The new revision (Rev 3) restructures the requirements, aligns them with SP 800-53 Rev 5, and introduces organization-defined parameters, but DoD contractors must still comply with Rev 2, which the DoD has kept in force through a class deviation, until the DoD updates the DFARS and CMMC requirements.

     

Getting Started with NIST 800-171 Compliance

First, check out our article, “What is SPRS,” for a quick guide on SPRS, how to create an account, and how to submit your data. SPRS is the DoD system in which the NIST SP 800-171 assessment score required by DFARS 252.204-7019 (and, through it, the 252.204-7012 safeguarding obligation) is recorded. Once you have established the appropriate account access in SPRS, it’s time to take the assessment. Often, when a company begins the self-assessment, it isn’t sure what to do and may not understand what the controls are asking.

The simple answer is that a company should determine, for each control, whether it is implemented, partially implemented, or not implemented. The assessment score starts at a perfect 110, and points are deducted for each requirement that is not implemented, for a lowest possible score of negative 203. The controls are weighted at 1, 3, or 5 points depending on their criticality. Note that partial implementation earns partial credit for only two requirements, 3.5.3 (multi-factor authentication) and 3.13.11 (FIPS-validated cryptography), each of which loses 3 points rather than 5 when partially implemented; every other requirement is scored as either implemented or not.

Steps to Achieve NIST 800-171 Compliance

Confused by what the controls are asking?

To complete the assessment, it is imperative that your organization understands what the controls mean in order to determine if they are implemented in your environment. This can be tricky if you aren’t a cyber pro. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) curated a list of the top NIST 800-171 requirements that have been determined as other than satisfied (OTS) during DIBCAC assessments.

Non-compliant controls

Below, find a deep dive into four of those most commonly non-compliant controls to help you get on track: Multi-Factor Authentication, Risk Assessment, Incident Response, and FIPS-Validated Encryption.

1. Identification and Authentication (IA) 3.5.3 – Multi-Factor Authentication
To protect CUI, it’s important to limit access to authorized users, and to do this effectively you need to verify the identity of those users. That is where multi-factor authentication comes into play. Multi-factor authentication confirms the identity of a user, process, or device by requiring two or more distinct authentication factors for a successful login. The factors fall into three types: something you know, such as a password or personal identification number; something you have, such as a cryptographic identification device or token; and something you are, such as a biometric. Two factors of the same type (a password plus a PIN, for example) do not count as multi-factor. Requirement 3.5.3 calls for MFA for local and network access to privileged accounts and for network access to non-privileged accounts, so a deployment that covers remote and administrative logins but not ordinary users’ network logins is only partially implemented.

 

2. Risk Assessment (RA) 3.11.1 – Periodically Assess Risk
Requirement 3.11.1 asks organizations handling CUI to periodically assess the risk to organizational operations, assets, and individuals that results from operating their systems and from processing, storing, or transmitting CUI. So, what are the best practices your organization should consider implementing to comply with this control? First, the control says “periodic” without defining an interval. We recommend conducting the assessment at least annually, and again whenever a significant change occurs, to support the development of a risk management plan. Consider the following as part of your risk assessment process:

  • Assess and mitigate cybersecurity risks to ensure protection of networks and data against potential threats.
  • Evaluate the nature of the data being processed and stored and the potential threats against that data.
  • Develop, tailor, and implement mitigation strategies for the identified risks, including measures such as security controls and contingency plans.
  • Monitor the environment for changes that could affect data security, and record the results so that each assessment can be compared with the last.

 

3. Incident Response (IR) 3.6.3 – Test Your Incident Response Capabilities
NIST 800-171 requirement 3.6.1 requires an organization to establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities; requirement 3.6.3 requires the organization to test that capability. NIST SP 800-171A supplies the assessment procedures for both, and an organization seeking Cybersecurity Maturity Model Certification (CMMC) Level 2 will be assessed against both.

With ever-evolving threats, incident response testing has become a necessary component of an information security program. IR testing can include tabletop exercises, functional exercises, and tests that simulate attacks to examine your incident response procedures:

  • Tabletop Exercises are facilitated, discussion-based exercises where personnel meet to discuss roles, responsibilities, coordination, and decision-making of a given scenario.
  • Functional Exercises allow personnel to validate their readiness for emergencies by performing their duties in a simulated environment.
  • Tests are evaluation tools that use quantifiable metrics to validate the operability of an IT system or system component in an operational environment. A test is conducted in as close to an operational environment as possible.

 

4. System Communications & Protection (SC) 3.13.11 – FIPS Validated Encryption

This is number one on DIBCAC’s list of most commonly non-compliant controls, and for good reason. A FIPS-validated cryptographic module is one that has been tested by an accredited laboratory and validated by NIST’s Cryptographic Module Validation Program (CMVP) against the Federal Information Processing Standard (FIPS) 140-2 (or its successor, FIPS 140-3) U.S. Government standard. Using a FIPS-approved algorithm such as AES is not enough; the specific module implementing it must hold a CMVP certificate. NIST 800-171 requirement 3.13.11 requires FIPS-validated cryptography to be employed when cryptography is used to protect the confidentiality of CUI, whether you are storing it in your system(s) or transmitting it across the internet. Cryptography is the use of mathematical algorithms to secure data communication. Encryption is the process of applying a cryptographic algorithm to data to transform it into a form that only an authorized party can understand. It’s like wrapping that sensitive information up in a bubble so that only the intended, authorized recipients of the data can access it.

So, how do you comply with this standard? You will need to implement FIPS-validated encryption in your systems that handle CUI, and you will need to document this in policy, process, and procedural documents, AND in your System Security Plan. BitLocker is an example of a product built on FIPS-validated modules, but it requires a setting before encryption: the Windows security policy “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing” (backed by the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled = 1) must be turned on before the drive is encrypted. A volume encrypted while the policy was off does not become compliant when the policy is enabled later; it must be decrypted and re-encrypted. The validation is also tied to specific Windows builds, so confirm that the build you run appears on the CMVP validated-module list.
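As an added example (not code from the original article or from Microsoft), the following PowerShell script performs the point-in-time check an assessor would ask for on a Windows endpoint that stores CUI: it reads the FIPS algorithm policy value described above and lists every BitLocker volume with its encryption state and method, flagging anything that is not fully encrypted with an AES method. It uses only the built-in BitLocker module and registry provider; the compliance rule in `Get-BitLockerFindings` (fully encrypted, protection on, XTS-AES or AES-CBC) is our assumption of what “FIPS-validated encryption at rest” looks like in practice. Run it in an elevated PowerShell session.

```powershell
# Added example: audit FIPS mode and BitLocker state on a Windows host.
# Not part of the original article; run as Administrator.

function Test-FipsPolicy {
    # Registry value behind "System cryptography: Use FIPS compliant algorithms
    # for encryption, hashing, and signing". 1 = enabled, anything else = off.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    return ($value -eq 1)
}

function Get-BitLockerFindings {
    # One record per OS or data volume. The Compliant rule below is an assumption:
    # fully encrypted, protectors active, and an AES method (XTS-AES preferred).
    # Legacy Aes*Diffuser modes, 'Hardware' (self-encrypting drive) and 'None'
    # are reported as non-compliant so a human reviews them.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeType       = $_.VolumeType
                VolumeStatus     = $_.VolumeStatus        # expect FullyEncrypted
                EncryptionMethod = $_.EncryptionMethod    # expect XtsAes128/256 or Aes128/256
                ProtectionStatus = $_.ProtectionStatus    # expect On
                Compliant        = ($_.VolumeStatus -eq 'FullyEncrypted' -and
                                    $_.ProtectionStatus -eq 'On' -and
                                    "$($_.EncryptionMethod)" -match '^(Xts)?Aes(128|256)$')
            }
        }
}

$fipsEnabled = Test-FipsPolicy
$volumes     = @(Get-BitLockerFindings)

"FIPS algorithm policy enabled: $fipsEnabled"
$volumes | Format-Table -AutoSize

if (-not $fipsEnabled) {
    Write-Warning 'FIPS policy is disabled. Enable it, then decrypt and re-encrypt any volume encrypted while it was off.'
}
foreach ($v in $volumes | Where-Object { -not $_.Compliant }) {
    Write-Warning ("Volume {0} is not fully protected: status {1}, method {2}, protection {3}." -f
        $v.MountPoint, $v.VolumeStatus, $v.EncryptionMethod, $v.ProtectionStatus)
}
if ($fipsEnabled -and -not ($volumes | Where-Object { -not $_.Compliant })) {
    'FIPS policy enabled and every BitLocker volume is fully protected.'
}
```

Two caveats for anyone putting this in an evidence package: the script cannot tell whether a volume was encrypted before or after the FIPS policy was switched on, so the decrypt-and-re-encrypt history still has to come from change records, and a green result here covers only data at rest on that host; CUI in transit (TLS configuration, VPN cipher suites) needs its own check against the CMVP listing for the software in use.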

Still struggling? Let Alluvionic help.

We’ve helped dozens of companies complete the NIST Basic Assessment. Our experts guide you through each control, assess your score, document compliance, and provide clear next steps.

If you’re looking to learn more, check out our articles on the basics of CMMC or What is SPRS.
