
NIST SP 800-171 — the 110 controls every CUI-handling contractor lives by.

NIST 800-171 is the security standard for protecting Controlled Unclassified Information on nonfederal systems. Its 110 controls (Revision 2) are the technical substance of CMMC Level 2 and the basis of every SPRS self-assessment score. We design, implement, and document 800-171 programs to assessor grade — the same work that carries straight into a C3PAO assessment.

  • 110 controls in Rev 2
  • 14 control families
  • Rev 3 transition staged for 2026-27

What is NIST 800-171?

NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," defines the security requirements that contractors must meet when they store, process, or transmit Controlled Unclassified Information (CUI) on their own systems.

Revision 2 — the current assessable baseline — contains 110 controls across 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

800-171 was derived from the NIST 800-53 Moderate baseline, tailored down to the controls relevant to protecting CUI when it lives outside federal systems. It is the standard that DFARS 252.204-7012 requires defense contractors to implement, and the technical substance that CMMC Level 2 assesses.

Who needs to comply with 800-171?

Any organization that handles Controlled Unclassified Information under a federal contract. In the defense world, that means any contractor or subcontractor whose contract includes DFARS 252.204-7012 — which, in practice, is the majority of the roughly 76,600 organizations in the CUI-handling Defense Industrial Base.

The reach extends through the supply chain. A prime contractor flows the requirement down to subcontractors at any tier that touches CUI. A small machine shop, a software vendor, a logistics provider — if CUI passes through their systems, 800-171 applies.

Beyond DoD, NIST 800-171 is becoming the default federal CUI baseline. GSA's 2026 civilian-contractor CUI rule draws on the same 800-171 foundation, meaning contractors serving civilian agencies are increasingly subject to equivalent requirements.

800-171 and SPRS scoring

DFARS requires contractors to submit a NIST 800-171 self-assessment score to the Supplier Performance Risk System (SPRS). The score starts at 110 and subtracts weighted points for each control not fully implemented — some controls are worth 1 point, others 3 or 5, reflecting their security impact. A perfect implementation scores 110; significant gaps can produce sharply negative scores.

The SPRS score is what contracting officers check before award, and it is the figure that False Claims Act enforcement now scrutinizes. A self-asserted score materially higher than what an honest assessment would produce is, in the Department of Justice's reading, a false claim — actionable even without a breach. Six cyber-fraud settlements have landed in FY26 to date, on top of seven in 2025.

We treat the SPRS score as an output of a real assessment, not a number to optimize. A defensible score is one you could re-derive in front of an assessor.

The Rev 2 to Rev 3 transition

NIST published 800-171 Revision 3, but CMMC Level 2 is still assessed against Revision 2. DoD staged the Rev 3 transition by publishing Organization-Defined Parameters ahead of formal rulemaking, and practitioner consensus now expects Rev 3 rulemaking in late 2026 to early 2027.

Rev 3 restructures the catalog: it adds three control families — Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR) — aligning more closely with NIST 800-53 Rev 5, and introduces Organization-Defined Parameters that let organizations specify implementation details.

The practical guidance for 2026: build to Rev 2, because that is what C3PAOs assess against through the first wave of CMMC Phase 2 enforcement. But track the Rev 3 delta — Tier-1 primes are starting to ask subs about Rev 3 readiness in pre-award evaluations even where Rev 2 remains the contractual baseline.

Why Fortinetics for NIST 800-171

The program that carries into CMMC. Implementing 800-171 well is implementing CMMC Level 2 well — the 110 controls are identical. We design the program once, to assessor grade, so the same evidence and documentation support both the SPRS score and a C3PAO assessment. No throwaway work.

Authorship-level CMMC knowledge. A member of our team contributed to the CMMC standard at the Department of Defense in 2019. The 800-171-to-CMMC relationship is not abstract to us; we helped shape how the controls are assessed.

Evidence-as-byproduct design. A defensible 800-171 posture produces audit-grade artifacts as a byproduct of operations, not a reconstruction exercise at assessment time. That discipline is the difference between a score you can defend and a score that invites scrutiny.

Honest SPRS scoring. We score against reality, not aspiration. A score we help you submit is one you could re-derive in front of a C3PAO or, if it comes to it, a DOJ inquiry.

Recent regulatory changes

Recent changes affecting NIST 800-171.

  • May 2026
    NIST 800-171 Rev 3 rulemaking window tightens to late 2026 / early 2027

    Practitioner consensus across Q2 2026 trade press converged on a late-2026-to-early-2027 rulemaking timeline for the Rev 2 to Rev 3 transition — meaningfully tighter than the prior 'timeline unknown' framing. CMMC Level 2 remains Rev 2-assessed for now, but primes are asking subs about Rev 3 readiness.

  • March 2026
    GSA CUI rule extends the 800-171 baseline to civilian contractors

    GSA's March 2026 Controlled Unclassified Information rule draws on the same NIST 800-171 foundation, marking the beginning of a CMMC-like regime for federal civilian agency contracts. NIST 800-171 is becoming the default federal CUI baseline, not just a DoD obligation.

  • December 2025
    DOJ False Claims Act enforcement targets false SPRS scores

    The first subcontractor-level FCA settlement landed in December 2025. FCA liability attaches to the SPRS self-attestation itself — a score materially higher than an honest assessment would produce is actionable even without a breach. Six further cyber-fraud settlements have landed in FY26 to date.

Frequently asked

Questions we get about NIST 800-171.

What is NIST 800-171 and who has to comply?
NIST SP 800-171 is the security standard for protecting Controlled Unclassified Information (CUI) on nonfederal systems; Revision 2 contains 110 controls across 14 families. Any organization handling CUI under a federal contract must comply, which in defense means any contractor or subcontractor whose contract includes DFARS 252.204-7012 — the majority of the roughly 76,600 CUI-handling organizations in the Defense Industrial Base.
How does NIST 800-171 relate to CMMC?
CMMC Level 2 is the 110 NIST 800-171 Rev 2 controls, with the assessment and certification machinery layered on top. Implementing 800-171 is implementing CMMC Level 2 — the controls are identical. The difference is that CMMC adds third-party (C3PAO) assessment and a certificate, where 800-171 on its own has historically been self-assessed and reported as a SPRS score.
What is a SPRS score and how is it calculated?
The Supplier Performance Risk System (SPRS) score is the NIST 800-171 self-assessment figure DFARS requires contractors to submit. It starts at 110 and subtracts weighted points for each control not fully implemented — controls are worth 1, 3, or 5 points based on security impact. A perfect implementation scores 110. Contracting officers check the score before award, and False Claims Act enforcement now scrutinizes scores that are materially higher than an honest assessment would produce.
Should we implement 800-171 Rev 2 or Rev 3?
Build to Rev 2 — it's the current assessable baseline and what C3PAOs assess against through the first wave of CMMC Phase 2 enforcement. NIST has published Rev 3, and DoD staged the transition by releasing Organization-Defined Parameters, with rulemaking expected late 2026 to early 2027. Track the Rev 3 delta (it adds Planning, System and Services Acquisition, and Supply Chain Risk Management families), but don't redesign your environment for it yet.
How many controls are in NIST 800-171?
Revision 2 — the current assessable baseline — has 110 controls across 14 families. Revision 3 restructures the catalog and adds three families (Planning, System and Services Acquisition, Supply Chain Risk Management) aligning more closely with NIST 800-53 Rev 5, but CMMC Level 2 is still assessed against the Rev 2 set of 110.
Is NIST 800-171 the same as NIST 800-53?
No, but they're related. NIST 800-171 (110 controls) is a tailored subset derived from the NIST 800-53 Moderate baseline (1,000+ controls), focused on protecting CUI on nonfederal systems. 800-171 underpins CMMC for defense contractors; 800-53 underpins FedRAMP and DoD authorizations for cloud services. See our NIST 800-171 vs 800-53 comparison for the full breakdown.
Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific NIST 800-171 target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.
