NIST SP 800-171 is the federal standard for protecting Controlled Unclassified Information (CUI) when it lives on a contractor’s systems instead of a government one. If you sell IT, software, or technical services to the Department of Defense and you touch CUI, the DFARS 252.204-7012 clause turns that standard into a contractual obligation — and your implementation gets scored and posted in SPRS. This page walks through what the standard actually requires, the 14 control families, the 110 requirements, and how it connects to CMMC, without the consultant fog. BrandShyp bids federal and state IT work every week and maintains its own 800-171 posture, so this is the map we use ourselves.
What NIST 800-171 Actually Is
A control catalog for protecting government data that sits on your network — not theirs.
NIST Special Publication 800-171 is a catalog of security requirements published by the National Institute of Standards and Technology. Its single job is to protect the confidentiality of Controlled Unclassified Information (CUI) when that information is stored, processed, or transmitted on a nonfederal system — meaning a contractor’s laptops, servers, and cloud tenants rather than a federal agency’s own systems.
CUI is government-created or government-owned information that is sensitive but not classified — think technical drawings, export-controlled data, contract deliverables, and certain personally identifiable information. If your firm receives that kind of data to do the work, 800-171 is the floor the government expects you to meet. To go deeper on what counts as CUI and how it gets marked, see our guide to Controlled Unclassified Information.
The 14 Control Families & 110 Requirements
Revision 2 organizes everything into 14 families and 110 individual security requirements.
In Revision 2 — the version DoD’s contractual machinery is built around — the 800-171 requirements are grouped into 14 control families, totaling 110 security requirements. Each requirement is a specific, assessable control. The families are:
Access Control
Limit system access to authorized users, processes, and devices.
Awareness & Training
Make sure staff understand the risks and their security responsibilities.
Audit & Accountability
Create, protect, and review system audit logs.
Configuration Management
Establish and enforce secure baseline configurations.
Identification & Authentication
Verify the identity of users and devices before granting access.
Incident Response
Detect, report, and respond to security incidents.
Maintenance
Perform system maintenance securely and control maintenance tools.
Media Protection
Protect, sanitize, and control physical and digital media holding CUI.
Personnel Security
Screen individuals and protect CUI during personnel actions.
Physical Protection
Limit physical access to systems, equipment, and operating environments.
Risk Assessment
Assess risk to operations and assets, including vulnerability scanning.
Security Assessment
Assess controls, build plans of action, and monitor on an ongoing basis.
System & Communications Protection
Monitor and protect data at the system boundary and in transit.
System & Information Integrity
Identify, report, and correct flaws; protect against malicious code.
DFARS 252.204-7012, SPRS & CMMC
How a NIST publication becomes a binding requirement on your DoD contract.
800-171 by itself is guidance. DFARS clause 252.204-7012 is what makes it mandatory: any DoD contractor whose covered contractor information systems handle CUI must implement the 800-171 security requirements. The clause does not name a specific revision; it points to the version of 800-171 in effect at the time the solicitation is issued, or as authorized by the contracting officer. Two companion clauses carry the assessment side: 252.204-7019 requires you to have a current (not more than three years old) self-assessment score posted in SPRS before award, and 252.204-7020 requires you to give DoD access to your systems and records so it can conduct its own Medium or High assessment, and to flow the requirement down to subcontractors that handle CUI.
The SPRS Score (out of 110)
You assess yourself against the DoD Assessment Methodology, which starts at 110 and subtracts a weighted value of 1, 3, or 5 points for each requirement you have not fully implemented. A partially implemented requirement counts as not implemented, with two exceptions: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) can be scored at a 3-point deduction instead of 5 when they are partly in place. The result is posted in the Supplier Performance Risk System (SPRS) so contracting officers can see it before award. Not every gap costs the same, and a low score can go negative. Our SPRS calculator walks you through the weighting.
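As a worked example of the weighting rules described above, here is a small scorer written for this page. It is added example code, not BrandShyp's SPRS calculator and not a DoD tool. The WEIGHTS table is a constructed subset: only the two partial-credit requirements (3.5.3 and 3.13.11) are stated by the methodology itself; the other entries and the sample findings are illustrative, and the full 110-row table must be taken from the DoD Assessment Methodology before using this for a real score. The names Finding, deduction and sprs_score are this example's own.

```python
"""Weighted 800-171 Rev 2 self-assessment scorer (added example).

Rules implemented, per the DoD Assessment Methodology:
  * start at 110 and subtract the weight (1, 3 or 5) of every requirement
    that is not fully implemented;
  * a partially implemented requirement is scored as not implemented,
    except 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto), which may be
    scored at 3 points instead of 5;
  * the score can go negative.
"""
from dataclasses import dataclass

MAX_SCORE = 110

# Constructed subset of the weight table (requirement id -> points).
# 3.5.3 and 3.13.11 are 5-point items in the methodology; the remaining
# values here are illustrative placeholders, not an authoritative copy.
WEIGHTS = {
    "3.1.1": 5,     # limit system access to authorized users (illustrative)
    "3.1.5": 3,     # least privilege (illustrative)
    "3.1.20": 1,    # connections to external systems (illustrative)
    "3.5.3": 5,     # multifactor authentication
    "3.13.11": 5,   # FIPS-validated cryptography for CUI
    "3.14.1": 5,    # flaw remediation (illustrative)
}

# Only these two requirements receive partial credit (3 instead of 5).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = ("not_implemented", "partial")


@dataclass(frozen=True)
class Finding:
    """One requirement that is not fully met, with its implementation state."""
    requirement: str
    status: str  # "not_implemented" or "partial"


def deduction(finding: Finding) -> int:
    """Points to subtract for one finding."""
    if finding.requirement not in WEIGHTS:
        raise KeyError(f"no weight on file for {finding.requirement}")
    if finding.status not in VALID_STATUSES:
        raise ValueError(f"unknown status {finding.status!r}")
    if finding.status == "partial" and finding.requirement in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[finding.requirement]
    # Anything else that is only partly in place is scored as unmet.
    return WEIGHTS[finding.requirement]


def sprs_score(findings) -> int:
    """110 minus the weighted deductions; rejects the same requirement twice."""
    seen = set()
    total = 0
    for finding in findings:
        if finding.requirement in seen:
            raise ValueError(f"{finding.requirement} listed more than once")
        seen.add(finding.requirement)
        total += deduction(finding)
    return MAX_SCORE - total


# Constructed sample: MFA and FIPS crypto partly done (3 each), least
# privilege missing (3), external connections uncontrolled (1), and 3.1.1
# only partly implemented, which costs the full 5 points.
SAMPLE_FINDINGS = [
    Finding("3.5.3", "partial"),
    Finding("3.13.11", "partial"),
    Finding("3.1.5", "not_implemented"),
    Finding("3.1.20", "not_implemented"),
    Finding("3.1.1", "partial"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.requirement:8} {f.status:16} -{deduction(f)}")
    print("score:", sprs_score(SAMPLE_FINDINGS))  # 95 for the sample above
```

The point to notice is the last finding: "partial" on anything other than 3.5.3 or 3.13.11 costs the full weight, which is the mistake that most often inflates a self-reported score.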
How CMMC Fits
The Cybersecurity Maturity Model Certification (CMMC) program adds third-party verification on top of 800-171. CMMC Level 2 requirements mirror the 110 requirements of 800-171 Revision 2. CMMC began phasing into DoD contracts on November 10, 2025 over a multi-year rollout — and where a self-attestation used to be enough, many CUI contracts will require an independent third-party assessment. See our explainer on what CMMC is for the details and timeline.
The SSP and POA&M You Must Maintain
Two documents are non-negotiable — and assessors will ask for both.
System Security Plan (SSP)
The SSP describes your system boundary, how each of the 110 requirements is implemented, and the environment that handles CUI. It is the single source of truth an assessor reads first. If it’s vague or out of date, your whole posture looks weak — even if your controls are sound.
Plan of Action & Milestones (POA&M)
The POA&M tracks every requirement you have not fully met, with a remediation plan and target dates. It’s how you show good-faith progress. Honesty here matters: a clean SSP with an empty POA&M while real gaps exist is worse than an accurate one that shows work in flight. Be aware that a POA&M buys less under CMMC than it does for a self-assessment. The CMMC program rule only lets a Level 2 assessment close with open POA&M items if the score is at least 88 of 110, the open items are 1-point requirements (3.13.11 is the one 3-point exception), and everything is closed out within 180 days.
Revision 2 vs. Revision 3 — read this before you file anything
In May 2024, NIST published Revision 3 of 800-171, which reorganizes the controls (Rev 3 expands to 17 families and introduces organization-defined parameters), and a year later, in May 2025, it withdrew Revision 2 as a NIST publication. That is a NIST lifecycle change, not an automatic contract change. DoD’s contractual baseline is still the 110-requirement, 14-family Revision 2 model, scored in SPRS and mirrored in CMMC Level 2. Two things keep Rev 2 operative: DoD issued a class deviation directing continued use of Revision 2 under DFARS 252.204-7012 until Rev 3 is adopted through rulemaking, and the CMMC program rule (32 CFR Part 170) incorporates 800-171 Revision 2 (Feb. 2020) by reference. Until those rules are updated, Rev 2 is the version you implement and get scored against, so do not re-map your SSP to Rev 3 numbering before your assessor and your contract do.
BrandShyp serves IT contractors nationwide and at overseas and embassy posts — we bid this work every week and run our own 800-171 program, so we read these clauses for a living, not in the abstract. If you’re staring at a DFARS clause and unsure where to start, talk to us.