If your company works on Department of Defense contracts and handles sensitive government information, NIST 800-171 compliance is not optional — it’s a legal requirement. And with the DoD’s CMMC program now embedded in hundreds of contracts, the rules just got stricter, and enforcement is accelerating. This guide covers what NIST 800-171 requires, how it differs from CMMC, what the new enforcement landscape means for your business, and the steps you need to take right now to protect your contract eligibility.

NIST SP 800-171 (Special Publication 800-171) is a set of cybersecurity guidelines published by the National Institute of Standards and Technology (NIST) designed to protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations. First published in 2015, it derives from the broader NIST SP 800-53 framework — the federal government’s primary security standard — but is specifically tailored for companies like yours that handle CUI outside of federal systems.

What is CUI?

Controlled Unclassified Information (CUI) is sensitive information created by or on behalf of the federal government that requires protection under specific laws, regulations, or government-wide policies. While CUI is not classified, its unauthorized disclosure can pose risks to national security. Examples include technical specifications, contract information, and export-controlled data. If your DoD contract includes a DFARS 252.204-7012 clause, you are handling CUI and must comply with NIST 800-171. If it also includes a DFARS 252.204-7021 clause, you are subject to CMMC certification requirements.

NIST 800-171 organizes its requirements into 110 security controls across 14 control families and is evaluated against 320 assessment objectives. The current compliance requirement — including for all CMMC Level 2 assessments — is based on Revision 2. Revision 3 was finalized in May 2024 and introduces meaningful changes, but is not yet mandated. More on that below.

Any organization in the supply chain for the DoD, GSA, NASA, or other federal agencies that handles CUI must implement these requirements.

NIST 800-171 compliance means your organization has fully implemented the required 110 security controls to protect CUI. For DoD contractors, it is both a contractual obligation under DFARS 252.204-7012 and the foundation for achieving CMMC Level 2 certification.

NIST 800-171 compliance also requires documentation. Control 3.12.4 mandates a System Security Plan (SSP) — a formal document describing your system boundaries, how each of the 110 controls is implemented, and your relationships with external systems and service providers. Your SSP is the foundational document for any CMMC assessment. Without it, certification is not possible, regardless of how well your technical controls are implemented.

Non-compliance carries real consequences. The DoJ recovered $52 million across nine cybersecurity-related False Claims Act settlements in FY2025 alone. Raytheon settled for $8.5 million after failing to implement a compliant System Security Plan. Georgia Tech settled for $875,000 over unimplemented security controls. Both cases were triggered by whistleblowers. The DoJ’s Civil Cyber-Fraud Initiative is continuing into 2026 with no sign of slowing.

How Does NIST 800-171 Differ from CMMC?

NIST 800-171 defines the security requirements. CMMC verifies that you’ve actually implemented them.

Before CMMC, contractors self-attested to NIST 800-171 compliance — essentially grading their own homework. CMMC Level 2 ends self-attestation for most contractors. An accredited C3PAO physically reviews your documentation, interviews your staff, and tests your systems. Over 93% of the approximately 76,000 organizations that handle CUI will need to undergo a C3PAO assessment rather than self-attest.

On scoring: a perfect 110 is required for full certification. However, if you score at least 88 out of 110 (80%), you qualify for conditional certification — a temporary status that allows you to continue pursuing contracts while you remediate remaining gaps. Those gaps must be documented in a Plan of Action and Milestones (POA&M) and resolved within 180 days of your Final Findings briefing with your C3PAO, or your conditional certification is revoked. POA&Ms are only permitted for low-point controls. High-value controls — including multi-factor authentication and encryption — cannot be deferred and must be fully implemented before your assessment begins.

CMMC also introduces an ongoing obligation at every CMMC level, which requires the submission of an annual attestation — signed by a senior company official — confirming continued compliance. This is not a one-time certification. Maintaining compliance and documenting it on an ongoing basis is a permanent requirement.

CMMC is rolling out in phases. Phase 1 began November 10, 2025 and requires CMMC Level 1 or Level 2 self-assessment as a condition of contract award in applicable solicitations. Phase 2 begins November 10, 2026. In addition to Phase 1 requirements, the DoD intends to include the requirement for CMMC Level 2 (C3PAO) status in applicable DoD solicitations and contracts as a condition of contract award. At that point, self-attestation for Level 2 will no longer be sufficient for the vast majority of contractors. With C3PAO assessment slots already filling up and preparation taking 12 to 18 months, the window to act is closing fast.

Bottom line: NIST 800-171 is the rulebook. CMMC is the audit that proves you’re following it — and starting November 2026, that audit is mandatory for most defense contractors handling CUI.

Who is Required to Be NIST 800-171 Compliant?

NIST 800-171 applies to any organization that handles CUI — storing it, processing it, or transmitting it. Under DFARS 252.204-7012, this requirement has applied to defense contractors and their subcontractors since 2017. It also extends to organizations in the supply chain for other federal agencies, including the GSA, NASA, and any agency that generates or shares CUI. This includes prime contractors, subcontractors at every tier of the supply chain, and universities and research institutions with government contracts.

If you’re a smaller contractor or subcontractor, don’t assume NIST 800-171 doesn’t apply to you. Cybercriminals specifically target smaller defense suppliers because they tend to have weaker security than large primes. And as primes face their own CMMC deadlines, many are already flowing down certification requirements to their supply chains — in some cases making Level 2 C3PAO certification a condition of new purchase orders right now.

NIST 800-171 organizes its 110 security controls into 14 control families. Each family addresses a specific area of cybersecurity. Every control must be addressed — either fully implemented or, where permitted, documented in a POA&M with a clear remediation plan.

Control family: what it covers (number of controls)

Access Control (AC): who can access your systems and data (22)
Awareness and Training (AT): ensuring your team understands cybersecurity risks (3)
Audit and Accountability (AU): logging and monitoring system activity (9)
Configuration Management (CM): keeping system configurations secure and controlled (9)
Identification and Authentication (IA): verifying who is accessing your systems (11)
Incident Response (IR): how you detect and respond to security incidents (3)
Maintenance (MA): keeping systems secure during updates and maintenance (6)
Media Protection (MP): protecting physical and digital media containing CUI (9)
Personnel Security (PS): screening staff and enforcing security policies (2)
Physical Protection (PE): controlling physical access to systems and CUI (6)
Risk Assessment (RA): identifying and addressing security risks (3)
Security Assessment (CA): regularly evaluating your security posture (4)
System and Communications Protection (SC): encrypting communications and securing system design (16)
System and Information Integrity (SI): detecting and fixing system vulnerabilities (7)

All current CMMC Level 2 assessments are based on NIST 800-171 Revision 2. The DoD has issued a class deviation confirming Rev 2 remains the compliance baseline until further notice.

NIST 800-171 Revision 3 was finalized in May 2024 and introduces significant changes: consolidating from 110 controls to 97, adding three new control families, expanding the use of organizationally defined parameters (ODPs), and aligning more closely with NIST 800-53. The DoD has not announced an official transition date but is expected to provide 12 to 24 months advance notice when it does.

Bottom line: Get compliant with Rev 2 now. Start reviewing Rev 3’s structure so the transition doesn’t disrupt your compliance program.

It’s also worth noting that some international defense compliance standards are already based on NIST 800-171 Rev 3. Canada’s CPCSC program is built on NIST 800-171 Rev 3 and will require it when Level 2 certification is mandated, expected in 2027. If your business operates across borders, getting ahead of Rev 3 now will position you well for that transition.

Full NIST 800-171 compliance typically takes 12 to 18 months. Start immediately to protect your contract eligibility.

Step 1: Familiarize yourself with NIST 800-171 and CMMC

Understand the 110 controls, the 14 control families, and how CMMC Level 2 maps directly to NIST 800-171 Rev 2. The DoD’s CMMC website and the Cyber AB’s website are the authoritative sources for program updates. Your defense contract will specify which CMMC level applies — any organization handling CUI needs at least Level 2, and over 93% of those will require a C3PAO assessment rather than self-attestation.

Step 2: Scope your compliance boundary

Identify which systems, people, and processes touch CUI. If only part of your organization handles CUI, create a separate CUI enclave to limit your compliance scope. A smaller boundary means a simpler, faster, and less expensive assessment. Note that External Service Providers — including MSPs that deliver security services such as SIEM, antivirus, or MFA — fall within your compliance boundary and will be subject to assessment.

Step 3: Adopt a secure file-sharing and email solution for CUI

Email and file sharing are the primary ways CUI is transmitted and the most common source of compliance gaps. Standard commercial tools — Microsoft 365 Commercial, Gmail, Google Drive, Dropbox — do not meet CMMC Level 2 requirements for handling CUI. Your Cloud Service Provider must meet FedRAMP Moderate Baseline or Equivalent standards, comply with DFARS 252.204-7012 (c)-(g), and use FIPS-validated encryption. When evaluating file-sharing solutions for NIST 800-171 compliance, don’t accept a CSP’s self-attestation — ask for documented evidence of their FedRAMP equivalency and FIPS certification.

Step 4: Develop your compliance documentation

Build your System Security Plan (SSP), standard operating procedures for each of the 14 control families, and POA&Ms for any gaps. Your SSP is the foundational document for your C3PAO assessment and a prerequisite for any DoD contract consideration. Without a complete SSP, certification is not possible.

Step 5: Conduct your NIST 800-171 self-assessment

Use NIST SP 800-171A — the companion assessment guide — to evaluate your compliance across all 110 controls and 320 assessment objectives. Calculate your SPRS score and submit it to the DoD. Contracting officers check your SPRS record before award — a missing, outdated, or inflated score is a disqualifier and, in the case of intentional misrepresentation, a False Claims Act liability.

Step 6: Get expert help if you need it

Most small and mid-size contractors don’t have a full-time cybersecurity team. Consider working with a Registered Practitioner Organization (RPO), Managed Service Provider (MSP), or C3PAO for a mock assessment approximately three months before your official assessment. A mock assessment simulates the formal evaluation and identifies remaining gaps before the real thing. Note that if a C3PAO conducts your mock assessment, they cannot serve as your official assessor due to conflict of interest rules.

Step 7: Schedule your C3PAO assessment now

As of February 2026, only 1,042 of the estimated 76,598 organizations that need Level 2 C3PAO certification have completed it — roughly 1.4%. Meanwhile, only 88 authorized C3PAOs exist to serve them, with wait times already exceeding 18 months for new clients. With Phase 2 hitting November 10, 2026, contact accredited C3PAOs now. Waiting any longer risks missing the deadline entirely.

Frequently Asked Questions

How long does NIST 800-171 compliance take?

Most organizations require 12 to 18 months to achieve full compliance. Experienced C3PAOs estimate that small to midsize organizations with the right technology platform and documentation support can complete CMMC Level 2 preparation in 6 to 12 months. Starting immediately is the only way to protect your contract eligibility ahead of the November 2026 Phase 2 deadline.

What is NIST 800-171 Rev 3?

NIST 800-171 Revision 3 is the latest version of the NIST 800-171 framework, finalized in May 2024. It consolidates the original 110 controls down to 97, adds three new control families, and introduces organizationally defined parameters (ODPs) that give organizations more flexibility in implementation. However, Rev 3 is not yet required — all current CMMC Level 2 assessments continue to use Revision 2. The DoD has not announced an official transition date, but is expected to provide 12 to 24 months advance notice when it does.

What is an SPRS score?

Your SPRS (Supplier Performance Risk System) score reflects your self-assessed compliance with NIST 800-171. Scores range from -203 to 110. A score of 110 means all controls are implemented. You are required to submit this score to the DoD, and contracting officers check it before award. Submitting an inflated score is a False Claims Act violation — MORSECORP settled for $4.6 million after submitting a self-assessed score of 104 when their actual consultant-assessed score was -142.

What happens if I’m not NIST 800-171 compliant?

Non-compliance can result in loss of DoD contract eligibility, withholding of contract payments, and legal liability under the False Claims Act. The DoJ’s Civil Cyber-Fraud Initiative actively pursues contractors who misrepresent their compliance status. FY2025 saw $52 million recovered across nine settlements. Non-compliance is not a theoretical risk — it is an active enforcement priority.

Does NIST 800-171 apply to subcontractors?

Yes. DFARS 252.204-7012 requires prime contractors to flow down NIST 800-171 requirements to any subcontractor that handles CUI. Primes are increasingly enforcing this ahead of the Phase 2 deadline, with some already requiring Level 2 C3PAO certification as a condition of new purchase orders. Being a subcontractor does not exempt you — it may mean your deadline arrives earlier than November 2026.

How much does CMMC Level 2 compliance cost?

Costs vary widely depending on your organization’s size, current security posture, and the scope of your CUI environment. Assessment fees alone ranged from $75,000 to $150,000 in 2026. Technology, documentation, and consulting costs add to that. PreVeil customers save an average of 75% compared to Microsoft GCC High for email and file sharing.

For a personalized estimate, use PreVeil’s CMMC Level 2 Cost Calculator: preveil.com/cmmc-cost-calculator

What NIST 800-171 compliance companies can help?

PreVeil is a robust NIST 800-171 and CMMC compliance platform built specifically for small and mid-size defense contractors. For a detailed breakdown of how PreVeil helps organizations achieve compliance — including a full Shared Responsibility Matrix and case studies of contractors who achieved 110/110 — download our Guide to Achieving CMMC Compliance. Other options include Registered Practitioner Organizations (RPOs) for consulting and readiness assessments, Managed Service Providers (MSPs) for implementing technical controls, and accredited C3PAOs for official certification assessments.

PreVeil is a robust email and file-sharing platform designed to meet the strict requirements of NIST 800-171 and CMMC compliance. It combines a secure technology platform, assessment-ready compliance documentation, and a vetted partner network — everything most small and mid-size defense contractors need to get certified.

Today, over 3,000 defense contractors trust PreVeil for their compliance needs. Over 60 organizations — including defense contractors, higher education institutions, MSPs, and C3PAOs — have achieved a perfect score of 110 out of 110 on their CMMC Level 2 assessments using PreVeil.

Talk to a PreVeil compliance expert today and find out how quickly your organization can get on the path to NIST 800-171 and CMMC certification: preveil.com/free-compliance-meeting