NIST 800-171 Compliance Guide: Controls, SSP Templates, and Certification
Master NIST 800-171 compliance with this guide to all 110 controls, SSP templates, SPRS scoring, and the certification process for government contractors.
We have guided organizations from SPRS scores in the negative hundreds to full NIST 800-171 compliance — and the pattern is always the same. The contractors who succeed start by understanding exactly what each control requires before writing a single policy or configuring a single system.
NIST 800-171 controls form the backbone of cybersecurity compliance for government contractors. If your organization handles Controlled Unclassified Information (CUI) under a Department of Defense contract or subcontract, NIST Special Publication 800-171 defines the 110 security requirements you must implement. These controls are not theoretical recommendations — they are contractual obligations under DFARS clause 252.204-7012 and the foundation for CMMC Level 2 certification.
This guide walks through every aspect of NIST 800-171 compliance: the purpose and scope of the standard, all 14 control families with their specific requirements, how to build and maintain a System Security Plan (SSP), the SPRS scoring methodology, implementation roadmaps by company size, and how NIST 800-171 fits within the broader landscape of CMMC and ISO 27001. By the end, you will have a clear understanding of what compliance requires and a practical path to achieving it.
What Is NIST 800-171?
NIST Special Publication 800-171 — formally titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" — is a security framework published by the National Institute of Standards and Technology. It specifies 110 security requirements that non-federal organizations must implement when processing, storing, or transmitting CUI on behalf of the federal government.
The standard exists because CUI, while not classified, still requires protection from unauthorized disclosure. Examples of CUI include technical drawings for defense systems, export-controlled research data, personally identifiable information collected under federal contracts, and law enforcement-sensitive information. When this data resides in contractor systems, NIST 800-171 ensures those systems meet a consistent security baseline.
Who Must Comply
Any non-federal organization that handles CUI must comply with NIST 800-171. This includes:
- Prime contractors on DoD contracts containing DFARS clause 252.204-7012
- Subcontractors at every tier if CUI flows to their systems
- Research institutions receiving CUI under federal grants
- Cloud service providers hosting CUI (who must also meet FedRAMP Moderate baseline)
The standard applies to all components of your information system that process, store, or transmit CUI, plus any components that provide security protections for those systems. This scoping decision — defining your CUI boundary — is one of the most consequential steps in your compliance journey.
The 14 Control Families
NIST 800-171 organizes its 110 controls into 14 families, each addressing a distinct security domain. Here is an overview of every family with the number of controls and key requirements:
| Family | Code | Controls | Key Focus Areas |
|---|---|---|---|
| Access Control | AC | 22 | Least privilege, account management, remote access, information flow, session controls |
| Awareness and Training | AT | 3 | Security awareness training, insider threat awareness, role-based training |
| Audit and Accountability | AU | 9 | Event logging, log protection, log review, audit record content, time synchronization |
| Configuration Management | CM | 9 | Baseline configurations, change control, least functionality, software restrictions |
| Identification and Authentication | IA | 11 | Multi-factor authentication, password management, device identification, cryptographic authentication |
| Incident Response | IR | 3 | Incident handling capability, monitoring and reporting, incident response testing |
| Maintenance | MA | 6 | Controlled maintenance, maintenance tools, remote maintenance, maintenance personnel |
| Media Protection | MP | 9 | Media access, media marking, media storage, media transport, media sanitization |
| Personnel Security | PS | 2 | Personnel screening, personnel termination and transfer |
| Physical Protection | PE | 6 | Physical access authorization, monitoring, visitor control, emergency access |
| Risk Assessment | RA | 3 | Risk assessment execution, vulnerability scanning, vulnerability remediation |
| Security Assessment | CA | 4 | Security control assessments, system connections, plans of action, continuous monitoring |
| System and Communications Protection | SC | 16 | Boundary protection, CUI encryption, session authenticity, cryptographic mechanisms |
| System and Information Integrity | SI | 7 | Flaw remediation, malicious code protection, security alerts, system monitoring |
High-Impact Control Areas
While all 110 controls must be addressed, several families consistently require the most effort:
Access Control (22 controls) is the largest family and the one where most organizations have the biggest gaps. Enforcing least privilege across all systems, implementing role-based access, controlling remote access, and establishing information flow enforcement policies require both technical controls and documented procedures.
System and Communications Protection (16 controls) includes the NIST 800-171 encryption and boundary protection requirements that drive significant infrastructure investment. You must encrypt CUI at rest and in transit, implement boundary protection devices, and establish subnetwork isolation.
Identification and Authentication (11 controls) requires multi-factor authentication for all network and remote access, replay-resistant authentication mechanisms, and device identification. For organizations relying on single-factor authentication, this family alone can require substantial changes.
System Security Plan (SSP) Deep Dive
Your System Security Plan is the cornerstone document for NIST 800-171 compliance. It describes your system environment, documents how you implement each of the 110 controls, and identifies any gaps with associated Plans of Action and Milestones (POA&Ms).
What an SSP Must Contain
A complete NIST 800-171 SSP template includes:
- System description — Name, purpose, environment, architecture diagrams, data flows showing where CUI enters, moves through, and exits your systems
- System boundary — Clear delineation of which components are in scope and which are out of scope, with justification for boundary decisions
- Control implementation statements — For each of the 110 controls, a description of how your organization satisfies the requirement. This is the bulk of the document and must be specific to your environment, not generic boilerplate
- Roles and responsibilities — Who is responsible for implementing, monitoring, and maintaining each control area
- Interconnection details — Any connections to external systems, including those of subcontractors and cloud service providers
- POA&M references — For any controls not yet fully implemented, a reference to the corresponding POA&M entry with remediation timeline
Common SSP Mistakes
The most frequent SSP deficiencies we see include control implementation statements that are too generic ("We use encryption" rather than "We enforce AES-256 encryption for all CUI at rest using BitLocker on endpoints and AWS S3 server-side encryption with KMS-managed keys"), missing or inaccurate system boundary definitions, failure to document inherited controls from cloud service providers, and no evidence linking policies to actual implementation.
Your SSP should be a living document updated whenever your environment changes. Assessors will compare your documented SSP against your actual system configuration, and discrepancies are scored as control failures.
NIST 800-171 Assessment and Certification
SPRS Scoring
The Supplier Performance Risk System (SPRS) score quantifies your NIST 800-171 implementation status on a scale from -203 to 110. Every defense contractor must calculate and submit their score.
The scoring works as follows: you start with 110 points (representing full implementation of all controls). Each unimplemented control has a weighted point value of 1, 3, or 5 based on its security impact. Controls not implemented reduce your score by that value. A score of 110 means all controls are met. A score of -203 means no controls are met (theoretically possible though unlikely in practice).
Controls are weighted based on their impact:
- 5-point controls — High impact on CUI protection (e.g., multi-factor authentication, encryption of CUI, audit logging)
- 3-point controls — Moderate impact (e.g., session lock, information flow enforcement)
- 1-point controls — Lower individual impact but still required (e.g., some physical protection controls)
You must submit your score through SPRS and update it whenever your implementation status changes materially.
Relationship to CMMC Level 2
NIST 800-171 compliance is necessary but not sufficient for CMMC Level 2 certification. The technical controls are identical — CMMC Level 2 maps directly to the 110 NIST 800-171 requirements. However, CMMC adds a verified assessment layer. Where NIST 800-171 allows self-assessment, CMMC Level 2 requires a C3PAO to independently validate your control implementations.
If you are already fully compliant with NIST 800-171 (SPRS score of 110), the CMMC assessment should be a validation exercise rather than a discovery process. Organizations with significant gaps will need to remediate before scheduling their C3PAO assessment. For complete details on the CMMC certification process, see our CMMC requirements guide.
Implementation Roadmap
Achieving NIST 800-171 compliance follows a predictable path regardless of organization size, though timelines vary significantly based on your starting point.
Phase 1: Scoping and Gap Analysis (2-6 Weeks)
Define your CUI boundary by mapping where CUI enters your environment, how it flows through your systems, where it is stored, and how it exits. Then assess each of the 110 controls against your current state. Categorize each control as fully implemented, partially implemented, or not implemented.
This phase produces your initial SPRS score and a prioritized list of gaps. Focus on high-impact controls (5-point values) first to maximize your score improvement per remediation dollar.
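The SPRS calculation described in the scoring section above, together with the prioritized gap list this phase produces, as an added example in Python. This is not the page's or Agency's own tool. The control records are a constructed sample: the identifiers follow SP 800-171 numbering, but the point weight attached to each one is assumed for illustration and the real weight for every requirement comes from the DoD Assessment Methodology. A partially implemented control is scored as unmet, which is the methodology's general rule (its two narrow partial-credit exceptions are left out here). The example also flags any gap that has no POA&M reference, which the SSP section above requires for every control that is not fully implemented.

```python
"""SPRS score and gap prioritization for a NIST 800-171 self-assessment.

Added example, not the page's own tool. The sample records below are
constructed; the weight on each control is assumed for illustration and
must be taken from the DoD Assessment Methodology in a real assessment.
"""
from dataclasses import dataclass
from typing import Iterable, List

MAX_SCORE = 110          # every control implemented
MIN_SCORE = -203         # every control unmet
VALID_WEIGHTS = {1, 3, 5}
STATUSES = {"implemented", "partial", "not_implemented"}


@dataclass(frozen=True)
class ControlRecord:
    control_id: str     # SP 800-171 requirement number, e.g. "3.5.3"
    family: str         # two-letter family code used in the SSP, e.g. "IA"
    weight: int         # 1, 3 or 5 points (assumed values in the sample)
    status: str         # one of STATUSES
    poam_ref: str = ""  # POA&M entry tracking the gap, if any


def deduction(rec: ControlRecord) -> int:
    """Points subtracted for one control.

    Assumption (DoD Assessment Methodology general rule): a partially
    implemented requirement is scored as not met, so its full weight is
    subtracted. The methodology's two partial-credit exceptions are omitted.
    """
    if rec.weight not in VALID_WEIGHTS:
        raise ValueError(f"{rec.control_id}: weight must be 1, 3 or 5")
    if rec.status not in STATUSES:
        raise ValueError(f"{rec.control_id}: unknown status {rec.status!r}")
    return 0 if rec.status == "implemented" else rec.weight


def sprs_score(records: Iterable[ControlRecord]) -> int:
    """Start at 110 and subtract the weight of every unmet control."""
    score = MAX_SCORE - sum(deduction(r) for r in records)
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("score outside -203..110; check the control catalogue")
    return score


def prioritized_gaps(records: Iterable[ControlRecord]) -> List[ControlRecord]:
    """Unmet controls, highest weight first, so 5-point gaps are worked first."""
    gaps = [r for r in records if deduction(r) > 0]
    return sorted(gaps, key=lambda r: (-r.weight, r.control_id))


def gaps_missing_poam(records: Iterable[ControlRecord]) -> List[str]:
    """Unmet controls with no POA&M reference; each one is an SSP deficiency."""
    return [r.control_id for r in records if deduction(r) > 0 and not r.poam_ref]


# Constructed sample assessment (weights assumed for illustration only).
SAMPLE_ASSESSMENT = [
    ControlRecord("3.1.1", "AC", 5, "implemented"),
    ControlRecord("3.1.2", "AC", 5, "implemented"),
    ControlRecord("3.1.3", "AC", 3, "not_implemented", poam_ref="POAM-004"),
    ControlRecord("3.3.1", "AU", 5, "partial", poam_ref="POAM-002"),
    ControlRecord("3.5.3", "IA", 5, "not_implemented", poam_ref="POAM-001"),
    ControlRecord("3.10.3", "PE", 1, "not_implemented"),   # gap with no POA&M
    ControlRecord("3.13.11", "SC", 5, "implemented"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_ASSESSMENT))
    for gap in prioritized_gaps(SAMPLE_ASSESSMENT):
        print(f"  {gap.control_id:8} {gap.family}  -{gap.weight}  {gap.status}")
    print("gaps without a POA&M reference:", gaps_missing_poam(SAMPLE_ASSESSMENT))
```

Run against the constructed sample, the score comes out at 96 (110 minus 14 points across four unmet controls), the two 5-point gaps sort to the top of the remediation list, and control 3.10.3 is reported as an unmet control with no POA&M entry. A real run replaces SAMPLE_ASSESSMENT with all 110 requirements and their official weights.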
Phase 2: Remediation (2-9 Months)
Address identified gaps through a combination of technical controls, policy development, and process changes. Common remediation activities include:
- Deploying multi-factor authentication across all systems accessing CUI
- Implementing encryption for CUI at rest and in transit
- Establishing audit logging and centralized log management
- Developing and documenting security policies aligned to each control family
- Configuring access controls to enforce least privilege
- Establishing a vulnerability scanning and patch management program
Phase 3: Documentation (1-3 Months, Concurrent with Phase 2)
Build your SSP, POA&Ms for any remaining gaps, and supporting documentation including policies, procedures, and network diagrams. Fill in your NIST 800-171 SSP template with specific implementation details for each control.
Phase 4: Assessment and Certification (1-2 Months)
Calculate your SPRS score and submit it. If pursuing CMMC Level 2 certification, engage a C3PAO for formal assessment. Conduct a readiness review or mock assessment first to identify any remaining issues.
Timelines by Company Size
| Organization Size | Gap Analysis | Remediation | Documentation | Assessment | Total |
|---|---|---|---|---|---|
| Small (10-50 employees) | 2-3 weeks | 2-4 months | 1-2 months | 2-4 weeks | 4-7 months |
| Mid-market (50-250 employees) | 3-4 weeks | 4-6 months | 2-3 months | 3-6 weeks | 6-10 months |
| Enterprise (250+ employees) | 4-6 weeks | 6-9 months | 2-3 months | 4-8 weeks | 9-14 months |
NIST 800-171 vs. CMMC vs. ISO 27001
Organizations pursuing government contracts often need to evaluate multiple compliance frameworks. Here is how NIST SP 800-171 compares to CMMC and ISO 27001:
| Dimension | NIST 800-171 | CMMC Level 2 | ISO 27001 |
|---|---|---|---|
| Purpose | Protect CUI in nonfederal systems | Verify CUI protection through certification | Information security management system |
| Controls | 110 specific requirements | Same 110 (maps to NIST 800-171) | 93 controls in Annex A (2022 version) |
| Assessment | Self-assessment (SPRS) | Third-party C3PAO assessment | Accredited certification body audit |
| Geographic Scope | U.S. federal contractors | U.S. defense contractors | International |
| Overlap with NIST 800-171 | N/A | 100% at Level 2 | ~60-70% control overlap |
| Validity Period | Continuous (update SPRS as needed) | 3 years | 3 years (annual surveillance audits) |
| Relative Investment | Lower (implementation only) | Higher (implementation + assessment) | Moderate (implementation + audit) |
If your organization operates in both defense and commercial markets, a multi-framework compliance strategy that addresses NIST 800-171 and ISO 27001 simultaneously can save significant time and cost through shared controls.
For organizations also considering ISO 27001, see our ISO 27001 requirements checklist for a detailed comparison of what that certification entails.
How Agency Can Help
NIST 800-171 compliance is the foundation of your defense contracting eligibility. Whether you are starting from scratch, improving a low SPRS score, or preparing for your CMMC Level 2 assessment, Agency provides structured guidance to get you there efficiently.
Our approach includes comprehensive gap analysis against all 110 controls, prioritized remediation planning based on SPRS score impact, SSP development and documentation support, and assessment preparation with mock assessments to identify issues before your C3PAO arrives.
Ready to assess your NIST 800-171 compliance posture? Contact Agency for a gap analysis and get your roadmap to a score of 110.
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.