NIST Special Publication 800-171 (NIST SP 800-171)
NIST SP 800-171 is the cybersecurity standard for protecting Controlled Unclassified Information (CUI) on nonfederal systems, prescribing 110 specific security controls that DoD contractors must meet as a contract-eligibility threshold.
What Is NIST SP 800-171?
NIST SP 800-171, officially titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is a publication of the National Institute of Standards and Technology that establishes security requirements for nonfederal systems that store, process, or transmit Controlled Unclassified Information (CUI). It was first published in 2015 and has been revised multiple times, with Revision 3 published in May 2024.
The standard contains 110 security controls organized into 14 families covering access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. DoD contractors handling CUI must implement these controls under DFARS 252.204-7012, and failure to comply puts current contracts and future awards at risk.
Key Characteristics
NIST SP 800-171 has several defining characteristics. It applies to nonfederal systems, meaning contractor-owned IT infrastructure, cloud environments, and any system outside federal direct control.
It governs CUI specifically, a category broader than classified information but still sensitive enough to warrant protection. The standard prescribes 110 distinct controls, each with a unique identifier (such as 3.1.1 for Access Control limitations) and a defined implementation requirement.
Compliance is self-attested in most cases, with contractors uploading their score to the Supplier Performance Risk System (SPRS). Higher-risk contracts may require third-party assessment under CMMC (Cybersecurity Maturity Model Certification).
The DoD treats NIST SP 800-171 compliance as a flowdown clause, meaning prime contractors must ensure their subcontractors also meet the standard if they handle CUI.
How It Works in Government Contracting
NIST SP 800-171 compliance affects federal contractors at three points. First, at proposal time, the contractor must self-assess against the 110 controls, calculate a SPRS score (out of 110, with deductions for each control not fully implemented), and upload that score to SPRS before bidding on any DoD solicitation involving CUI.
Second, during contract performance, the contractor must maintain compliance and implement a System Security Plan (SSP) plus Plan of Action and Milestones (POA&M) for any control gaps. Third, during incident response, any cyber incident affecting CUI must be reported to DoD within 72 hours via DIBNet under DFARS 252.204-7012.
Failure at any of these points can void the award, trigger a stop-work order, or initiate a False Claims Act investigation if the self-attested SPRS score is later found to be inaccurate.
Real-World Example
A mid-sized aerospace engineering firm bids on a $40 million DoD subcontract that requires handling technical data marked as CUI. The firm self-assesses against the 110 controls in NIST SP 800-171 Revision 2, identifies gaps in 18 controls, and calculates a SPRS score of 86 out of 110.
The firm uploads the score to SPRS, documents the gaps in a Plan of Action and Milestones, and submits the proposal. The prime contractor reviews the SPRS score during subcontractor selection and asks for the POA&M before flowing down the contract.
The firm closes 12 of the 18 control gaps within six months, raising its SPRS score to 98, and earns the subcontract. Without the documented remediation path, the prime would have selected a competitor with a stronger compliance profile.
Regulatory Framework
NIST SP 800-171 is implemented in federal contracting through several authorities. DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires DoD contractors to implement NIST SP 800-171 and report cyber incidents within 72 hours.
DFARS 252.204-7019 and 252.204-7020 require SPRS score upload and basic assessment for any contract involving CUI. The CMMC framework, formalized in 32 CFR Part 170 (final rule effective December 16, 2024), builds on NIST SP 800-171 by adding third-party assessment requirements at higher maturity levels. Beyond DoD, civilian agencies are increasingly adopting NIST SP 800-171 through FAR 52.204-21 and the forthcoming FAR CUI rule.
Why It Matters for Contractors
NIST SP 800-171 compliance has become a hard threshold for federal work in three respects. Bid eligibility: DoD primes will not even consider subcontractors who have not uploaded a SPRS score, and an inaccurate score creates False Claims Act exposure as a knowing misrepresentation.
Award retention: contracts can be terminated for default if the contractor cannot demonstrate ongoing compliance during performance, and a cyber incident report under DFARS 7012 triggers immediate scrutiny of the SPRS score and SSP. Past performance: a documented compliance failure or incident lingers in CPARS and DSBS records for years, hurting future captures.
Strategic contractors treat NIST SP 800-171 as a continuous program rather than a point-in-time exercise: they maintain the SSP as a living document, run quarterly internal assessments, and budget for incremental control improvements each year.
Common Misconceptions
Only large defense primes need to comply.
They do not. Any contractor or subcontractor at any tier that handles CUI on a nonfederal system is in scope, including small businesses pursuing first-tier DoD work. The flowdown clause in DFARS 252.204-7012 reaches all the way to the bottom of the subcontract chain.
A SPRS score of 110 (perfect) is required to win awards.
It is not, today. Contractors can submit scores below 110 if they have a documented POA&M for the missing controls. However, CMMC Level 2 third-party assessments under 32 CFR Part 170 do require full implementation for many DoD contracts, so the bar is rising for any contract that handles CUI.
NIST SP 800-171 is the same as NIST SP 800-53.
It is not. NIST SP 800-53 governs federal systems and is much more extensive (over 1,000 controls). NIST SP 800-171 is a derivative tailored for nonfederal systems handling CUI. Confusing the two leads to over-engineered or under-scoped compliance programs.
Frequently Asked Questions
What is the difference between NIST SP 800-171 and CMMC?
NIST SP 800-171 is the underlying technical standard (110 security controls). CMMC is the DoD assessment framework that audits contractors against NIST SP 800-171 at varying maturity levels. CMMC Level 1 covers basic cybersecurity hygiene; Level 2 (the most common) requires implementation of all 110 NIST SP 800-171 controls and is subject to third-party assessment for many contracts; Level 3 adds NIST SP 800-172 advanced controls for the most sensitive programs.
How is the SPRS score calculated?
The SPRS basic assessment methodology starts at 110 (full compliance with all 110 controls) and deducts points for each control not fully implemented. Some controls are worth 5 points (most critical), others 3 points, and others 1 point. A contractor with 18 control gaps in single-point controls and one gap in a 5-point control would have a score of 110 minus 23, or 87. The score is uploaded to SPRS along with a date of self-assessment.
How often must NIST SP 800-171 compliance be reassessed?
DoD requires the SPRS basic assessment to be no more than three years old at the time of contract award. Strategic contractors run internal self-assessments annually and update the SPRS score whenever significant control changes occur, since a stale score can trigger competitive disadvantage and audit scrutiny.
What happens after a cyber incident affecting CUI?
Under DFARS 252.204-7012, the contractor must report the incident via the DIBNet portal within 72 hours, preserve images of affected systems for at least 90 days, provide the DoD with access to the incident response findings, and cooperate with any subsequent DoD damage assessment. The contractor must also implement remediation and update its SPRS score and SSP if necessary.
Does NIST SP 800-171 apply to civilian agency contracts?
Increasingly, yes. FAR 52.204-21 already requires basic safeguarding for federal contract information across civilian agencies. The forthcoming FAR CUI rule will extend NIST SP 800-171-style requirements to civilian contracts handling CUI. DoD contracts remain the most stringent and most actively enforced, but the standard is becoming a federal baseline.
Related Government Contracting Topics
Controlled Unclassified Information (CUI): The category of sensitive but unclassified federal information that NIST SP 800-171 is designed to protect on nonfederal systems.
Cybersecurity Maturity Model Certification (CMMC): The DoD assessment framework that audits contractors against NIST SP 800-171 at varying maturity levels.
DFARS 252.204-7012: The DoD contract clause requiring NIST SP 800-171 compliance and 72-hour cyber incident reporting.
Defense Federal Acquisition Regulation Supplement: The DoD supplement to the FAR that contains the cybersecurity flowdown clauses.
Federal Acquisition Regulation (FAR): The civilian baseline containing FAR 52.204-21 and the forthcoming CUI rule that will extend NIST SP 800-171 government-wide.
Federal Risk and Authorization Management Program (FedRAMP): The federal cloud security authorization program; cloud providers often align with NIST SP 800-171 and 800-53.
Information Security (InfoSec): The broader discipline that includes NIST SP 800-171 compliance for contractors handling sensitive federal data.
Authority to Operate (ATO): Government approval to operate an information system; nonfederal systems handling CUI rely on NIST SP 800-171 in lieu of an ATO.
Plan of Action and Milestones (POA&M): The structured remediation plan contractors use to track and close NIST SP 800-171 control gaps.
International Traffic in Arms Regulations (ITAR): Export control regulations frequently relevant alongside NIST SP 800-171 for defense technical data.
How LotusPetal AI Helps
LotusPetal AI's capture and proposal automation platform reads incoming DoD solicitations, flags NIST SP 800-171 and DFARS 7012 requirements, and pulls your latest SPRS score and POA&M into the proposal automatically. Compliance teams maintain a single source of truth for control implementation status; capture managers see at intake whether the opportunity is within the firm's current SPRS profile.