NIST SP 800-171 Rev 2 · 110 controls · 14 families

NIST 800-171 compliance — the control catalog every CUI contractor lives by

Whether you are self-attesting an SPRS score today or preparing for a C3PAO assessment tomorrow, the bar is the same: all 110 requirements, implemented and evidenced. MacTech maps every control to your environment so you can stop guessing what 'good' looks like.

Why 800-171 is the foundation of every modern DoD contract

  • DFARS 252.204-7012 has required 800-171 since 2017 — but enforcement was self-attested and routinely ignored.
  • CMMC 2.0 closes that loophole: Level 2 = all 110 controls + third-party assessment by a C3PAO.
  • Even before CMMC reaches your contract, primes are filtering subs on SPRS score — a poor score loses bids today.

01 — The 14 families

All 110 requirements, mapped to 14 control families

  Family  Name                                  Controls
  3.1     Access Control                        22
  3.2     Awareness & Training                   3
  3.3     Audit & Accountability                 9
  3.4     Configuration Management               9
  3.5     Identification & Authentication       11
  3.6     Incident Response                      3
  3.7     Maintenance                            6
  3.8     Media Protection                       9
  3.9     Personnel Security                     2
  3.10    Physical Protection                    6
  3.11    Risk Assessment                        3
  3.12    Security Assessment                    4
  3.13    System & Communications Protection    16
  3.14    System & Information Integrity         7

110 total requirements per NIST SP 800-171 Rev 2. Rev 3, published 2024, restructures the catalog but does not yet apply to DoD contracts; DFARS continues to reference Rev 2.

02 — Implementation

How MacTech implements NIST 800-171

Boundary first, controls second

We define the CUI boundary before we touch a control. A tight boundary lets you scope 800-171 to a manageable surface; a sprawling boundary turns every requirement into a multi-system implementation.

Inherit everything inheritable

Customers running CUI inside MacTech's enclave inherit a documented set of controls from the underlying FedRAMP-aligned platform — physical security, baseline configuration, network protection, and several others. Shorter SSP, faster assessment.

Evidence on the same surface as the work

Trust Codex links every requirement to the artifacts that prove it. STIG scans, MFA enrollment reports, encryption attestations, training records — all in one place, all keyed to a control ID.

SSP and POAM as living documents

Your SSP regenerates from the evidence library. Your POAM tracks what is open, who owns it, and when it closes. No frantic week of binder-building the month before a C3PAO arrives.

04 — Questions

NIST 800-171 — frequently asked

What is NIST SP 800-171?

NIST Special Publication 800-171 Rev 2 is a federal control catalog of 110 security requirements organized into 14 families (Access Control, Audit and Accountability, Configuration Management, etc.). It defines the minimum protections non-federal organizations must apply to Controlled Unclassified Information (CUI) when handling it on behalf of the U.S. government.

Is NIST 800-171 mandatory?

For any organization with a contract or subcontract that flows down DFARS 252.204-7012, yes. The clause has been in DoD contracts since 2017 and is the legal hook that requires 800-171 implementation. With the CMMC 2.0 rule, the requirement is now also enforced through third-party assessment, not just contractor self-attestation.

What is the difference between NIST 800-171 and CMMC?

NIST 800-171 is the control catalog — the list of 110 requirements. CMMC is the assessment framework that verifies you actually meet them. CMMC Level 2 requires all 110 NIST 800-171 controls and adds a third-party assessment by a C3PAO. So if you are doing CMMC Level 2, you are doing NIST 800-171.

How many controls are in NIST 800-171?

110 security requirements, grouped into 14 families. Each requirement also has assessment objectives published in NIST SP 800-171A — the document a C3PAO assessor actually scores against. A common contractor mistake is implementing the requirement but not the underlying objectives, then failing the assessment on technicalities.

What is a System Security Plan (SSP) under NIST 800-171?

The SSP is the master document that describes your system, defines its boundary, identifies CUI flows, and explains how each of the 110 controls is implemented. It is the first thing a C3PAO assessor reads and the document everything else (POAM, evidence library, shared-responsibility matrices) ties back to. NIST 800-171 requirement 3.12.4 specifically requires an SSP.

What is a POAM and when is one required?

A Plan of Action and Milestones (POAM) is the tracking document for any control you have not fully implemented. Under the original 800-171 self-assessment model, almost any control could be POAMed. Under CMMC 2.0 Level 2, only a narrow subset of controls (worth fewer SPRS points) can remain on a POAM at certification — and only for 180 days.

What is the SPRS score?

The Supplier Performance Risk System (SPRS) score is a numeric assessment of NIST 800-171 implementation, calculated by deducting points from a starting score of 110 based on the controls you have not yet implemented. Primes increasingly look at SPRS scores when awarding subcontracts, even for contracts that do not formally require CMMC certification yet.

Can I do a NIST 800-171 self-assessment?

For most contracts written before the CMMC 2.0 final rule, yes — you self-assess, post your SPRS score, and re-attest annually. For contracts that flow down CMMC Level 2, you also need a C3PAO assessment every three years. The trajectory is clear: third-party assessment becomes the norm.

Get a real NIST 800-171 readiness picture

A readiness scan gives you a per-family score, a prioritized remediation backlog, and an honest timeline to C3PAO assessment. No 200-row spreadsheets you will never finish.