If you’re working toward CMMC Level 2 certification, there’s one document that should be your north star:
NIST Special Publication 800-171 (Rev. 2)
Officially titled: “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
For companies handling Controlled Unclassified Information (CUI) — everything from technical drawings and defense system specs to research reports and proprietary manufacturing data — this framework outlines the 110 security controls you need to implement.
In this blog post, we’ll cover:
- What NIST 800-171 is
- How it fits into CMMC Level 2
- The 14 control families
- Why this framework matters for your business
- How to get compliant
What Is NIST SP 800-171 & Why Does It Matter?
NIST SP 800-171 is a cybersecurity standard developed by the National Institute of Standards and Technology (NIST). It was created to help contractors secure CUI when stored, processed, or transmitted on nonfederal information systems.
Originally enforced through DFARS 252.204-7012, the controls in NIST 800-171 have now been fully adopted into CMMC Level 2.
“If you’re pursuing CMMC Level 2, you’re really pursuing NIST 800-171 compliance — that’s the foundation.”
— Grant Eckstrom, vCISO – Succurri
Without full NIST 800-171 compliance, you risk failing CMMC audits and losing eligibility for DoD contracts.
CMMC Level 2 = Full NIST 800-171 Implementation
The DoD made it clear: CMMC Level 2 is a direct mapping to NIST SP 800-171.
That means:
- You must implement all 110 controls
- You must complete a System Security Plan (SSP)
- You must document your security posture and self-score (if applicable)
- Most contracts will require a third-party audit by a Certified Third-Party Assessment Organization (C3PAO) every 3 years
- You must affirm compliance annually
If your company is not actively implementing 800-171 controls — and you handle CUI — you are likely already noncompliant under DFARS and at risk under upcoming CMMC requirements.
The 14 Control Families in NIST 800-171
With NIST 800-171 Rev 3 on the horizon, staying up to date with evolving requirements is critical. The 110 controls are organized into 14 security domains. Here’s a simplified breakdown:
| Control Family | What It Covers |
| --- | --- |
| Access Control | Who can access systems/data — and how |
| Awareness & Training | Employee education on security and threats |
| Audit & Accountability | Track user actions; retain audit logs |
| Configuration Management | Standardize and secure system settings |
| Identification & Authentication | Verify identities; use strong credentials |
| Incident Response | Prepare for, detect, and recover from attacks |
| Maintenance | Secure maintenance of systems and software |
| Media Protection | Control and dispose of physical/digital media |
| Personnel Security | Vetting and offboarding of personnel |
| Physical Protection | Restrict physical access to systems |
| Risk Assessment | Identify and evaluate cyber risks |
| Security Assessment | Review controls and improve regularly |
| System & Comms Protection | Secure your data in transit and at rest |
| System & Info Integrity | Detect and respond to system tampering |
Each family contains multiple controls — for example, the Access Control domain includes 22 individual requirements. These go beyond basics like password management and dive into granular controls such as session timeout configurations, remote access restrictions, and separation of duties.

What Makes NIST 800-171 Compliance Challenging?
Here’s where many businesses struggle:
Documentation Deficiencies
Your IT team may be doing “most” of what NIST 800-171 requires — but if you can’t prove it, you’ll fail an audit. Assessors need policies, procedures, evidence, and an SSP. Your NIST SP 800-171 DoD assessment may include both internal and third-party reviews, depending on contract requirements.
Lack of Security Culture
Cybersecurity training, user awareness, and incident response readiness are frequently overlooked. Many companies are technically strong, but operationally unprepared.
Legacy Systems
Outdated infrastructure often cannot support encryption, multi-factor authentication, or centralized logging — all mandatory under 800-171.
Poor Internal Scoping
Businesses often attempt to secure their entire IT environment when they only need to secure their CUI enclave. Bad scoping = wasted effort or audit failure.
Where to Start
As a NIST 800-171 compliance contractor, your business needs to demonstrate full implementation of the 110 required controls. Here’s how to get started:
- Identify if You Handle CUI
Ask yourself: Do any of your DoD contracts involve CUI? If yes — NIST 800-171 applies. If you’re unsure, consult your prime contractor or contracting officer.
- Perform a Gap Assessment
Map your current controls against the 110 requirements. Identify what’s in place, what’s missing, and where improvements are needed.
- Create a System Security Plan (SSP)
This document outlines how your organization meets (or plans to meet) each control. It’s the centerpiece of your compliance efforts — and mandatory for CMMC Level 2.
- Remediate and Implement
Upgrade technology, write or revise policies, segment your network, enforce MFA, conduct training, and implement logging tools.
- Document Evidence
Start collecting artifacts: login logs, training rosters, access control policies, vulnerability scan results, audit logs, encryption settings, and more.
- Consider a Pre-Assessment
Before you invite a C3PAO for the real audit, many companies conduct a mock assessment to catch issues in advance. A pre-audit NIST SP 800-171 assessment helps identify weaknesses and prioritize remediation before a formal CMMC audit.
Working with a NIST 800-171 compliance consultant can help streamline readiness and reduce your audit risk.
How Long Does It Take to Get Compliant?
Most organizations require 6–12+ months to fully implement the 800-171 controls — depending on:
- Current cyber maturity
- Size and complexity of the IT environment
- Availability of internal expertise
- Level of CUI exposure
Starting now is essential, especially given the October 2025 rollout of CMMC in new contracts.
Get Ahead with NIST 800-171 Compliance
Achieving NIST 800-171 compliance is no longer optional for contractors handling Controlled Unclassified Information. With CMMC 2.0 audits on the horizon and enforcement ramping up, your security practices must be proactive, auditable, and aligned with federal standards.
Whether you’re navigating NIST SP 800-171 Rev 2, preparing for Rev 3, or simply need a NIST 800-171 compliance checklist to get started, taking action now sets your business up for long-term success.
Succurri’s NIST 800-171 compliance services are tailored to small and mid-sized DoD contractors—helping you reduce risk, improve documentation, and meet contract requirements with confidence.
Schedule a readiness review today and take the first step toward audit-ready compliance.

Final Thoughts from Succurri
“If you’re waiting for CMMC to become mandatory before starting on NIST 800-171 — you’re already behind. The sooner you start, the better positioned you are to win and keep DoD contracts.”
— Grant Eckstrom, vCISO – Succurri
At Succurri, we’ve helped dozens of DoD contractors design their security programs around NIST 800-171. Whether you’re starting from scratch or just need help closing the final gaps, our team can help you prepare for a successful CMMC Level 2 audit. Visit our Managed IT Services page to find out more about our services.