Why NIST SP 800-171 Matters
NIST Special Publication 800-171 defines the 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. If your contracts include DFARS clause 252.204-7012, you are already contractually obligated to implement it — independent of CMMC. CMMC Level 2 simply adds verification: a third-party assessment confirming the controls are actually in place.
That makes 800-171 the center of gravity for defense-contractor cybersecurity. Implement it well and CMMC certification becomes a validation exercise. Implement it on paper only, and you carry both assessment risk and False Claims Act exposure.
The 14 Control Families
The requirements span fourteen families: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. You can explore every control — and track your own implementation status — with our free NIST 800-171 compliance tracker.
How XNOR Helps
- Control implementation — hands-on engineering across on-prem, Azure, AWS, and hybrid environments: MFA, FIPS-validated encryption, logging and SIEM, segmentation, endpoint hardening
- System Security Plan (SSP) — the document every assessment lives or dies on, written to reflect how your environment actually operates
- POA&M development — open items documented with milestones and owners, structured the way DoD expects
- Policy & procedure library — right-sized policies that your team will actually follow, mapped to control requirements
- SPRS scoring & submission — a defensible score under the DoD assessment methodology
- Shared-responsibility analysis — sorting out what your MSP, GCC High tenant, or cloud provider covers versus what remains yours
Not sure which controls you're missing? Start with a gap analysis. Already remediated? Validate with a mock assessment.
Frequently Asked Questions
Is NIST 800-171 the same as CMMC Level 2?
CMMC Level 2 adopts the 110 NIST SP 800-171 requirements wholesale. The difference is verification: 800-171 compliance has historically been self-attested, while CMMC Level 2 adds third-party assessment for most contracts involving CUI.
Do we need NIST 800-171 if we only handle FCI, not CUI?
If you only handle Federal Contract Information, CMMC Level 1's 17 basic safeguarding practices apply instead. But many contractors underestimate where CUI actually exists in their environment — a scoping review settles the question definitively.
What is Revision 3, and which version applies to us?
NIST published SP 800-171 Revision 3, but DoD has specified Revision 2 as the basis for current CMMC assessments and DFARS compliance. We build programs against Rev 2 requirements while keeping an eye on the transition path so your investment carries forward.