Skip to main content
Compliance & Risk

NIST 800-171 Compliance

Assessment, System Security Plan, SPRS scoring, and remediation against the 110 NIST SP 800-171 controls that underpin CMMC Level 2 and DFARS 252.204-7012.

NIST SP 800-171 is the standard for protecting Controlled Unclassified Information (CUI) in non-federal systems - 110 security controls across 14 families.

DFARS 252.204-7012 has required defense contractors to implement NIST 800-171 since 2017, including a self-assessed SPRS score submitted to the DoD Supplier Performance Risk System. If your contract carries the 7012 clause, a current score must be on file, and misrepresenting it is a False Claims Act risk.

CMMC Level 2 assesses these same 110 controls, so your 800-171 work is the foundation of CMMC. If certification is your goal, see our CMMC compliance services or read the CMMC 2.0 compliance guide.

What's included

110-Control Assessment

We assess your environment against all 110 NIST SP 800-171 controls across the 14 control families and produce a prioritized deficiency list.

SPRS Score Calculation & Submission

We calculate your NIST 800-171 self-assessment score and prepare it for submission to the DoD Supplier Performance Risk System (SPRS).

System Security Plan (SSP)

We author or co-develop the SSP that documents how each of the 110 controls is implemented across your environment.

Plan of Action & Milestones (POA&M)

For controls not yet met, we build a POA&M with owners, remediation steps, and target dates to close each gap.

Remediation

MFA, audit logging, encryption, and access control implemented to close real control gaps rather than paper over them.

Continuous Monitoring

Managed SOC monitoring, log retention, and recurring evidence so your posture and SPRS score hold between assessments.

Who needs NIST 800-171

DoD Contractors

Contractors and subcontractors handling Controlled Unclassified Information (CUI) under DFARS 252.204-7012.

CMMC Level 2

Organizations pursuing CMMC Level 2, which assesses the same 110 NIST 800-171 controls.

Frequently asked questions

What is NIST 800-171?

NIST SP 800-171 is the standard for protecting Controlled Unclassified Information (CUI) in non-federal systems. It defines 110 security controls across 14 families - such as Access Control, Audit and Accountability, and Incident Response - that a contractor must implement to safeguard CUI.

How does NIST 800-171 relate to CMMC?

CMMC Level 2 assesses the same 110 NIST SP 800-171 controls. That makes 800-171 the technical foundation of CMMC: the SSP, POA&M, remediation, and evidence you build for 800-171 are the same artifacts a CMMC Level 2 assessment evaluates.

What is an SPRS score?

An SPRS score is a self-assessed NIST 800-171 score, ranging from -203 to 110, that defense contractors submit to the DoD Supplier Performance Risk System (SPRS). It reflects how many of the 110 controls you have implemented, and DoD requires a current score to be on file for contracts carrying DFARS 252.204-7012.

What is the difference between DFARS 252.204-7012 and 7021?

DFARS 252.204-7012 has required defense contractors to implement NIST SP 800-171 and report a self-assessed SPRS score since 2017. DFARS 252.204-7021 is the clause that requires the third-party verified CMMC certification level as a condition of award. In short: 7012 drives 800-171 self-assessment, 7021 drives CMMC certification.

How many controls are in NIST 800-171?

NIST SP 800-171 defines 110 security controls organized across 14 control families, including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, and System and Communications Protection.

Can a managed SOC help satisfy NIST 800-171?

Yes. A managed SOC directly supports the Audit and Accountability and Incident Response families - providing continuous monitoring, log retention, and documented response evidence that assessors expect to see when reviewing those controls.

Know your SPRS score

We assess your posture against all 110 controls, calculate your SPRS score, and give you a prioritized remediation roadmap - no commitment required.

Request an 800-171 Assessment Call (443) 409-5426

Free Risk Assessment

25 questions across 5 security domains. Get a personalized PDF report emailed to you instantly.

Build the 800-171 foundation for CMMC

The 110 controls behind your SPRS score are the same controls a CMMC Level 2 assessment evaluates. Getting 800-171 right now is the fastest path to CMMC-ready.

Talk to Our Compliance Team

Get NIST 800-171 Compliance Pricing

We scope every engagement to your environment and team size. Get a written quote within one business day - no obligation, no lengthy sales process.

(443) 409-5426

Quote delivered within 1 business day. Annual and monthly terms available.