NIST 800-171

If you hold a contract with DFARS clause 252.204-7012, NIST SP 800-171 already applies to you, and it has since the clause's December 31, 2017 compliance deadline. Every contractor with that clause has been representing compliance with the 110 requirements since then, and has had to post a self-assessment score since the November 2020 interim rule. A surprising share of the Wichita-area suppliers we assess either didn't know the clause was in their contract or attested to a number their environment doesn't support.

That gap used to be invisible. CMMC is the Department of Defense's mechanism for verifying what contractors have been claiming all along, and the control set underneath CMMC Level 2 is the same NIST 800-171 you were already supposed to meet. The work to get compliant is the same work whether your destination is a defensible self-attestation or a third-party certification. The full CMMC picture lives on our CMMC Readiness Services page. This page is about the standard itself.

What NIST 800-171 actually is

NIST Special Publication 800-171 defines how Controlled Unclassified Information (CUI) has to be protected when it lives on systems outside the federal government, which is to say, on yours. It's organized into 110 security requirements across 14 families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

The baseline you build to today is Revision 2. NIST published Revision 3 in 2024, but DoD issued a class deviation that keeps Revision 2 as the contractual standard until future rulemaking says otherwise, and the CMMC rule points at Revision 2 as well. If a vendor is selling you a Revision 3 readiness project right now, ask why.

Some requirements are technical (multi-factor authentication, encryption, logging). Many are not. A large share of the 110 are policies, procedures, and documented practices that an assessor verifies by reading documents and interviewing your people rather than scanning your network. Contractors who treat 800-171 as a pure technology project usually pass the technical controls and fail the paperwork.

The self-attestation trap

Under DFARS 252.204-7019 and 7020, contractors submit a self-assessment score to the government's Supplier Performance Risk System (SPRS). The scoring follows the DoD Assessment Methodology: you start at a perfect 110 and subtract a weight of 1, 3, or 5 points for each requirement that isn't implemented, down to a floor of -203. The five-point deductions land on the controls DoD cares about most, and a requirement you've put on a Plan of Action and Milestones still counts against you until it's actually done. Primes can see your score when they make sourcing decisions.
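To make the scoring concrete, here is a small calculator added as an example for this page; it is not DoD tooling and not code from CybertronIT. It follows the shape of the DoD Assessment Methodology (each requirement weighted 1, 3, or 5 points, a floor of -203, and partial credit for MFA 3.5.3 and FIPS-validated cryptography 3.13.11), but the twelve-requirement subset, the weights in the table, and the sample assessment result are assumptions constructed for illustration. Take the authoritative weights from the methodology itself.

```python
"""Constructed SPRS-style score calculator (example, not DoD tooling)."""

MAX_SCORE = 110    # every requirement implemented
MIN_SCORE = -203   # floor defined by the DoD Assessment Methodology

# ASSUMPTION: illustrative subset and weights. Authoritative 1/3/5 weights
# come from the DoD NIST SP 800-171 Assessment Methodology, not this table.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.1.6": 1,    # non-privileged accounts for non-security functions
    "3.3.1": 5,    # create and retain audit logs
    "3.4.1": 5,    # baseline configurations and inventories
    "3.5.3": 5,    # multifactor authentication
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.11.2": 5,   # scan for vulnerabilities
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # identify and correct flaws in a timely manner
}

# Requirements with a partial-credit rule: deduct this instead of the full
# weight when partly implemented (MFA only for privileged/remote access;
# encryption in place but not FIPS-validated). Assumption for the example.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

VALID_STATES = {"implemented", "partial", "not_implemented"}


def sprs_score(status):
    """Score a status dict {requirement_id: state}.

    Every weighted requirement must carry an assessed state. A score that
    silently assumes unassessed controls are fine is exactly the attestation
    this page warns about, so that case is an error rather than a default.
    """
    missing = set(WEIGHTS) - set(status)
    if missing:
        raise ValueError(f"no assessment result for: {sorted(missing)}")
    deductions = 0
    for req, state in status.items():
        if req not in WEIGHTS:
            raise ValueError(f"unknown requirement {req}")
        if state not in VALID_STATES:
            raise ValueError(f"bad state {state!r} for {req}")
        if state == "implemented":
            continue
        if state == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(
                    f"{req} has no partial-credit rule; score it as not_implemented"
                )
            deductions += PARTIAL_DEDUCTION[req]
        else:
            deductions += WEIGHTS[req]
    return max(MAX_SCORE - deductions, MIN_SCORE)


def attestation_gap(claimed_score, status):
    """How far a score on file in SPRS sits above what the environment supports."""
    return claimed_score - sprs_score(status)


# Constructed assessment result for a hypothetical shop: everything in the
# table is in place except MFA, FIPS-validated crypto, scanning, and logging.
EXAMPLE_STATUS = {req: "implemented" for req in WEIGHTS}
EXAMPLE_STATUS.update({
    "3.5.3": "not_implemented",   # no MFA anywhere
    "3.13.11": "partial",         # TLS and disk encryption in use, modules not FIPS-validated
    "3.11.2": "not_implemented",  # no vulnerability scanning
    "3.3.1": "not_implemented",   # logs exist but are not retained
})

if __name__ == "__main__":
    print("defensible score:", sprs_score(EXAMPLE_STATUS))
    print("gap behind a 110 on file:", attestation_gap(110, EXAMPLE_STATUS))
```

Four gaps on a twelve-requirement table already cost 18 points; across the full 110, a shop with the same four gaps plus the policy and procedure requirements it never wrote down lands far lower than most first-time attesters expect.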

Here's the part that catches people. That score is a representation to the federal government, and the Department of Justice has pursued contractors over inaccurate cybersecurity attestations under the False Claims Act through its Civil Cyber-Fraud Initiative, announced in October 2021. The contractors carrying real risk aren't the ones with low honest scores. Risk concentrates on the business that typed in a high number years ago, never built the System Security Plan to back it, and has been winning work on it since.

We've walked into both situations on prospect assessments here in Southcentral Kansas. A low score with a real remediation plan is a fixable position. A 110 on file with nothing behind it is a liability the business hasn't priced yet.

What an engagement looks like

The work follows the same arc as our CMMC readiness engagements, because the standard underneath is the same. A gap analysis scores your environment against the 110 controls and produces an honest baseline. We build or fix the System Security Plan so it describes the network you actually run. A Plan of Action and Milestones covers what's not yet in place, with real dates. Then we implement both the technical controls and the documented practices, and your SPRS score gets corrected to a number you can defend.

One thing we tell contractors going in, because almost nobody expects it: the technical controls are usually not the hard part. Across the readiness work we run, the SSP and the evidence package take longer than the firewall work more often than the other way around. Budget your patience accordingly.

And one thing to know about us: CybertronIT is a Registered Provider Organization under the Cyber AB. We prepare contractors and partner with them through assessment. The assessment itself belongs to a C3PAO, a separate and independent organization.

The difference from a CMMC engagement is the destination. If your contracts only require self-attestation, the finish line is an accurate score and the artifacts to support it. If a C3PAO assessment is coming, the same work continues into pretest. Starting with 800-171 and stepping up to CMMC later repeats nothing, because the control set doesn't change.

One thing we hold the line on: we don't do this work as a standalone project while another firm runs your network. The SSP and the live systems have to be operated by the same team or the documentation drifts from reality within weeks, and the next audit or score review is where that shows up. NIST 800-171 work is bundled with Managed IT Services on one engagement.

Where CUI hides

The most expensive 800-171 mistake isn't a missing control. It's not knowing CUI is in your environment at all. Drawings with distribution statements, specs received by email, quality records tied to a defense program, even purchase orders can carry it. Here's how it actually happens. A drawing arrives from a prime contractor, gets attached to an ERP record, copied into a quality folder, and emailed to a supplier for a quote. One file just expanded your assessment boundary across four systems (mail, ERP, the file share, and the supplier's inbox), and nobody made a decision about any of it.

So the first real task is tracing where CUI actually lives and moves in your business, because that boundary determines which systems have to meet the requirements. Scope it too tight and the assessment finds systems you missed. Go the other way and you're paying to harden machines that never needed protecting. We do the scoping before anyone talks about tools, because getting it wrong sets the price of everything downstream.

The boundary question is also showing up in a newer form. The same file that spreads through your ERP and email will end up pasted into an AI tool sooner or later, and where that model runs decides whether your CUI stayed protected. Our guide on using AI under CMMC covers the three places a model can run and which one fits controlled data.

Where to start

A short call is enough to find out where you stand. Bring your contract clauses if you have them, and your current SPRS score if you know it. We'll tell you whether your attestation position is defensible, what the real gaps look like, and what a realistic timeline is. If you don't know whether you have CUI, that's the first question we'll help you answer, and it costs you thirty minutes.

Frequently asked questions

1. Is NIST 800-171 the same thing as CMMC?

No, but they're joined at the hip. NIST 800-171 is the control standard, the 110 requirements for protecting CUI. CMMC is the DoD's program for verifying contractors actually meet it, by self-assessment or by third-party assessment depending on the contract. Build to 800-171 properly and you've done the substance of CMMC Level 2. The certification layer on top is evidence, interviews, and process, conducted by a C3PAO. We're an RPO, the role that prepares you, never the assessor.

2. We submitted an SPRS score years ago. Are we done?

You're done if the score still matches your environment and you have the System Security Plan and evidence to back it. Most scores we review on prospect assessments don't meet that bar. Environments change, people leave, and a score that was optimistic in 2021 is a liability in 2026, because primes can see it and the government can act on it. An honest re-score with a remediation plan is a far better position than a stale high number.

3. We only handle FCI, not CUI. Does 800-171 apply?

If you genuinely handle only Federal Contract Information, your obligation is the 15 basic safeguarding requirements in FAR 52.204-21, which maps to CMMC Level 1, not the full 110. The catch is the word genuinely. You'd be surprised how often a contractor who believes they're FCI-only turns out to have CUI sitting in old emails and drawing folders. We verify which side of the line you're on before anything else.

4. What does it cost to get compliant?

It depends on your starting posture, how widely CUI has spread through your environment, and how much of the work is documentation versus new technical controls. Scoping the CUI boundary is what sets the number, which is why we do that first and put a real estimate against your situation on the exploratory call. As a rule, contractors who start before a deadline pay less than contractors who start after one.

5. Can you fix our score while we keep our current IT provider?

No. The documentation and the live systems have to be owned by the same team or they drift apart, and the gap lands on you at the worst possible time. If you have an MSP you're committed to, the honest conversation is about timing and whether the contracts at stake justify a switch.
