NIST SP 800-171 is the federal standard that defines how non-government organizations should protect Controlled Unclassified Information. Understanding what it is helps you understand what CMMC is asking you to do.
NIST — the National Institute of Standards and Technology — is a U.S. government agency that produces standards, guidelines, and best practices. They write everything from definitions of physical units (like the kilogram) to cybersecurity standards adopted across the federal government.
NIST Special Publication 800-171 is one of those documents. Specifically, it's a set of 110 security requirements that non-federal organizations must meet when they store, process, or transmit Controlled Unclassified Information on behalf of a federal agency. The full title is "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations."
It's important to understand: 800-171 itself is not a law. It's a publication. It becomes mandatory through contract clauses — most notably DFARS 252.204-7012 for DoD contractors, and now CMMC for the certification program built on top of it.
The Department of Defense didn't invent CMMC's technical requirements from scratch. Instead, it took the existing NIST 800-171 standard — which DoD contractors had already been required to follow under DFARS — and wrapped a certification and assessment program around it.
For most defense contractors, this means CMMC Level 2 compliance is functionally the same as 800-171 compliance, with the addition of formal third-party assessment by a C3PAO. The 110 requirements you'll be assessed against are the 110 requirements in NIST 800-171.
That's why understanding 800-171 directly matters: it's the source of truth. Everything in your SSP, POA&M, and assessment traces back to specific requirements in this single publication.
NIST 800-171 organizes its 110 requirements into 14 thematic groups called control families. Each family addresses a specific area of security practice — like access control, audit logging, or media handling.
NIST 800-171 has gone through several revisions since its first publication. The two you'll hear about are Revision 2 (released in 2020) and Revision 3 (finalized in 2024). Most contractors are still transitioning.
Revision 2 was the operative version for years and is what most existing SSPs were drafted against. It contained 110 controls organized in a slightly different structure.
Revision 3 is the current version. It restructured several requirements, removed some that were determined to be non-federal-organization responsibilities, added new ones reflecting modern threats, and clarified language across the board. The total count remained 110.
CMMC Level 2 assessments are aligned with NIST 800-171 Rev 3. If your SSP was written against Rev 2, you'll need to update it to reflect Rev 3 structure and language before assessment. Baseline generates documentation against Rev 3 by default.
NIST publishes several cybersecurity standards, and they're often confused. Here's how 800-171 relates to its closest siblings.
NIST SP 800-53. The big sibling. A comprehensive catalog of 1,000+ security and privacy controls used by federal agencies for their own systems. 800-171 was largely derived from a tailored subset of 800-53.
NIST SP 800-171. The standard you care about. 110 requirements drawn from 800-53 and tailored for non-federal organizations handling CUI. The technical foundation of CMMC Level 2.
NIST SP 800-172. Enhanced requirements that go beyond 800-171 for protecting CUI in particularly high-risk situations. This is the technical basis for CMMC Level 3.
800-171 sits in the middle: more rigorous than commercial standards like ISO 27001 or SOC 2, less prescriptive than 800-53. It's specifically designed for the contractor segment of the federal supply chain.
For a small defense contractor, NIST 800-171 isn't a document you read once and file away. It defines the specific things you must implement, document, and prove during an assessment.
Practically, here's how it appears in compliance work:
Your System Security Plan must address each of the 110 controls and describe your current state — what you've implemented, what's partially in place, and what hasn't been addressed yet. The structure of the SSP follows the structure of 800-171. Honest documentation of gaps is expected and accepted; the SSP is a description of reality, not a claim of compliance.
Your POA&M lists every control where you're not yet fully compliant, along with your plan to close the gap. The control IDs come straight from 800-171.
Your SPRS score is calculated based on which 800-171 controls you've implemented. The maximum score is 110.
A C3PAO assessor walks through your environment evaluating each of the 110 requirements. They use the assessment objectives in NIST SP 800-171A — a companion document — to test whether your implementation actually meets the requirement.
Knowing 800-171 is essentially knowing CMMC Level 2 from the technical side. The CMMC program adds structure, certification, and enforcement; the technical requirements are 800-171.