NIST 800-171 Rev 3: The Contractor's Guide to Protecting CUI
If you handle Controlled Unclassified Information for a US federal agency, NIST SP 800-171 is the rulebook. Here's what Revision 3 changed, how it connects to CMMC and DFARS, and how to actually get your SPRS score up.
If you've ever bid on a federal contract and hit a clause about "DFARS 252.204-7012" or a required "SPRS score," you've already bumped into NIST SP 800-171. And if you're like most subcontractors, your first reaction was probably: "I have to do what now?"
Here's the thing — 800-171 isn't optional theater. It's the baseline the US government uses to decide whether you're allowed to touch sensitive-but-unclassified data. Get it wrong and you don't just fail an audit; you can lose the contract or, in the worst cases, face False Claims Act liability for misrepresenting your security. With Revision 3 now in play and CMMC enforcement ramping up, it's worth understanding what this thing actually asks of you.
What 800-171 Is For
NIST Special Publication 800-171 exists to answer one question: how should a non-federal organization protect Controlled Unclassified Information (CUI) when it lives on the contractor's own systems?
CUI is the layer of government information that isn't classified but still shouldn't be floating around freely — think technical drawings, specs, logistics data, research, certain personally identifiable info. When a federal agency (especially the DoD) shares that data with you to do the work, they need assurance you won't leak it. 800-171 is that assurance, written as a set of security requirements.
It's published by NIST — the same agency behind the broader NIST Cybersecurity Framework. But where the CSF is a flexible, risk-based framework you tailor to yourself, 800-171 is a concrete checklist of requirements you either meet or you don't.
What Revision 3 Changed
Revision 2 had been the standard for years. Revision 3, finalized in May 2024, was the first major overhaul, and it changed enough to matter:
- The structure was reorganized. The old version had 110 requirements across 14 families. Rev 3 restructured the families (adding Planning, System and Services Acquisition, and Supply Chain Risk Management concepts) and recounted the requirements. The headline number shifted, but more importantly the content moved around — don't assume your Rev 2 mapping still lines up.
- Tailoring became explicit. Rev 3 introduced "organization-defined parameters" (ODPs) — places where you (or the agency) set specific values, like how often you review accounts or how long sessions can idle. More flexibility, but also more decisions you have to document.
- It pulled closer to 800-53. The requirements were re-derived from the moderate baseline of NIST SP 800-53 Rev 5, tightening the link between the contractor standard and the federal control catalog.
- Some withdrawn, some added. A handful of requirements were merged or dropped as redundant, and others were added or strengthened — notably around supply chain and system/services acquisition.
If you certified against Rev 2, budget real time for a gap analysis. The delta is not cosmetic.
How It Connects to CMMC and DFARS (the Web You're Actually In)
This is where contractors get confused, so let's untangle the acronyms.
- DFARS 252.204-7012 is the contract clause that requires you to implement 800-171 if you handle CUI for the DoD. It's been around since 2017. It also requires you to report cyber incidents within 72 hours.
- DFARS 252.204-7019/7020 require you to do a self-assessment against 800-171 and post your score in SPRS (the Supplier Performance Risk System).
- CMMC 2.0 — the Cybersecurity Maturity Model Certification — is the verification layer on top. CMMC Level 2 is essentially "you actually implemented all of 800-171, and we're going to check." For many contracts, instead of just self-attesting, you'll need a third-party assessment (C3PAO) to prove it.
So the relationship is: 800-171 is the controls. DFARS is the contractual obligation to implement them. CMMC is how the DoD verifies you did. They're not competing standards — they're the same security requirements seen from three angles.
The SPRS Score: How Self-Assessment Actually Works
Here's the part contractors most need to understand operationally.
You assess yourself against the 800-171 requirements and calculate a score using the DoD's NIST SP 800-171 Assessment Methodology. It starts at 110 (under Rev 2's count) and you subtract points for each requirement you haven't fully met — some requirements are worth 1 point, others 3 or 5 depending on how critical they are. A perfect implementation is 110. It's entirely possible to have a negative score if you're missing a lot of the high-value controls.
That number goes into SPRS, and contracting officers see it. A low or negative score doesn't automatically disqualify you, but it's a visible signal — and falsely claiming a high score you can't back up is exactly the kind of thing that draws False Claims Act enforcement. Several contractors have settled for millions over inflated self-assessments. Be honest about your score.
The Control Families (Plain-English Tour)
Without drowning in the full list, the requirements cluster around themes you'd recognize from any solid security program:
- Access Control — who can get to CUI, least privilege, remote access limits
- Identification & Authentication — strong, unique identities; multi-factor authentication
- Audit & Accountability — logging what happens and being able to review it
- Configuration Management — known-good baselines, change control
- Incident Response — detect, report (72 hours!), and recover
- Media Protection — encrypting and sanitizing drives, USBs, backups
- System & Communications Protection — encryption in transit, network segmentation, boundary defense
- System & Information Integrity — patching, malware defense, monitoring
- Plus families for awareness/training, maintenance, personnel security, physical protection, risk assessment, and (new emphasis in Rev 3) supply chain and acquisition
The recurring traps for contractors: MFA everywhere CUI is accessed, FIPS-validated encryption (not just "encrypted" — validated), comprehensive logging, and properly segregating CUI instead of letting it sprinkle across the whole network.
A Realistic Path to Compliance
- Scope it. Figure out exactly where CUI lives, flows, and is stored. The smaller and more isolated your CUI environment (an "enclave"), the cheaper everything downstream gets. This single decision drives your whole budget.
- Gap assessment against Rev 3. Map current state to each requirement. Be brutally honest — this feeds your SPRS score.
- Write the SSP and POA&M. A System Security Plan documents how you meet each requirement. A Plan of Action & Milestones documents what you haven't met yet and when you'll fix it. Assessors live in these two documents.
- Remediate the high-value gaps first. MFA, encryption, logging, and access control move your score the most.
- Calculate and post your SPRS score. Honestly.
- Prep for CMMC assessment if your contracts require Level 2 certification rather than self-attestation.
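To make the scoring arithmetic from the SPRS section and the "gap assessment, POA&M, remediate the high-value gaps first" steps concrete, here is a small worked example. It is an added illustration, not NIST's, the DoD's or SPRS's own tool, and it models only what this article states: start at 110, subtract each unmet requirement's weight (1, 3 or 5), and accept that the total can go negative. The requirement identifiers, titles and statuses are constructed sample data, not real 800-171 requirement numbers, and the published methodology has partial-credit details this example does not attempt to reproduce.

```python
"""SPRS-style self-assessment scorer (added example, constructed data).

Follows only the rules stated in the article: start at 110, subtract the
weight (1, 3 or 5) of every requirement that is not fully implemented,
and a negative result is possible.  Requirement ids are placeholders.
"""
from dataclasses import dataclass

START_SCORE = 110            # perfect score under the Rev 2 requirement count
VALID_WEIGHTS = {1, 3, 5}    # the three point values the methodology assigns


@dataclass(frozen=True)
class Requirement:
    req_id: str        # constructed label, NOT a real 800-171 identifier
    title: str
    weight: int        # 1, 3 or 5 points
    implemented: bool  # True only if fully met; partial counts as unmet here


def validate(reqs):
    """Refuse to score a record set with bad weights or duplicate ids."""
    seen = set()
    for r in reqs:
        if r.weight not in VALID_WEIGHTS:
            raise ValueError(f"{r.req_id}: weight {r.weight} is not 1, 3 or 5")
        if r.req_id in seen:
            raise ValueError(f"{r.req_id}: duplicate requirement id")
        seen.add(r.req_id)


def sprs_score(reqs):
    """110 minus the weight of every unmet requirement; may be negative."""
    validate(reqs)
    return START_SCORE - sum(r.weight for r in reqs if not r.implemented)


def poam(reqs):
    """Plan of Action & Milestones view: every unmet requirement, heaviest
    first, so the 5-point gaps get remediated before the 1-point ones."""
    gaps = [r for r in reqs if not r.implemented]
    return sorted(gaps, key=lambda r: (-r.weight, r.req_id))


def high_value_gaps(reqs):
    """Ids of the 5-point gaps: these move the score most and are the ones
    that should not sit on a POA&M for long."""
    return [r.req_id for r in poam(reqs) if r.weight == 5]


# Constructed sample assessment; ids and statuses are invented for the demo.
SAMPLE = [
    Requirement("REQ-01", "Multi-factor authentication for CUI access", 5, False),
    Requirement("REQ-02", "FIPS-validated encryption for CUI at rest", 5, False),
    Requirement("REQ-03", "Audit logging of CUI system events", 3, False),
    Requirement("REQ-04", "Least-privilege access control", 5, True),
    Requirement("REQ-05", "Media sanitization before disposal", 1, False),
    Requirement("REQ-06", "Network segmentation of the CUI enclave", 3, True),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))        # 110 - (5 + 5 + 3 + 1) = 96
    print("Fix first:", high_value_gaps(SAMPLE))    # ['REQ-01', 'REQ-02']
    for r in poam(SAMPLE):
        print(f"  POA&M {r.req_id} (-{r.weight}): {r.title}")
```

Two design points carry over to a real assessment: partial implementations are scored as unmet (the article's "fully met" rule), and the POA&M output is ordered by weight so the remediation plan starts with the controls that both recover the most points and are least tolerated as open items.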
FAQ
Is 800-171 only for the DoD? It originated for DoD CUI but applies broadly — any federal agency sharing CUI can require it, and DFARS makes it contractual for defense work. CMMC is specifically a DoD program.
Rev 2 or Rev 3 — which do I need? It depends on your contract. Agencies are transitioning to Rev 3, but the clause in your contract governs. Many organizations are assessing against Rev 3 now to get ahead of the shift. Check your contract language and ask your contracting officer.
Do I need a third party, or can I self-assess? 800-171 itself is self-assessed (posted to SPRS). Whether you also need third-party CMMC certification depends on the contract's CMMC level requirement. Level 1 and some Level 2 are self-attested; many Level 2 contracts require a C3PAO assessment.
Can I have open items and still win contracts? A POA&M lets you document unmet requirements with a remediation timeline, and limited POA&Ms are allowed under CMMC for certain lower-weighted controls. But the highest-value requirements generally can't sit on a POA&M indefinitely.
How long does compliance take? For an organization starting cold, six months to a year is realistic, driven mostly by how messy your CUI scope is. Tightly scoped enclaves go faster.
The Bottom Line
NIST 800-171 is the price of admission for handling government CUI, and Revision 3 raised the bar while adding flexibility. The contractors who struggle are the ones who treat it as a one-time paperwork exercise. The ones who do well scope their CUI tightly, document honestly in their SSP and POA&M, keep their SPRS score real, and build toward CMMC 2.0 verification as a natural extension rather than a separate fire drill.
Start with scope, be honest about your score, and the rest is just disciplined execution.
References
- NIST SP 800-171 Rev 3 — National Institute of Standards and Technology (May 2024)
- NIST SP 800-171A Rev 3 (Assessment Procedures) — NIST
- DFARS 252.204-7012 — Defense Federal Acquisition Regulation Supplement
- CMMC Program — U.S. Department of Defense CIO
- Supplier Performance Risk System (SPRS) — U.S. Department of Defense