NIST 800-171 Compliance Checklist (2026): The Complete Guide for DoD Contractors
A practical, plain-English NIST SP 800-171 Rev. 2 checklist for 2026 — all 14 control families, all 110 controls, SSP & POA&M guidance, SPRS scoring, CMMC Level 2 alignment, and a 90-day implementation roadmap for small and mid-sized DoD contractors.

If your company handles Controlled Unclassified Information (CUI) for the U.S. Department of Defense — or for any federal agency that flows DFARS 252.204-7012 down to you — NIST Special Publication 800-171 is not optional. It is the security baseline written into your contract, audited against your SPRS score, and now formalized through CMMC Level 2. This 2026 guide is the working NIST 800-171 compliance checklist our team at Cybrvault uses with small and mid-sized DoD contractors to get from “we know we have to do this” to a defensible, contract-ready program.
Important: This guide summarizes NIST SP 800-171 Rev. 2 and 32 CFR Part 170 (the CMMC Program Rule) as they stand in 2026. Always validate the latest revision (Rev. 3 is being rolled into CMMC over time) and your specific contract clauses with qualified counsel and your assessor.
What Is NIST 800-171 (and Why It Matters in 2026)
NIST SP 800-171 — “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” — is the federal standard for safeguarding CUI when it lives outside government networks. It contains 110 security requirements across 14 control families. DFARS 252.204-7012 has required defense contractors to implement these controls since 2017, and the CMMC Program Rule (32 CFR Part 170) now operationalizes them: Level 2 of CMMC is, almost line-for-line, the 110 controls of NIST SP 800-171 Rev. 2.
In 2026, three things make this checklist urgent: CMMC Level 2 assessments are actively being scheduled by C3PAOs, DoD contracting officers are pulling SPRS scores before award, and False Claims Act cases tied to inflated self-assessment scores are no longer theoretical. If your contracts touch CUI, you need a real program — not a spreadsheet you updated once in 2019.
Who Must Comply With NIST 800-171?
- DoD prime contractors and subcontractors at any tier that process, store, or transmit CUI.
- Manufacturers, engineering firms, software vendors, IT integrators, logistics providers, and professional services firms supporting DoD programs.
- Civilian agency contractors when the contract includes FAR 52.204-21 plus a CUI-handling clause (e.g., GSA, DOE, NASA, DHS task orders).
- Researchers and universities receiving federal awards that include CUI markings.
- Cloud and managed service providers that store or process CUI on behalf of the above — they must meet FedRAMP Moderate (or equivalent) and inherit the relevant 800-171 controls.
If you only handle Federal Contract Information (FCI) and not CUI, you fall under CMMC Level 1 instead. See our companion guide: CMMC Level 1 Requirements for Small DoD Contractors (2026).
FCI vs. CUI: Know Which One You Have
- FCI (Federal Contract Information): non-public information generated for the government under a contract — SOWs, purchase orders, draft deliverables. Triggers 17 basic safeguards under FAR 52.204-21 / CMMC Level 1.
- CUI (Controlled Unclassified Information): a formally marked category governed by 32 CFR Part 2002. Examples include unclassified technical drawings, ITAR/EAR-controlled data, financial records of DoD programs, and PII collected under federal authority. Triggers all 110 controls of NIST SP 800-171 and CMMC Level 2.
When in doubt, ask your contracting officer to confirm in writing whether CUI is in scope. The wrong assumption here is the single most expensive mistake we see contractors make.
The NIST 800-171 Compliance Checklist: All 14 Families, All 110 Controls
NIST organizes the 110 requirements into 14 families. The checklist below summarizes each family, the high-impact controls within it, and the practical evidence assessors will look for. Use this as your working punch list while building or refreshing your System Security Plan.
1. Access Control (3.1) — 22 controls
- Limit system access to authorized users, processes, and devices (3.1.1, 3.1.2).
- Enforce least privilege and separation of duties for privileged functions (3.1.5, 3.1.4).
- Control remote access sessions and require encryption + MFA (3.1.12, 3.1.13).
- Restrict use of portable storage and external systems (3.1.21).
- Limit and monitor wireless and mobile device access (3.1.16–3.1.18).
2. Awareness and Training (3.2) — 3 controls
- Train all users on security risks, policies, and CUI handling (3.2.1).
- Provide role-based training for admins and security personnel (3.2.2).
- Run an insider threat awareness program (3.2.3).
3. Audit and Accountability (3.3) — 9 controls
- Create, protect, and retain system audit logs sufficient to investigate incidents (3.3.1, 3.3.8).
- Ensure individual accountability — every action traceable to a user (3.3.2).
- Centralize log review and alert on anomalies (3.3.3, 3.3.5).
- Synchronize system clocks using an authoritative time source (3.3.7).
4. Configuration Management (3.4) — 9 controls
- Establish and maintain baseline configurations for all CUI systems (3.4.1).
- Enforce security configuration settings using a hardening guide (CIS, DISA STIG) (3.4.2).
- Track all changes and require approval before deployment (3.4.3, 3.4.4).
- Apply least functionality — disable unneeded ports, protocols, services, and software (3.4.6, 3.4.7).
- Maintain an application allowlist or, at minimum, a deny-by-exception list (3.4.8).
5. Identification and Authentication (3.5) — 11 controls
- Uniquely identify and authenticate every user, process, and device (3.5.1, 3.5.2).
- Require multifactor authentication for ALL privileged accounts and for ALL network access by non-privileged accounts (3.5.3).
- Enforce a strong password policy, store hashed passwords only, and prohibit reuse (3.5.7–3.5.10).
- Use replay-resistant authentication (e.g., Kerberos, modern OIDC, FIDO2) (3.5.4).
6. Incident Response (3.6) — 3 controls
- Maintain a documented incident response capability covering preparation, detection, containment, eradication, and recovery (3.6.1).
- Track and report incidents — DFARS 7012 requires reporting within 72 hours to DC3 (3.6.2).
- Test the IR plan annually with a tabletop or live exercise (3.6.3).
7. Maintenance (3.7) — 6 controls
- Perform and log all maintenance — both routine and emergency (3.7.1, 3.7.2).
- Sanitize equipment before off-site maintenance (3.7.3).
- Check media for malicious code before introducing it to CUI systems (3.7.4).
- Require MFA when remote maintenance is performed (3.7.5).
8. Media Protection (3.8) — 9 controls
- Protect and control digital and paper media containing CUI (3.8.1, 3.8.2).
- Sanitize or destroy media before disposal or reuse — NIST SP 800-88 methods (3.8.3).
- Mark media with CUI markings (3.8.4).
- Encrypt CUI on portable storage devices (3.8.6).
- Control use of removable media and prohibit unidentified media (3.8.7, 3.8.8).
9. Personnel Security (3.9) — 2 controls
- Screen individuals before granting access to CUI (3.9.1).
- Ensure CUI is protected during and after personnel actions (terminations, transfers) (3.9.2).
10. Physical Protection (3.10) — 6 controls
- Limit physical access to CUI systems and the facilities that house them (3.10.1).
- Escort visitors and maintain visitor logs (3.10.3, 3.10.4).
- Protect and monitor the physical facility and support infrastructure (3.10.2).
- Enforce safeguards for alternate work sites — home offices, hotels, customer sites (3.10.6).
11. Risk Assessment (3.11) — 3 controls
- Assess risk to operations, assets, and individuals from CUI processing (3.11.1).
- Scan for vulnerabilities periodically and after significant changes (3.11.2).
- Remediate vulnerabilities in line with risk (3.11.3).
12. Security Assessment (3.12) — 4 controls
- Periodically assess security controls for effectiveness (3.12.1).
- Develop and implement Plans of Action & Milestones (POA&Ms) to remediate gaps (3.12.2).
- Monitor controls on an ongoing basis (3.12.3).
- Develop, document, and update the System Security Plan (SSP) (3.12.4).
13. System and Communications Protection (3.13) — 16 controls
- Monitor, control, and protect communications at external and key internal boundaries (3.13.1).
- Separate user and management functionality (3.13.3).
- Deny network traffic by default and allow by exception (3.13.6).
- Encrypt CUI in transit using FIPS-validated cryptography (3.13.8, 3.13.11).
- Prohibit split tunneling on remote devices (3.13.7).
- Protect the authenticity of communications sessions (3.13.15).
- Encrypt CUI at rest (3.13.16).
14. System and Information Integrity (3.14) — 7 controls
- Identify, report, and correct system flaws in a timely manner — patch management (3.14.1).
- Provide protection from malicious code at appropriate locations (3.14.2).
- Monitor security alerts and advisories and act on them (3.14.3).
- Update malicious-code protection mechanisms when new releases are available (3.14.4).
- Perform periodic scans and real-time scans of files from external sources (3.14.5, 3.14.6).
- Identify unauthorized use of organizational systems (3.14.7).
The Two Documents Every Assessor Will Ask For
System Security Plan (SSP)
The SSP is the master document describing your CUI environment — system boundary, data flows, components, users, and how each of the 110 controls is implemented in your specific environment. NIST SP 800-18 provides the structure; CMMC assessors will use the SSP as the entry point to every assessment. If your SSP is a 6-page Word doc copied from a template, you are not ready. A defensible SSP is typically 60–150 pages with diagrams, control narratives, and references to evidence.
Plan of Action and Milestones (POA&M)
The POA&M tracks every control that is NOT MET, the planned remediation, the owner, and the target completion date. Under CMMC, only a limited subset of controls is POA&M-eligible (and those items must be closed within 180 days of conditional certification). Do not POA&M MFA, FIPS-validated crypto, or other high-weight controls — those will block conditional certification entirely.
How the SPRS Score Works
DFARS 252.204-7019/7020 requires contractors to submit a current NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) before award. The scoring methodology starts at 110 and subtracts weighted points (1, 3, or 5) for each unmet control. The maximum score is 110; the minimum is -203.
- Each of the 110 controls is weighted 1, 3, or 5 based on impact (MFA, FIPS crypto, and boundary protection carry the heaviest weights).
- Partial implementation generally counts as NOT MET — there is no half credit, except for limited cases noted in the DoD Assessment Methodology.
- An honest SPRS score is far better than an inflated one. False scores expose the senior official and the company to False Claims Act liability.
- Re-score whenever the environment materially changes and at least annually.
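The scoring rule above, as an added worked example (not code from the article or from DoD): start at 110, subtract each NOT MET control's 1/3/5-point weight, and flag the 5-point controls that would block conditional certification. SAMPLE_WEIGHTS is a constructed subset for illustration; the authoritative weights for all 110 controls, the two partial-credit cases (3.5.3 MFA and 3.13.11 FIPS, scored at 3 instead of 5), and the rule that a missing SSP (3.12.4) yields no score at all come from the DoD Assessment Methodology.

```python
"""SPRS self-assessment scorer (added example, not the article's own code).
Start at 110 and subtract the 1/3/5-point weight of every control that is
NOT MET. SAMPLE_WEIGHTS is a constructed subset; a complete table sums to 313.
"""
from enum import Enum


class Status(Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"


MAX_SCORE = 110
MIN_SCORE = -203  # all 110 controls NOT MET

# Constructed sample: a handful of controls with their 1/3/5 weights.
SAMPLE_WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.5": 3,    # least privilege
    "3.3.7": 1,    # authoritative time source
    "3.5.3": 5,    # multifactor authentication
    "3.13.1": 5,   # boundary protection
    "3.13.11": 5,  # FIPS-validated cryptography
}
# Methodology's only partial-credit cases: MFA for remote/privileged access
# but not general users, and encryption that is not FIPS-validated.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
# 3.12.4 (the SSP) carries no weight: without an SSP no score is produced.
UNSCORED = {"3.12.4"}


def deduction(control, status, weights=SAMPLE_WEIGHTS):
    """Points subtracted for a single control."""
    if control in UNSCORED or status is Status.MET:
        return 0
    weight = weights[control]  # KeyError for an unknown control id
    if status is Status.PARTIAL:
        # No half credit except for the two methodology exceptions.
        return PARTIAL_CREDIT.get(control, weight)
    return weight


def sprs_score(statuses, weights=SAMPLE_WEIGHTS):
    """Score a dict of control id -> Status that covers every weighted control."""
    missing = sorted(set(weights) - set(statuses))
    if missing:
        raise ValueError(f"every weighted control needs a status: {missing}")
    if statuses.get("3.12.4") is Status.NOT_MET:
        raise ValueError("no SSP: the assessment cannot be completed")
    score = MAX_SCORE - sum(deduction(c, s, weights) for c, s in statuses.items())
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError("score out of range: check the weight table")
    return score


def conditional_cert_blockers(statuses, weights=SAMPLE_WEIGHTS):
    """5-point controls that are NOT MET; these cannot be carried on a POA&M."""
    return sorted(c for c, s in statuses.items()
                  if weights.get(c) == 5 and s is Status.NOT_MET)


def weight_table_is_complete(weights):
    """True only for a full 110-control table of 1/3/5 weights summing to 313."""
    return (len(weights) == 110 and sum(weights.values()) == MAX_SCORE - MIN_SCORE
            and set(weights.values()) <= {1, 3, 5})
```

Swap in the full methodology table for SAMPLE_WEIGHTS and weight_table_is_complete() will confirm it before you trust a score.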
NIST 800-171 vs. CMMC Level 2: How They Connect
- NIST SP 800-171 Rev. 2 = the 110 security requirements.
- CMMC Level 2 = the assessment and certification framework that verifies those 110 requirements, plus a few CMMC-specific assessment objectives.
- Most CMMC Level 2 contracts require a triennial C3PAO assessment; lower-risk contracts may allow annual self-assessment with senior-official affirmation.
- DFARS 252.204-7021 is the contract clause that flows CMMC down to subcontractors.
- NIST SP 800-172 adds 35 enhanced controls for the highest-sensitivity CUI — this maps to CMMC Level 3.
Realistic Costs for a Small or Mid-Sized Contractor
Costs vary widely, but for a 25–100 person contractor with no mature security program, expect total first-year spending in the $75,000–$250,000 range. That typically breaks down as:
- Tooling (EDR, SIEM/log management, MFA, encryption, vulnerability scanner, GRC platform): $25,000–$80,000/yr.
- Microsoft 365 GCC High or AWS GovCloud for the CUI enclave: $40–$70/user/month.
- Consulting & SSP/POA&M development: $30,000–$120,000 one-time.
- C3PAO assessment for CMMC Level 2: $40,000–$150,000 every three years.
- Internal staff time: 200–600 hours in year one.
An enclave strategy — isolating CUI to a dedicated, hardened environment — almost always beats trying to bring the entire company in-scope.
90-Day NIST 800-171 Implementation Roadmap
Days 1–30: Scope, Inventory, Gap Assessment
- Identify every contract that requires DFARS 7012 / CMMC. Get CUI categories in writing.
- Map where CUI is received, processed, stored, transmitted, and destroyed.
- Draw the system boundary. Decide on an enclave vs. enterprise scope.
- Inventory all in-scope assets: endpoints, servers, network gear, SaaS, identities, mobile devices.
- Score the current state of all 110 controls and calculate a baseline SPRS score.
Days 31–60: Implement Controls and Build the SSP
- Stand up the CUI enclave (e.g., Microsoft 365 GCC High + Intune + Defender).
- Enforce MFA everywhere, with phishing-resistant MFA for admins.
- Deploy EDR, centralized logging, and FIPS-validated encryption in transit and at rest.
- Harden endpoints and servers against CIS or DISA STIG baselines.
- Write or refresh the 14 required policies and the SSP narrative for each control.
- Build the POA&M for any control that cannot be fully met in 90 days.
Days 61–90: Self-Assess, Train, Submit, Operationalize
- Run a full internal NIST 800-171 self-assessment using the DoD Assessment Methodology.
- Deliver awareness training to every user and role-based training to admins and IR responders.
- Run a tabletop incident response exercise.
- Submit the SPRS score and the assessment date.
- Schedule the C3PAO assessment if Level 2 certification is required.
- Stand up continuous monitoring: weekly vulnerability scans, monthly access reviews, quarterly POA&M updates.
Common Mistakes That Fail Assessments
- Storing CUI in commercial Microsoft 365 or commercial Google Workspace — neither is authorized for CUI.
- Treating MFA as “mostly on” — assessors verify every account, every entry point, every time.
- Claiming FIPS-validated encryption without a CMVP certificate number to back it up.
- Letting the IT team write the SSP without input from operations, HR, facilities, and legal.
- POA&Ming controls that are not POA&M-eligible under CMMC.
- Forgetting subcontractor flow-down — DFARS 7012 and 7021 must be in every relevant subcontract.
- Inflating the SPRS score because “we’ll fix it before the assessor shows up.”
Helpful Official References
- NIST SP 800-171 Rev. 2 — csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
- NIST SP 800-171A (Assessment Procedures) — csrc.nist.gov/publications/detail/sp/800-171a/final
- NIST SP 800-172 (Enhanced Requirements) — csrc.nist.gov/publications/detail/sp/800-172/final
- DoD CMMC Program — dodcio.defense.gov/CMMC/
- 32 CFR Part 170 (CMMC Program Rule) — ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170
- CUI Registry (National Archives) — archives.gov/cui
- SPRS — sprs.csd.disa.mil
- DoD Assessment Methodology — dodprocurementtoolbox.com
Related Cybrvault Guides
- CMMC Level 1 Requirements for Small DoD Contractors (2026) — /blog/cmmc-level-1-requirements-small-dod-contractors-2026
- DoD SAFE Alternatives in 2026 — /blog/dod-safe-alternatives-2026
- Ransomware Playbook 2026 — /blog/ransomware-playbook-2026
- Zero Trust for Small Business — /blog/zero-trust-for-small-business
How Cybrvault Helps DoD Contractors Get to NIST 800-171 Compliance
Cybrvault Cybersecurity is a Miami-based ethical hacking and compliance firm that helps small and mid-sized DoD contractors across South Florida and the entire United States meet NIST SP 800-171 and CMMC Level 2. We handle scoping, enclave design, SSP and POA&M development, hands-on implementation, mock C3PAO assessments, and ongoing managed compliance. Every engagement starts with a free, confidential discovery call.
Visit https://www.cybrvault.com or call 305-988-9012 to talk through your contracts, your CUI footprint, and the fastest defensible path to a 110-of-110 SPRS score.
Final Thoughts
NIST 800-171 is not a paperwork exercise — it is the security floor for protecting U.S. defense information in private networks. Treat the 110 controls as a real operating standard, build the SSP and POA&M as living documents, score yourself honestly in SPRS, and prepare for CMMC Level 2 the same way you would prepare for an IRS audit: with evidence, discipline, and outside expertise. Do that, and 800-171 stops being a threat to your contracts and starts being a competitive advantage.
Frequently Asked Questions
What is NIST 800-171?
NIST Special Publication 800-171 is the federal standard for protecting Controlled Unclassified Information (CUI) on nonfederal systems. It contains 110 security requirements across 14 families and is the baseline that DFARS 252.204-7012 and CMMC Level 2 enforce on DoD contractors that handle CUI.
Who has to comply with NIST 800-171?
Any DoD prime contractor or subcontractor at any tier that processes, stores, or transmits CUI must comply with NIST SP 800-171. The requirement also applies to many civilian agency contracts (GSA, NASA, DOE, DHS) and to cloud or managed service providers that handle CUI on a contractor's behalf.
How many controls are in NIST 800-171?
NIST SP 800-171 Rev. 2 contains 110 security requirements organized into 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.
What is the difference between NIST 800-171 and CMMC Level 2?
NIST SP 800-171 Rev. 2 defines the 110 security requirements. CMMC Level 2 is the DoD assessment and certification framework that verifies a contractor has actually implemented those 110 requirements. Most CMMC Level 2 contracts require a third-party (C3PAO) assessment every three years; lower-risk contracts may allow annual self-assessment with senior-official affirmation.
What is an SSP and POA&M?
The System Security Plan (SSP) documents your CUI environment, system boundary, and how each of the 110 NIST 800-171 controls is implemented. The Plan of Action and Milestones (POA&M) tracks any unmet controls, the remediation plan, the owner, and the target completion date. Both documents are required and will be the first artifacts a CMMC assessor asks to see.
How is the SPRS score calculated?
The SPRS score starts at 110 and subtracts 1, 3, or 5 weighted points for each NIST SP 800-171 control that is NOT MET, following the DoD Assessment Methodology. The maximum score is 110 and the minimum is -203. Contractors must submit the score and assessment date to SPRS before contract award under DFARS 252.204-7019/7020.
How much does NIST 800-171 compliance cost?
For a 25–100 person DoD contractor with no mature security program, expect first-year costs of $75,000–$250,000 covering tooling (EDR, MFA, logging, encryption), a Microsoft 365 GCC High or AWS GovCloud enclave, SSP and POA&M development, and consulting. A CMMC Level 2 C3PAO assessment typically adds $40,000–$150,000 every three years.
Can I store CUI in regular Microsoft 365 or Google Workspace?
No. Commercial Microsoft 365 and commercial Google Workspace are not authorized to store, process, or transmit CUI. CUI must live in an environment that meets FedRAMP Moderate (or equivalent) and inherits the relevant NIST SP 800-171 controls — typically Microsoft 365 GCC High, Microsoft 365 GCC (for some CUI categories), or AWS GovCloud.
How long does it take to become NIST 800-171 compliant?
With focused executive support, a small or mid-sized contractor can reach a defensible NIST 800-171 implementation in 90–180 days: 30 days to scope and gap-assess, 30–60 days to implement controls and stand up the CUI enclave, and 30–90 days to document the SSP, build the POA&M, run a mock assessment, and submit the SPRS score.
What happens if I lie about my SPRS score?
Submitting an inflated or false SPRS score can expose the senior official and the company to False Claims Act liability, contract termination, suspension, and debarment from federal contracting. Several DOJ Civil Cyber-Fraud Initiative cases have already targeted contractors over inaccurate self-assessments. Score honestly and use a POA&M for gaps.