Adversarial Risk Group

What is NIST SP 800-171?

NIST SP 800-171 is the federal security standard specifying 110 controls for protecting Controlled Unclassified Information (CUI) in non-federal systems.

Key takeaways

  • 800-171 specifies 110 controls organized into 14 control families, each addressing a specific aspect of CUI protection.
  • Compliance is required for any non-federal organization handling CUI under a DoD contract through the DFARS 252.204-7012 clause; other federal agencies increasingly reference 800-171 for equivalent handling.
  • The 110 controls map to specific NIST SP 800-53 controls and to most other major frameworks (NIST CSF 2.0, ISO 27001, CIS Controls).
  • The two compliance artifacts are the System Security Plan (SSP) and the Plan of Action and Milestones (POA&M). Both are required deliverables under DFARS and CMMC.
  • ARG audits manufacturers against 800-171 controls as part of the integrated engagement, producing SSP and POA&M scaffolding as a byproduct.

What is Controlled Unclassified Information (CUI), and who handles it?

Controlled Unclassified Information (CUI) is unclassified federal information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. CUI is not classified (Top Secret, Secret, Confidential); it is unclassified information whose protection is nonetheless mandated.

For manufacturers, the most common CUI categories include:

  • Technical drawings and specifications. CAD files, BoMs, process specifications, manufacturing instructions for federal programs.
  • Export-controlled technical data. Information subject to ITAR or EAR controls.
  • Procurement-sensitive information. Information about competitive procurements, source selection material, contract pricing.
  • Critical infrastructure information. Information about federal critical infrastructure facilities and systems.
  • Privacy-related information. Personal information of federal employees, contractors, or beneficiaries.

CUI handling obligations flow from the prime contractor to subcontractors through contractual flow-downs. A tier-2 manufacturer machining parts for a tier-1 defense contractor's federal program handles CUI even though their direct customer is the prime, not the federal government. The flow-down requires the subcontractor to implement 800-171 controls on systems that process, store, or transmit the CUI.

The CUI Registry maintained by the National Archives lists the official CUI categories. The contract documentation specifies which categories apply to the work.

The 14 control families of NIST SP 800-171

800-171 organizes its 110 controls into 14 families, each addressing a specific aspect of information protection. The families are:

  1. Access Control (AC) — 22 controls. Who can access CUI, how access is authenticated, how access is managed over time, how privileged access is controlled.
  2. Awareness and Training (AT) — 3 controls. Security awareness for all users, role-based training for users with significant security responsibilities.
  3. Audit and Accountability (AU) — 9 controls. Event logging, log review, log protection, log retention.
  4. Configuration Management (CM) — 9 controls. Baseline configurations, change control, security-relevant configuration settings.
  5. Identification and Authentication (IA) — 11 controls. User identification, authentication mechanisms, multi-factor authentication. (See "What is phishing-resistant MFA?")
  6. Incident Response (IR) — 3 controls. Incident handling, reporting, testing. (See "What is an incident response plan (IRP)?")
  7. Maintenance (MA) — 6 controls. Controlled maintenance, maintenance tools, off-site maintenance, maintenance personnel.
  8. Media Protection (MP) — 9 controls. Marking, storage, transport, sanitization, and disposal of media containing CUI.
  9. Physical Protection (PE) — 6 controls. Physical access authorization, monitoring of physical access, visitor controls. (See "What is a physical security audit?")
  10. Personnel Security (PS) — 2 controls. Background screening, personnel termination procedures.
  11. Risk Assessment (RA) — 3 controls. Periodic risk assessment, vulnerability scanning, vulnerability response.
  12. Security Assessment (CA) — 4 controls. Security control assessment, plan of action and milestones, system security plan.
  13. System and Communications Protection (SC) — 16 controls. Boundary protection, separation of user functions, cryptographic protection, denial of service protection.
  14. System and Information Integrity (SI) — 7 controls. Flaw remediation, malicious code protection, monitoring, system alerts.

(Numbers reflect Rev 2; Rev 3 reorganized some families and changed counts. The framework structure is similar.)

Each control has implementation guidance and a derived security requirement. The 14 families together produce a comprehensive picture of how CUI moves through the environment and what protections apply at each step.

Why manufacturers struggle most with the access control and audit families

Across mid-market manufacturer engagements, two families consistently produce the most findings: Access Control (AC) and Audit and Accountability (AU).

Access Control struggles. The AC family requires named accounts, role-based access, least privilege, separation of duties, session lock, MFA, and remote access controls. Mid-market manufacturers typically have:

  • Shared accounts on engineering workstations.
  • Privilege creep accumulating over years.
  • Limited MFA coverage (and push-based where MFA exists). (See "What is MFA fatigue (push bombing)?")
  • Remote access for vendors and contractors with weak governance.
  • No documented role-based access structure.

Each of these maps to a specific 800-171 control gap. The remediation is achievable; it requires sustained work.

Audit and Accountability struggles. The AU family requires event logging, log retention (typically 90+ days), log protection, and log review. Mid-market manufacturers typically have:

  • Logging configured on some systems and not others.
  • Retention measured in days rather than months.
  • No log review process.
  • No log protection (logs writable by the same accounts that produce the events).

The AU family is where compliance budget is most often underestimated. Logging at 800-171 depth requires a SIEM or equivalent log management capability that mid-market organizations frequently do not have.

The other families produce findings too, but at lower rates. AC and AU are the structural gap categories.
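The four AU gaps listed above (uneven coverage, short retention, no review, logs writable by the producing account) are easy to check mechanically once the log sources are inventoried. The following is an added example, not code from the article or from ARG's tooling: it evaluates a constructed log-source inventory against the AU expectations the section describes. The inventory fields, the 90-day retention floor and the weekly review cadence are assumptions chosen for illustration.

```python
"""Evaluate an audit-log inventory against AU-family expectations.

Added example. The LogSource fields, the 90-day retention floor and the
7-day review cadence are assumptions for illustration; the sample
inventory below is constructed, not taken from a real engagement.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

RETENTION_MIN_DAYS = 90   # assumption: floor for "typically 90+ days"
REVIEW_MAX_AGE_DAYS = 7   # assumption: weekly review counts as a review process


@dataclass
class LogSource:
    system: str
    oldest_event: date | None           # None: no event logging configured
    producer_account: str               # account that writes the events
    writable_by: set[str] = field(default_factory=set)  # accounts able to alter/delete logs
    last_reviewed: date | None = None   # None: nobody reviews these logs


def assess_source(src: LogSource, today: date) -> list[str]:
    """Return the AU findings for one log source; an empty list means no gap."""
    if src.oldest_event is None:
        return [f"{src.system}: no event logging configured"]

    findings: list[str] = []

    # Retention: how far back the oldest retained event reaches.
    retention = (today - src.oldest_event).days
    if retention < RETENTION_MIN_DAYS:
        findings.append(
            f"{src.system}: retention {retention}d is below {RETENTION_MIN_DAYS}d")

    # Protection: the account producing events must not be able to rewrite them.
    if src.producer_account in src.writable_by:
        findings.append(
            f"{src.system}: logs writable by producing account {src.producer_account!r}")

    # Review: evidence that someone actually looks at the records (AU-6).
    if src.last_reviewed is None:
        findings.append(f"{src.system}: no log review on record (AU-6)")
    else:
        age = (today - src.last_reviewed).days
        if age > REVIEW_MAX_AGE_DAYS:
            findings.append(f"{src.system}: last review {age}d ago (AU-6)")
    return findings


def assess_inventory(sources: list[LogSource], today: date) -> dict[str, list[str]]:
    """Map each system name to its list of findings."""
    return {s.system: assess_source(s, today) for s in sources}


# Constructed sample inventory and assessment date (not real systems).
TODAY = date(2026, 1, 15)
SAMPLE_INVENTORY = [
    LogSource("siem-domain-controllers", date(2025, 7, 1), "svc-winlogbeat",
              {"siem-admins"}, date(2026, 1, 12)),
    LogSource("eng-workstation-shared", date(2025, 12, 20), "SYSTEM",
              {"SYSTEM", "eng-shared"}, None),
    LogSource("cnc-cell-gateway", None, "root"),
    LogSource("file-server", date(2025, 9, 1), "svc-fileaudit",
              {"backup-ops"}, date(2025, 11, 1)),
]

if __name__ == "__main__":
    for system, findings in assess_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(system, "->", findings or "no AU findings")
```

Running it shows the SIEM-fed domain controllers clean, the shared engineering workstation with all three gaps, the CNC gateway with no logging at all, and the file server retaining enough but lacking a current review.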

Examples of 800-171 gaps in real assessments

Patterns from ARG engagements at defense-supplier manufacturers preparing for CMMC Level 2:

  • CUI flow not documented. The CUI enclave boundary is informal. CUI emails, CAD files, and engineering documents move between systems without controlled flow. CMMC scope balloons because the assessor cannot identify where CUI lives.
  • MFA not on all required systems. Email has MFA; the engineering SaaS does not; the VPN does; the file server requires only password. 800-171 control 3.5.3 requires MFA on remote access; the gap is uneven coverage.
  • Audit logs retained for 30 days or less. 800-171 expects retention sufficient for forensic investigation. Thirty days is below the threshold the assessors typically expect; 90 to 365 days is more defensible.
  • Audit log review is informal. Logs exist; nobody reviews them. AU-6 requires review and analysis of audit records; "we have logs" is not sufficient evidence.
  • Physical access logs not retained for CUI areas. Badge logs exist but retention is short or undocumented; visitor logs are paper-based with no controlled retention. PE-6 expects monitored physical access with retained records.
  • Configuration baselines absent. CM-2 requires documented baseline configurations for organizational systems. Most mid-market manufacturers do not have them.
  • Incident response plan exists but is generic. IR-1 through IR-3 require organization-specific incident response plans with named roles. Templates from the internet do not satisfy.
  • Vulnerability scanning is annual or absent. RA-5 expects vulnerability scanning. The cadence is not specified, but annual is below the practice the assessors expect.
  • Supplier flow-down incomplete. The manufacturer's own suppliers are not flowed CMMC-equivalent requirements. 3.13.13 expects controls over information flowing to and from external systems.

Each gap maps to a specific control and a specific remediation effort. The full backlog can be sized once the gap analysis is complete.

How to build an SSP (System Security Plan) and POA&M

The SSP and POA&M are the two principal compliance artifacts under 800-171 and CMMC. Both are required deliverables; both are reviewed by assessors.

System Security Plan (SSP). Documents the in-scope environment and how each 800-171 control is implemented. Typical structure:

  1. System identification. What systems are in scope, what they do, what CUI they handle.
  2. System boundary. Where the in-scope environment begins and ends. Network diagrams, data-flow diagrams, asset inventory.
  3. System environment. Operational environment, user community, system interconnections.
  4. Roles and responsibilities. Named roles with security responsibilities. Authorizing official, system owner, information system security manager, system administrator.
  5. Control implementation statements. For each of the 110 controls, a description of how the organization implements (or plans to implement) the control. Reference to specific configuration, policy, process, or compensating control.
  6. POA&M reference. Where controls are not fully implemented, reference to the POA&M item that tracks the remediation.

The SSP is a living document. It updates as the environment changes; it is reviewed annually at minimum.

Plan of Action and Milestones (POA&M). Tracks gaps not yet closed. Each POA&M entry:

  1. Control reference. Which 800-171 control(s) the gap affects.
  2. Description. Specific nature of the gap.
  3. Remediation plan. Steps to close the gap.
  4. Resources required. Funding, personnel, time.
  5. Milestones. Sub-deliverables with target dates.
  6. Target completion date. When the gap will be closed.
  7. Status. Current status, last review date, owner.

POA&M items have target dates; assessors expect those dates to be honored. A POA&M item that slips repeatedly without justification is a finding in itself.

Together, SSP and POA&M produce a complete view of the environment's 800-171 posture: what is implemented, what is in progress, and where the gaps are.
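The relationship the last two sections describe is mechanical enough to model: every control carries an implementation status in the SSP, every control short of fully implemented must point at a POA&M item, and a POA&M item that is overdue or has been rescheduled repeatedly without justification is itself a finding. The following is an added example, not code from the article or from ARG's tooling. It builds a small control register and POA&M using the gaps from the "Examples of 800-171 gaps" list as constructed sample data; the control identifiers are the ones that list cites, the dates and owners are invented.

```python
"""SSP control register and POA&M tracker.

Added example. Field names, the one-unjustified-slip tolerance and the
sample data are assumptions for illustration; the control identifiers
are those the article's gap list cites, the entries are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date

FULL, PARTIAL, NONE = "fully implemented", "partially implemented", "not implemented"


@dataclass
class ControlStatus:
    control_id: str        # control reference as written in the SSP
    family: str
    status: str            # one of FULL, PARTIAL, NONE
    implementation: str    # SSP implementation statement


@dataclass
class PoamItem:
    item_id: str
    controls: tuple[str, ...]   # control reference(s) the gap affects
    description: str
    remediation: str
    owner: str
    target_date: date
    status: str = "open"
    slips: list[tuple[date, str]] = field(default_factory=list)  # (new target, justification)

    def reschedule(self, new_target: date, justification: str = "") -> None:
        """Move the target date, recording whether a justification was given."""
        self.slips.append((new_target, justification))
        self.target_date = new_target


def posture_summary(controls: list[ControlStatus]) -> dict[str, int]:
    """Count controls by implementation status (the posture map totals)."""
    return dict(Counter(c.status for c in controls))


def controls_without_poam(controls: list[ControlStatus], poam: list[PoamItem]) -> list[str]:
    """Controls short of fully implemented that no open POA&M item tracks (SSP step 6)."""
    tracked = {cid for item in poam if item.status == "open" for cid in item.controls}
    return sorted(c.control_id for c in controls
                  if c.status != FULL and c.control_id not in tracked)


def poam_findings(poam: list[PoamItem], today: date, max_unjustified_slips: int = 1) -> list[str]:
    """Overdue items and items rescheduled repeatedly without justification."""
    findings: list[str] = []
    for item in poam:
        if item.status == "open" and item.target_date < today:
            findings.append(f"{item.item_id}: target {item.target_date} passed")
        unjustified = sum(1 for _, why in item.slips if not why.strip())
        if unjustified > max_unjustified_slips:
            findings.append(f"{item.item_id}: rescheduled {unjustified} times without justification")
    return findings


# Constructed sample data modelled on the article's gap list.
TODAY = date(2026, 1, 15)
SAMPLE_CONTROLS = [
    ControlStatus("3.5.3", "IA", PARTIAL, "MFA on email and VPN; engineering SaaS and file server password-only"),
    ControlStatus("AU-6", "AU", NONE, "Logs collected; no review process"),
    ControlStatus("CM-2", "CM", NONE, "No documented baseline configurations"),
    ControlStatus("RA-5", "RA", PARTIAL, "Annual external vulnerability scan only"),
    ControlStatus("PE-6", "PE", FULL, "Badge system with one-year retention, monthly review"),
    ControlStatus("IR-1", "IR", PARTIAL, "Generic template plan without named roles"),
]
SAMPLE_POAM = [
    PoamItem("POAM-001", ("3.5.3",), "MFA missing on engineering SaaS and file server",
             "Enrol both systems in the identity provider", "IT manager", date(2026, 3, 31)),
    PoamItem("POAM-002", ("AU-6",), "No audit log review",
             "Weekly review of SIEM alerts with sign-off", "Security lead", date(2025, 9, 30)),
    PoamItem("POAM-003", ("RA-5",), "Scanning cadence annual",
             "Quarterly authenticated scans", "IT manager", date(2026, 3, 31)),
]
SAMPLE_POAM[1].reschedule(date(2025, 11, 30))   # slipped, no justification
SAMPLE_POAM[1].reschedule(date(2025, 12, 31))   # slipped again, no justification
SAMPLE_POAM[2].reschedule(date(2026, 6, 30), "Scanner procurement delayed by budget cycle")

if __name__ == "__main__":
    print(posture_summary(SAMPLE_CONTROLS))
    print("untracked gaps:", controls_without_poam(SAMPLE_CONTROLS, SAMPLE_POAM))
    print("POA&M findings:", poam_findings(SAMPLE_POAM, TODAY))
```

With the sample data, CM-2 and IR-1 surface as gaps the SSP admits but the POA&M does not track, and POAM-002 surfaces twice: once for the passed target date and once for two unjustified reschedules, while the justified slip on POAM-003 raises nothing.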

Best practices for ongoing 800-171 compliance

  1. Scope tightly to the CUI enclave. A narrow enclave is cheaper to maintain. Broad scope makes every system a compliance target.
  2. Maintain SSP and POA&M as live documents. Update both whenever a material change occurs, not in a once-a-year scramble before an assessment.
  3. Internal assessment annually. A self-assessment cycle, ideally with a qualified outside reviewer, surfaces drift before it becomes a CMMC finding.
  4. Pair with broader security work. 800-171 controls overlap substantially with NIST CSF 2.0, CIS Controls, and ISO 27001 controls. Avoid duplicating effort by maintaining a single source of truth that maps to multiple frameworks.
  5. Train named roles, not generic users. Security awareness for everyone (AT-2); role-based training for users with significant security responsibilities (AT-3). The role-based training is where 800-171 expectations bite hardest.
  6. Build evidence capture into operations. Logs, screenshots, configuration exports, training records, policy acknowledgments. Captured continuously rather than reconstructed before an assessment.
  7. Plan for Rev 2 to Rev 3 transition. Contract clauses will move from Rev 2 to Rev 3 across 2025-2027. Manufacturers should track which version their contracts reference and plan for the transition.
  8. Coordinate with prime contractors. Primes are the source of CUI flow and the source of the contract clauses that flow CMMC requirements. Working closely with the prime's compliance team produces alignment and reduces the risk of late surprises.

NIST 800-171 FAQs

Is 800-171 the same as CMMC?

800-171 is the control catalog. CMMC Level 2 is the assessment program built on top of those controls. A manufacturer can comply with 800-171 without participating in CMMC; a manufacturer in CMMC Level 2 must implement 800-171. CMMC adds the assessment requirement; 800-171 is the substance. (See "What is CMMC 2.0?")

What is the difference between Rev 2 and Rev 3?

Rev 2 (2020) is the version most current CMMC and DFARS implementations reference. Rev 3 (2024) restructured the catalog, added some controls, removed others, and harmonized with NIST SP 800-53 Rev 5. Manufacturers should track the version their contract clauses reference; in practice, the transition from Rev 2 to Rev 3 is phasing in over 2025-2027 and most contracts still reference Rev 2 at the start of that window.

Does 800-171 apply to commercial work, or only DoD?

Primarily federal. 800-171 was written for non-federal entities handling federal CUI; the DFARS 252.204-7012 clause is the DoD vehicle for flow-down. Other agencies (GSA, NASA, civilian agencies) increasingly reference 800-171 for similar handling requirements. Commercial customers sometimes reference 800-171 as a security baseline, but the formal applicability is federal.

How long does an 800-171 readiness project take?

Twelve to twenty-four months for a mid-market manufacturer starting from a baseline IT security program. Six to twelve months for a manufacturer with most controls already in place that needs documentation and remediation of specific gaps. The timeline is dominated by remediation work, not by documentation.

How ARG audits manufacturers against 800-171 controls

ARG audits 800-171 compliance as part of the integrated on-site engagement. The work is led by David Ashby, with technical-control assessment from James Wall.

The audit covers all 14 control families:

  • Access Control and Identification/Authentication. Account hygiene, MFA coverage, privilege model, remote access governance, vendor account management.
  • Audit and Accountability. Logging coverage, retention, review process, log protection. Coverage of identity, endpoint, network, and OT logs.
  • Configuration Management. Baseline documentation, change control, security-relevant settings.
  • Incident Response. Plan maturity, tabletop testing, reporting procedures.
  • Maintenance and Media Protection. Maintenance tool controls, off-site maintenance procedures, media handling and disposal.
  • Physical Protection. Physical access controls, visitor management, monitoring of physical access to CUI areas.
  • Personnel Security. Background screening, termination procedures.
  • Risk Assessment and Security Assessment. Risk assessment cadence, vulnerability scanning, control assessment, SSP/POA&M maintenance.
  • System and Communications Protection. Boundary protection, separation, cryptographic protection.
  • System and Information Integrity. Flaw remediation, malicious code protection, monitoring.

Each control is evaluated as fully implemented, partially implemented, or not implemented. Evidence is captured (configuration screenshots, log samples, policy excerpts, observation records) and consolidated into the engagement report.

The output is a 110-control posture map, an SSP draft (or update to the existing SSP), and a POA&M draft for gaps. The client team owns and maintains both documents going forward; ARG's role is to produce the initial scaffolding and validate it through continuous testing during the engagement.

For founding clients, 800-171 audit and SSP/POA&M scaffolding are included when the client portfolio includes defense work. The output feeds directly into CMMC Level 2 readiness without translation.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: David Ashby. Updated 2026-05-18. Adversarial Risk Group.