NIST 800-171 Requirements: What Contractors Must Know in 2026
Posted: March 3, 2026 to Compliance.
NIST Special Publication 800-171 is the cybersecurity standard that every defense contractor handling Controlled Unclassified Information (CUI) must implement. With CMMC assessments now underway and the Department of Defense actively enforcing compliance, understanding the 110 security requirements in NIST 800-171 is no longer optional. It is a prerequisite for doing business with the federal government.
This guide provides a practical overview of all 14 control families, explains how the requirements connect to CMMC, and outlines what contractors need to do to prepare for assessment in 2026.
What Is NIST SP 800-171?
NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," was developed by the National Institute of Standards and Technology to standardize how non-federal organizations protect CUI. The standard was first published in 2015 and revised in February 2020 (Revision 2), with Revision 3 published in May 2024.
CUI is information created or possessed by the government (or created by a contractor on behalf of the government) that requires safeguarding but is not classified. Examples include technical drawings, test results, personnel records, contract performance data, export-controlled information, and law enforcement sensitive data.
If your organization holds a DoD contract with DFARS clause 252.204-7012, you are required to implement NIST 800-171. The same requirements form the technical foundation of CMMC Level 2.
The 14 Control Families
NIST 800-171 Revision 2 organizes its 110 requirements into 14 families. Here is what each family covers and what your organization needs to have in place.
1. Access Control (AC) - 22 Requirements
Access Control is the largest family and addresses who can access CUI and under what conditions. Requirements include:
- Limiting system access to authorized users and transactions
- Controlling the flow of CUI between systems and networks
- Separating duties to reduce the risk of malicious activity
- Employing least privilege principles
- Controlling remote access sessions
- Controlling access via mobile devices
- Encrypting CUI on mobile devices and remote access sessions
This family often requires the most work. Organizations must implement role-based access control (RBAC), session management, network segmentation, and VPN solutions with strong authentication.
2. Awareness and Training (AT) - 3 Requirements
Personnel must understand their security responsibilities. Requirements cover:
- Providing security awareness training to all users
- Training personnel on recognizing and reporting insider threats
- Providing role-based security training to individuals with specific security responsibilities
Document all training, maintain attendance records, and refresh training at least annually. Training must be specific to your environment and the types of CUI you handle.
3. Audit and Accountability (AU) - 9 Requirements
Audit requirements ensure that system activity involving CUI can be traced and reviewed. Key requirements:
- Creating and retaining system audit logs sufficient to enable monitoring, analysis, and investigation
- Reviewing and updating the events that are logged
- Alerting on audit logging process failures so that logging never fails silently
- Correlating audit records across systems
- Protecting audit information and audit tools from unauthorized access
In practice, this means deploying a centralized logging solution (SIEM), configuring systems to log security-relevant events, and establishing regular log review procedures.
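The following is an added example, not code from the article or from any vendor it mentions, showing what a minimal scripted log review looks like for two of the AU requirements above: alerting when the audit logging process itself fails, and noticing when a host stops sending logs at all (the silent-failure case). The log lines, host names, and the one-hour gap threshold are constructed for the example; a real deployment would feed the same checks from the SIEM rather than from an inline string.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style with ISO timestamps) from two hosts.
SAMPLE_LOGS = """\
2026-03-02T08:00:01Z fileserver01 auditd[812]: Audit daemon started
2026-03-02T08:05:10Z fileserver01 sshd[1033]: Accepted publickey for jdoe from 10.20.0.15
2026-03-02T08:06:22Z fileserver01 auditd[812]: Audit daemon is low on disk space for logging
2026-03-02T08:06:23Z fileserver01 auditd[812]: Audit daemon stopping logging
2026-03-02T08:10:00Z workstation07 sshd[2210]: Failed password for admin from 10.20.0.99
2026-03-02T09:30:00Z workstation07 rsyslogd: action 'forward-to-siem' suspended, next retry in 30 seconds
2026-03-02T11:59:00Z workstation07 sshd[2290]: Accepted password for admin from 10.20.0.99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Messages that mean the audit/log pipeline itself is degraded (requirement 3.3.4).
# The patterns are illustrative; tune them to the daemons actually in use.
FAILURE_PATTERNS = {
    "auditd": re.compile(r"stopping logging|low on disk|disk full|error", re.I),
    "rsyslogd": re.compile(r"suspended|error|lost", re.I),
}


def parse_logs(text):
    """Parse syslog-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline should count and alert on unparseable lines too
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            "host": m["host"],
            "proc": m["proc"],
            "msg": m["msg"],
        })
    return events


def audit_failures(events):
    """Return (host, timestamp, message) for events showing audit logging failure."""
    found = []
    for e in events:
        pattern = FAILURE_PATTERNS.get(e["proc"])
        if pattern and pattern.search(e["msg"]):
            found.append((e["host"], e["ts"], e["msg"]))
    return found


def silent_hosts(events, expected_hosts, now, max_gap):
    """Hosts that should be logging but have sent nothing within max_gap of now.

    A host that never appears in the events at all is reported as silent too.
    """
    last_seen = {}
    for e in events:
        if e["ts"] > last_seen.get(e["host"], datetime.min):
            last_seen[e["host"]] = e["ts"]
    return sorted(h for h in expected_hosts if now - last_seen.get(h, datetime.min) > max_gap)


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for host, ts, msg in audit_failures(events):
        print(f"ALERT audit logging failure on {host} at {ts}: {msg}")
    review_time = datetime(2026, 3, 2, 12, 0, 0)  # constructed "now" for the review run
    expected = {"fileserver01", "workstation07", "vpngw01"}
    for host in silent_hosts(events, expected, review_time, timedelta(hours=1)):
        print(f"ALERT no logs received from {host} in the last hour")
```

The second check is the one most often missing from a first-pass SIEM rollout: an auditd that has stopped, or a forwarder that is silently dropping events, produces no alert of its own, so the review must compare each in-scope host against an expected inventory rather than only inspect the lines that did arrive.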
4. Configuration Management (CM) - 9 Requirements
Configuration management ensures systems are deployed and maintained in a secure state:
- Establishing and maintaining baseline configurations for systems
- Implementing change control processes
- Analyzing the security impact of changes before implementation
- Enforcing security configuration settings across systems
- Restricting, disabling, or preventing unauthorized software
- Tracking and controlling user-installed software
5. Identification and Authentication (IA) - 11 Requirements
Identity and authentication controls verify that users and devices are who they claim to be:
- Uniquely identifying and authenticating all users
- Authenticating devices before establishing connections
- Implementing multi-factor authentication for network and remote access
- Employing replay-resistant authentication mechanisms
- Preventing identifier reuse and managing inactive identifiers
- Enforcing minimum password complexity and change requirements
- Storing and transmitting only cryptographically protected passwords
- Obscuring authentication feedback
Multi-factor authentication is one of the most impactful requirements. It must be implemented for all remote access and for all privileged accounts at minimum.
6. Incident Response (IR) - 3 Requirements
Incident response requirements mandate formal preparation for security events:
- Establishing an incident response capability including preparation, detection, analysis, containment, recovery, and user response activities
- Tracking, documenting, and reporting incidents
- Testing incident response capability
Your incident response plan must address CUI-specific scenarios, include notification procedures for the DoD (typically within 72 hours), and be tested through regular tabletop exercises.
7. Maintenance (MA) - 6 Requirements
Maintenance controls govern how systems are maintained and who performs maintenance:
- Performing maintenance on organizational systems in a timely manner
- Providing effective controls on maintenance tools and media
- Requiring MFA for establishing remote maintenance sessions and terminating them when complete
- Supervising maintenance activities when performed by personnel without required access authorization
8. Media Protection (MP) - 9 Requirements
Media protection addresses how CUI stored on digital and physical media is secured:
- Protecting and controlling system media (digital and paper) containing CUI
- Limiting access to CUI on media to authorized users
- Sanitizing or destroying media before disposal or reuse
- Marking media with CUI distribution limitations and handling caveats
- Controlling access to media containing CUI during transport
- Implementing cryptographic protections for CUI stored on digital media during transport
9. Personnel Security (PS) - 2 Requirements
Personnel security covers the people side of the equation:
- Screening individuals prior to authorizing access to systems containing CUI
- Ensuring CUI is protected during and after personnel actions such as terminations and transfers
This means conducting background checks, immediately revoking access upon termination, and retrieving all organizational assets from departing employees.
10. Physical Protection (PE) - 6 Requirements
Physical protection secures the facilities and hardware where CUI resides:
- Limiting physical access to systems and facilities to authorized individuals
- Escorting visitors and monitoring visitor activity
- Maintaining audit logs of physical access
- Managing physical access devices (keys, badges, combinations)
- Protecting and monitoring the physical facility and support infrastructure
- Controlling physical access at alternate work sites
11. Risk Assessment (RA) - 3 Requirements
Risk assessment establishes the foundation for prioritizing security investments:
- Periodically assessing the risk to organizational operations, assets, and individuals
- Scanning for vulnerabilities in systems and applications and remediating identified vulnerabilities
Risk assessments should be conducted at least annually and whenever significant changes occur. Vulnerability scanning should be performed at regular intervals, ideally monthly.
12. Security Assessment (CA) - 4 Requirements
Security assessment addresses how you evaluate and maintain your security posture:
- Developing, documenting, and periodically updating your System Security Plan (SSP)
- Periodically assessing security controls to determine effectiveness
- Developing and implementing plans of action to address deficiencies and reduce vulnerabilities
- Monitoring security controls on an ongoing basis
Your SSP is arguably the most important document in your NIST 800-171 compliance program. It describes your system boundary, how each requirement is met, and who is responsible. Use our SPRS Score Calculator to assess your current compliance level.
13. System and Communications Protection (SC) - 16 Requirements
This family addresses network and communications security:
- Monitoring, controlling, and protecting communications at system boundaries
- Employing architectural designs and software development techniques that promote effective security
- Separating user and management functionality
- Preventing unauthorized and unintended information transfer
- Implementing network segmentation for publicly accessible systems
- Implementing cryptographic protections for CUI confidentiality
- Prohibiting remote activation of collaborative computing devices
- Controlling and monitoring mobile code
- Establishing and managing cryptographic keys
- Employing FIPS-validated cryptography
Network segmentation and encryption are critical. CUI must be encrypted in transit (minimum TLS 1.2) and at rest, using FIPS 140-2 validated cryptographic modules.
14. System and Information Integrity (SI) - 7 Requirements
System integrity ensures your systems remain trustworthy and detect threats:
- Identifying, reporting, and correcting system flaws in a timely manner
- Providing protection from malicious code at designated locations
- Monitoring system security alerts and taking appropriate action
- Updating malicious code protection mechanisms as new releases become available
- Performing periodic and real-time scans of the system
- Monitoring systems to detect attacks and indicators of potential attacks
- Identifying unauthorized use of systems
NIST 800-171 and CMMC: How They Connect
CMMC Level 2 maps directly to all 110 requirements in NIST 800-171 Revision 2. If you achieve full compliance with 800-171, you have met the technical requirements for CMMC Level 2. The difference is that CMMC adds a verification layer: instead of self-attesting compliance, most contractors will need to demonstrate it through a C3PAO assessment.
For contractors pursuing CMMC, your NIST 800-171 compliance program (SSP, POA&M, and implemented controls) forms the evidence package you will present to assessors. Investing in thorough 800-171 implementation now is directly investing in your CMMC readiness. Learn more in our CMMC Compliance Guide.
SPRS Scoring: Where Do You Stand?
The Supplier Performance Risk System (SPRS) score quantifies your compliance with NIST 800-171. A perfect score is 110 (all requirements met). Each unmet requirement subtracts points based on severity, with the minimum possible score being -203.
Since November 2020, contractors have been required to submit their SPRS score before being eligible for contract awards. Your score is calculated during your self-assessment and must be entered into SPRS along with the date of your assessment, the scope, and the name of the assessing official.
A low SPRS score does not automatically disqualify you from contracts, but it does indicate significant gaps that must be addressed in your POA&M. Use our free SPRS Score Calculator to determine your current score.
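The scoring rule described above (start at 110, subtract a severity weight for each unmet requirement, floor of -203) is simple enough to script, and doing so also produces the prioritised list of unmet items that feeds the POA&M. The code below is an added example, not the article's SPRS Score Calculator or any DoD tool. It assumes the 1-, 3- and 5-point weightings of the DoD Assessment Methodology; the requirement numbers in the sample are real NIST 800-171 identifiers, but the point values and met/unmet statuses assigned to them are constructed for illustration and are not the official per-requirement weights.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_SCORE = 110    # every requirement met
MIN_SCORE = -203   # every requirement unmet (floor stated in the article)
POINT_VALUES = {1, 3, 5}  # DoD Assessment Methodology weightings (assumption of this example)


@dataclass(frozen=True)
class Requirement:
    ident: str    # NIST 800-171 requirement number, e.g. "3.5.3"
    family: str   # two-letter family code, e.g. "IA"
    points: int   # deduction if the requirement is not met
    met: bool


def sprs_score(reqs):
    """Start from 110 and subtract the point value of every unmet requirement.

    Rejects duplicate identifiers and unknown point values, and refuses to
    return a score outside the [-203, 110] range the methodology allows.
    """
    seen = set()
    score = MAX_SCORE
    for r in reqs:
        if r.ident in seen:
            raise ValueError(f"duplicate requirement {r.ident}")
        seen.add(r.ident)
        if r.points not in POINT_VALUES:
            raise ValueError(f"{r.ident}: point value {r.points} not in {sorted(POINT_VALUES)}")
        if not r.met:
            score -= r.points
    if not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(f"score {score} outside [{MIN_SCORE}, {MAX_SCORE}]; check the input")
    return score


def poam_summary(reqs):
    """Group unmet requirements by family, highest point value first.

    Returns {family: [Requirement, ...]} with families in alphabetical order,
    which is the order a POA&M is usually laid out in.
    """
    by_family = defaultdict(list)
    for r in reqs:
        if not r.met:
            by_family[r.family].append(r)
    return {
        fam: sorted(items, key=lambda r: (-r.points, r.ident))
        for fam, items in sorted(by_family.items())
    }


# Constructed sample from a hypothetical self-assessment (illustrative point values only).
SAMPLE = [
    Requirement("3.1.1", "AC", 5, True),
    Requirement("3.1.2", "AC", 5, True),
    Requirement("3.1.12", "AC", 5, False),   # remote access sessions not monitored/controlled
    Requirement("3.3.1", "AU", 5, False),    # no centralized audit logs
    Requirement("3.3.4", "AU", 1, False),    # no alert on audit logging failure
    Requirement("3.5.3", "IA", 5, False),    # MFA not deployed
    Requirement("3.13.11", "SC", 5, False),  # encryption in use but not FIPS-validated
    Requirement("3.14.1", "SI", 3, True),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))
    for fam, items in poam_summary(SAMPLE).items():
        print(fam, ", ".join(f"{r.ident} ({r.points} pts)" for r in items))
```

Keeping the weights as data rather than hard-coding them lets the same script be rerun against the official methodology tables when an assessor or the next revision changes them, and the range check catches the common spreadsheet mistakes (a requirement listed twice, or a typo in a point value) before a score is entered into SPRS.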
Preparing for Assessment in 2026
If you are planning for a CMMC assessment or need to update your SPRS score, here is what to prioritize:
- Complete your SSP: Document every requirement, how it is met (or why it is not yet met), and maintain supporting evidence
- Close POA&M items: Assessors will scrutinize open items. Every unmet requirement weakens your position
- Implement MFA everywhere: This is the single most common gap we see and one of the easiest to close
- Deploy SIEM or centralized logging: Audit requirements are difficult to meet without a centralized solution
- Encrypt everything: CUI at rest, in transit, and on portable media. Use FIPS-validated modules
- Train your team: Document training with dates, attendance, and content covered
- Test your IR plan: Conduct a tabletop exercise and document the results
Frequently Asked Questions
What is the difference between NIST 800-171 and NIST 800-53?
NIST 800-53 is the comprehensive security control catalog for federal information systems, containing over 1,000 controls. NIST 800-171 is a subset derived from 800-53 that applies specifically to non-federal organizations handling CUI. The 110 requirements in 800-171 are tailored versions of 800-53 controls, focusing on what is practical and appropriate for private sector organizations.
Is NIST 800-171 Revision 3 required yet?
As of early 2026, CMMC Level 2 assessments are based on NIST 800-171 Revision 2. The DoD has indicated that Revision 3 will be incorporated into future CMMC updates, but the transition timeline has not been finalized. Contractors should implement Revision 2 now while monitoring Revision 3 developments. Building your compliance program on Revision 2 will position you well for the transition, as most Revision 3 changes refine rather than fundamentally alter the requirements.
How much does NIST 800-171 compliance cost?
Costs depend heavily on your starting point and environment size. For a small contractor (25-50 users), typical costs range from $50,000 to $200,000 for initial compliance, including gap assessment, remediation, and documentation. Ongoing maintenance runs $30,000 to $80,000 annually. Larger or more complex environments can cost significantly more. These costs should be weighed against the value of your DoD contracts.
Can I outsource NIST 800-171 compliance?
You can outsource the technical implementation and management of many controls to a managed security service provider (MSSP) or MSP, but your organization retains ultimate responsibility for compliance. Organizational policies, employee training, physical security, and oversight cannot be fully delegated. Choose a provider experienced in NIST 800-171 and ensure responsibilities are clearly documented.
Need help implementing NIST 800-171 or preparing for your CMMC assessment? Petronella Technology Group has helped dozens of defense contractors achieve compliance. We provide gap assessments, remediation support, SSP development, and assessment preparation. Call (919) 348-4912 or visit our NIST 800-171 compliance page to schedule a free consultation.