NIST 800-171 Compliance Raleigh NC
Petronella Technology Group helps North Carolina DoD contractors, subcontractors, and research partners implement the 110 controls behind DFARS 252.204-7012 and CMMC Level 2. Based in Raleigh, serving the Triangle, Research Triangle Park, Fort Liberty supply chain, and prime contractors nationwide since 2002.
What NIST SP 800-171 actually is
NIST Special Publication 800-171 is the federal standard for protecting Controlled Unclassified Information (CUI) when it is stored, processed, or transmitted on non-federal systems. If you are not a federal agency but you do business with one, and that business touches CUI, this publication is the rulebook you are expected to follow.
The document was first published in 2015. It became binding for defense contractors on December 31, 2017, when the Department of Defense completed the phase-in of DFARS clause 252.204-7012. That clause requires every covered contract to flow the 800-171 obligation down to every subcontractor that handles CUI. If you are a North Carolina machine shop building brackets for a Raleigh prime, and those drawings are marked CUI, you are in scope. If you are a Durham software house writing code for a Navy program, you are in scope. If you are a Cary accounting firm processing defense program payroll data, you are in scope.
Over the last two years the obligation has expanded well beyond DoD. The proposed FAR rule on CUI extends similar protection requirements across civilian agency contracts, which means NASA, DOE, HHS, and GSA vendors are being pulled into the same gravity well. If you thought 800-171 was a defense-only problem, the 2026 procurement reality says otherwise.
How 800-171 differs from 800-53
NIST 800-53 is the much larger control catalog that federal agencies themselves use to protect their own systems. It contains over a thousand controls and enhancements organized across roughly twenty families. NIST 800-171 is the tailored, smaller set derived from the moderate baseline of 800-53, stripped down to what a contractor reasonably needs to protect CUI in a commercial environment. Same DNA, different audience. Agencies run 800-53. Contractors run 800-171. If you see a vendor talking about implementing 800-53 at a 20-person machine shop, that is almost always the wrong framework for the wrong buyer.
Petronella covers both. If you want the agency-side reference, see our NIST 800-53 overview. For the contractor path, keep reading.
Who has to comply
Three questions determine your scope.
- Does your contract contain DFARS 252.204-7012? If yes, you owe 800-171. Read the clause carefully. Flowdown is mandatory, so if you pass any CUI to a subcontractor, your contract with them must require 800-171 as well.
- Does your contract contain DFARS 252.204-7019, 7020, or 7021? These are the CMMC-era clauses. 7019 requires a current SPRS score. 7020 gives the government assessment rights. 7021 is the CMMC requirement itself, phasing into contracts through 2028.
- Does your solicitation say CUI will be provided? A lot of North Carolina subcontractors think they do not hold CUI when they actually do. Engineering drawings with export-controlled technology, procurement forecasts for weapons systems, unclassified research data funded under a DoD grant at NC State, UNC, or Duke, and even some logistics data can all be CUI.
If you answered yes to any of these, you are in scope. The bigger question is not whether but how deeply. A contractor whose entire business is CUI data has a much larger environment to lock down than a contractor that touches CUI through one project in one department. Scoping decisions shape every downstream cost, and they are one of the first places a qualified assessor earns their fee.
The 14 control families, explained
NIST 800-171 organizes its 110 security requirements into 14 families. Each family covers a different slice of the security program. Below is a working engineer's view of what each family really demands and where contractors typically trip.
3.1 Access Control (AC)
22 requirements. The largest family. Covers account management, least privilege, session control, remote access, wireless, mobile devices, and privileged account separation. Common gap: standing domain admin accounts used for daily email and browsing. Split privileged and non-privileged identities. Every modern assessor flags this fast.
3.2 Awareness and Training (AT)
3 requirements. Security awareness training, role-based training for privileged users, and insider threat awareness. The most-skipped family because it looks soft. Assessors want documented, role-based curriculum with completion records. Annual click-through videos rarely satisfy 3.2.2.
3.3 Audit and Accountability (AU)
9 requirements. Log generation, content, review, retention, protection, and time synchronization. The technical pain point for small contractors is log retention at scale. Many small shops discover during a mock assessment that their Windows event logs are rolling over every 72 hours and their firewall logs are dropping on the floor.
3.4 Configuration Management (CM)
9 requirements. Baseline configurations, change control, inventory, least functionality, and software whitelisting. Most contractors fail the application whitelisting requirement (3.4.8) because it is genuinely hard. Expect to spend real time on this family.
3.5 Identification and Authentication (IA)
11 requirements. Includes the well-known multifactor authentication obligations in 3.5.3. Also covers password complexity, cryptographic module requirements, and replay-resistant authentication. FIPS 140-validated crypto for authenticators is a common surprise. Not every off-the-shelf MFA product qualifies.
3.6 Incident Response (IR)
3 requirements. Capability, tested procedures, and reporting. Contractors must also meet the 72-hour cyber incident reporting requirement of DFARS 252.204-7012, which lives alongside 800-171 rather than inside it. Tabletop exercises with documented outcomes are the evidence assessors want.
3.7 Maintenance (MA)
6 requirements. Covers performing maintenance, controlling tools, sanitizing equipment, and supervising non-local maintenance. Easy to overlook for shops that rely on third-party MSP support. If a remote technician can touch a CUI system, the maintenance family applies to that session.
3.8 Media Protection (MP)
9 requirements. Access, marking, storage, transport, sanitization, reuse, and cryptographic protection of removable media. USB controls live here. So does the requirement to mark media with CUI handling markings. Shops with unmarked external drives in the machinist's desk drawer fail this family.
3.9 Personnel Security (PS)
2 requirements. Screen individuals before granting access to CUI, and ensure systems are protected during personnel actions like terminations. A signed background-check policy plus a termination checklist that revokes access on the same day both satisfy PS in most environments.
3.10 Physical Protection (PE)
6 requirements. Limit physical access, escort visitors, maintain audit logs of physical access, and protect alternate work sites. Remote-work requirements landed inside 3.10 after the 2020 Rev 2 update. Home offices that handle CUI must have documented safeguards.
3.11 Risk Assessment (RA)
3 requirements. Periodically assess risk, scan for vulnerabilities, and remediate findings. The specific cadence is not prescribed, but assessors look for a documented rhythm. Monthly authenticated vulnerability scans with tracked remediation is a sensible default.
3.12 Security Assessment (CA)
4 requirements. Assess controls, develop POA&Ms, monitor continuously, and develop the System Security Plan. This is the documentation-heavy family. The SSP and POA&M requirements both live here.
3.13 System and Communications Protection (SC)
16 requirements. Boundary protection, cryptographic protection, session authenticity, and more. FIPS-validated cryptography for transmitting CUI (3.13.11) is a frequent trap. Standard TLS is not automatically FIPS-validated. Know which cipher suites your stack actually uses.
3.14 System and Information Integrity (SI)
7 requirements. Flaw remediation, malicious code protection, system monitoring, and security alerts. SI and RA together drive your patching cadence. Together with AU they form the bulk of the day-to-day operational burden.
Counted up, that is 22 + 3 + 9 + 9 + 11 + 3 + 6 + 9 + 2 + 6 + 3 + 4 + 16 + 7 = 110 requirements. Every one of them needs a status in your System Security Plan. Every one contributes to your SPRS score, with certain controls carrying heavier weight when missing.
Rev 2 versus Rev 3
NIST published Revision 3 of 800-171 in May 2024. If you have been working on 800-171 for any length of time, most of your muscle memory is built around Rev 2, which DoD continues to recognize for CMMC Level 2 in most contracts as of this writing. Here is how to think about the two.
What Rev 3 changed
- Reworded most controls for clarity. Some went from plain English to more prescriptive language. A handful went the other way.
- Added and removed specific requirements, so the headline count is no longer exactly 110. Some Rev 2 controls were withdrawn, and new controls on supply chain risk management and planning were introduced.
- Introduced organization-defined parameters (ODPs), which force contractors to make explicit local decisions like password length and session timeout, and document them in the SSP.
- Replaced the separate enhancement appendix with tailoring guidance folded into the main body.
- Aligned more closely with the Rev 5 format of 800-53 for easier cross-referencing.
Practical impact on North Carolina contractors
DoD's CMMC program rule, codified at 32 CFR Part 170, pegs CMMC Level 2 to NIST 800-171 Rev 2 for the foreseeable future. A separate DFARS rule will eventually update the contract clause to pin to a specific revision. Until that DFARS rule is final, Rev 2 is the authoritative text for CMMC Level 2 assessments. If your contract officer or prime tells you otherwise, ask for the clause reference in writing.
That does not mean Rev 3 is irrelevant. If you are building a new program now, Petronella generally recommends designing controls to satisfy both Rev 2 and Rev 3 where they differ, so you are not rewriting your SSP in 2027. The incremental cost is small. The cost of reworking a mature program to catch up later is not.
How 800-171 relates to CMMC Level 2
The Cybersecurity Maturity Model Certification is the Defense Department's audit and certification regime on top of 800-171. CMMC does not add a new control framework. It adds assessment rigor. CMMC Level 2 is effectively 800-171 with a certification attached.
Three assessment paths
Self-assessment
Applies to contracts that handle CUI but where the government has determined a self-assessment is sufficient. The contractor scores all 110 controls, submits the score to SPRS, and an authorizing official at the company signs an affirmation in SPRS that the score is accurate. Most small DoD subcontractors start here.
Third-party assessment by a C3PAO
Applies when the contract involves critical CUI or when the government otherwise requires certified third-party assessment. A Certified Third Party Assessment Organization assesses all 110 controls against objective evidence. The assessment result is logged in the CMMC enterprise system and SPRS. Assessment validity is three years with annual affirmation.
Government-led assessment
Reserved for Level 3, which adds selected 800-172 controls on top of Level 2. Conducted by DIBCAC. If your work involves highly sensitive programs you will know it. Most North Carolina subcontractors never see this tier.
Decide your path early. A shop that scopes for self-assessment and then gets surprised by a C3PAO requirement mid-contract has a bad quarter. Our CMMC compliance guide walks through how the levels and assessment types map to typical North Carolina contract work. For the operational certification program, see our CMMC compliance service page.
The System Security Plan
The SSP is the single most important document you will produce. Think of it as the operating manual for the security of the CUI environment. When an assessor shows up, they will live inside this document for the first half-day. Every control status, every scope boundary, every inherited responsibility should be traceable from the SSP.
What belongs in a real SSP
- System boundary description with network diagrams. Show every asset inside scope and where the boundary sits.
- Data flow diagrams for CUI. Show where it enters the environment, where it is stored, how it moves, and where it leaves.
- Inventory of systems, roles, and responsibilities.
- Control-by-control implementation narrative for all 110 requirements. For each control, describe what is implemented, who is responsible, what technology supports it, and what evidence proves it.
- Shared responsibility mapping when using cloud services like Microsoft 365 GCC High, AWS GovCloud, or a managed security provider. Make the inherited controls explicit.
- Reference to your POA&M for anything not fully implemented.
- Version control and review cadence.
Scoping: enclave versus whole-company
Most small and mid-sized contractors are better served by an enclave approach. An enclave is a carved-out environment that holds all the CUI. Everything else the company does stays outside. Enclaves are usually built on Microsoft 365 GCC High or a GovCloud-hosted workspace, with a handful of dedicated laptops, a network segment, and a defined list of users. The rest of the business runs normal commercial infrastructure.
Whole-company scope pulls every user, every laptop, and every server into the CUI boundary. That is expensive, slow to change, and politically hard to maintain. It only makes sense when almost every employee touches CUI daily. For Raleigh, Durham, and RTP-based subcontractors where CUI work is a slice of revenue, the enclave pattern produces a faster, cheaper, and more defensible outcome.
SSP mistakes Petronella sees most often
- Copy-paste control narratives that describe generic best practices rather than what the contractor actually does.
- Missing or out-of-date network diagrams. Network changed six months ago. SSP still shows the old topology.
- No scoping rationale. Assessors want to understand why the boundary is where it is.
- Shared responsibility gaps with cloud platforms. Contractor assumed Microsoft did X. Microsoft did not.
- SSP not signed or dated by an authorizing official.
The POA&M
The Plan of Action and Milestones is the companion document to the SSP. It tracks every control that is not yet fully implemented and the plan to close the gap. Done right, a POA&M is an honest project plan with owners and dates. Done wrong, it is a graveyard where bad controls go to die.
What CMMC Level 2 allows on a POA&M
CMMC rules permit a POA&M under two strict conditions. First, the contractor must score at least 88 out of 110 points at the time of assessment. Second, only certain controls may be POA&Med, and only those worth one point in the DoD scoring rubric. High-weight controls (three-point and five-point items) must be fully implemented at the time of the assessment. They cannot be deferred.
POA&M closeout
When a POA&M item is completed, a closeout assessment is required within 180 days of the initial assessment to verify the control is now implemented. If you miss that window, the certification is revoked and you start over. Plan your closeout sprint before the assessor walks out the door. Do not treat the 180-day window as comfortable runway.
Writing a POA&M that survives scrutiny
- One row per control gap. No bundled rows.
- Named owner, not a group. People close items. Teams lose them.
- Specific milestone dates, not "Q3".
- Evidence definition upfront. Know what proof you will show at closeout before you start work.
- Reviewed monthly with leadership. A quarterly review is too slow to catch slippage.
The SPRS score explained
The Supplier Performance Risk System is the DoD database where contractors self-report their 800-171 implementation status. Under DFARS 252.204-7019, you must have a current score in SPRS to be considered for contracts that carry the clause. No score, no award.
How scoring works
You start with 110 points. For each of the 110 controls, you subtract points if the control is not fully implemented. The subtraction weights are defined in the DoD Assessment Methodology.
| Control weight | Subtracted if not implemented | Example controls |
|---|---|---|
| 5 points | -5 | Multifactor authentication (3.5.3), FIPS-validated cryptography (3.13.11), boundary protection (3.13.1) |
| 3 points | -3 or -5 (conditional) | Access control enforcement (3.1.1), least privilege (3.1.5), encryption of CUI on mobile (3.1.19) |
| 1 point | -1 | Most awareness training, physical protection, and personnel security controls |
The math gives a theoretical maximum of 110 and a theoretical minimum of negative 203. Yes, negative. A contractor who has implemented essentially nothing of the high-weight controls lands deep below zero. Most first-pass self-assessments from contractors who have not yet done real work on 800-171 score between -100 and +40.
How the score is submitted
The contractor's authorized representative logs into SPRS and enters the score, the date of assessment, the CAGE code of the assessed entity, and the scope. The current CMMC rule also requires an affirmation that the score is accurate. The score is visible to contracting officers across DoD. Misrepresenting it is a False Claims Act risk. Do not round up.
What a useful score looks like
For the self-assessment path, DoD wants to see movement toward 110. Anything below 88 effectively disqualifies you under the new CMMC rule because 88 is the minimum to be eligible for a POA&M pathway. Contractors targeting C3PAO assessment should be at 110 or at 88+ with a clean POA&M on allowable one-point items only.
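As an added worked example (not from the page's author and not Petronella's own tooling), here is the 5/3/1 subtraction from the scoring table above together with the two POA&M conditions from the POA&M section, run over a constructed subset of controls. The weights come from the page's table; the partial-credit treatment of 3.5.3 and 3.13.11 (subtract 3 rather than 5 when MFA covers only some users, or encryption is present but not FIPS-validated) follows the DoD Assessment Methodology; the control statuses are invented for illustration, and a real SPRS score requires all 110 requirements to be scored.

```python
"""Added example: SPRS-style scoring and the CMMC Level 2 POA&M gate.

Weights follow the 5/3/1 scheme in the table above. The register below is a
constructed subset of controls with invented statuses; a real SPRS score
needs every one of the 110 requirements scored.
"""
from dataclasses import dataclass, replace

MAX_SCORE = 110       # a fully implemented environment scores 110
POAM_MIN_SCORE = 88   # floor for the POA&M pathway under CMMC Level 2

# Partial-credit cases from the DoD Assessment Methodology: MFA (3.5.3) and
# FIPS-validated cryptography (3.13.11) lose 3 rather than 5 points when
# partially implemented (MFA for some users only, or encryption that is
# present but not FIPS-validated). Any other partial control counts as not
# implemented and loses its full weight.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Control:
    ident: str
    weight: int   # 5, 3 or 1 point
    status: str   # "implemented", "partial" or "not_implemented"


def deduction(control: Control) -> int:
    """Points subtracted from 110 for a single control."""
    if control.status == "implemented":
        return 0
    if control.status == "partial" and control.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control.ident]
    if control.status in ("partial", "not_implemented"):
        return control.weight
    raise ValueError(f"unknown status {control.status!r} on {control.ident}")


def sprs_score(register: list[Control]) -> int:
    """Start at 110 and subtract the deduction for every control."""
    return MAX_SCORE - sum(deduction(c) for c in register)


def poam_check(register: list[Control]) -> dict:
    """Apply the two POA&M conditions: score >= 88, and no open gap on a
    3- or 5-point control. Returns the score, eligibility, the 1-point
    items that may go on the POA&M, and the high-weight items that must be
    fixed before the assessment."""
    gaps = [c for c in register if deduction(c) > 0]
    blocking = [c.ident for c in gaps if c.weight > 1]
    score = sprs_score(register)
    return {
        "score": score,
        "eligible": score >= POAM_MIN_SCORE and not blocking,
        "poam_items": [c.ident for c in gaps if c.weight == 1],
        "must_fix_first": blocking,
    }


def remediate(register: list[Control], *idents: str) -> list[Control]:
    """Return a copy of the register with the named controls fully implemented."""
    return [replace(c, status="implemented") if c.ident in idents else c
            for c in register]


# Constructed sample register (a subset of the 110; statuses are invented).
SAMPLE_REGISTER = [
    Control("3.5.3", 5, "partial"),            # MFA on admin accounts only
    Control("3.13.11", 5, "partial"),          # TLS in use, modules not FIPS-validated
    Control("3.13.1", 5, "implemented"),       # boundary protection
    Control("3.1.5", 3, "implemented"),        # least privilege
    Control("3.1.19", 3, "implemented"),       # CUI encrypted on mobile devices
    Control("3.2.2", 1, "not_implemented"),    # role-based training
    Control("3.10.3", 1, "not_implemented"),   # escort and monitor visitors
]

if __name__ == "__main__":
    before = poam_check(SAMPLE_REGISTER)
    # score 102, yet not eligible: 3.5.3 and 3.13.11 are open 5-point gaps
    print("as found:", before)
    after = poam_check(remediate(SAMPLE_REGISTER, "3.5.3", "3.13.11"))
    # score 108, eligible with 3.2.2 and 3.10.3 as the only POA&M items
    print("after fixing MFA and FIPS:", after)
```

The point the sample makes is the one the POA&M section states: a score well above 88 is not enough on its own. With MFA and FIPS-validated crypto only partly done, the register scores 102 but cannot use the POA&M pathway, because both open gaps sit on 5-point controls. Once those two are fully implemented the remaining 1-point training and visitor-escort gaps are exactly what a POA&M is for.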
Implementation roadmap
Here is the sequence Petronella Technology Group uses with North Carolina clients, from first conversation to SPRS-ready score.
Phase 1: Scoping and gap assessment
Two to four weeks. Interview stakeholders, identify CUI flows, decide enclave versus full-environment scope, inventory systems and data, and score every control against current state. The output is a gap register with a baseline SPRS score. A lot of clients are surprised by this number. That is normal and useful. You cannot fix what you have not measured.
Phase 2: SSP drafting
Four to eight weeks, running in parallel with early remediation. Document the environment as it is intended to exist post-remediation. The SSP becomes the north star for technical work. Every engineer working on the program should be able to point to an SSP section and know what they are building.
Phase 3: Technical remediation
Three to six months for most contractors. This is where the money goes. Common sprints include:
- Identity and access. Deploy modern MFA everywhere, separate privileged and non-privileged accounts, move to conditional access.
- Endpoint. Configure EDR, patching, disk encryption (FIPS-validated), and USB control on every in-scope laptop and server.
- Network. Segment the CUI enclave, stand up a next-generation firewall with logging, configure VPN with FIPS-validated cryptography for remote work.
- Logging and monitoring. Centralize logs, set retention, build a minimal SIEM capability, document the review process.
- Email and productivity. Migrate CUI communications to GCC High or an approved enclave. Commercial Microsoft 365 is not sufficient for CUI transmission.
- Backup and recovery. Encrypted backups, tested restoration, incident-response ready.
Phase 4: POA&M and re-score
Two to four weeks. Build the POA&M for any unresolved one-point controls, run a final internal assessment against the now-remediated environment, and submit the new SPRS score. If you are going to C3PAO, schedule the assessment.
Realistic timelines
A contractor starting from scratch with 20 to 50 users typically reaches 110 in six to twelve months of focused work. Contractors with mature commercial IT already in place can often move faster because many technical controls are partly in place. Contractors on legacy on-premises infrastructure with weak identity usually take longer because so much foundational work is required first.
Pitfalls to avoid
- Starting with tools instead of scope. Every product vendor will tell you their platform solves 800-171. No product does. Scope first, then choose tools.
- Skipping the SSP. Some contractors try to remediate directly from a gap spreadsheet. The SSP is not optional. Assessors grade on it.
- Treating commercial Microsoft 365 as CUI-ready. It is not. GCC High, GCC, or an equivalent FedRAMP Moderate or High environment is the practical requirement for email and productivity with CUI.
- Ignoring the flowdown to subcontractors. If you share CUI with a subcontractor, you own their compliance posture through your contract.
- Building a perfect environment and forgetting to document it. Assessors want evidence, not vibes.
What Petronella Technology Group does
Petronella is a Raleigh-based cybersecurity and compliance firm that has been helping North Carolina organizations since 2002. Our entire team is CMMC-RP certified. Craig Petronella holds CMMC-RP, CCNA, CWNE, and DFE #604180 credentials. Blake Rea, Justin Summers, and Jonathan Wood are CMMC-RP certified. We are PPSB accredited and have held BBB A+ standing since 2003.
Readiness assessment
Two-week scoped engagement. We interview your team, trace CUI flows, score all 110 controls, and deliver a baseline SPRS score and gap register. Clients use this to set budget and executive expectations before any remediation begins.
SSP authoring
We draft and maintain the System Security Plan, including network and data flow diagrams, control narratives, scoping rationale, and shared responsibility matrices with cloud platforms. We write SSPs that read like they came from an engineer who has lived in the environment, because that is exactly what we are.
POA&M management
We build the POA&M during the readiness phase and then run a standing monthly cadence with your team until it is closed out. Milestones track to specific dates, owners, and evidence artifacts.
Scoped remediation sprints
We deliver hands-on technical remediation across identity, endpoint, network, logging, email, and backup domains. Where you already have capable internal IT, we augment. Where you do not, we bring the platform and run it.
C3PAO preparation
For contractors going through a Certified Third Party Assessment, we run mock assessments against the real objective evidence the C3PAO will request, fix what the mock finds, and staff the actual assessment alongside your team. We are not a C3PAO, which means we have no conflict representing you as your consultant.
Related services
Petronella's compliance work extends across frameworks. See our HIPAA compliance program for healthcare and healthcare-adjacent clients, our broader cybersecurity services for organizations whose risk picture extends past any single framework, and CMMC compliance for contractors moving toward Level 2 certification. Headquarters is 5540 Centerview Dr, Raleigh NC. Phone (919) 348-4912.
Frequently asked questions
Do I need 800-171 if I do not hold CUI?
Check your contract clauses first. DFARS 252.204-7012 is required in covered contracts even if no CUI has yet been provided, because the clause also governs what happens if CUI is provided later, plus the 72-hour cyber incident reporting obligation that applies whenever a covered defense information event occurs. If the clause is in your contract, you owe 800-171 posture. If the clause is not in your contract and your prime has not flowed it down, you are not directly obligated, but you should read every flowdown clause carefully. Most primes are now flowing 7012 and 7019 aggressively, including to suppliers who handle only Federal Contract Information.
What is the difference between CUI and FCI?
Federal Contract Information is information provided by or generated for the government under a contract, not intended for public release, but not subject to special controls. FCI triggers FAR 52.204-21, which has 17 basic safeguarding requirements and maps to CMMC Level 1. Controlled Unclassified Information is a specific category that the government has determined requires protection under law, regulation, or government-wide policy. CUI triggers DFARS 252.204-7012 and 800-171, and maps to CMMC Level 2. You can have FCI without CUI. If you have CUI, you also have FCI by definition.
How do I know my SPRS score?
You compute it yourself using the DoD Assessment Methodology and submit it through SPRS. The government does not calculate it for you. Your authorized company representative logs into SPRS with a Procurement Integrated Enterprise Environment account, enters the score, the assessment date, the CAGE code, and the assessment scope. Current rules also require you to affirm the score in SPRS annually.
What if I fail a C3PAO assessment?
Failure can mean several things. If the score is below 88, the assessment fails outright and you cannot use the POA&M pathway. You remediate and reassess. If the score is 88 or above but has allowable one-point gaps, you get a conditional certification and 180 days to close the POA&M and pass a closeout assessment. If a high-weight control is not implemented, you cannot POA&M it. You fix it and reassess.
How long does implementation really take?
For a North Carolina contractor with 20 to 75 users starting from typical commercial IT, six to twelve months is the realistic band. Contractors who already run a mature security program often move in four to six months. Contractors with significant legacy infrastructure, multiple business units, or unresolved identity problems may need twelve to eighteen months. The number one variable is executive commitment to scope decisions early. Scope indecision kills more programs than any technical problem.
Can we use Microsoft 365 commercial for CUI?
No, not for storage, processing, or transmission of CUI. CUI workloads need an environment that meets FedRAMP Moderate baseline and supports the DFARS 252.204-7012 requirements around cloud. Practical options are Microsoft 365 GCC High, Microsoft 365 GCC in some cases, AWS GovCloud, or a private-cloud equivalent. GCC High is the most common choice for small and mid-sized DoD contractors because its identity model maps cleanly to how most contractors already work.
Do we need to retire our commercial environment?
Almost never. The enclave pattern keeps commercial Microsoft 365 or Google Workspace for day-to-day business, accounting, marketing, and HR, and stands up a separate GCC High or GovCloud enclave for the CUI-handling team. Most of the company never sees the enclave. Total cost is typically far lower than a full migration.
We are a subcontractor. Does the prime have to give us CUI?
Primes are not obligated to share CUI with you, and many choose not to when they can avoid it. If you do not receive CUI, your obligation under 800-171 is reduced. That said, if the contract says you will receive CUI, or if the flowdown clause is in your contract regardless, you should prepare as if CUI will arrive. Better to be ready early than to find out you cannot start work on day one.
How does a university or research organization in North Carolina handle this?
Research organizations handling DoD-funded work with CUI are fully in scope. North Carolina has a large population of DoD-funded researchers at NC State, UNC, Duke, and the Research Triangle Institute, plus a long tail of smaller contract research organizations and startups. The typical solution is a research enclave, often built on GCC High or an internal FedRAMP-authorized platform, with a defined list of researchers and a strict data-handling policy. Petronella has worked with Triangle-area research clients on exactly this pattern.
Does Rev 3 change my current compliance work?
Not for existing CMMC Level 2 obligations, which are pinned to Rev 2. It may shape how you build new controls going forward so that you are not reworking the SSP when DFARS updates. Petronella typically drafts new work to satisfy both revisions where they diverge, so clients have a smoother path to future revisions.
How much does all of this cost?
Costs vary widely. A small contractor with a tight enclave scope can reach 110 with roughly $40,000 to $80,000 of first-year consulting and technology effort, plus ongoing tool subscriptions. A mid-sized contractor with broader scope and legacy infrastructure commonly invests $120,000 to $300,000 in the first year. C3PAO assessment fees are separate and depend on scope, typically ranging from $25,000 to $90,000 for a Level 2 certification assessment. Petronella provides fixed-fee scoping and readiness engagements so you see the number before committing to remediation.
Ready to move forward?
If you hold or will hold CUI, the clock on DFARS 252.204-7012, 7019, 7020, and the CMMC Level 2 phase-in is already running. Every month of delay compresses the remediation timeline and raises the cost of reaching a score that makes you award-eligible.
Petronella Technology Group runs readiness assessments that tell you exactly where you stand today and what it takes to reach a defensible SPRS score. We work with North Carolina primes, subcontractors, research partners, and the broader Triangle defense ecosystem from our Raleigh office at 5540 Centerview Dr.
Call (919) 348-4912 to speak with our team, or request a scoped consultation and we will follow up within one business day.
Request a consultation