NIST SP 800-53 vs. NIST SP 800-171: Complete Control Mapping and Comparison Guide

NIST Special Publication 800-53 and NIST Special Publication 800-171 are two of the most consequential cybersecurity frameworks published by the National Institute of Standards and Technology, and understanding the relationship between them is essential for any organization handling federal data or Controlled Unclassified Information (CUI). NIST SP 800-53 Revision 5 is the federal government's...

BBB A+ Accredited Since 2003 | Founded 2002 | 2,500+ Clients | CMMC Registered Practitioner Organization

110 Controls Mapped

Complete mapping of all 110 NIST SP 800-171 requirements to their source controls in the NIST SP 800-53 Moderate baseline, with exclusion rationale for every omitted control.

Derivation Chain Explained

Understand exactly how NIST tailored the 800-53 Moderate baseline into 800-171, including which control families were excluded and why.

CMMC Level 2 Ready

Map your compliance investment directly to CMMC Level 2 certification, since CMMC Level 2 practices are identical to the 110 NIST SP 800-171 requirements.

AI-Powered Mapping

PTG automates the crosswalk between 800-53 and 800-171 using on-premise AI, reducing weeks of manual consultant work to hours of validated output.

Origins and Purpose: Why Two Frameworks Exist

NIST SP 800-53 was first published in 2005 as part of the Risk Management Framework (RMF) mandated by the Federal Information Security Modernization Act (FISMA). Its purpose is comprehensive: provide a catalog of controls that federal agencies select from based on the sensitivity of their systems, categorized as Low, Moderate, or High impact per FIPS 199. Revision 5, published in September 2020, added supply chain risk management controls, privacy controls integrated alongside security controls, and outcome-based language that makes controls applicable to any type of system, not just traditional IT.

SP 800-171 emerged in 2015 to address a different problem. Federal agencies had long protected classified information under established frameworks, but CUI, the broad category of sensitive-but-unclassified government information, flowed freely to contractors, universities, and research labs with no consistent protection standard. Executive Order 13556 (2010) established the CUI program, and NIST was tasked with creating a security standard for CUI when it resides on non-federal systems. The result was SP 800-171, published in June 2015, which extracted and tailored controls from the 800-53 Moderate baseline to create a set of requirements that non-federal organizations could implement without the full apparatus of federal RMF processes.

The distinction matters for practical compliance planning. A federal agency running its own information system must implement NIST SP 800-53 controls selected through the RMF process described in SP 800-37. A defense contractor handling CUI must implement SP 800-171 requirements and demonstrate compliance through self-assessment (SPRS scoring) or third-party CMMC assessment. PTG's compliance team, led by Craig Petronella (CMMC Registered Practitioner, Licensed Digital Forensic Examiner #604180, with 23+ years in cybersecurity), helps organizations determine which framework applies to their specific contractual and regulatory situation.

The Derivation Process: How 800-171 Was Built from 800-53

Understanding the derivation process is critical because it explains both what is in SP 800-171 and, equally important, what was excluded and why. NIST followed a systematic, documented process:

Step 1: Start with the 800-53 Moderate Baseline

The 800-53 Moderate baseline contains approximately 325 controls (the exact count varies depending on how control enhancements are counted). NIST selected the Moderate baseline because CUI is categorized at the Moderate impact level for confidentiality. The Moderate baseline, not the Low or High baseline, is therefore the starting point for the derivation.

Step 2: Remove Controls Not Directly Related to Protecting CUI Confidentiality

NIST removed controls from the Moderate baseline that address integrity and availability objectives but do not directly contribute to protecting the confidentiality of CUI. SP 800-171 focuses specifically on confidentiality because that is the primary security objective for CUI. Integrity and availability are addressed only to the extent they support confidentiality protections.

Step 3: Remove Controls Expected of Federal Agencies Only (NFO Controls)

A significant category of removed controls is those labeled "NFO" (Not For Organizations). These are controls that the federal government is uniquely responsible for, such as:

  • Security planning (PL family): Federal agencies must develop formal System Security Plans following specific federal templates; non-federal organizations are not required to follow these federal processes, though PTG recommends maintaining equivalent documentation.
  • Program management (PM family): Controls like PM-1 (Information Security Program Plan) and PM-9 (Risk Management Strategy) apply to federal agency programs, not individual contractor systems.
  • Certification and accreditation processes: The formal Authorization to Operate (ATO) process under RMF is a federal responsibility.
  • Public access controls: Controls governing publicly accessible federal systems do not apply to contractor environments handling CUI.

Step 4: Remove Controls Satisfied by Non-IT Policies (FED Controls)

Controls designated "FED" are those where the federal government addresses the requirement through policy, regulation, or other non-technical means that apply to federal employees and operations. Non-federal organizations handle these requirements through their own corporate policies, employment agreements, and business processes rather than through specific security controls. Examples include personnel security screening requirements tied to federal hiring processes and certain physical security controls specific to federal facilities.

Step 5: Tailor Remaining Controls into Requirements

The controls that survived these filters were rewritten as "security requirements" rather than "controls." The language was adjusted to be appropriate for non-federal organizations. Organization-defined parameters that appear in 800-53 controls (where agencies insert their own values) were either given specific values or described in terms that non-federal organizations could interpret for their environments.

The result: 110 security requirements in 14 families, derived from the original 20 families and approximately 325 Moderate baseline controls. Appendix D of SP 800-171 Rev. 2 provides the complete mapping showing exactly which 800-53 controls map to each 800-171 requirement, as well as listing every 800-53 Moderate control that was excluded and the rationale (NFO or FED) for its exclusion.

Control Family Mapping: 800-53 to 800-171

SP 800-53 Rev. 5 organizes controls into 20 families. SP 800-171 Rev. 2 uses 14 families. The following table maps each 800-171 family to its corresponding 800-53 family (or families), shows the number of requirements in each, and indicates which 800-53 families have no representation in 800-171.

800-171 Family | 800-171 Req. Count | 800-53 Source Family | 800-53 Family ID | Notes
Access Control | 22 | Access Control | AC | Largest family; covers account management, access enforcement, remote access, wireless
Awareness and Training | 3 | Awareness and Training | AT | Requires security awareness training and role-based training
Audit and Accountability | 9 | Audit and Accountability | AU | Audit logging, review, analysis, and protection of audit records
Configuration Management | 9 | Configuration Management | CM | Baseline configurations, change control, least functionality
Identification and Authentication | 11 | Identification and Authentication | IA | Multi-factor authentication, password management, authenticator management
Incident Response | 3 | Incident Response | IR | Incident handling, reporting, and response testing
Maintenance | 6 | Maintenance | MA | System maintenance, nonlocal maintenance, maintenance personnel
Media Protection | 9 | Media Protection | MP | Media access, marking, storage, transport, sanitization (see also SP 800-88)
Personnel Security | 2 | Personnel Security | PS | Personnel screening and personnel termination/transfer
Physical Protection | 6 | Physical and Environmental Protection | PE | Physical access, visitor control, alternate work sites; environmental controls largely excluded
Risk Assessment | 3 | Risk Assessment | RA | Risk assessments and vulnerability scanning (see also SP 800-30)
Security Assessment | 4 | Security Assessment and Authorization | CA | Security assessments, system connections, POA&M management
System and Communications Protection | 16 | System and Communications Protection | SC | Boundary protection, cryptographic protections, session management
System and Information Integrity | 7 | System and Information Integrity | SI | Flaw remediation, malicious code protection, monitoring, alerts

800-53 Families With No 800-171 Equivalent

Six of the 20 SP 800-53 control families have no corresponding family in SP 800-171. These were excluded primarily because they address federal agency program-level responsibilities or functions not directly tied to protecting CUI confidentiality on non-federal systems:

800-53 Family | Family ID | Reason for Exclusion
Planning | PL | Federal system security planning processes; NFO designation
Program Management | PM | Agency-level program oversight; NFO designation
Personally Identifiable Information Processing and Transparency | PT | Privacy-specific controls added in Rev. 5; not part of CUI confidentiality scope
Supply Chain Risk Management | SR | New in 800-53 Rev. 5; 800-171 Rev. 2 predates this addition (see also SP 800-161)
Contingency Planning | CP | Availability-focused; CUI protection emphasizes confidentiality
System and Services Acquisition | SA | Federal procurement and development lifecycle controls; largely NFO

It is important to note that while these families are not represented as formal requirements in SP 800-171, organizations with mature security programs should still address contingency planning, supply chain risk, and privacy as part of their broader risk management strategy. PTG advises clients to implement controls from these families voluntarily, particularly SR (Supply Chain Risk Management) and CP (Contingency Planning), because CMMC assessors and DoD contracting officers increasingly expect evidence of these practices even when they are not scored requirements.

Detailed Control-Level Mapping: Key Examples

The following table illustrates specific control-to-requirement mappings to demonstrate how 800-53 controls translate into 800-171 requirements. This is not exhaustive (the full mapping contains 110 entries) but covers the most commonly assessed areas.

800-53 Control | 800-53 Control Name | 800-171 Requirement | 800-171 Requirement Name
AC-2 | Account Management | 3.1.1 | Limit system access to authorized users
AC-3 | Access Enforcement | 3.1.2 | Limit system access to authorized functions and transactions
AC-4 | Information Flow Enforcement | 3.1.3 | Control the flow of CUI in accordance with approved authorizations
AC-17 | Remote Access | 3.1.12 | Monitor and control remote access sessions
AC-17(2) | Remote Access | Cryptographic Protection | 3.1.13 | Employ cryptographic mechanisms to protect remote access confidentiality
AU-2 | Event Logging | 3.3.1 | Create and retain system audit logs
AU-6 | Audit Record Review, Analysis, and Reporting | 3.3.5 | Correlate audit record review, analysis, and reporting
CM-2 | Baseline Configuration | 3.4.1 | Establish and maintain baseline configurations
CM-6 | Configuration Settings | 3.4.2 | Establish and enforce security configuration settings
IA-2 | Identification and Authentication (Organizational Users) | 3.5.1 | Identify system users, processes, and devices
IA-2(1) | Multi-Factor Authentication to Privileged Accounts | 3.5.3 | Use multi-factor authentication for local and network access to privileged accounts
IR-2 | Incident Response Training | 3.6.1 | Establish operational incident-handling capability
SC-7 | Boundary Protection | 3.13.1 | Monitor, control, and protect communications at external boundaries
SC-8 | Transmission Confidentiality and Integrity | 3.13.8 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission
SI-2 | Flaw Remediation | 3.14.1 | Identify, report, and correct system flaws in a timely manner
SI-3 | Malicious Code Protection | 3.14.2 | Provide protection from malicious code at designated locations

The complete mapping for all 110 requirements is available in our open-source repository at github.com/capetron/nist-800-53-vs-800-171-mapping, which includes downloadable spreadsheets, checklists, and automated mapping tools that organizations can use for their own compliance efforts.

Practical Implications: When You Need 800-53 vs. 800-171

Choosing the correct framework is not a matter of preference; it is determined by your organization type, the data you handle, and the contracts or regulations that govern your operations.

You Need NIST SP 800-53 If:

  • You are a federal agency or operate a federal information system
  • You are a cloud service provider seeking FedRAMP authorization
  • Your system processes, stores, or transmits federal data subject to FISMA
  • You provide services under a contract that specifically requires 800-53 compliance (common in intelligence community and some civilian agency contracts)
  • You are implementing the Risk Management Framework per SP 800-37

You Need NIST SP 800-171 If:

  • You are a defense contractor or subcontractor handling CUI
  • Your contract includes DFARS clause 252.204-7012
  • You are preparing for CMMC Level 2 certification
  • You are a university or research institution receiving DoD funding that involves CUI
  • You handle CUI under any federal contract that references the NARA CUI Registry categories

You May Need Both If:

  • You are a cloud service provider that holds FedRAMP authorization AND serves defense contractors who store CUI in your environment
  • You are a large contractor with both federal information system operations (requiring 800-53) and separate non-federal CUI processing systems (requiring 800-171)
  • Your organization provides shared services to federal agencies while also operating contractor systems handling CUI

PTG's compliance assessment begins with a scoping session to identify exactly which frameworks apply to each of your systems. Craig Petronella (Cisco CCNA, CWNE, Amazon #1 Best-Selling Author of 14+ cybersecurity books) and the PTG team map your data flows, contract requirements, and system boundaries to determine the precise compliance obligations, preventing the common and costly mistake of applying the wrong framework or over-implementing controls that do not apply. Call 919-348-4912 to schedule a free compliance scoping session.

CMMC Level 2 and the SP 800-171 Connection

The Cybersecurity Maturity Model Certification (CMMC) program, administered by the Department of Defense, directly ties CMMC Level 2 requirements to SP 800-171 Rev. 2. Specifically, the 110 practices required for CMMC Level 2 certification are identical to the 110 security requirements in SP 800-171 Rev. 2. This is not a coincidence or a loose alignment; the CMMC Level 2 assessment methodology evaluates implementation of each SP 800-171 requirement using the assessment procedures defined in SP 800-171A.

The practical chain of derivation is: SP 800-53 Moderate baseline feeds into SP 800-171, and SP 800-171 feeds into CMMC Level 2. Organizations that understand this lineage can leverage their 800-171 compliance work directly for CMMC certification without duplicating effort. PTG's patented compliance technology stack automates this traceability, generating documentation that satisfies both the SP 800-171 self-assessment (for SPRS scoring) and the CMMC Level 2 assessment simultaneously.

DFARS 252.204-7012 and the 800-171 Mandate

The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," is the contractual mechanism that makes SP 800-171 compliance mandatory for defense contractors. This clause requires contractors to:

  1. Implement the 110 security requirements in SP 800-171 on all covered contractor information systems
  2. Report cyber incidents to the DoD within 72 hours via the DIBNet portal
  3. Flow down the same requirements to subcontractors who handle CUI
  4. Submit a self-assessment score to the Supplier Performance Risk System (SPRS)

The SPRS score ranges from -203 to 110. A perfect score of 110 means full implementation of all 800-171 requirements. Each unimplemented requirement carries a weighted point deduction based on the severity of the gap. DoD contracting officers review SPRS scores before contract award, and scores below certain thresholds can disqualify bidders. PTG helps contractors calculate accurate SPRS scores and build Plans of Action and Milestones (POA&Ms) for any gaps, using AI-powered gap analysis that maps current controls to 800-171 requirements and identifies the shortest path to a competitive score.
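As an added example (not code from PTG's repository or tools), the following Python walks the crosswalk rows from the mapping table above and applies the SPRS arithmetic described here: start at 110, deduct 1, 3 or 5 points per unimplemented requirement, floor at -203, and rank the gaps by deduction to find the shortest path to a better score. The point weights and the sample control inventory are constructed placeholders; the 3-point partial credit for 3.5.3 (MFA in place for only one class of accounts) is the one the DoD Assessment Methodology allows.

```python
"""
Added example (not PTG code): 800-53 -> 800-171 crosswalk plus SPRS scoring.
Crosswalk rows are copied from this page's table. WEIGHTS are CONSTRUCTED
placeholders (use the official DoD Assessment Methodology values for a real
score) and IMPLEMENTED is a CONSTRUCTED sample control inventory.
"""
from collections import defaultdict

SPRS_MAX, SPRS_MIN = 110, -203

# 800-53 control -> 800-171 requirement, rows taken from the page's table.
CROSSWALK = {
    "AC-2": "3.1.1", "AC-3": "3.1.2", "AC-4": "3.1.3",
    "AC-17": "3.1.12", "AC-17(2)": "3.1.13",
    "AU-2": "3.3.1", "AU-6": "3.3.5",
    "CM-2": "3.4.1", "CM-6": "3.4.2",
    "IA-2": "3.5.1", "IA-2(1)": "3.5.3",
    "IR-2": "3.6.1",
    "SC-7": "3.13.1", "SC-8": "3.13.8",
    "SI-2": "3.14.1", "SI-3": "3.14.2",
}

# CONSTRUCTED placeholder weights (1, 3 or 5 points each, as the page states).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.12": 5, "3.1.13": 5,
    "3.3.1": 5, "3.3.5": 1, "3.4.1": 5, "3.4.2": 5,
    "3.5.1": 5, "3.5.3": 5, "3.6.1": 5,
    "3.13.1": 5, "3.13.8": 3, "3.14.1": 5, "3.14.2": 5,
}

# The DoD Assessment Methodology allows a reduced 3-point deduction for 3.5.3
# when MFA covers only one class of accounts (general or privileged).
PARTIAL_CREDIT = {"3.5.3": 3}


def reverse_crosswalk(crosswalk=CROSSWALK):
    """Invert the table: 800-171 requirement -> list of 800-53 source controls."""
    rev = defaultdict(list)
    for control, req in crosswalk.items():
        rev[req].append(control)
    return dict(rev)


def satisfied_requirements(implemented_controls, crosswalk=CROSSWALK):
    """Requirements whose mapped source controls are ALL implemented (some
    800-171 requirements consolidate several 800-53 controls)."""
    implemented = set(implemented_controls)
    return {req for req, ctrls in reverse_crosswalk(crosswalk).items()
            if implemented.issuperset(ctrls)}


def sprs_deductions(status, weights=WEIGHTS):
    """Sum point deductions for a requirement -> status map.

    Status is 'implemented', 'partial' or 'not_implemented'; a requirement
    absent from the map is treated as not implemented (no evidence, no credit).
    """
    total = 0
    for req, weight in weights.items():
        state = status.get(req, "not_implemented")
        if state == "implemented":
            continue
        # Partial credit exists only for the requirements the methodology names.
        total += PARTIAL_CREDIT.get(req, weight) if state == "partial" else weight
    return total


def sprs_score(status, weights=WEIGHTS):
    """110 minus deductions, floored at -203. Only a real SPRS score when
    `weights` covers all 110 requirements."""
    return max(SPRS_MIN, SPRS_MAX - sprs_deductions(status, weights))


def gap_report(implemented_controls, crosswalk=CROSSWALK, weights=WEIGHTS):
    """Unsatisfied requirements with their missing source controls, largest
    point deduction first: the shortest path to a higher score."""
    implemented = set(implemented_controls)
    gaps = []
    for req, ctrls in reverse_crosswalk(crosswalk).items():
        missing = sorted(c for c in ctrls if c not in implemented)
        if missing:
            gaps.append((req, weights.get(req, 1), missing))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def status_from_controls(implemented_controls, partial=(), crosswalk=CROSSWALK):
    """Build the status map from a control inventory plus any partial items."""
    status = {req: "implemented"
              for req in satisfied_requirements(implemented_controls, crosswalk)}
    for req in partial:
        status.setdefault(req, "partial")
    return status


# CONSTRUCTED sample inventory: controls this organisation has evidence for.
IMPLEMENTED = ["AC-2", "AC-3", "AC-17", "AU-2", "CM-2", "CM-6",
               "IA-2", "SC-7", "SI-2", "SI-3"]

if __name__ == "__main__":
    status = status_from_controls(IMPLEMENTED, partial=["3.5.3"])
    print("deductions over the sample table:", sprs_deductions(status))
    for req, weight, missing in gap_report(IMPLEMENTED):
        print(f"{req:<8} -{weight} pts  missing: {', '.join(missing)}")
```

With the sample inventory the six unsatisfied requirements cost 18 points (20 without the MFA partial credit), and the report lists the two remaining 5-point items first.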

SP 800-171 Revision 3: What Changed

NIST published SP 800-171 Revision 3 in May 2024, representing a significant structural change from Revision 2. Key changes include:

  • Alignment with 800-53 Rev. 5: Rev. 3 updates the control mappings to align with SP 800-53 Revision 5, incorporating new control families and updated control language. Rev. 2 was based on SP 800-53 Rev. 4.
  • Reorganized control families: Rev. 3 restructures the 14 families and adjusts the number of requirements. The total count changes from 110 to approximately 97 requirements, though many existing requirements were consolidated rather than removed.
  • New Organization-Defined Parameters (ODPs): Rev. 3 introduces ODPs that allow organizations to tailor certain parameter values to their specific environments, similar to how 800-53 uses organization-defined parameters.
  • Enhanced requirements: Several areas received strengthened requirements, including supply chain risk management, secure software development practices, and privacy protections that were absent in Rev. 2.
  • Assessment procedures updated: SP 800-171A Rev. 3 provides updated assessment procedures aligned with the new requirement structure.

The DoD has indicated that CMMC Level 2 will continue to reference SP 800-171 Rev. 2 for the initial rollout of the CMMC program, with a future transition to Rev. 3 requirements. Organizations should begin familiarizing themselves with Rev. 3 changes now while maintaining their Rev. 2 compliance posture. PTG's AI-powered mapping tools can perform a delta analysis between Rev. 2 and Rev. 3 requirements, identifying which of your current controls already satisfy Rev. 3 requirements and where new implementation work will be needed when the transition occurs.

Side-by-Side Framework Comparison

Attribute | NIST SP 800-53 Rev. 5 | NIST SP 800-171 Rev. 2
Primary audience | Federal agencies and their information systems | Non-federal organizations handling CUI
Number of controls/requirements | 1,000+ controls across 20 families | 110 requirements across 14 families
Impact levels | Low, Moderate, High baselines (selectable) | Derived from Moderate baseline only
Scope | Confidentiality, integrity, and availability | Primarily confidentiality of CUI
Legal mandate | FISMA (44 U.S.C. 3551) | DFARS 252.204-7012, 32 CFR Part 170 (CMMC)
Assessment method | RMF process (SP 800-37), 3PAO for FedRAMP | Self-assessment (SPRS) or CMMC C3PAO assessment
Certification | Authority to Operate (ATO) | CMMC Level 2 certification
Privacy controls | Integrated privacy controls (PT family, Rev. 5) | No dedicated privacy family
Supply chain controls | SR family (new in Rev. 5) | Not included in Rev. 2; partially addressed in Rev. 3
Organization-defined parameters | Extensive; agencies define values during tailoring | Limited in Rev. 2; expanded in Rev. 3 with ODPs
Related PTG service page | PTG NIST 800-53 Compliance | PTG NIST 800-171 Compliance
Primary source document | csrc.nist.gov (SP 800-53 Rev. 5) | csrc.nist.gov (SP 800-171 Rev. 2)

How PTG's AI Tools Automate Framework Mapping

Manual crosswalking between SP 800-53 and SP 800-171 is tedious, error-prone, and expensive. A senior compliance consultant typically spends 40 to 80 hours performing a manual mapping for a single organization, reviewing each of the 110 requirements against existing controls, documenting gaps, and producing a remediation plan. PTG eliminates the bulk of this manual work through its proprietary AI-powered compliance platform.

PTG's approach uses on-premise large language models running on the company's own GPU cluster infrastructure. This is not a third-party SaaS product; PTG's AI fleet processes your compliance data entirely within PTG's controlled environment, ensuring data sovereignty and preventing sensitive control implementation details from being sent to external cloud AI providers. This matters because the control mapping documentation itself often contains detailed descriptions of your security architecture that should not be shared with third parties.

The AI-powered mapping process works in four stages:

  1. Ingest: PTG's tools ingest your existing security documentation, policies, System Security Plans, and evidence artifacts. The AI parses these documents and extracts control implementation statements.
  2. Map: The system maps your existing controls to both the 800-53 control catalog and the 800-171 requirement set simultaneously, identifying which requirements are fully satisfied, partially satisfied, or not addressed.
  3. Gap Analysis: For each gap, the AI generates a detailed finding that explains what is missing, references the specific 800-53 control and 800-171 requirement, and recommends specific remediation actions tailored to your environment.
  4. Documentation: The system produces assessment-ready documentation including a POA&M, an SPRS score calculation, and evidence mapping that links each requirement to the specific documents or artifacts demonstrating compliance.

This patented technology stack reduces the mapping and gap analysis timeline from weeks to days, with higher accuracy than manual review. No other compliance firm in the Research Triangle offers this capability. Craig Petronella (MIT Artificial Intelligence Certificate) designed this approach specifically for the SMB defense contractor market, where organizations need enterprise-grade compliance outcomes on realistic budgets. To learn more, visit our compliance service packages or call 919-348-4912.

Common Mapping Pitfalls and How to Avoid Them

Organizations frequently make errors when attempting to map between 800-53 and 800-171 on their own. These mistakes can lead to failed CMMC assessments, inaccurate SPRS scores, and contract performance issues.

Pitfall 1: Assuming 800-171 Compliance Equals 800-53 Moderate Compliance

SP 800-171 is derived from the 800-53 Moderate baseline, but it is not equivalent to it. Approximately 215 Moderate baseline controls were excluded during the derivation process. An organization that implements only 800-171 requirements has not achieved 800-53 Moderate compliance. This distinction matters when a contract requires 800-53 compliance (common in civilian agency contracts and FedRAMP) rather than 800-171 compliance.

Pitfall 2: Ignoring the NFO Controls Entirely

While NFO controls were formally excluded from 800-171, some of them represent security practices that any mature organization should implement. For example, contingency planning (CP family) controls are excluded from 800-171, but an organization without backup and recovery procedures will struggle during a CMMC assessment when assessors ask about incident recovery capabilities. PTG recommends implementing a core set of NFO controls as best practice, even when they are not scored.

Pitfall 3: Misinterpreting Organization-Defined Parameters

SP 800-53 controls frequently contain organization-defined parameters (ODPs) where the implementing organization must specify a value (such as a password length, session timeout duration, or audit retention period). SP 800-171 Rev. 2 addressed some of these by specifying values, but many were left for the organization to define. Organizations that fail to document their chosen parameter values create compliance gaps that CMMC assessors will flag. PTG's assessment process includes a parameter value workshop where we help clients set defensible values aligned with DoD expectations and industry standards.

Pitfall 4: Treating the Mapping as Static

NIST updates both publications on different timelines. SP 800-53 Rev. 5 was published in 2020; SP 800-171 Rev. 3 was published in 2024. The mapping between them changes with each revision. Organizations that performed a mapping based on Rev. 4 of 800-53 and Rev. 1 of 800-171 cannot assume it remains valid. PTG's continuous monitoring services include automated tracking of NIST publication updates and impact analysis against your current control implementations.

The NIST CSF 2.0 Connection

The NIST Cybersecurity Framework (CSF) 2.0 provides an additional layer of context for understanding the 800-53 to 800-171 relationship. CSF 2.0 is an outcome-based framework organized around six functions (Govern, Identify, Protect, Detect, Respond, Recover) that maps to 800-53 controls through informative references. Organizations that have already implemented the NIST CSF can use it as a bridge: the CSF functions map to 800-53 controls, which in turn map to 800-171 requirements. This three-layer mapping is particularly useful for organizations that started their compliance journey with CSF and need to progress to 800-171 for defense contract eligibility.

Frequently Asked Questions

What is the main difference between NIST SP 800-53 and SP 800-171?

SP 800-53 is the comprehensive master catalog of over 1,000 security and privacy controls designed for federal information systems. SP 800-171 is a tailored subset of 110 security requirements derived from the 800-53 Moderate baseline, designed specifically for non-federal organizations that handle Controlled Unclassified Information (CUI). The key distinction is audience: federal agencies use 800-53, while defense contractors and other non-federal entities use 800-171.

How many 800-53 controls map to 800-171 requirements?

The 110 security requirements in SP 800-171 Rev. 2 map to approximately 130 individual 800-53 controls and control enhancements from the Moderate baseline. Some 800-171 requirements consolidate multiple 800-53 controls into a single requirement, while others map one-to-one. The complete mapping is documented in Appendix D of SP 800-171 Rev. 2 and is available in our open-source mapping repository.

If I comply with 800-171, am I automatically compliant with 800-53?

No. SP 800-171 is a subset of the 800-53 Moderate baseline. Full compliance with 800-171 satisfies only a portion of the 800-53 Moderate controls. Approximately 215 Moderate baseline controls were excluded from 800-171 during the tailoring process. If your contracts require full 800-53 compliance (such as for FedRAMP authorization), you must address the complete 800-53 baseline, not just the 800-171 subset.

Does CMMC Level 2 require 800-53 or 800-171?

CMMC Level 2 requires implementation of the 110 security requirements in SP 800-171 Rev. 2. It does not require full 800-53 compliance. The 110 CMMC Level 2 practices are identical to the 110 SP 800-171 Rev. 2 requirements. CMMC Level 3, which addresses enhanced security for the most sensitive CUI, adds requirements from SP 800-172, which itself builds upon 800-171.

Why are some 800-53 control families missing from 800-171?

Six 800-53 families (Planning, Program Management, PII Processing and Transparency, Supply Chain Risk Management, Contingency Planning, and System and Services Acquisition) have no corresponding 800-171 family. These were excluded because they address federal agency program-level functions (NFO), federal employee-specific processes (FED), or security objectives beyond CUI confidentiality (such as availability-focused contingency planning). Despite their exclusion, PTG recommends implementing key controls from these families as organizational best practice.

What is an SPRS score and how does it relate to 800-171?

The Supplier Performance Risk System (SPRS) score is a numerical self-assessment score ranging from -203 to 110 that reflects a defense contractor's implementation status of the 110 SP 800-171 requirements. A score of 110 indicates full implementation. Each unimplemented requirement reduces the score by a weighted amount (1, 3, or 5 points depending on the requirement's significance). DFARS 252.204-7012 requires contractors to submit their SPRS score, and DoD contracting officers use these scores in source selection decisions. Use PTG's SPRS Calculator for an accurate assessment.

When will CMMC transition from 800-171 Rev. 2 to Rev. 3?

As of March 2026, the DoD has stated that CMMC Level 2 assessments will be based on SP 800-171 Rev. 2 for the initial CMMC rollout. A transition timeline to Rev. 3 has not been finalized. Organizations should maintain full Rev. 2 compliance while beginning gap analysis against Rev. 3 requirements. PTG's AI-powered delta analysis can identify the specific differences between your current Rev. 2 implementation and the Rev. 3 requirements, so you are prepared when the transition date is announced.

Can PTG help map my existing controls to both frameworks simultaneously?

Yes. PTG's AI-powered compliance platform performs simultaneous mapping to both SP 800-53 and SP 800-171, as well as related frameworks including CMMC, NIST CSF 2.0, SOC 2, and ISO 27001. This multi-framework mapping is processed on PTG's private AI fleet (on-premise GPU clusters running custom large language models), ensuring your sensitive compliance data never leaves a controlled environment. Contact us at 919-348-4912 or visit our compliance packages page to get started.

How long does a typical 800-53 to 800-171 mapping engagement take with PTG?

For an organization with existing security documentation, PTG typically completes the initial mapping and gap analysis within 5 to 10 business days using our AI-powered tools. By comparison, traditional manual mapping by consultants takes 6 to 12 weeks. The timeline depends on the complexity of your environment, the number of systems in scope, and the maturity of your existing documentation. PTG's approach is particularly effective for small and mid-size defense contractors that need to achieve compliance quickly without the budget for a Big Four consulting engagement.

Open-Source Resources

PTG maintains public repositories with practical compliance tools on GitHub. The NIST 800-53 vs. 800-171 Mapping Repository includes:

  • Complete control-to-requirement mapping spreadsheet (Excel and CSV formats)
  • Checklist of all 110 SP 800-171 requirements with their 800-53 source controls
  • List of excluded 800-53 Moderate controls with exclusion rationale (NFO/FED)
  • Rev. 2 to Rev. 3 delta analysis template
  • SPRS score calculation worksheet

These resources are released under the MIT License. PTG believes that better access to compliance tools benefits the entire defense industrial base. If your organization needs assistance beyond self-service tools, PTG's compliance team provides hands-on guidance from initial scoping through CMMC certification. Visit our compliance services hub or call 919-348-4912 to schedule a free compliance assessment.

Petronella Technology Group, Inc.
5540 Centerview Dr. Suite 200, Raleigh, NC 27606
919-348-4912
