A comprehensive NIST SP 800-171 Rev 3 compliance toolkit with control checklists, System Security Plan (SSP) templates, Plan of Action and Milestones (POA&M) tracking, and implementation guidance for protecting Controlled Unclassified Information (CUI).
- What Is NIST 800-171?
- Who Needs NIST 800-171 Compliance?
- NIST 800-171 Rev 3 Overview
- The 17 Control Families
- Control Family Deep Dives
- Building Your System Security Plan (SSP)
- Managing POA&Ms Effectively
- NIST 800-171 and CMMC 2.0
- Common Implementation Challenges
- Assessment and Scoring
- Templates and Resources
- About Petronella Technology Group
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," defines the security requirements that nonfederal organizations must implement when they store, process, or transmit Controlled Unclassified Information (CUI) on behalf of the federal government.
Originally published in 2015, NIST 800-171 has become the de facto standard for cybersecurity in the defense industrial base (DIB) and is increasingly adopted across other sectors. The publication was updated to Revision 3 in May 2024, aligning more closely with NIST SP 800-53 Rev 5 and introducing significant structural changes.
- 110 security requirements organized into 17 control families (Rev 3)
- Required by DFARS 252.204-7012 for all DoD contractors handling CUI
- Foundation for CMMC 2.0 Level 2 certification
- Self-assessment scoring via NIST SP 800-171A methodology
- Maximum score of 110 (one point per requirement, penalties for unimplemented controls)
- Scores submitted to SPRS (Supplier Performance Risk System) for DoD contracts
- Defense contractors and subcontractors handling CUI under DFARS 252.204-7012
- DoD supply chain participants at any tier who receive or generate CUI
- Federal contractors under FAR 52.204-21 (basic safeguarding) or agency-specific CUI requirements
- Organizations seeking CMMC Level 2 certification (CMMC maps directly to NIST 800-171)
| Industry | CUI Types | Regulatory Driver |
|---|---|---|
| Defense/Aerospace | Technical data, export-controlled information, ITAR data | DFARS, ITAR, CMMC |
| Healthcare (federal) | PHI under federal contracts, research data | HIPAA + NIST 800-171 |
| Higher Education | Research data, export-controlled research | DFARS, NIST 800-171 |
| Financial Services | Federal financial data, tax information | Agency-specific requirements |
| Energy | Critical infrastructure data, nuclear information | DOE/NRC requirements |
| IT/Cloud Providers | CUI processed for federal clients | FedRAMP + NIST 800-171 |
Revision 3 (May 2024) introduced significant changes from Rev 2:
| Aspect | Rev 2 | Rev 3 |
|---|---|---|
| Control families | 14 families | 17 families |
| Requirements | 110 requirements | 110 requirements (renumbered) |
| Structure | Self-contained requirements | Maps to NIST 800-53 Rev 5 |
| Organization-Defined Parameters (ODPs) | Limited | Extensive (organizations set specific values) |
| NFO controls | Separate category | Integrated into main requirements |
| CUI categorization | Single level | Supports CUI categories/subcategories |
- Current contracts: DFARS 252.204-7012 references NIST 800-171 Rev 2 (remains in effect until contract modification)
- New contracts: Will reference Rev 3 as DFARS clauses are updated
- CMMC 2.0: CMMC Level 2 will align with NIST 800-171 Rev 3
- Recommendation: Begin Rev 3 gap analysis now; implement changes alongside Rev 2 compliance
NIST 800-171 Rev 3 organizes 110 security requirements into 17 families:
| # | Family | ID | Requirements | Focus Area |
|---|---|---|---|---|
| 1 | Access Control | AC | 22 | Who can access what, when, and how |
| 2 | Awareness and Training | AT | 3 | Security training and awareness |
| 3 | Audit and Accountability | AU | 9 | Logging, monitoring, and audit trails |
| 4 | Assessment, Authorization, and Monitoring | CA | 4 | Security assessment and continuous monitoring |
| 5 | Configuration Management | CM | 9 | Baseline configs, change management |
| 6 | Identification and Authentication | IA | 12 | Identity verification and credential management |
| 7 | Incident Response | IR | 6 | Incident handling and reporting |
| 8 | Maintenance | MA | 6 | System maintenance procedures |
| 9 | Media Protection | MP | 7 | Protecting digital and physical media |
| 10 | Personnel Security | PS | 5 | Personnel screening and management |
| 11 | Physical Protection | PE | 6 | Physical access controls |
| 12 | Planning | PL | 2 | Security planning |
| 13 | Program Management | PM | 2 | Organizational security program |
| 14 | Risk Assessment | RA | 4 | Risk identification and analysis |
| 15 | System and Communications Protection | SC | 13 | Protecting communications and systems |
| 16 | System and Information Integrity | SI | 7 | Flaw remediation, malware protection, monitoring |
| 17 | Supply Chain Risk Management | SR | 3 | Third-party risk management |
Access Control is the largest family and often the most challenging to implement. It addresses limiting system access to authorized users and transactions.
Key requirements include:
- AC-L2-3.1.1: Limit system access to authorized users, processes, and devices
- AC-L2-3.1.2: Limit system access to authorized transaction types and functions
- AC-L2-3.1.3: Control CUI flow in accordance with approved authorizations
- AC-L2-3.1.5: Employ the principle of least privilege
- AC-L2-3.1.7: Prevent non-privileged users from executing privileged functions
- AC-L2-3.1.12: Monitor and control remote access sessions
- AC-L2-3.1.22: Control CUI posted or processed on publicly accessible systems
Implementation guidance:
- Deploy role-based access control (RBAC) with documented access policies
- Implement multi-factor authentication for all remote and privileged access
- Use network segmentation to isolate CUI processing environments
- Document and review access permissions quarterly
- Implement automated session controls (timeout, lock, termination)
Comprehensive logging and monitoring are essential for detecting incidents and demonstrating compliance.
Key requirements:
- Create and retain audit records sufficient to reconstruct events
- Ensure audit logging cannot be disabled by end users
- Alert on audit process failures
- Correlate audit records across systems
- Protect audit information from unauthorized modification
Implementation guidance:
- Deploy a centralized SIEM for log collection and analysis
- Retain logs for a minimum of 1 year (3 years recommended for CMMC)
- Implement tamper-evident logging mechanisms
- Configure alerts for critical security events
- Review audit logs regularly (automated + manual review)
Strong identity verification prevents unauthorized access to CUI.
Key requirements:
- Uniquely identify and authenticate all users
- Implement multi-factor authentication for network and privileged access
- Use replay-resistant authentication mechanisms
- Enforce password complexity and rotation policies
- Disable identifiers after defined periods of inactivity
Implementation guidance:
- Deploy enterprise MFA solution (hardware tokens, FIDO2, or push-based)
- Implement centralized identity management (Active Directory, Azure AD)
- Enforce minimum 12-character passwords with complexity requirements
- Disable accounts after 90 days of inactivity
- Implement privileged access management (PAM) for administrative accounts
Protect communications and system boundaries.
Key requirements:
- Monitor and control communications at system boundaries
- Implement cryptographic mechanisms to prevent unauthorized disclosure
- Deny network traffic by default (allow by exception)
- Protect the confidentiality of CUI at rest and in transit
- Implement DNS filtering and network segmentation
Implementation guidance:
- Deploy next-generation firewalls at all network boundaries
- Encrypt all CUI at rest (AES-256) and in transit (TLS 1.2+)
- Implement network segmentation between CUI and non-CUI environments
- Deploy DNS filtering and web content filtering
- Use VPN with FIPS 140-2/3 validated encryption for remote access
The System Security Plan is the cornerstone document for NIST 800-171 compliance. It describes your system boundaries, security controls, and how each requirement is implemented.
A complete SSP includes:
- System identification -- Name, purpose, categorization, boundaries
- System environment -- Architecture, network diagrams, data flows
- System interconnections -- External connections and data sharing agreements
- Security requirement implementation -- How each of the 110 requirements is met
- Organization-defined parameters -- Your specific values for each ODP
- Roles and responsibilities -- Who is responsible for each control area
- Continuous monitoring strategy -- How you verify ongoing compliance
- Be specific: Generic statements like "we use encryption" are insufficient. Specify the algorithm, key length, and where encryption is applied
- Document compensating controls: If you cannot fully implement a requirement, document the compensating control and its justification
- Include evidence references: Reference specific policies, configurations, or tool outputs that demonstrate implementation
- Keep it current: The SSP must reflect the current state of your environment (review quarterly at minimum)
- Use the template: See
templates/ssp-template.mdfor a structured SSP template
A Plan of Action and Milestones (POA&M) documents security weaknesses, planned remediation actions, and timelines for completion. It is a required artifact for both NIST 800-171 self-assessment and CMMC certification.
Each POA&M entry must include:
- Weakness description: What specific requirement is not met and why
- Risk level: High, Medium, or Low based on impact analysis
- Remediation plan: Specific steps to achieve compliance
- Milestones: Measurable checkpoints with target dates
- Resources required: Budget, personnel, tools needed
- Responsible party: Named individual accountable for remediation
- Estimated completion date: Realistic timeline based on resources
- Prioritize by risk: Address high-risk findings first
- Set realistic timelines: Overly aggressive timelines lead to missed deadlines
- Track progress monthly: Review POA&M status in regular security meetings
- Close completed items: Document evidence of completion and update SPRS score
- Avoid POA&M debt: Do not let the list grow indefinitely -- it signals systemic issues
See templates/poam-template.md for a POA&M tracking template.
CMMC (Cybersecurity Maturity Model Certification) 2.0 Level 2 maps directly to NIST 800-171. Understanding this relationship is critical for defense contractors.
| CMMC Level | Requirements | Assessment Type | Maps To |
|---|---|---|---|
| Level 1 | 17 practices | Self-assessment (annual) | FAR 52.204-21 |
| Level 2 | 110 practices | Self or C3PAO assessment | NIST 800-171 |
| Level 3 | 110+ practices | Government-led assessment | NIST 800-171 + 800-172 |
- CMMC requires third-party assessment for contracts involving critical CUI (Level 2 C3PAO)
- CMMC does not allow POA&Ms for certain critical controls (you must be fully implemented)
- CMMC certification is valid for 3 years (NIST 800-171 self-assessment is annual)
- CMMC adds maturity requirements beyond just implementing controls
Your NIST 800-171 self-assessment score is submitted to SPRS and visible to DoD contracting officers:
- Maximum score: 110 (all requirements fully implemented)
- Minimum acceptable score: Varies by contract (some require 110, others accept POA&Ms)
- Scoring methodology: Each unimplemented requirement deducts 1, 3, or 5 points based on severity
- Score must be current: Updated within the last 3 years (annual updates recommended)
Problem: Organizations struggle to identify where CUI exists and define appropriate system boundaries.
Solution:
- Conduct a CUI data flow analysis (where does CUI enter, move through, and leave your environment?)
- Minimize the CUI boundary by centralizing CUI processing
- Use network segmentation to isolate CUI environments
- Document the boundary clearly in your SSP with network diagrams
Problem: MFA requirements are broad (network access, privileged access, remote access).
Solution:
- Deploy enterprise MFA that covers all access vectors
- Use FIDO2/WebAuthn for phishing-resistant authentication
- Implement conditional access policies based on risk factors
- Document MFA exceptions and compensating controls
Problem: Generating, collecting, and retaining sufficient audit logs across all systems.
Solution:
- Deploy a centralized SIEM with automated log collection
- Define minimum log sources (domain controllers, firewalls, servers, endpoints, cloud services)
- Implement log integrity protections (write-once storage, hash verification)
- Automate alert rules for security-relevant events
- Budget for adequate storage (3+ years of log retention)
Problem: Rev 3 adds formal supply chain risk management requirements that many organizations have not addressed.
Solution:
- Develop a supply chain risk management policy
- Assess critical suppliers and service providers
- Include cybersecurity requirements in contracts with vendors
- Monitor supplier risk through continuous assessment tools
- Maintain a software bill of materials (SBOM) for critical systems
Problem: NIST 800-171 requires extensive documentation (SSP, POA&M, policies, procedures, evidence).
Solution:
- Use structured templates (like those in this repository)
- Implement a GRC (Governance, Risk, and Compliance) platform
- Assign documentation owners for each control family
- Review and update documentation on a quarterly cycle
- Automate evidence collection where possible
- Scope definition: Identify all systems that process, store, or transmit CUI
- Control evaluation: Assess each of the 110 requirements against your implementation
- Evidence collection: Gather evidence for each implemented control
- Gap identification: Document unimplemented or partially implemented controls
- Scoring: Calculate your SPRS score based on the DoD Assessment Methodology
- POA&M development: Create remediation plans for all gaps
- SPRS submission: Submit your score and date of assessment to SPRS
| Status | Description | Score Impact |
|---|---|---|
| Implemented | Fully meets the requirement with evidence | No deduction |
| Partially Implemented | Some aspects met, gaps remain | Full deduction (1/3/5 pts) |
| Planned | On POA&M with remediation timeline | Full deduction (1/3/5 pts) |
| Not Implemented | Not addressed, no plan | Full deduction (1/3/5 pts) |
| Not Applicable | Requirement does not apply to the system | No deduction (must justify) |
This repository includes the following templates and checklists:
| Resource | Purpose | Location |
|---|---|---|
| NIST 800-171 Controls Checklist | All 110 controls with implementation status tracking | checklists/nist-800-171-controls.md |
| System Security Plan Template | Complete SSP template with all required sections | templates/ssp-template.md |
| POA&M Template | Structured tracking for remediation items | templates/poam-template.md |
Petronella Technology Group has been helping organizations achieve and maintain compliance for over 23 years. Founded by Craig Petronella, a 15x published author on cybersecurity and compliance, PTG specializes in NIST 800-171, CMMC, HIPAA, and SOC 2 compliance programs.
- Gap assessments against NIST 800-171 Rev 2 and Rev 3
- SSP and POA&M development with implementation guidance
- CMMC Level 2 readiness assessments and remediation
- Managed compliance programs with continuous monitoring
- SPRS score optimization and submission support
- Virtual CISO services for ongoing compliance management
- Website: petronellatech.com/compliance/
- Phone: 919-348-4912
- Email: info@petronellatech.com
- Book: How to Avoid a Data Breach by Craig Petronella
- Podcast: Encrypted Ambition -- Weekly cybersecurity and compliance discussions
- Free Consultation: Schedule a Call
We welcome contributions from the compliance community. Submit pull requests with corrections, additional guidance, or improved templates.
This project is licensed under the MIT License -- see the LICENSE file for details.
Built with real-world compliance experience by Petronella Technology Group -- Securing businesses for over 23 years.