NIST 800-171 Requirements: A Plain-English Guide for Defense Contractors
NIST 800-171 is the cybersecurity rulebook behind most CMMC Level 2 work. If your company handles Controlled Unclassified Information (CUI) for the Department of Defense, these are the requirements DoD expects you to follow.
The problem is that the official document was written for security professionals, not owners of machine shops, electronics suppliers, logistics firms, or small engineering teams. This guide translates the requirements into plain English: what NIST 800-171 is, when it applies, how it connects to CMMC, and what to do first if you are starting from zero.
This is not legal advice and it is not a substitute for a qualified CMMC professional. But it will help you understand the terrain before you spend money.
What Is NIST 800-171?
NIST Special Publication 800-171 is a federal cybersecurity standard for protecting CUI in nonfederal systems. In simpler terms: it tells contractors how to protect sensitive government information when that information sits inside a private company’s network.
CUI is not classified information. It is lower than classified, but still sensitive enough that the government does not want it handled casually. For defense contractors, CUI can include technical drawings, engineering data, specifications, export-controlled information, test results, or other contract-related information marked or treated as controlled.
If you are not sure whether you handle CUI, start with our guide to what CUI means for defense contractors or take the CMMC applicability quiz.
How NIST 800-171 Connects to CMMC
CMMC is the assessment and verification program. NIST 800-171 is the underlying requirement set.
For most small and mid-sized defense contractors, the relationship looks like this:
- CMMC Level 1 applies to Federal Contract Information (FCI) and uses a smaller set of basic safeguarding practices.
- CMMC Level 2 applies when you handle CUI and maps to the NIST 800-171 security requirements.
- CMMC Level 3 is for the highest-risk programs and adds a subset of requirements from NIST SP 800-172 on top of the Level 2 set.
So when someone says, “You need CMMC Level 2,” the practical meaning is usually: “You need to implement the NIST 800-171 requirements, document them, operate them, and be ready for assessment.”
For a deeper comparison, see CMMC Level 1 vs Level 2.
Who Needs to Follow NIST 800-171?
You should assume NIST 800-171 matters if all three are true:
- You work on DoD contracts or subcontracts.
- Your contract, prime contractor, or customer gives you CUI or expects you to create it.
- That CUI is processed, stored, or transmitted on your company systems.
This includes subcontractors. You do not need to be the prime contractor for CUI obligations to flow down to you. If a prime sends you controlled technical data so you can manufacture, inspect, quote, or support a defense item, your environment may be in scope.
If you only receive basic contract information and never touch CUI, you may be closer to CMMC Level 1 than Level 2. But do not guess. Misclassifying your scope is one of the fastest ways to waste money or create False Claims Act risk. Our do I need CMMC guide walks through the decision path.
The 14 Requirement Families
NIST 800-171 organizes its security requirements into 14 families. The family names sound abstract, but the underlying questions are practical.
| Family | Plain-English Question |
|---|---|
| Access Control | Who can get into systems that hold CUI, and what are they allowed to do? |
| Awareness and Training | Do employees know how to handle CUI and spot basic security risks? |
| Audit and Accountability | Can you log and review important activity on your systems? |
| Configuration Management | Are your systems configured securely and changed in a controlled way? |
| Identification and Authentication | Can you verify that each user is who they claim to be? |
| Incident Response | Do you know what to do when something goes wrong? |
| Maintenance | Are system repairs and maintenance controlled and documented? |
| Media Protection | Are removable drives, printed materials, and stored media protected? |
| Personnel Security | Do you manage access when employees join, change roles, or leave? |
| Physical Protection | Can unauthorized people physically access systems or facilities holding CUI? |
| Risk Assessment | Do you identify and prioritize security risks? |
| Security Assessment | Do you test whether your controls actually work? |
| System and Communications Protection | Is CUI protected when it moves across networks? |
| System and Information Integrity | Do you detect, prevent, and correct malicious code and system flaws? |
These families are not separate projects. They overlap. For example, multi-factor authentication is an Identification and Authentication requirement, but it is also how you enforce access control and it generates audit evidence. Employee offboarding touches personnel security, access control, and audit and accountability.
What the Requirements Look Like in Real Life
NIST 800-171 can feel theoretical until you translate it into daily operations. A small defense manufacturer may need to show evidence that it:
- Limits CUI access to specific employees who need it for contract work.
- Uses multi-factor authentication for privileged accounts and for any network access to ordinary user accounts.
- Keeps an inventory of systems, users, and software in scope.
- Patches laptops, servers, and network devices on a defined schedule.
- Protects CUI in email, file sharing, backups, and removable media.
- Logs security events and reviews them.
- Has an incident response plan and knows when reporting obligations apply.
- Documents how CUI flows through the business.
- Maintains a System Security Plan (SSP) and tracks unresolved gaps in a Plan of Action and Milestones (POA&M).
The key word is evidence. It is not enough to say you have a policy. For CMMC Level 2, you need to show that the policy exists, that the technical control is implemented, and that the process is actually being followed.
The Documents You Usually Need
A contractor preparing for CMMC Level 2 will usually need at least these documentation pieces:
System Security Plan (SSP). This is the central document that describes your environment, where CUI lives, which systems are in scope, and how you satisfy each requirement.
Scope diagram and asset inventory. You need to know what is inside the CUI boundary: devices, users, networks, cloud services, applications, and data flows.
Policies and procedures. These explain how your company handles access, passwords, incident response, media, physical security, training, risk management, and related processes.
Evidence artifacts. These are screenshots, logs, tickets, training records, configuration exports, meeting notes, and other proof that controls are operating.
POA&M. A Plan of Action and Milestones tracks gaps that are not fully closed. Under CMMC, a conditional Level 2 status is possible only when your assessment score is already high (at least 88 of 110), the open items are low-weight ones, and you close them within 180 days. High-weight unresolved items block certification outright.
If you are early, do not start by buying a giant policy template. Start by mapping where CUI enters, where it moves, where it is stored, and who touches it. Scope drives everything.
Why Scope Comes Before Remediation
Most CMMC budgets get blown up by bad scope.
If CUI can spread across every laptop, inbox, file share, and production workstation, your assessment boundary becomes large. That means more controls to implement, more systems to harden, more documentation to maintain, and more evidence to collect.
If CUI is limited to a smaller controlled environment, the work becomes more manageable. That is why many contractors use a CMMC enclave strategy: isolate CUI into a defined segment instead of trying to certify the entire business network.
Scope is also a business decision. A small enclave can reduce cost, but it may create operational friction. A full-environment approach may be simpler for employees, but it is usually more expensive. The right answer depends on how your contract work actually happens.
Use the CMMC cost estimator if you need a rough planning range before talking to vendors.
Common NIST 800-171 Mistakes
Treating it as an IT-only project. NIST 800-171 affects contracts, HR, operations, facilities, procurement, and leadership. IT may implement many controls, but the business owns the risk.
Skipping the CUI discovery step. You cannot protect CUI until you know where it is. Many contractors discover late that CUI is sitting in old email threads, shared drives, supplier portals, or inspection files.
Writing policies nobody follows. Assessors care about operating reality. If the written procedure says one thing and employees do another, that is a gap.
Assuming Microsoft 365 automatically solves everything. Government cloud tools can help, especially when designed as part of an enclave, but configuration and process still matter.
Waiting for the contract clause. If you wait until a solicitation or prime flowdown demands CMMC, you may not have enough time. Remediation can take months, especially if you need architecture changes, tooling, documentation, and assessment scheduling. See our CMMC timeline guide for the practical sequence.
What to Do First
If you are starting from scratch, use this order:
- Confirm whether you handle CUI. Review contracts, markings, prime flowdowns, portals, technical packages, and customer instructions.
- Map CUI flow. Identify where CUI enters, who touches it, where it is stored, and how it leaves.
- Define your boundary. Decide which systems are in scope and whether an enclave is realistic.
- Run a gap assessment. Compare your current environment against NIST 800-171.
- Prioritize high-impact fixes. Access control, MFA, asset inventory, patching, logging, incident response, and CUI handling usually come early.
- Build evidence as you remediate. Do not wait until the end to collect proof.
- Talk to a qualified RPO (Registered Provider Organization) or C3PAO (CMMC Third-Party Assessment Organization) before assessment. A short scoping conversation can prevent expensive rework.
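The first two steps above, confirming that you handle CUI and mapping where it sits, usually start with a crude sweep of file shares for marked files. The script below is an added example written for this guide, not an official DoD, NIST or Meridian tool. It walks a directory, flags files whose contents or file names carry CUI banner markings (CUI, CUI//SP-EXPT//NOFORN and similar), the legacy FOUO marking, DoD distribution statements B through F, or common export-control labels, and summarizes marked files per top-level folder so you can see which parts of the business the boundary has to cover. The pattern list, the 2 MB size cap, the text file types scanned and the sample share built by build_sample_tree() are all assumptions or constructed data; a real sweep also needs to cover mailboxes and cloud storage, which this does not.

```python
"""Sweep a file tree for CUI markings and produce a first-pass inventory.

Added example for this guide, not an official DoD or NIST tool. The marking
patterns, size cap and file-type list are assumptions; build_sample_tree()
creates a constructed sample share so the script runs offline.
"""
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

MAX_BYTES = 2_000_000                                                     # assumption
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml", ".log", ".json", ".xml"}  # assumption

MARKING_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # Banner with optional category and dissemination control, e.g. CUI//SP-EXPT//NOFORN
    "cui_banner": re.compile(
        r"\b(?:CUI|CONTROLLED)(?://(?:SP-)?[A-Z][A-Z0-9-]*)*(?://(?:NOFORN|FED ONLY|NOCON|DL ONLY))?\b"
    ),
    "legacy_fouo": re.compile(r"\bFOUO\b|\bFOR OFFICIAL USE ONLY\b", re.IGNORECASE),
    "distribution_statement": re.compile(r"\bDISTRIBUTION STATEMENT [B-F]\b", re.IGNORECASE),
    "export_control": re.compile(r"\b(?:ITAR|EAR99|ECCN \d[A-Z]\d{3})\b"),
}
# File names such as bracket_drawing_CUI.pdf: "_" is a word character, so \b would miss these.
NAME_PATTERN = re.compile(r"(?<![A-Z])(?:CUI|FOUO|ITAR)(?![A-Z])")


@dataclass
class Hit:
    path: str
    kinds: List[str]       # which pattern families matched ("filename" for name-only hits)
    first_marking: str     # first matched text, handy when reviewing the inventory
    match_count: int
    readable: bool = True


def classify_text(text: str) -> Dict[str, List[str]]:
    """Return {pattern_name: [matched strings]} for every pattern found in text."""
    found: Dict[str, List[str]] = {}
    for kind, pattern in MARKING_PATTERNS.items():
        matches = [m.group(0) for m in pattern.finditer(text)]
        if matches:
            found[kind] = matches
    return found


def scan_tree(root: Path) -> List[Hit]:
    """Walk root and return one Hit per file whose name or contents carry a marking."""
    hits: List[Hit] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        kinds: List[str] = ["filename"] if NAME_PATTERN.search(path.name) else []
        found: Dict[str, List[str]] = {}
        try:
            if path.suffix.lower() in TEXT_SUFFIXES and path.stat().st_size <= MAX_BYTES:
                found = classify_text(path.read_text(errors="replace"))
        except OSError:
            # A file you cannot read is an unknown, not a clean file: keep it in the inventory.
            hits.append(Hit(rel, ["unreadable"], "", 0, readable=False))
            continue
        kinds.extend(found)
        if kinds:
            first = next((v[0] for v in found.values()), path.name)
            hits.append(Hit(rel, kinds, first, sum(len(v) for v in found.values())))
    return hits


def summarize_by_top_dir(hits: List[Hit]) -> Dict[str, int]:
    """Count marked files per top-level folder: a first cut at where CUI actually lives."""
    return dict(Counter(Path(h.path).parts[0] if len(Path(h.path).parts) > 1 else "." for h in hits))


def build_sample_tree(root: Path) -> Path:
    """Constructed sample share: marked files, clean files, and one marked only by its name."""
    files = {
        "engineering/bracket_rev3.txt": "CUI//SP-EXPT//NOFORN\nBracket tolerances per drawing.\nCUI//SP-EXPT//NOFORN\n",
        "engineering/old_spec.txt": "FOR OFFICIAL USE ONLY\nLegacy spec, distribution statement D applies.\n",
        "quotes/rfq_2021.eml": "Subject: RFQ\nSee attached ITAR-controlled data package.\n",
        "quotes/bracket_drawing_CUI.pdf": "%PDF-1.4 binary placeholder",
        "hr/handbook.md": "Holiday schedule and parking rules.\n",
        "README.txt": "Nothing controlled here.\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


def run_demo() -> List[Hit]:
    """Build the constructed share in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    results = run_demo()
    print("path,kinds,first_marking,matches")
    for h in results:
        print(f"{h.path},{'|'.join(h.kinds)},{h.first_marking},{h.match_count}")
    for folder, n in summarize_by_top_dir(results).items():
        print(f"{folder}: {n} marked file(s)")
```

Point scan_tree() at a real share root instead of the temp directory to use it for a sweep. Expect noise: the banner pattern deliberately matches "CUI" on its own, so policy documents that merely talk about CUI will show up and need a human to sort them from actual controlled data, and anything the script flags as unreadable needs to be reviewed with an account that can read it rather than assumed clean.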
You can begin with Meridian’s free readiness assessment. It will not certify you, but it will help you see whether you are dealing with a small documentation problem or a larger technical remediation project.
When to Get Help
You should involve a qualified CMMC advisor if:
- You handle CUI and have never built an SSP.
- You are unsure whether your current environment is in scope.
- A prime contractor is asking for CMMC status or for your SPRS (Supplier Performance Risk System) self-assessment score.
- You have a near-term recompete or new award tied to CMMC requirements.
- You need to choose between an enclave, GCC High, MSP-managed environment, or full-network remediation.
Meridian does not perform CMMC assessments or remediation. We help contractors understand the problem and connect with the right partner when outside help makes sense. If you want a practical starting point, get in touch and we will point you in the right direction.
Frequently Asked Questions
Is NIST 800-171 the same as CMMC?
No. NIST 800-171 is the security requirement set for protecting CUI. CMMC is the DoD assessment program that verifies whether contractors have implemented the required controls at the applicable level.
How many NIST 800-171 requirements are there?
NIST SP 800-171 Rev. 2 contains 110 security requirements organized into 14 families. CMMC Level 2 is built around those 110 requirements for contractors handling CUI. A newer Rev. 3 exists with a different count and family structure, but CMMC assessments are tied to Rev. 2, so 110 is the number that matters for certification.
Do subcontractors need NIST 800-171?
Yes, if CUI flows down to the subcontractor and is processed, stored, or transmitted on the subcontractor’s systems. Subcontractors should not assume the prime contractor carries the whole obligation.
Can I pass CMMC Level 2 with a POA&M?
Sometimes. A conditional status is possible if your score is already high, the open items are low-weight ones, and you close them within 180 days. Treat a POA&M as temporary gap tracking, not a strategy for avoiding remediation.
What is the first NIST 800-171 step for a small contractor?
Map CUI. Find where it enters, where it is stored, who touches it, and which systems transmit it. Without that scope map, every cost estimate and remediation plan is guesswork.