What is NIST SP 800-171

NIST SP 800-171 defines the requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Compliance is required for Department of Defense contractors and underpins the CMMC certification framework. Smither, an authorized C3PAO, is ready to help your organization understand and meet NIST 800-171 requirements.

NIST SP 800-171 Cybersecurity

Do you have specific questions you would like to discuss?

We're happy to support! Schedule a 30-minute meeting today.

Schedule a Meeting

How to Comply with CMMC/NIST 800-171

NIST SP 800-171 was published by the National Institute of Standards and Technology to provide a comprehensive set of security requirements for protecting CUI in non-federal information systems. The publication organizes its 110 security requirements into 14 families, each addressing a distinct area of cybersecurity practice.

Organizations in the Defense Industrial Base (DIB) must assess their compliance against these requirements and submit their score to the Supplier Performance Risk System (SPRS). CMMC Level 2 certification requires a third-party assessment by an authorized C3PAO against these same requirements.

Robert McVay

ROBERT
MCVAY

Senior Consultant, Information Security Services

United States

Contact Robert
AC

Access Control

Access control requirements limit system access to authorized users, processes, and devices. Organizations must manage who can access systems containing CUI, what actions they can perform, and ensure that remote access connections are properly controlled and protected.

Access Control
AT

Assessments and Training

Organizations must ensure that personnel are aware of the security risks associated with their activities and are trained to carry out their security responsibilities. Regular security awareness training is a foundational requirement for protecting CUI.

AU

Audit and Accountability

System audit logs must be created, protected, and reviewed to enable the monitoring and investigation of security events. Organizations must ensure that user activities can be traced to individuals accountable for those actions.

CM

Configuration Management

Organizations must establish and maintain baseline configurations for their information systems, control changes to those configurations, and ensure that only authorized software is installed and executed.

IR

Incident Response

Organizations must establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities. Incidents must be tracked and documented.

IA

Identification and Authentication

All users, processes, and devices must be identified and authenticated before being granted access to systems containing CUI. Multi-factor authentication is required for privileged and network access.

MA

Maintenance

System maintenance activities must be controlled and monitored. Maintenance tools must be approved and media containing diagnostic programs must be checked for malicious code before use.

MP

Media Protection

Organizations must protect system media containing CUI — both paper and digital — limiting access to authorized users and sanitizing or destroying media before disposal or reuse to prevent unauthorized disclosure.

Media Protection
PS

Personnel Security

Organizations must screen individuals prior to authorizing access to systems containing CUI, and ensure that CUI is protected during and after personnel actions such as terminations and transfers.

PE

Physical Protection

Physical access to systems containing CUI must be limited to authorized individuals. Organizations must protect equipment and systems from physical threats, and control physical access to facilities and operating environments.

RA

Risk Assessment

Organizations must periodically assess the risk to operations, assets, and individuals resulting from the operation of their systems. Risk assessments inform security decisions and help prioritize protective measures for CUI.

CA

Security Assessment

Organizations must periodically assess the security controls in their systems to determine their effectiveness, develop and implement plans of action to correct deficiencies, and monitor controls on an ongoing basis.

SC

System and Communication Protection

Organizations must monitor, control, and protect communications at the external boundaries and key internal boundaries of their systems. Cryptographic mechanisms must be used to protect CUI during transmission.

System and Communication Protection
SI

System and Information Integrity

Organizations must identify, report, and correct information system flaws in a timely manner, protect against malicious code, and monitor systems to detect attacks and indicators of potential compromise.

Why Pursue a CMMC (NIST 800-171) Certification?

Healthy Habits

Implementing NIST 800-171 requirements creates disciplined cybersecurity practices across your organization. Regular access reviews, configuration management, and incident response planning become ingrained habits that reduce risk well beyond satisfying DoD requirements. These practices protect your sensitive data, your employees, and your customers.

Security for the Present and the Future

Cyber threats continue to grow in frequency and sophistication. Organizations that implement NIST 800-171 controls are significantly better positioned to detect, respond to, and recover from cyberattacks. Compliance today builds a foundation of security resilience that protects your organization as the threat landscape evolves.

Business Growth

As CMMC requirements take full effect, organizations that are certified will have a clear competitive advantage in winning and retaining DoD contracts. Early movers who achieve CMMC certification now will be positioned to capture contracts from peers who are not yet compliant. Certification is increasingly a market differentiator, not just a compliance burden.

Right Response

When a cybersecurity incident occurs, the organizations that respond most effectively are those that have implemented incident response plans, trained their staff, and tested their capabilities. NIST 800-171's incident response requirements ensure your team knows exactly what to do when an event occurs — minimizing damage, downtime, and regulatory exposure.

Why Choose Smither?

Smither is an authorized C3PAO with more than 30 years of experience as an accredited assessment body. Our information security consultants and CMMC assessors bring deep technical expertise and real-world experience to every NIST 800-171 engagement. We understand the pressure that DoD contractors face and work efficiently to support your compliance journey without unnecessary disruption.

Whether you are beginning your NIST 800-171 assessment, preparing for a CMMC Level 2 certification, or seeking ongoing cybersecurity consulting, Smither has the credentials and experience to guide you every step of the way.

Request a Quote
NIST 800-171 Assessment Checklist

Your NIST 800-171 Assessment Checklist

Use our checklist to evaluate your organization's current posture against the 110 NIST SP 800-171 security requirements before beginning your formal assessment.

Cybersecurity Resources

Explore our Cybersecurity Resources

Browse Smither' library of CMMC and cybersecurity resources including guides, webinars, and frequently asked questions.

Follow us on LinkedIn