NIST 800-171

Protecting CUI under NIST SP 800-171 is the price of admission for most defense work — and the foundation of CMMC. We help contractors implement all 110 controls in a way that holds up to scrutiny and actually reduces risk.

What it is

NIST SP 800-171 defines the security requirements for protecting Controlled Unclassified Information on nonfederal systems. Meeting them is how you safeguard the data and the contract at the same time.

Who must comply

Defense contractors, subcontractors, and suppliers that process, store, or transmit CUI — usually triggered by DFARS clauses in DoD contracts. If you’ve signed one, the clock is already running.

The 110 controls

They span access control, incident response, configuration management, risk assessment, awareness training, system protection, and continuous monitoring — across both technical and administrative measures. Implementing them well is the work; documenting them honestly is what gets you through an assessment.

Gap assessment and SPRS

We measure your current state, generate a defensible SPRS score, build the System Security Plan, and write the POA&M that maps every gap to a fix and a date. For the detail, see our guides on your SPRS score and SSP requirements.