Skip to Content
Governance and Compliance

What is NIST 800-171?

NIST 800-171 is a set of security requirements that any organization, inside or outside the United States, must meet when it handles sensitive unclassified information from a U.S. government contract. It spells out, in practical terms, how to protect that kind of data: who can access it, how to log its use, how to respond to an incident. It is the foundation of the CMMC program and applies across the entire defense supply chain, including subcontractors outside the U.S.

Zamak TechnologiesUpdated on July 11, 2026

How NIST 800-171 works

NIST 800-171 is not a one-time audit; it is a set of requirements organized by theme, against which a company assesses itself and proves compliance. It exists to protect what is called controlled unclassified information (CUI): data that is not a state secret, but that, if leaked, exposes programs, projects, and people.

1

Map where the controlled data lives

The first step is knowing which systems, emails, and files hold government-contract information. You cannot protect what you do not know the location of.

2

Compare yourself to the requirements

The company assesses itself against the standard's security requirements, organized by family (access control, incident response, media protection, and others), and identifies each gap.

3

Add up the score and record the plan

The result becomes a score recorded in the government's official system, and every item still open goes into a plan of action with a deadline, the POA&M.

4

Prove it and maintain it

The evidence that each requirement is met has to exist and hold over time, because the standard is the basis of the CMMC assessment, which now requires third-party verification for the most sensitive contracts.

Source: NIST SP 800-171 Rev. 3 (csrc.nist.gov) and the U.S. Department of Defense clause DFARS 252.204-7012.

Who must comply, and why it catches people off guard

  • It is not only whoever holds a direct government contract. The requirement flows down the whole chain: if your company supplies whoever supplies defense, the controlled data reaches you, and so does the requirement.
  • International reach. The standard follows the data, not the border: a manufacturer, an engineering firm, or a software house outside the U.S. that touches information from a U.S. contract falls into scope.
  • The deadline has already passed on paper. The clause that makes the standard mandatory has been in force since 2017; many companies discover the requirement only when a larger customer asks for the score, and by then the clock is already running.
  • The score can be negative. The count starts at 110 and subtracts for each unmet requirement, so an honest first self-assessment often lands below zero, which alarms those who thought they were 'almost there.'

The requirement families, in business terms

  • Access control and identity Who gets in, with which credential, and how far they go. This is the foundation: least privilege, strong authentication, and the record of who accessed what.
  • Logging and response Keeping audit trails and having a plan for when something goes wrong. Without logs, an incident becomes a mystery with no evidence.
  • Data and media protection Encryption, control of USB drives, and secure disposal. Controlled data has to stay protected at rest, in transit, and at end of life.
  • Configuration and maintenance Keeping systems updated, hardened, and under controlled change. Rev 3 strengthened supply-chain risk management as a family of its own.
  • People and continuity Training the operators and making sure protection survives vacations, departures, and incidents. Security is a routine, not a project with an end date.

What is at stake for the business

97 / 17
requirements and families in NIST 800-171 Rev 3 (Rev 2 has 110 requirements across 14 families)
2017
the year since which the DFARS clause has made the standard mandatory for defense contractors
$ 4.44M
average global cost of a data breach, IBM Cost of a Data Breach 2025

NIST 800-171 has stopped being 'compliance paperwork' and become a condition for selling. The DFARS clause that makes it mandatory has been in force since 2017, and CMMC, the program that verifies that compliance, took effect in November 2025: in many contracts, without the recorded score and the plan of action, a company never even reaches the proposal stage. Rev 3 of the standard reorganized the requirements into 97 items across 17 families (Rev 2, with 110 requirements across 14 families, remains the contractual baseline during the transition), which means the bar is not static: anyone who treated the topic as 'solved once' has to reassess. And the cost of getting it wrong is not only losing the contract: a data breach still costs, on average, $ 4.44 million worldwide (IBM, 2025), on top of the damage of exposing the information of a customer the size of a government.

How a company prepares in practice

Meeting NIST 800-171 is a project with a beginning but no end: preparation turns a daunting requirement into a manageable routine.

  1. Scope it firstSeparate the systems that touch controlled data from the rest of the environment. Shrinking the boundary shrinks the cost: not everything needs to be in scope of the standard.
  2. Do the honest self-assessmentA real score, even a negative one, is more useful than an inflated number. It is what guides where to invest first and what to put in the plan of action.
  3. Prioritize access and responseLeast privilege, strong authentication, and an incident response plan resolve a large share of the requirements and cut real risk, not just the score.
  4. Document as you goThe evidence has to exist at the moment the requirement is met. Reconstructing proof afterward is expensive and fragile; recording it in the moment is cheap.
  5. Treat it as a continuous routineThe score ages, systems change, and the bar evolves from revision to revision. Reviewing periodically is what keeps a company eligible for the next contract.

In practice

If a larger customer asked for your score in the official system today, would you have a number to give, or would you discover the requirement at the moment of losing the deal? The answer to that question usually separates who is already in the chain from who is about to be left out of it.

How Zamak supports the NIST 800-171 journey

Zamak Technologies supports NIST 800-171 preparation alongside your team: it scopes the controlled data, runs the self-assessment, organizes the plan of action, and keeps the evidence current, using a compliance platform as one of the roadmaps. One honest clarification: governance documents and proves compliance; it does not replace the technical defenses that protect the data, which remain a separate layer. A good starting point is the compliance self-check, and the preparation is part of the Governance and Compliance of the Zamak Method.

Frequently asked questions about NIST 800-171

What is the difference between NIST 800-171 and CMMC?
NIST 800-171 is the set of security requirements; CMMC is the program that verifies whether a company meets them. In other words: 800-171 says what to do, and CMMC checks that it was done, requiring, at the most sensitive levels, a third-party assessment instead of self-assessment.
My company is outside the U.S. Does NIST 800-171 affect me?
It can. The requirement follows the data, not the border: if your company handles information from a U.S. government contract, even as a subcontractor, the standard falls into scope, wherever you are.
What is CUI, the information the standard protects?
CUI is controlled unclassified information: data that is not a state secret, but whose leak causes harm, such as technical specifications, personnel data, or program details. 800-171 exists precisely to protect that kind of data outside the government's own systems.
Do I need Rev 2 or Rev 3?
It depends on the contract. Rev 3 is the newest edition (97 requirements, 17 families), but many contracts still require Rev 2 (110 requirements) during the transition. Confirming which revision the contract asks for is part of the work, because meeting the wrong version does not count.
Do I have to close every requirement before winning a contract?
Not always. In many cases, it is enough to have the recorded score and a plan of action with deadlines for the gaps, the POA&M. What is not accepted is having no assessment at all: without the score and the plan, a company usually does not even enter the competition.
Can a small company comply?
Yes, and the secret is scope. By separating the few systems that truly touch controlled data from the rest of the environment, a small company cuts the effort sharply. For most, it makes sense to run the preparation as a service, without building an internal compliance team.