What is NIST 800-171?
NIST 800-171 is a set of security requirements that any organization, inside or outside the United States, must meet when it handles sensitive unclassified information from a U.S. government contract. It spells out, in practical terms, how to protect that kind of data: who can access it, how to log its use, how to respond to an incident. It is the foundation of the CMMC program and applies across the entire defense supply chain, including subcontractors outside the U.S.
How NIST 800-171 works
NIST 800-171 is not a one-time audit; it is a set of requirements organized by theme, against which a company assesses itself and proves compliance. It exists to protect what is called controlled unclassified information (CUI): data that is not a state secret, but that, if leaked, exposes programs, projects, and people.
Map where the controlled data lives
The first step is knowing which systems, emails, and files hold government-contract information. You cannot protect what you do not know the location of.
Compare yourself to the requirements
The company assesses itself against the standard's security requirements, organized by family (access control, incident response, media protection, and others), and identifies each gap.
Add up the score and record the plan
The result becomes a score recorded in the government's official system, and every item still open goes into a plan of action with a deadline, the POA&M.
Prove it and maintain it
The evidence that each requirement is met has to exist and hold over time, because the standard is the basis of the CMMC assessment, which now requires third-party verification for the most sensitive contracts.
Source: NIST SP 800-171 Rev. 3 (csrc.nist.gov) and the U.S. Department of Defense clause DFARS 252.204-7012.
Who must comply, and why it catches people off guard
- It is not only whoever holds a direct government contract. The requirement flows down the whole chain: if your company supplies whoever supplies defense, the controlled data reaches you, and so does the requirement.
- International reach. The standard follows the data, not the border: a manufacturer, an engineering firm, or a software house outside the U.S. that touches information from a U.S. contract falls into scope.
- The deadline has already passed on paper. The clause that makes the standard mandatory has been in force since 2017; many companies discover the requirement only when a larger customer asks for the score, and by then the clock is already running.
- The score can be negative. The count starts at 110 and subtracts for each unmet requirement, so an honest first self-assessment often lands below zero, which alarms those who thought they were 'almost there.'
The requirement families, in business terms
- Access control and identity Who gets in, with which credential, and how far they go. This is the foundation: least privilege, strong authentication, and the record of who accessed what.
- Logging and response Keeping audit trails and having a plan for when something goes wrong. Without logs, an incident becomes a mystery with no evidence.
- Data and media protection Encryption, control of USB drives, and secure disposal. Controlled data has to stay protected at rest, in transit, and at end of life.
- Configuration and maintenance Keeping systems updated, hardened, and under controlled change. Rev 3 strengthened supply-chain risk management as a family of its own.
- People and continuity Training the operators and making sure protection survives vacations, departures, and incidents. Security is a routine, not a project with an end date.
What is at stake for the business
NIST 800-171 has stopped being 'compliance paperwork' and become a condition for selling. The DFARS clause that makes it mandatory has been in force since 2017, and CMMC, the program that verifies that compliance, took effect in November 2025: in many contracts, without the recorded score and the plan of action, a company never even reaches the proposal stage. Rev 3 of the standard reorganized the requirements into 97 items across 17 families (Rev 2, with 110 requirements across 14 families, remains the contractual baseline during the transition), which means the bar is not static: anyone who treated the topic as 'solved once' has to reassess. And the cost of getting it wrong is not only losing the contract: a data breach still costs, on average, $ 4.44 million worldwide (IBM, 2025), on top of the damage of exposing the information of a customer the size of a government.
How a company prepares in practice
Meeting NIST 800-171 is a project with a beginning but no end: preparation turns a daunting requirement into a manageable routine.
- Scope it firstSeparate the systems that touch controlled data from the rest of the environment. Shrinking the boundary shrinks the cost: not everything needs to be in scope of the standard.
- Do the honest self-assessmentA real score, even a negative one, is more useful than an inflated number. It is what guides where to invest first and what to put in the plan of action.
- Prioritize access and responseLeast privilege, strong authentication, and an incident response plan resolve a large share of the requirements and cut real risk, not just the score.
- Document as you goThe evidence has to exist at the moment the requirement is met. Reconstructing proof afterward is expensive and fragile; recording it in the moment is cheap.
- Treat it as a continuous routineThe score ages, systems change, and the bar evolves from revision to revision. Reviewing periodically is what keeps a company eligible for the next contract.
In practice
If a larger customer asked for your score in the official system today, would you have a number to give, or would you discover the requirement at the moment of losing the deal? The answer to that question usually separates who is already in the chain from who is about to be left out of it.
How Zamak supports the NIST 800-171 journey
Zamak Technologies supports NIST 800-171 preparation alongside your team: it scopes the controlled data, runs the self-assessment, organizes the plan of action, and keeps the evidence current, using a compliance platform as one of the roadmaps. One honest clarification: governance documents and proves compliance; it does not replace the technical defenses that protect the data, which remain a separate layer. A good starting point is the compliance self-check, and the preparation is part of the Governance and Compliance of the Zamak Method.