What is NIST SP 800-171?
NIST SP 800-171 is the federal standard of 110 security controls for protecting CUI in non-federal systems — the technical basis of CMMC Level 2.
NIST Special Publication 800-171 defines 110 security requirements across 14 control families, from Access Control to System and Communications Protection. CMMC Level 2 is, in practice, an assessment against these 110 controls.
Revision 2 remains the assessment baseline under DoD's current class deviation. Revision 3 restructures the families and introduces Organization-Defined Parameters, but CMMC has not yet moved its assessment baseline to Rev 3.
Each control is scored, and unimplemented controls subtract points from a maximum of 110 — which is how an environment that feels 'mostly compliant' can produce a deeply negative SPRS score.
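The arithmetic behind that negative score, as an added illustration (not code from the original page): under the DoD NIST SP 800-171 Assessment Methodology each of the 110 requirements carries a weight of 5, 3 or 1, and the score starts at 110 and subtracts the weight of every requirement that is not fully implemented. The gap list below is a constructed example, not an official weight table.

```python
"""Added example: why a "mostly compliant" environment can post a negative SPRS score.

Assumption (from the DoD Assessment Methodology, not from the page above): every
requirement is weighted 5, 3 or 1, and the score is 110 minus the summed weights of
all requirements that are not fully implemented. The minimum possible score is -203.
"""

MAX_SCORE = 110          # one point per control before deductions
TOTAL_CONTROLS = 110
VALID_WEIGHTS = {5, 3, 1}


def sprs_score(unimplemented_weights):
    """Return the assessment score given the weights of the unimplemented controls.

    An empty list means every control is fully implemented (score 110).
    """
    if len(unimplemented_weights) > TOTAL_CONTROLS:
        raise ValueError("more gaps than there are controls")
    for w in unimplemented_weights:
        if w not in VALID_WEIGHTS:
            raise ValueError(f"invalid control weight {w}; expected 5, 3 or 1")
    return MAX_SCORE - sum(unimplemented_weights)


def percent_implemented(n_unimplemented):
    """Headline 'compliance percentage' that people quote, rounded to one decimal."""
    return round(100 * (TOTAL_CONTROLS - n_unimplemented) / TOTAL_CONTROLS, 1)


# Constructed gap profile: 30 of 110 controls not implemented, skewed toward the
# 5-point items (MFA, FIPS-validated crypto and similar high-weight requirements
# are common late-stage gaps). This is illustrative data, not a real assessment.
CONSTRUCTED_GAPS = [5] * 20 + [3] * 6 + [1] * 4

if __name__ == "__main__":
    gaps = CONSTRUCTED_GAPS
    print(f"{percent_implemented(len(gaps))}% of controls implemented")
    print(f"SPRS score: {sprs_score(gaps)}")   # 72.7% implemented, score -12
```

Roughly three-quarters of the controls implemented still yields a score below zero when the gaps are concentrated in 5-point requirements, which is the effect the paragraph above describes.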
- CUI: government-created or -owned information that requires safeguarding under law, regulation, or government-wide policy, but is not classified.
- SPRS: the DoD system where contractors post their NIST 800-171 self-assessment score and, under CMMC, their certification status and affirmations.
- SSP: the document describing how an organization implements each required security control across its in-scope environment.
- POA&M: a tracked plan for remediating security controls that are not yet fully implemented, with owners and target dates.
See where you actually stand on the 110 controls.
PolicyCortex maps your live cloud against every NIST 800-171 control and generates C3PAO-ready evidence. Start with the free assessment.
