NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is the cybersecurity standard that defines the security requirements for organizations handling Controlled Unclassified Information (CUI) outside of federal systems. If your organization holds a DoD contract, a federal grant that includes technical data, or participates in government research programs, you are almost certainly subject to NIST 800-171 requirements under DFARS 252.204-7012 — and increasingly, under the CMMC 2.0 framework that uses 800-171 as its Level 2 control baseline.
NIST published Revision 3 of SP 800-171 in May 2024, the first major revision since Rev 2 in 2020. Understanding what changed in Rev 3, how the scoring methodology works, and where organizations consistently fall short is essential for any contractor navigating the current compliance landscape.
What Is CUI and Who Handles It?
Controlled Unclassified Information is government-created or government-owned information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy — but that does not meet the criteria for classification as Confidential, Secret, or Top Secret. The CUI Registry, maintained by the National Archives and Records Administration (NARA), catalogs dozens of CUI categories including:
- Defense: Technical data, export-controlled defense information, operations security
- Intelligence: Sensitive but unclassified intelligence information
- Law Enforcement: Sensitive law enforcement information
- Legal: Attorney-client privileged information, grand jury information
- Privacy: Personally identifiable information (PII), health information
- Procurement and Acquisition: Source selection information, contractor bid and proposal data
Organizations that handle CUI include defense contractors, aerospace and defense manufacturers, federal research universities, government consulting firms, and any commercial entity that supports federal programs involving technical data subject to International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).
NIST 800-171 Rev 3: What Changed in 2024
The 2024 revision to SP 800-171 introduced several significant changes from Rev 2:
- Control restructuring: Rev 3 restructured some controls to align more closely with the NIST SP 800-53 Rev 5 control baseline, improving traceability between the federal and nonfederal control frameworks.
- Organization-defined parameters (ODPs): Rev 3 introduces organization-defined parameters — placeholders in control text that allow organizations to tailor requirements to their environment (e.g., defining the specific frequency for log review). This adds flexibility but also requires organizations to document their parameter choices in their System Security Plan.
- Revised control families: Rev 3 adds new requirements in areas including supply chain risk management (derived from NIST 800-161), system and services acquisition, and planning, while many controls were withdrawn or subsumed, reducing the total to 97 security requirements (down from 110 in Rev 2).
- Planning family addition: A new Planning (PL) family was added in Rev 3, requiring organizations to document system rules of behavior and privacy plans.
Note: CMMC 2.0 Level 2 is currently based on NIST 800-171 Rev 2. The transition timeline for Rev 3 requirements in CMMC assessments is expected to be announced by DoD but had not been finalized as of early 2026.
SPRS Scoring Methodology
The Supplier Performance Risk System (SPRS) scoring methodology, documented in DoD's 800-171 Assessment Methodology, assigns each of the 110 Rev 2 practices a point value based on importance. The scoring works as follows:
- A perfect implementation score is 110 points
- Each practice that is NOT implemented or partially implemented deducts its assigned point value
- Point values range from 1 to 5 per practice, with high-impact requirements (like MFA, system boundary protection) deducting more
- A practice with a POA&M (Plan of Action and Milestones) with a target completion date deducts only 1 point while the remediation is in progress
- Scores can be negative — a score of -203 represents zero implementation of any practice
DoD contractors must keep a current NIST SP 800-171 self-assessment score posted in SPRS — current meaning the assessment is no more than 3 years old (DFARS 252.204-7019/-7020). The submission is self-attested under penalty of False Claims Act liability — meaning signing a false SPRS submission is a federal crime, not merely a contract violation.
System Security Plan Requirement
NIST 800-171 requires that covered organizations develop, document, and periodically update a System Security Plan (SSP) that describes the system boundary, the operational environment, how security requirements are implemented, and the relationships with or connections to other systems. The SSP is the primary artifact that a C3PAO assessor will use to evaluate CMMC compliance — it defines the scope of the assessment boundary and documents the implementation status of each control.
A poorly scoped SSP is one of the most common mistakes contractors make. Including systems in scope that do not actually process CUI increases the assessment cost and surface area; excluding systems that do process CUI creates compliance gaps and potential False Claims Act exposure. Scoping the CUI environment correctly — identifying where CUI flows, is stored, and is processed — is the critical first step in building an SSP.
Plan of Action and Milestones (POA&M)
For requirements that are not yet fully implemented, NIST 800-171 and CMMC 2.0 both permit the use of a Plan of Action and Milestones (POA&M) to document remediation timelines. A credible POA&M must identify the gap, assign an owner, identify resources required, and specify a realistic completion date. Under CMMC, a POA&M is not an indefinite to-do list — it must be closed out by a follow-on assessment within 180 days of the Conditional CMMC Status Date, or the Conditional Status expires and standard contractual remedies (including False Claims Act exposure) apply, leaving the contractor ineligible for new awards requiring that CMMC level (32 CFR 170.21).
Common Gaps: Access Control and Audit Logging
Assessment experience across the defense industrial base consistently surfaces the same high-frequency gaps. In the Access Control (AC) family, the most common failures are: lack of session lock implementation for workstations; absence of account management procedures for privileged accounts; remote access policies not enforcing MFA; and failure to limit system access to the types of transactions and functions authorized users are permitted to execute.
In the Audit and Accountability (AU) family, common failures are: systems not configured to generate required audit events; audit log retention falling short of the organization-defined period its CUI obligations demand (note that DFARS 252.204-7012(e) separately requires preserving system images and relevant monitoring data for at least 90 days after discovering a cyber incident); no process for reviewing audit logs; and audit records not protected from unauthorized access, modification, or deletion.
Using Nessus/Tenable for Automated Assessment
Tenable.sc and Tenable.io include audit file libraries specifically mapped to NIST 800-171 requirements. Running a Tenable scan with the NIST 800-171 audit file against in-scope systems will automatically identify configuration gaps — missing account lockout policies, audit logging configuration deficiencies, patch status, and encryption settings — and generate findings mapped to specific 800-171 requirement identifiers. This automated assessment data feeds directly into both the gap analysis and the SPRS score calculation.
Automated scanning is a starting point, not a complete assessment. Technical scanning does not capture administrative control gaps, policy documentation deficiencies, or physical security requirements. A complete NIST 800-171 gap assessment requires both automated scanning and structured interviews with system owners. Fortress MSSP conducts technical security assessments and provides virtual CISO services to help defense contractors build and maintain 800-171-compliant security programs. Contact us to begin your 800-171 gap assessment.