Tags: NIST 800-171 · CUI · US

NIST 800-171: Protecting Controlled Unclassified Information

9 June 2026·8 min read·Cyber Horizon Team

If your organisation handles Controlled Unclassified Information (CUI) on behalf of the US government, NIST SP 800-171 is the control set you’re measured against — and it’s the technical backbone of CMMC Level 2. Get it right and the rest of your federal-supply-chain obligations fall into place.

What it covers

800-171 defines 110 security requirements across 14 control families, spanning access control, identity, audit, configuration, incident response and more. The current revision streamlined and clarified the requirements while keeping the same broad structure.

Access Control

Who can reach CUI, and under what conditions.

Identification & Authentication

Unique identities and MFA for system access.

Audit & Accountability

Logs that let you reconstruct and attribute activity.

Configuration Management

Baselines, change control and least functionality.

Incident Response

Detect, report and respond to incidents involving CUI.

System & Communications Protection

Encryption in transit and at rest, boundary defence.

Only six of the 14 families are shown above; the remaining eight are Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, Maintenance, Awareness & Training, and System & Information Integrity.

The SPRS score

Compliance is quantified. Starting from 110, each unmet requirement subtracts a weighted value (1, 3 or 5 points), producing a score that can go negative. Defense contractors must post this score to the Supplier Performance Risk System (SPRS) — so a defensible, evidence-backed number matters.

Closing the gaps

  • Identify where CUI lives and flows, then minimise that footprint.
  • Assess against all 110 requirements and calculate your SPRS score.
  • Document a System Security Plan (SSP) — it is mandatory.
  • Track remaining gaps in a Plan of Action & Milestones (POA&M).
  • Automate evidence (MFA, logging, encryption, patching) so the score stays current.
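As an added worked example (not code from the original post or from Cyber Horizon), here is the SPRS arithmetic from the section above together with the "assess, score, track in a POA&M" steps, in Python. The requirement identifiers follow 800-171 numbering, but the weights and evidence paths in the sample are constructed for illustration; a real run would load all 110 requirements with their official weights from the DoD Assessment Methodology.

```python
from dataclasses import dataclass

MAX_SCORE = 110            # one point per requirement before deductions
VALID_WEIGHTS = {1, 3, 5}  # the three weights the DoD methodology uses

@dataclass(frozen=True)
class Requirement:
    req_id: str   # 800-171 identifier, e.g. "3.1.1"
    family: str   # control family the requirement belongs to
    weight: int   # points lost while the requirement is not implemented

@dataclass(frozen=True)
class Result:
    req_id: str
    implemented: bool
    evidence: str = ""   # where the supporting artefact lives, for the SSP

def sprs_score(catalogue, results):
    """Start at 110; subtract the weight of every unmet requirement."""
    # No recorded result counts as unmet, so only a full 110-entry catalogue gives a real score.
    status = {r.req_id: r for r in results}
    score = MAX_SCORE
    for req in catalogue:
        if req.weight not in VALID_WEIGHTS:
            raise ValueError(f"{req.req_id}: weight must be 1, 3 or 5")
        res = status.get(req.req_id)
        if res is None or not res.implemented:
            score -= req.weight
    return score   # goes negative once unmet weights exceed 110

def poam_items(catalogue, results):
    """Open items for the POA&M, heaviest first: closing those recovers the score fastest."""
    met = {r.req_id for r in results if r.implemented}
    open_items = [req for req in catalogue if req.req_id not in met]
    return sorted(open_items, key=lambda r: (-r.weight, r.req_id))

# Constructed excerpt with illustrative weights; a real run loads all 110 requirements.
CATALOGUE = [
    Requirement("3.1.1", "Access Control", 5),
    Requirement("3.4.1", "Configuration Management", 3),
    Requirement("3.5.3", "Identification & Authentication", 5),
    Requirement("3.6.1", "Incident Response", 3),
    Requirement("3.13.8", "System & Communications Protection", 1),
]
RESULTS = [
    Result("3.1.1", True, "ssp/access-control.md#3.1.1"),
    Result("3.4.1", False),
    Result("3.5.3", True, "idp/mfa-enforcement-report.csv"),
    Result("3.13.8", False),
]
```

With the sample above, 3.6.1 has no recorded result and is treated as unmet alongside the two explicit gaps, so the excerpt scores 103 and the POA&M lists the two 3-point items before the 1-point one.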

The bottom line

NIST 800-171 is the foundation of US supply-chain security and the heart of CMMC. Treat it as a continuous programme — scoped CUI, a living SSP, and automated evidence — and your SPRS score becomes something you can defend at any moment, not reconstruct under pressure.

Keep your 800-171 score audit-ready

Cyber Horizon tracks all 110 requirements, automates evidence collection, and maps 800-171 straight through to CMMC — so your SSP and SPRS posture stay current.
