← All guides
NIST · 12 min read · 2 July 2026

NIST 800-171 and CMMC 2.0: What DoD Contractors Need to Know About CUI Security in 2026

CMMC 2.0 is now embedded in DoD contracts. Any contractor handling Controlled Unclassified Information needs to meet NIST SP 800-171's 110 requirements and maintain a SPRS score. Here's what the requirements actually mean.

Why CMMC 2.0 matters more than it used to

For years, DoD contractors were required to self-attest NIST SP 800-171 compliance under DFARS 252.204-7012, but enforcement was limited. CMMC (Cybersecurity Maturity Model Certification) changes that: it requires third-party assessment for many contractors, and a false self-assessment or affirmation creates False Claims Act exposure (a civil penalty per false claim, adjusted annually for inflation and currently in the tens of thousands of dollars, plus treble damages, plus potential suspension or debarment).

CMMC 2.0 became effective on 16 December 2024 under the final programme rule at 32 CFR Part 170. The companion acquisition rule, DFARS 252.204-7021, now lets DoD write a CMMC level into new solicitations and contracts, phased in over three years. If you're pursuing or renewing a DoD contract that involves Controlled Unclassified Information (CUI), CMMC Level 2 is not optional.

What is Controlled Unclassified Information (CUI)?

CUI is unclassified information that requires safeguarding per law, regulation, or government-wide policy. It's different from classified information — it doesn't carry security clearance requirements — but it still requires documented security controls. CUI categories include:

  • Technical data: Engineering drawings, specifications, manufacturing data
  • Export-controlled information: EAR and ITAR-controlled technical data
  • Procurement-sensitive: Contractor proprietary data, contract pricing
  • Research and technology: R&D results, programme information
  • Privacy data: Personnel records, SSNs, security clearance information

If your DoD contract includes DFARS 252.204-7012 and you process, store, or transmit covered defense information under it, you're handling CUI and NIST SP 800-171 applies. The clause also flows down to any subcontractor that handles that information.

CMMC 2.0: three levels explained

Level    Name          Requirements                               What data?                          Assessment
Level 1  Foundational  15 (FAR 52.204-21)                         FCI (Federal Contract Information)  Annual self-assessment, SPRS upload
Level 2  Advanced      110 (NIST SP 800-171 Rev 2)                CUI                                 Triennial C3PAO assessment, or triennial self-assessment where the contract allows it, plus annual affirmation in SPRS
Level 3  Expert        110 + 24 selected from NIST SP 800-172     CUI on critical programmes          Level 2 C3PAO certification first, then a government-led assessment by DCMA DIBCAC

Most CUI-handling contractors fall under Level 2. For Level 2, whether you need a C3PAO (CMMC Third-Party Assessment Organisation) assessment or can self-assess is set per solicitation: prioritised acquisitions (critical programmes) require C3PAO certification; others may allow self-assessment with an SPRS upload and an annual affirmation by a senior company official.

The 14 NIST 800-171 security requirement families

NIST SP 800-171 Rev 2 contains 110 security requirements across 14 families. CMMC assesses against Rev 2: NIST published Rev 3 in 2024, but DoD issued a class deviation so that Rev 2 remains the baseline for DFARS 252.204-7012 and CMMC until DoD says otherwise. Here's what each family covers and the most common gaps:

Access Control (AC) — 22 requirements

The largest family. Covers limiting system access to authorised users, controlling the flow of CUI, separation of duties, remote access controls, wireless access, and connections to external systems. Most common gaps: shared accounts on CUI systems, no formal access reviews, remote access without MFA, split tunnelling on VPN.

Awareness and Training (AT) — 3 requirements

Security awareness training for all CUI personnel, role-based training for those with significant security responsibilities, and insider threat awareness. Most common gap: no documented training programme for CUI handlers specifically — general cybersecurity training isn't enough if it doesn't cover CUI handling procedures.

Audit and Accountability (AU) — 9 requirements

Creating, retaining, and protecting audit logs. Reviewing logs for anomalous activity. Keeping audit log capacity sufficient to avoid loss. Most common gaps: logs not retained for sufficient period, no regular log review process, logs stored on same system they monitor (no separation).

Configuration Management (CM) — 9 requirements

Baseline configurations, security hardening, deny-by-default, user-installed software controls. Most common gaps: no documented baseline configuration, default credentials not changed, no software allowlist for CUI systems.

Identification and Authentication (IA) — 11 requirements

Unique identifiers for all users, MFA, password complexity, authenticator management. The MFA requirement (3.5.3) is one of the most commonly cited gaps in DoD contractor assessments. Read it carefully: MFA is required for network access by every user, privileged or not, and for local as well as network access to privileged accounts. Enforcing it only on admin accounts, or only on the VPN, does not satisfy it.

Incident Response (IR) — 3 requirements

Incident-handling capability, tracking and reporting incidents, and testing the incident response capability. The reporting obligation that catches contractors off-guard is not in NIST 800-171 itself but in DFARS 252.204-7012(c): cyber incidents affecting covered defense information must be reported to DoD via DIBNet (dibnet.dod.mil) within 72 hours of discovery, and forensic images and relevant logs must be preserved for at least 90 days. Reporting requires a DoD-approved medium assurance certificate, which takes time to obtain, so get it before you need it. This is a contractual obligation with consequences for non-compliance, not DFARS posturing.

Maintenance (MA) — 6 requirements

Controlled maintenance, removal of CUI equipment for off-site maintenance, sanitisation before maintenance. Most relevant for physical hardware containing CUI — less commonly a gap for cloud-based systems.

Media Protection (MP) — 9 requirements

Protecting, sanitising, and destroying media containing CUI (both paper and digital). Sanitisation per NIST SP 800-88 is the accepted method, and it must be documented. Most common gap: portable media (USB drives, laptops) containing CUI without encryption, or disposal without documented sanitisation.

Personnel Security (PS) — 2 requirements

Pre-employment screening and ensuring CUI access is terminated immediately upon separation. The two requirements are simple but the second — immediate termination of CUI access — is frequently a gap for organisations with manual offboarding processes.

Physical Protection (PE) — 6 requirements

Physical access controls for CUI facilities, visitor management, monitoring physical access. Primarily relevant for on-premises systems — cloud-native organisations may have fewer gaps here, but still need to address physical workstation access in offices where CUI is processed.

Risk Assessment (RA) — 3 requirements

Periodic risk assessments (3.11.1), vulnerability scanning (3.11.2), and remediating the vulnerabilities found (3.11.3). The DoD assessment methodology weights these heavily: vulnerability scanning is a 5-point requirement and the periodic risk assessment is worth 3 points, so having no documented risk assessment and no scanning programme costs 8 points of your SPRS score on its own.

Security Assessment (CA) — 4 requirements

The two most important requirements here are the System Security Plan (SSP) (3.12.4) and the Plan of Action and Milestones (POA&M) (3.12.2). Neither document is uploaded to SPRS; what you upload is the score derived from them. The SSP is special: under the DoD assessment methodology, if there is no SSP the assessment cannot be conducted at all, so there is no score to report. Gaps identified in the SSP without a matching POA&M entry cost you the 3.12.2 deduction on top of the gaps themselves. Contractors who have never prepared an SSP cannot credibly self-attest CMMC Level 2.

System and Communications Protection (SC) — 16 requirements

Network boundary protection, CUI flow control, encryption in transit (3.13.8: TLS 1.2 or later with NIST-approved cipher suites), FIPS 140-2/3 validated cryptographic modules wherever cryptography protects CUI (3.13.11), and protecting the confidentiality of CUI at rest (3.13.16). In practice: CUI transmitted across any network you don't fully control must be encrypted, CUI stored on systems should be encrypted at rest, and the modules doing the encrypting must be FIPS-validated, not merely "FIPS-compliant". Note that 3.13.11 is one of the few requirements that gets partial credit: encryption that is in place but not FIPS-validated loses 3 points rather than 5.

System and Information Integrity (SI) — 7 requirements

Patch management, malicious code protection, security monitoring. Flaws must be identified, reported, and corrected in a documented, timely manner, with critical vulnerabilities patched first. Malicious code protection (3.14.2) must be deployed on all endpoints processing CUI; the requirement does not name EDR, but signature-only legacy AV is increasingly hard to defend to an assessor, and EDR is the practical way to satisfy the monitoring requirements (3.14.6, 3.14.7) at the same time.

The SPRS score: what it is and why it matters

The Supplier Performance Risk System (SPRS) is the DoD database where contractors record their NIST 800-171 assessment score, the date of the assessment, the scope (the systems the SSP covers), and the date by which full implementation is planned. Under the DoD assessment methodology, the score starts at 110 and a fixed deduction is taken for each requirement not implemented:

  • 5 points: the requirements whose absence creates the most exposure, for example MFA (3.5.3), FIPS-validated cryptography (3.13.11), incident handling and reporting (3.6.1, 3.6.2), and vulnerability scanning (3.11.2)
  • 3 points: high-impact requirements, such as the periodic risk assessment (3.11.1)
  • 1 point: everything else

Two requirements carry partial credit: MFA implemented for remote and privileged users but not general users costs 3 points instead of 5, and encryption that is in place but not FIPS-validated likewise costs 3. Because the deductions add up to more than 110, a contractor with many unmet requirements can have a negative score (the minimum is -203). DoD contracting officers can see your score. A score below 110 doesn't by itself disqualify you, but CMMC Level 2 sets hard limits on how far below you can be: conditional Level 2 status requires a score of at least 88 (80% of 110), every open item on the POA&M must be closed within 180 days, and the POA&M may only contain 1-point requirements, with two exceptions: 3.13.11 may be on it when encryption exists but isn't FIPS-validated, and a handful of 1-point requirements (3.1.20, 3.1.22, 3.10.3, 3.10.4, 3.10.5) may never be on it. A credible POA&M alongside an honest score demonstrates good faith; an inflated score does the opposite.
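The scoring rules above are mechanical enough to encode, and doing so makes the conditional-status trap visible: a respectable score can still be ineligible because of what sits on the POA&M. The calculator below is an added example written for this page, not DoD's or SPRS's own code. It applies the deductions from the DoD NIST SP 800-171 Assessment Methodology (110 minus each unmet requirement's weight, with the two partial-credit cases) and the POA&M limits in 32 CFR 170.21. The WEIGHTS table is a partial subset: unlisted requirements are assumed to be 1-point items for the example, and every value should be checked against the published methodology before you rely on it. The two scenarios are constructed, not real assessment data.

```python
"""SPRS score and CMMC Level 2 conditional-status calculator (added example)."""
from dataclasses import dataclass

TOTAL_REQUIREMENTS = 110
MAX_SCORE = 110

# Partial weight table: requirement id -> points deducted when not implemented.
# Requirements not listed are treated as 1-point items here (an assumption
# made for this example; look each one up in the published methodology).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5,       # limit system access / limit transaction types
    "3.5.3": 5,                    # multifactor authentication
    "3.6.1": 5, "3.6.2": 5,       # incident handling / incident reporting
    "3.11.1": 3, "3.11.2": 5,     # risk assessment / vulnerability scanning
    "3.11.3": 1,                   # remediate vulnerabilities
    "3.12.2": 1,                   # plan of action (POA&M)
    "3.13.11": 5,                  # FIPS-validated cryptography
    "3.14.1": 5, "3.14.2": 5,     # flaw remediation / malicious code protection
}

# Partial-credit cases the methodology defines explicitly.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote and privileged users, but not general users
    "3.13.11": 3,  # encryption in use, but not FIPS-validated
}

# One-point requirements that 32 CFR 170.21 still bars from a POA&M.
POAM_BARRED = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}

# The SSP requirement: without it the assessment cannot be performed at all.
SSP_REQUIREMENT = "3.12.4"


@dataclass(frozen=True)
class Finding:
    req: str               # NIST SP 800-171 requirement id, e.g. "3.5.3"
    partial: bool = False  # True only for the documented partial-credit cases


def weight(req: str) -> int:
    return WEIGHTS.get(req, 1)


def deduction(f: Finding) -> int:
    """Points removed for one unmet or partially met requirement."""
    if f.partial:
        if f.req not in PARTIAL_CREDIT:
            raise ValueError(f"{f.req} has no partial-credit rule")
        return PARTIAL_CREDIT[f.req]
    return weight(f.req)


def can_be_assessed(findings) -> bool:
    """No System Security Plan means no assessment, hence no score."""
    return all(f.req != SSP_REQUIREMENT for f in findings)


def sprs_score(findings) -> int:
    if not can_be_assessed(findings):
        raise ValueError("no SSP (3.12.4): assessment cannot be conducted")
    return MAX_SCORE - sum(deduction(f) for f in findings)


def poam_blockers(findings):
    """Findings that may not sit on a POA&M for conditional Level 2 status."""
    blockers = []
    for f in findings:
        if f.req in POAM_BARRED:
            blockers.append(f)
        elif f.req == "3.13.11":
            if not f.partial:  # allowed only when encryption exists but isn't FIPS-validated
                blockers.append(f)
        elif weight(f.req) > 1:
            blockers.append(f)
    return blockers


def conditional_level2_eligible(findings) -> bool:
    """32 CFR 170.21: score/110 >= 0.8 (i.e. >= 88) and nothing barred on the POA&M."""
    return (sprs_score(findings) / TOTAL_REQUIREMENTS >= 0.8
            and not poam_blockers(findings))


# Constructed scenarios (not real assessment data).
SCENARIO_A = [
    Finding("3.5.3", partial=True),    # MFA missing for general users   -3
    Finding("3.13.11", partial=True),  # non-FIPS encryption             -3
    Finding("3.11.1"),                 # no documented risk assessment   -3
    Finding("3.12.2"),                 # no POA&M                         -1
    Finding("3.10.4"),                 # no physical access logs          -1
]
SCENARIO_B = [
    Finding("3.13.11", partial=True),  # -3
    Finding("3.12.2"),                 # -1
    Finding("3.11.3"),                 # -1
]

if __name__ == "__main__":
    for name, s in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(name, "score:", sprs_score(s),
              "blockers:", [f.req for f in poam_blockers(s)],
              "conditional L2 eligible:", conditional_level2_eligible(s))
```

Scenario A scores 99, comfortably above 88, yet is ineligible for conditional status: the partial MFA gap and the missing risk assessment are multi-point requirements, and 3.10.4 is one of the barred 1-point items, so none of the three can be parked on a POA&M. Scenario B scores 105 with only 1-point items and the permitted 3.13.11 exception open, and qualifies.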

False Claims Act exposure arises when a contractor records an inaccurate SPRS score (claiming 110, or conditional eligibility, when actual implementation is far lower) and receives government contracts as a result. The Department of Justice has pursued and settled FCA cases based on misrepresented NIST 800-171 compliance, and whistleblowers inside the contractor are a common source of those cases.

NIST 800-171 and cloud services

If you use cloud services to process, store, or transmit CUI, those services must also be compliant. DFARS 252.204-7012(b)(2)(ii)(D) requires an external cloud service provider to meet the FedRAMP Moderate baseline (or a DoD-accepted equivalent) and to support the clause's incident reporting, image preservation, and forensic cooperation obligations. Common options:

  • AWS GovCloud (US): FedRAMP High authorised
  • Microsoft Azure Government: FedRAMP High authorised
  • Microsoft 365 GCC High: commonly used for CUI email and collaboration
  • Commercial clouds with FedRAMP Moderate authorisation: acceptable for CUI that carries no export-control restriction

Two checks matter more than the provider's marketing page. First, the authorisation is per service, not per vendor: confirm on the FedRAMP Marketplace that the specific services you use are inside a Moderate-or-higher authorisation boundary. Second, export-controlled CUI (ITAR/EAR) also requires that only US persons can access the data, including the provider's support staff, which is why GovCloud and GCC High exist and why standard commercial regions are usually the wrong place for it even where they hold a FedRAMP authorisation.

Getting started: priority order

  1. Scope your CUI environment: Identify all systems, people, and processes that handle CUI. Define the CUI boundary; everything outside it is out of scope, so enclaving CUI tightly shrinks the assessment.
  2. Conduct a NIST 800-171 gap assessment: Assess all 110 requirements against your current state. Use the NIST 800-171 / CMMC 2.0 Assessment Generator to structure the assessment.
  3. Write your SSP: Document your CUI system boundary, environment, and the implementation status of every requirement. Without it there is no assessment and no score.
  4. Write your POA&M: Document every gap with a remediation plan, timeline, and responsible person.
  5. Record your score in SPRS: Log in through PIEE (piee.eb.mil), open SPRS, and enter the assessment score, the assessment date, the SSP scope, and the planned date for full implementation. The SSP and POA&M themselves stay with you; they are what an assessor asks for.
  6. Remediate critical gaps: Focus on MFA, FIPS-validated encryption, incident response, and access control first, since these are the 5-point items that cannot sit on a POA&M.
  7. Prepare for C3PAO (if required): If your contract requires a third-party assessment, engage an authorised C3PAO from the Cyber AB Marketplace (cyberab.org).

The NIST 800-171 assessment covers 35 of the highest-impact requirements across all 14 families — use the free NIST 800-171 / CMMC 2.0 Assessment Generator to get your readiness score, SSP framework, and pre-populated POA&M. For general information security documentation, see the Information Security Policy Generator and Incident Response Plan Generator.