NIST SP 800-171, explained

The standard behind CMMC Level 2, in plain English: what it is, the 14 requirement families and 110 requirements, Revision 2 versus Revision 3, how it relates to CMMC and DFARS, and the self assessment that produces your SPRS score.

Last updated July 5, 2026 · Primary sources cited
110 security requirements (Rev 2)
14 requirement families
320 assessment objectives (800-171A)
110 is a perfect DoD assessment score

What NIST 800-171 is, in one paragraph

NIST Special Publication 800-171 is the federal standard for protecting Controlled Unclassified Information when it lives on a system the government does not own (in other words, on a contractor's own laptops, servers, and cloud accounts). It defines 110 security requirements across 14 families. For a defense contractor it is not optional reading: it is required by DFARS 252.204-7012 and it is the entire security substance of CMMC Level 2.

Revision 2 vs Revision 3

Revision 2 (2020) is what CMMC Level 2 references today: 110 requirements across 14 families. Revision 3 (2024) reorganizes and updates the controls and introduces organization-defined parameters: values you set for things like password length or review frequency. Until the CMMC program formally adopts Revision 3, you assess against Revision 2. Do not rebuild your program around Revision 3 before the rule points to it.

NIST 800-171 vs CMMC

They are not competitors; they are two halves of one thing. NIST 800-171 is the standard: the 110 requirements. CMMC is the program that verifies you meet it, adding a scored self assessment for many contracts and a C3PAO certification for others. Satisfy 800-171 and you satisfy CMMC Level 2.

The self assessment and your SPRS score

Under DFARS 252.204-7019 and 7020, contractors score themselves against the 110 requirements using the DoD Assessment Methodology and post the result to SPRS. The method starts at 110 and subtracts 1, 3, or 5 points per requirement not met, so a low or negative score is common at first. CMMC Level 2 formalizes and verifies that same assessment.

Turn 800-171 into a filed score

The Level 2 Accelerator walks all 110 requirements with you, runs your live score, generates your SSP and POA&M, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

NIST 800-171 questions, answered

What is NIST SP 800-171?

NIST Special Publication 800-171 is the U.S. standard for protecting Controlled Unclassified Information (CUI) on nonfederal systems. It defines 110 security requirements across 14 families, assessed against 320 objectives in its companion publication NIST SP 800-171A. For defense contractors it is the substance of CMMC Level 2 and is required by DFARS 252.204-7012.

How many requirements are in NIST 800-171?

NIST SP 800-171 Revision 2 has 110 security requirements, organized into 14 families from Access Control to System and Information Integrity. Each is scored in the CMMC Level 2 assessment, and together they define what protecting CUI actually means in practice.

What is the difference between NIST 800-171 and CMMC?

NIST SP 800-171 is the security standard; CMMC is the program that verifies you meet it. CMMC Level 2 is built directly on the 110 requirements of 800-171, and adds an assessment and certification structure: a self assessment for many contracts, or a C3PAO assessment for others. Meeting 800-171 is how you satisfy CMMC Level 2.

What is the difference between NIST 800-171 Rev 2 and Rev 3?

Revision 2 (2020) is the version CMMC Level 2 currently references: 110 requirements across 14 families. Revision 3 (2024) reorganizes and updates the controls, introduces organization-defined parameters, and changes the count and structure. Until the CMMC program formally adopts Revision 3, contractors assess against Revision 2.

What is a NIST 800-171 self assessment?

A NIST 800-171 self assessment is a contractor's own review of how it meets the 110 requirements, scored using the DoD Assessment Methodology and posted to SPRS. Under DFARS 252.204-7019 and 7020, a current self assessment score in SPRS has been required to be eligible for many DoD awards; CMMC Level 2 formalizes and verifies that assessment.

How is a NIST 800-171 score calculated?

The DoD Assessment Methodology starts at 110 and subtracts points for each requirement not met (1, 3, or 5, depending on its impact), which can drive the score below zero. The same weighting underlies the CMMC Level 2 score, where 110 is a perfect result and 88 or better can support conditional status if the remaining gaps are POA&M eligible.

Sources: NIST SP 800-171 r2 · NIST SP 800-171A · NIST SP 800-171 r3 · DFARS 252.204-7012 / 7019 / 7020 · 32 CFR § 170.24.