
NIST SP 800-171 - Protecting Controlled Unclassified Information for DoD Contractors

A complete guide to NIST SP 800-171 Rev 2: the 110 security requirements for protecting CUI in non-federal systems, how they map to CMMC, the self-assessment and SPRS scoring process, and how to close gaps before your next DoD contract. (Rev 3, published in 2024, restructures the catalogue into 97 requirements across 17 families, but DoD contracts and CMMC continue to point at Rev 2 under a DFARS class deviation, so Rev 2 is the version assessed here.)


NIST SP 800-171: Protecting CUI and Winning DoD Contracts

If your organisation holds, processes, or transmits Controlled Unclassified Information (CUI) for the Department of Defense, NIST SP 800-171 compliance is not optional: DFARS clause 252.204-7012 makes it a contractual requirement, and it is the foundation of the CMMC (Cybersecurity Maturity Model Certification) framework. Other federal agencies rely on the same NIST requirements for CUI in contractor systems under the government-wide CUI programme (32 CFR Part 2002). Non-compliance risks contract termination, False Claims Act liability, and exclusion from future federal contracting opportunities.


What Is CUI and Why Does It Matter?

Controlled Unclassified Information (CUI) is information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits safeguarding and dissemination controls.

CUI categories relevant to DoD contractors include: Controlled Technical Information (technical drawings, specifications, and other engineering data), export-controlled information (EAR, ITAR), law enforcement sensitive information, privacy-protected personal information, proprietary business information used in government contracts, and defence-related research and development information.

If your DoD contracts include DFARS clause 252.204-7012, you are required to implement the security requirements in NIST SP 800-171 on any non-federal system that processes, stores, or transmits CUI.

The 110 Requirements Across 14 Families

SP 800-171 Rev 2 organises its 110 requirements into 14 families, taken from the FIPS 200 / SP 800-53 control families (Contingency Planning, Planning, and System and Services Acquisition are the three families not carried over):

Access Control (3.1): 22 requirements — user access, remote access, wireless access, mobile devices, separation of duties, least privilege.

Awareness and Training (3.2): 3 requirements — security awareness training, role-based training, insider threat awareness.

Audit and Accountability (3.3): 9 requirements — audit records, review and analysis, protection of audit information.

Configuration Management (3.4): 9 requirements — baseline configurations, configuration change control, security settings, software installation restrictions.

Identification and Authentication (3.5): 11 requirements — identification, authentication, multi-factor authentication, password management.

Incident Response (3.6): 3 requirements — incident handling capability, incident tracking and reporting, testing the response capability. DFARS 252.204-7012 adds a 72-hour deadline for reporting cyber incidents that affect covered systems to DoD.

Maintenance (3.7): 6 requirements — controlled maintenance, maintenance tools, remote maintenance.

Media Protection (3.8): 9 requirements — media access, sanitisation, transport, media use controls.

Personnel Security (3.9): 2 requirements — screening, termination and transfer.

Physical Protection (3.10): 6 requirements — physical access, managing visitors, protecting assets.

Risk Assessment (3.11): 3 requirements — risk assessments, vulnerability scanning.

Security Assessment (3.12): 4 requirements — periodic control assessments, POA&M, ongoing monitoring of control effectiveness, system security plans.

System and Communications Protection (3.13): 16 requirements — boundary protection, FIPS-validated cryptography for CUI in transit and at rest, network segmentation, session protection.

System and Information Integrity (3.14): 7 requirements — flaw remediation, malware protection, security alerts, software integrity.

The Self-Assessment and SPRS Score

Contractors must score their implementation using the NIST SP 800-171 DoD Assessment Methodology at the Basic level (a self-assessment; Medium and High assessments are conducted by DoD's DIBCAC) and post the result in the Supplier Performance Risk System (SPRS). The scoring works as follows:

  • Starting score: 110 points, one per requirement
  • Each requirement that is not implemented, including any still open on the POA&M, deducts its weight of 1, 3 or 5 points, depending on how much its absence exposes CUI
  • Two requirements earn partial credit: MFA (3.5.3) deducts 3 instead of 5 if it covers privileged and remote users but not general users, and cryptography (3.13.11) deducts 3 instead of 5 if encryption is in use but not FIPS-validated
  • A system security plan (3.12.4) is a precondition: without one the assessment cannot be completed and no score can be reported
  • Maximum score: 110 (all requirements implemented)
  • Minimum score: -203 (no requirements implemented; the weights total 313)

DoD contracts may specify a minimum SPRS score as a contract requirement. A score of 110 means full implementation; any lower score requires a Plan of Action and Milestones (POA&M) documenting how and when each open requirement will be closed. Under DFARS 252.204-7019 the score posted in SPRS must be current (no older than three years) and tied to the system security plan it was assessed against, and under 252.204-7020 the contractor must give DoD access to perform a Medium or High assessment if one is required.
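The scoring rules above are simple enough to encode, and doing so catches the two mistakes that most often inflate a self-reported score: counting a POA&M item as implemented, and claiming partial credit on a requirement that has none. The following is an added example written for this article, not Savadub's tooling and not the official DoD scoring sheet. The weight table is a constructed subset of the real one; the authoritative 1/3/5 weights for all 110 requirements are in Annex A of the DoD Assessment Methodology and must be used for a reportable score.

```python
"""SPRS score calculator for a NIST SP 800-171 Basic (self) assessment.

Added example; not Savadub's tooling and not the official DoD scoring sheet.
The weight table below is a constructed subset: the authoritative weights
(1, 3 or 5 points for each of the 110 requirements, 313 points in total) are
in Annex A of the NIST SP 800-171 DoD Assessment Methodology.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Mapping, Optional

START_SCORE = 110
MIN_SCORE = 110 - 313  # -203: every requirement unimplemented


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"  # anything still open on the POA&M counts here
    PARTIAL = "partial"                  # only 3.5.3 and 3.13.11 earn partial credit


@dataclass(frozen=True)
class Requirement:
    req_id: str
    weight: int                           # full deduction when not implemented
    partial_weight: Optional[int] = None  # reduced deduction, where the methodology allows one


# Constructed subset for illustration (assumed values; check Annex A before relying on them).
WEIGHTS: Dict[str, Requirement] = {
    "3.1.1": Requirement("3.1.1", 5),      # limit system access to authorised users
    "3.1.3": Requirement("3.1.3", 1),      # control the flow of CUI
    "3.1.19": Requirement("3.1.19", 3),    # encrypt CUI on mobile devices
    "3.3.3": Requirement("3.3.3", 1),      # review and update logged events
    "3.5.3": Requirement("3.5.3", 5, partial_weight=3),      # MFA only for privileged/remote users: 3
    "3.13.11": Requirement("3.13.11", 5, partial_weight=3),  # crypto in use but not FIPS-validated: 3
    "3.14.1": Requirement("3.14.1", 5),    # identify, report and correct flaws
}
SSP_REQUIREMENT = "3.12.4"  # without a system security plan the assessment cannot be completed


class NoSystemSecurityPlan(Exception):
    """Raised when 3.12.4 is not met: the methodology yields no score at all."""


def sprs_score(assessment: Mapping[str, Status],
               weights: Mapping[str, Requirement] = WEIGHTS) -> int:
    """Return the SPRS score for an assessment mapping requirement id -> Status.

    A requirement absent from the assessment is treated as not implemented:
    an unassessed requirement earns no credit.
    """
    if assessment.get(SSP_REQUIREMENT) is not Status.IMPLEMENTED:
        raise NoSystemSecurityPlan("3.12.4 (system security plan) is not in place")
    unknown = set(assessment) - set(weights) - {SSP_REQUIREMENT}
    if unknown:
        raise KeyError(f"unknown requirement ids: {sorted(unknown)}")
    deduction = 0
    for req_id, req in weights.items():
        status = assessment.get(req_id, Status.NOT_IMPLEMENTED)
        if status is Status.IMPLEMENTED:
            continue
        if status is Status.PARTIAL:
            if req.partial_weight is None:
                raise ValueError(f"{req_id} has no partial credit; score it as not implemented")
            deduction += req.partial_weight
        else:
            deduction += req.weight
    return max(START_SCORE - deduction, MIN_SCORE)


def poam_required(score: int) -> bool:
    """Anything short of 110 needs a Plan of Action and Milestones."""
    return score < START_SCORE


if __name__ == "__main__":
    # Constructed assessment: MFA rolled out to admins only, TLS on but not
    # FIPS-validated, log review not yet happening, everything else done.
    sample = {req_id: Status.IMPLEMENTED for req_id in WEIGHTS}
    sample[SSP_REQUIREMENT] = Status.IMPLEMENTED
    sample["3.5.3"] = Status.PARTIAL
    sample["3.13.11"] = Status.PARTIAL
    sample["3.3.3"] = Status.NOT_IMPLEMENTED
    score = sprs_score(sample)
    print(f"SPRS score: {score}, POA&M required: {poam_required(score)}")
```

Two design choices matter for an honest score: a requirement the assessor forgot to record is deducted in full rather than silently credited, and a missing SSP stops the calculation instead of producing a number, because the methodology does not allow a score to be reported without one.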

The stakes have increased significantly: CMMC 2.0 requires a third-party (C3PAO) assessment of the same 110 requirements for many Level 2 contracts, and the Department of Justice has pursued False Claims Act cases against contractors that represented SP 800-171 compliance they did not have.

CMMC 2.0 and SP 800-171: The Connection

CMMC 2.0 is built directly on SP 800-171:

CMMC Level 1 (Foundational): the 15 basic safeguarding requirements of FAR 52.204-21, which protect Federal Contract Information (FCI) rather than CUI and correspond to a subset of SP 800-171 requirements. Annual self-assessment with an affirmation by a senior company official.

CMMC Level 2 (Advanced): all 110 SP 800-171 Rev 2 requirements. Two variants exist: a triennial self-assessment with annual affirmation for some contracts, and a triennial C3PAO certification assessment for contracts involving more critical CUI, which DoD expects to be the majority of Level 2 awards.

CMMC Level 3 (Expert): the 110 SP 800-171 requirements plus 24 selected requirements from SP 800-172. Requires a current Level 2 C3PAO certification first and is assessed by the government through DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

If you handle CUI on DoD contracts today, achieving full SP 800-171 compliance and a high SPRS score is your most important step toward CMMC Level 2 certification — they are the same 110 requirements.

Why Organisations Choose Savadub

Deep GRC Expertise

Our team holds practitioner-level expertise across every major compliance framework — not just theoretical knowledge, but hands-on implementation experience across multiple industries and organisation sizes.

Engineers, Not Just Consultants

We implement controls, not just recommend them. Our GRC engineers configure the systems, write the integrations, and build the monitoring pipelines that make compliance operational.

Global and African Regulatory Coverage

We understand both the global frameworks and the African regulatory environment — NDPR, NDPA, CBN directives, NITDA guidelines, and regional data protection laws — making us uniquely positioned for organisations operating across Africa and internationally.

Internal and External Audit Capability

We provide both embedded internal audit functions and independent third-party audit support, including CPA-accredited audit coordination for SOC examinations.

End-to-End Engagement

From initial gap assessment through certification, continuous monitoring, and ongoing compliance management — we are your long-term GRC partner, not a one-time consultant.

Industries We Serve

Financial Services · Healthcare · Technology & SaaS · Manufacturing · Logistics & Trade · Government & Public Sector · Energy & Critical Infrastructure · Education & EdTech · Media & Broadcasting · Retail & E-Commerce · Professional Services · Food & Beverage

Deliverables You Receive

Working with Savadub, every engagement delivers a concrete set of outputs:

  • Gap Assessment Report — prioritised findings with effort estimates and risk ratings
  • Compliance Roadmap — milestone-based plan from current state to certification or attestation
  • Risk Register — organisational risk register with treatment plans
  • Policy Pack — all required policies authored, reviewed, and approved
  • Technical Control Implementation Evidence — configurations, screenshots, and audit trails
  • Internal Audit Report — independent assessment of control effectiveness
  • Audit Evidence Repository — organised, auditor-ready evidence collection
  • Executive Summary Presentation — board and leadership-ready compliance status
  • Remediation Tracker — structured tracking of open findings and closure evidence
  • Continuous Monitoring Setup — ongoing CCM pipeline for post-certification compliance

Get Started with Savadub

Savadub's GRC practice combines deep compliance expertise with technical engineering capability. We don't just advise — we build, implement, and operate your compliance program from the ground up.

Book a free GRC consultation with our team. We will review your current posture, identify your most critical gaps, and give you a clear, costed roadmap to compliance.

Contact us:

  • Email: grc@savadub.com
  • Phone: +234 816 734 2201
  • WhatsApp: +234 903 234 8435
  • Website: www.savadub.com
