If your organization works with the federal government—or even just partners with a federal contractor—chances are you’ve encountered the term NIST 800-171. But what is it exactly, why does it matter in 2025, and what should you be doing now to align with it?
At Internetwork Engineering, a Presidio company, we work with IT managers and CISOs who navigate this framework daily—especially those responsible for protecting Controlled Unclassified Information (CUI). Whether you’re pursuing a Department of Defense (DoD) contract or supporting a federal partner, NIST 800-171 compliance is more than a checkbox—it’s a strategic requirement.
Published by the National Institute of Standards and Technology (NIST), Special Publication 800-171 outlines security requirements for non-federal systems that store, process, or transmit CUI.
In simple terms: if your organization handles sensitive but unclassified federal data, you must meet these controls to stay compliant.
You must comply with NIST 800-171 if your organization:
Compliance is often a contractual requirement, and failure to meet it could result in disqualification from bidding or loss of current contracts.
The framework includes 110 controls grouped into 14 control families. Here are some of the most critical domains CISOs and IT leaders should focus on:
Access Control: Limit access to systems and data based on role and necessity. This includes implementing multi-factor authentication (MFA) and restricting privilege escalation.
Audit and Accountability: Generate logs and monitor access to systems handling CUI. Logs must be protected, retained, and reviewed regularly to identify potential incidents.
Configuration Management: Establish and enforce secure system configurations. Prevent unauthorized changes and ensure patch management processes are in place.
Incident Response: Develop and test your incident response plan. You must detect, report, and respond to security events involving CUI.
System and Communications Protection: Encrypt CUI in transit and at rest. Secure communication channels and limit unnecessary data exposure.
Pro tip: Don’t treat all 110 controls equally. Focus first on the “CMMC Level 2-aligned” subset if you’re preparing for CMMC 2.0 certification.
As of 2025, here are key updates and implications that organizations must be aware of:
1. CMMC 2.0 Alignment
CMMC 2.0 now maps directly to NIST 800-171. If you're aiming for CMMC Level 2, you must implement and document all 110 NIST 800-171 controls.
Reminder: The DoD is expected to start including CMMC 2.0 requirements in contracts in 2025. The clock is ticking.
2. Increased Enforcement via SPRS
Federal agencies are increasingly using the Supplier Performance Risk System (SPRS) to track self-assessments and scores. Low scores may flag you for contract reviews or exclusions.
3. Third-Party Validation
While self-assessments were once acceptable, organizations working with more sensitive CUI or under DoD contracts may require independent assessments to verify implementation.
Failing to meet NIST 800-171 puts your contracts—and your reputation—at risk.
That’s why NIST 800-171 should be viewed as part of your broader risk management and cybersecurity strategy—not just a compliance checklist.
At IE, we’ve helped organizations of all sizes build, document, and implement NIST 800-171-aligned security programs. Our approach is practical, tailored, and scalable, built to help you protect CUI while keeping your operations running smoothly.
Here’s how we support our clients:
We evaluate your current cybersecurity posture against the 14 control families to pinpoint compliance gaps.
We provide a prioritized action plan to implement necessary controls efficiently based on your risk, budget, and contract timelines.
We help integrate critical controls like multi-factor authentication, endpoint protection, logging, and secure configurations—using tools like Duo and SentinelOne.
Compliance isn’t just about tools. We help build the documentation needed for audits and RPO (Registered Practitioner Organization) verification.
NIST 800-171 compliance isn’t just a requirement—it’s a strategic necessity for protecting your place in the federal ecosystem.
Note: We anticipate that in July 2025, the 48 CFR rule will be released, along with Phase 1, which will require self-assessment scores to be submitted to SPRS.
And while 110 controls may seem daunting, the right partner can help you break the process down, focus on priorities, and build a defensible, resilient cybersecurity program.
Whether you’re starting your compliance journey or preparing for a CMMC audit, Internetwork Engineering, a Presidio company, is here to help.
Contact Internetwork Engineering, a Presidio company, today to schedule a gap assessment or compliance consultation.