NIST SP 800-171, all 110 controls.

The Department of Commerce framework for protecting Controlled Unclassified Information in non-federal systems. The control catalog underneath CMMC Level 2 and DFARS 252.204-7012.

What 800-171 actually requires.

NIST SP 800-171 specifies 110 security requirements organized into 14 control families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

The current revision is Rev. 3 (published 2024), though Rev. 2 remains in many active contract clauses. We track which revision your contracts reference and align controls accordingly.

Compliance is documented in two artifacts: a System Security Plan (SSP) describing how each control is implemented, and a Plan of Action & Milestones (POA&M) listing any gaps with target close dates. Self-attestation has historically been allowed; CMMC 2.0 brings third-party assessment for most contractors at Level 2.

Who has to comply.

Anyone handling CUI in non-federal information systems. Concretely:

What we implement.

The 110 controls collapse into roughly seven operational themes for an MSP-run engagement. Each card below names the control families it covers.

Access control and identification

MFA, role-based access, joiner/mover/leaver, privileged account isolation. Covers AC and IA families.

Configuration and change

Baselined configurations, change tickets, hardening benchmarks, periodic audits. Covers the CM family.

Audit logging and monitoring

Centralized log collection, SIEM tuning, alerting, retention windows. Covers AU and SI families.

Incident response

Documented runbooks, tested annually, with DFARS 72-hour breach reporting integrated. Covers the IR family.

System and communications

Network segmentation, FIPS-validated cryptography, boundary controls. Covers the SC family.

Risk and assessment

Annual risk assessment, continuous monitoring program, internal control testing. Covers CA and RA families.

SSP and POA&M

Living SSP that reflects current state. POA&M with realistic close dates. SPRS score that holds up.

Vendor and supply chain

Subcontractor inventory, flow-down tracking, periodic vendor assessment.

Who owns what.

On us

  • Implementation and operation of all 110 controls
  • SSP and POA&M drafting and maintenance
  • SPRS score calculation and submission support
  • Continuous monitoring across CUI systems
  • Coordination with a C3PAO during CMMC assessment
  • Evidence collection across the contract period

On you

  • Identification of which contracts carry 800-171 requirements
  • Executive sponsor and program manager
  • Final SSP approval and assessment signoffs
  • CUI marking and handling training for staff
  • Subcontractor management
  • Incident reporting to the contracting agency

Common pitfalls we see.

POA&M items with no realistic end dates.

An assessor reading your POA&M wants to see plans, not aspirations. Items dated "TBD" or "in progress for 18 months" undermine the whole document. We set, track, and close milestones.

SPRS score that doesn't match the SSP.

Self-attesting to a perfect 110 when the SSP describes partial implementations creates an honesty gap. We score conservatively and document carefully.

Cloud services without FedRAMP Moderate equivalency.

If your CUI lives in a non-government cloud, DFARS requires FedRAMP Moderate equivalency. Most general-purpose Microsoft 365 and AWS deployments don't qualify. We help move CUI to GCC High or AWS GovCloud when applicable.

Treating 800-171 as point-in-time.

Compliance is continuous. A control that worked in March and broke in May is non-compliant in May. We instrument operational evidence so drift gets caught, not deferred to the next audit.

Related frameworks.

Tightly bound to these.

Schedule a call

Let's talk for 30 minutes.
No slides.

Bring a recent DFARS clause, your current SSP, or a SPRS score you're not sure you can defend. We'll come back with a written gap analysis, and what it would cost to close it.

  • 30-min discovery, no slide deck
  • Free written assessment, yours to keep
  • A clear proposal, no pressure

Or call us directly: 904-639-0003