
NIST SP 800-171 Rev 2


Accuracy commitment
Every regulatory reference on this page links to the official source document. If you find an error, email [email protected].

What it is

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. NIST SP 800-171 Rev 2 defines 110 security requirements across 14 practice families that nonfederal organizations must implement to protect CUI.

Source: NIST SP 800-171 Rev 2

Who must comply

DoD contractors and subcontractors who handle CUI under contracts containing DFARS 252.204-7012.

Source: DFARS 252.204-7012

The 14 Practice Families

Family | Name                                   | Practices
AC     | Access Control                         | 22
AT     | Awareness and Training                 | 3
AU     | Audit and Accountability               | 9
CA     | Security Assessment                    | 4
CM     | Configuration Management               | 9
IA     | Identification and Authentication      | 11
IR     | Incident Response                      | 3
MA     | Maintenance                            | 6
MP     | Media Protection                       | 9
PE     | Physical Protection                    | 6
PS     | Personnel Security                     | 2
RA     | Risk Assessment                        | 3
SC     | System and Communications Protection   | 16
SI     | System and Information Integrity       | 7
Total  |                                        | 110

Source: NIST SP 800-171 Rev 2, Table 1

SPRS Scoring

The DoD Assessment Methodology assigns a weighted point value to each of the 110 practices. The maximum score is +110 (all practices implemented). Unimplemented practices reduce the score, with the minimum possible score being -203.

Score formula: Start at +110. For each unimplemented practice, subtract its weighted value (varies by practice, 1–5 points). The resulting score is entered into SPRS.

Prime contractor minimum: Many DoD solicitations require a minimum SPRS score of 88 for bid eligibility. This is not a regulatory floor — it is a solicitation-level requirement that varies by program.

Source: DoD NIST SP 800-171 Assessment Methodology v1.2.1
SPRS portal: sprs.csd.disa.mil

⚠️ The NIST SP 800-171 Rev 2 assessment must be based on actual system evidence. Self-assessments submitted to SPRS are subject to review under the False Claims Act (FCA) if they overstate implementation.

Practice family depth

The 14 families vary significantly in implementation complexity. The most complex for digital-native organizations:

Access Control (AC) — 22 practices

AC is the family with the most practices and generates the most CMMC and 800-171 findings. Key requirements:

  • AC.1.001: Limit system access to authorized users, processes, and devices — requires active account management and periodic access reviews
  • AC.2.007: Employ the principle of least privilege — requires role-based access with documented justification for privileged access
  • AC.3.012: Protect wireless access using authentication and encryption — requires WPA3 or equivalent with certificate-based authentication for enterprise Wi-Fi
  • AC.3.017: Separate the duties of individuals to reduce the risk of malevolent activity — requires role separation in configuration management, access administration, and audit review

System and Communications Protection (SC) — 16 practices

SC addresses network security and encryption. Common gaps:

  • SC.3.177: Employ FIPS-validated cryptography — requires cryptographic modules that are explicitly FIPS 140-2 or 140-3 validated; using a FIPS-approved algorithm such as AES-256 in an unvalidated module does not satisfy it
  • SC.3.183: Deny network communications traffic by default — requires default-deny posture on all network boundaries
  • SC.3.187: Establish and manage cryptographic keys — requires documented key management practices with rotation schedules

Audit and Accountability (AU) — 9 practices

AU is frequently under-implemented in organizations that have logging but not systematic audit review:

  • AU.2.041: Ensure that the actions of individual users can be uniquely traced — shared accounts violate this requirement
  • AU.3.045: Review and update logged events — requires documented annual review of the audit event list
  • AU.3.046: Alert in the event of an audit logging process failure — requires monitoring of the audit subsystem itself

SPRS scoring in detail

The DoD Assessment Methodology assigns specific point weights to each practice. Not all practices are weighted equally — the weighting reflects the DoD's assessment of each practice's risk impact.

High-value practices (5 points each, typically):

  • Multi-factor authentication for privileged accounts (IA.3.083)
  • Employ FIPS-validated cryptography (SC.3.177)
  • Perform periodic risk assessments (RA.2.141)
  • Monitor the information system for indicators of compromise (SI.3.219)

Standard practices (1–3 points): Most of the 110 practices fall in the 1–3 point range.

Score reporting requirements:

Requirement     | Detail
When to submit  | Within 30 days of completing an assessment
What to submit  | The total score, system name, assessment date, CAGE code
Where to submit | SPRS portal
Frequency       | After each assessment; annually at minimum for self-assessments
Who can submit  | Company official with SPRS access; submission is a legal attestation

Source: DFARS 252.204-7021(c)

Relationship to CMMC Level 2

CMMC Level 2 requires implementation of all 110 practices from NIST SP 800-171 Rev 2. The practices are identical — CMMC Level 2 is the certification mechanism that verifies their implementation.

The difference between a NIST 800-171 self-assessment and a CMMC Level 2 C3PAO assessment is not in the requirements but in the rigor and independence of the verification. Self-assessments are accepted for non-critical programs; C3PAO assessments are required for critical CUI programs.

Source: CMMC Model v2.0, Level 2

Assessment methodology

The DoD Assessment Methodology defines three types of assessment:

Assessment Type | Who conducts               | SPRS score type
Basic           | Contractor self-assessment | Self-assessment score
Medium          | DoD/agency-led (DIBCAC)    | Government-led score
High            | DIBCAC on-site             | Government-led score

Self-assessments use the same methodology: for each of the 110 practices, the contractor determines whether the practice is fully implemented, partially implemented, or not implemented. Partially implemented practices do not receive credit — only full implementation counts.

⚠️ The phrase "partially implemented" has legal significance under the Assessment Methodology. A practice must meet all objective evaluation criteria in the methodology to receive credit. Claiming a practice is implemented based on plans or partial controls that do not meet the full criteria is a common source of False Claims Act exposure.

Preparing for assessment

The DoD Assessment Methodology includes Objective Evaluation Criteria for each of the 110 practices. These are the specific questions an assessor will ask and the evidence they will request. Before conducting a self-assessment or submitting to SPRS, organizations should:

  1. Map evidence. For each practice, identify the artifact that proves implementation (policy document, configuration screenshot, scan result, tool output).
  2. Identify gaps. Practices with no evidence are almost certainly not implemented. Document them in a POA&M.
  3. Remediate gaps. Use REAEGIS to prioritize by SPRS point value — address highest-value practices first.
  4. Sign and submit. A company official must attest the accuracy of the score in SPRS.
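The score formula above (start at +110, deduct each unimplemented practice's weight, no credit for partial implementation) and the "highest-value practices first" remediation step, worked as a small calculator. This is an added example, not REAEGIS code: the 5-point weights follow the high-value list on this page, the 3- and 1-point weights and the practice statuses are constructed sample values, and the 110-practice total is padded with placeholder entries.

```python
from dataclasses import dataclass
MAX_SCORE = 110    # every one of the 110 practices fully implemented
MIN_SCORE = -203   # floor stated by the DoD Assessment Methodology

@dataclass(frozen=True)
class Practice:
    pid: str      # identifier as written on this page, e.g. "IA.3.083"
    weight: int   # SPRS points deducted when the practice is not fully implemented
    status: str   # "implemented", "partial" or "not_implemented"

def sprs_score(practices: list[Practice]) -> int:
    """Start at +110 and subtract the weight of every practice that is not fully
    implemented; "partial" earns no credit, so it is deducted like "not_implemented"."""
    if len(practices) != 110:
        raise ValueError("a Rev 2 assessment covers exactly 110 practices")
    score = MAX_SCORE - sum(p.weight for p in practices if p.status != "implemented")
    if score < MIN_SCORE:
        raise ValueError("below the -203 floor: a weight must be wrong")
    return score

def remediation_path(practices: list[Practice], target: int = 88) -> list[str]:
    """Gap-to-target plan: close the heaviest open practices first and stop once the
    projected score reaches the target (88 is a solicitation minimum, not a floor)."""
    score = sprs_score(practices)
    open_items = sorted((p for p in practices if p.status != "implemented"),
                        key=lambda p: (-p.weight, p.pid))
    plan = []
    for p in open_items:
        if score >= target:
            break
        plan.append(p.pid)
        score += p.weight
    return plan

# Constructed sample assessment, not real data. The 5-point weights follow the
# high-value list on this page; the 3- and 1-point weights are sample values.
SAMPLE = [
    Practice("IA.3.083", 5, "not_implemented"),  # MFA for privileged accounts
    Practice("SC.3.177", 5, "partial"),          # FIPS crypto only on some systems
    Practice("RA.2.141", 5, "implemented"),
    Practice("SI.3.219", 5, "not_implemented"),
    Practice("AC.2.007", 3, "partial"),
    Practice("AC.3.012", 3, "not_implemented"),
    Practice("SC.3.183", 3, "not_implemented"),
    Practice("AU.2.041", 3, "not_implemented"),  # shared accounts still in use
    Practice("AU.3.046", 1, "not_implemented"),
    Practice("AU.3.045", 1, "implemented"),
]
# The remaining practices stand in as fully implemented 1-point items to reach 110.
SAMPLE += [Practice(f"FILLER-{i:03d}", 1, "implemented") for i in range(110 - len(SAMPLE))]
```

With this sample the score is 82, and the two 5-point practices IA.3.083 and SC.3.177 are the shortest path back above 88; note that SC.3.177 counts as a full deduction despite being partially implemented.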

How REAEGIS Supports NIST 800-171 Rev 2

Capability              | Description
110-practice catalog    | Full catalog with implementation status, narrative, and evidence per practice
SPRS Score Calculator   | Live computation from actual control data; gap-to-88 path with prioritized remediation
RAMPART gates           | Maps gate results to AC, AU, CM, IA, SC, SI, CA, and SR families
POA&M management        | Documents unimplemented practices with milestone dates; OSCAL-formatted
Evidence vault          | Cosign-signed evidence package per practice with Rekor-anchored audit trail
AI-drafted narratives   | Control narratives generated from actual scanner output for SSP
FCA exposure dashboard  | Identifies practices where self-assessment claims exceed evidence
Rev 3 transition        | Delta analysis between Rev 2 and Rev 3 with ODP editor


Last verified: 2026-06-14