NIST 800-171 Security Requirements Explained: A Plain-Language Breakdown of All 14 Domains

What Are the NIST 800-171 Security Requirements?

If your organization handles Controlled Unclassified Information (CUI) for the Department of Defense or any federal agency, you are required to meet the NIST 800-171 security requirements outlined in NIST Special Publication 800-171. The framework organizes 110 security controls across 14 domains, each targeting a specific aspect of protecting sensitive federal information. Understanding what each domain demands — in plain language — is the first step toward building a defensible compliance posture.

This breakdown is designed for compliance managers and executives who need a working understanding of the framework without wading through NIST's technical language. For a deeper dive into how the standard has evolved, see our post on NIST SP 800-171 Revision 3 and its enhancements for CUI protection.

The 14 Domains of NIST SP 800-171

1. Access Control (AC)

This domain governs who can access your systems and data. Requirements include limiting system access to authorized users, enforcing least privilege, controlling remote access, and managing access for mobile devices and external systems. In practice, this means implementing role-based access, disabling unnecessary accounts, and documenting access policies rigorously.

2. Awareness and Training (AT)

Your people are your first line of defense — and your biggest vulnerability if undertrained. This domain requires that all users understand security risks associated with their activities and that personnel with elevated responsibilities receive role-specific training. Annual security awareness training is the baseline; recurring reinforcement is the expectation.

3. Audit and Accountability (AU)

You cannot defend what you cannot see. This domain requires creating, protecting, and reviewing audit logs for system events. Organizations must capture sufficient detail to trace actions to individual users, protect log integrity, and review logs for anomalies. This domain directly supports incident investigation and insider threat detection.

4. Configuration Management (CM)

Every device, server, and software installation in your environment must be configured securely and inventoried. This domain requires establishing baseline configurations, controlling changes to those configurations, and restricting the use of unauthorized software. Many organizations fail here because of shadow IT and undocumented legacy systems.

5. Identification and Authentication (IA)

This domain addresses how users and devices prove who they are before accessing systems. Requirements include unique user IDs, strong password policies, and — critically — multifactor authentication (MFA) for privileged users and remote access. Weak authentication remains one of the most commonly exploited vulnerabilities in defense contractor environments.

6. Incident Response (IR)

When something goes wrong, your organization must have a documented plan to detect, contain, and recover from security incidents. This domain requires establishing an incident response capability, testing it regularly, and reporting incidents to appropriate authorities. A plan that exists only on paper and has never been exercised will not satisfy auditors — or protect your data.

7. Maintenance (MA)

Performing maintenance on organizational systems introduces risk if not properly controlled. This domain requires that maintenance activities be authorized, logged, and controlled — especially when performed remotely or by outside vendors. Equipment leaving the facility for repair must be sanitized of CUI before it departs.

8. Media Protection (MP)

CUI can leave your environment on a thumb drive, a printed document, or a decommissioned hard drive. This domain governs how physical and digital media containing CUI are marked, stored, transported, and destroyed. Sanitization requirements apply to all media prior to disposal or reuse — a requirement that is frequently overlooked.

9. Personnel Security (PS)

This domain addresses the risks posed by the humans in your organization. Requirements include screening individuals before granting access to CUI systems, establishing termination procedures that immediately revoke access, and managing the security risks associated with third-party personnel. Insider threat programs align directly with this domain.

10. Physical Protection (PE)

Logical controls mean little if an unauthorized person can walk up to a server or workstation. This domain requires limiting physical access to systems that process CUI, escorting visitors, maintaining access logs, and protecting physical assets from environmental threats. For a detailed look at physical control requirements, see our post on meeting CMMC 2.0 and NIST SP 800-171 physical security requirements.

11. Risk Assessment (RA)

Organizations must periodically assess the risk to operations, assets, and personnel that results from the operation of information systems. This includes scanning for vulnerabilities, remediating findings based on risk, and documenting the process. A risk assessment is not a one-time event — it is an ongoing program. Our federal risk assessment services are designed specifically to meet these requirements for government contractors.

12. Security Assessment (CA)

This domain requires periodically evaluating the security controls in your environment to determine whether they are effective. Organizations must develop and maintain a System Security Plan (SSP), produce a Plan of Action and Milestones (POA&M) for any deficiencies, and assess controls on a defined cycle. The SSP is the foundational compliance document that auditors will examine first. For more on these documents, read our post on SSP and POA&M as critical components of a strong security program.

13. System and Communications Protection (SC)

This domain addresses how information is protected as it moves across networks and between systems. Requirements include network segmentation, boundary protection, encryption of CUI in transit, and controls over remote sessions. Organizations operating in cloud environments must ensure their cloud services meet these requirements — a topic we cover in depth for contractors evaluating government cloud options.

14. System and Information Integrity (SI)

The final domain focuses on keeping systems and data free from tampering and malicious code. Requirements include deploying and updating malware protection, monitoring systems for security alerts, patching vulnerabilities in a timely manner, and implementing mechanisms to detect unauthorized changes. Endpoint security tools are central to meeting this domain's requirements.
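The Configuration Management and System and Information Integrity domains both turn on the same mechanism: a recorded baseline and a check that the live system still matches it. The script below is an added example, not code from this post or from Cleared Systems; it builds a SHA-256 baseline of a configuration directory, stores it as JSON, and then reports files that were added, removed, or modified since the baseline. The directory layout, file names, and contents are constructed for the demonstration; only the hashing and comparison logic is general.

```python
"""Baseline-and-drift check for configuration files (added example).

Builds a SHA-256 baseline of every file under a directory, then compares
the live tree against that baseline and reports added, removed and
modified files. Directory layout and file contents below are constructed
for the demo; the comparison logic is general.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return added, removed and modified paths relative to the baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(current) & set(baseline) if current[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Create a constructed config tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "audit.rules").write_text("-w /etc/passwd -p wa\n")

        # Serialize the baseline; a real deployment keeps this copy off-host
        # so an intruder who edits the files cannot also edit the reference.
        baseline_json = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated unauthorized changes: weaken sshd, delete the audit
        # rules, and drop in a file that was never part of the baseline.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "audit.rules").unlink()
        (root / "etc" / "rogue.conf").write_text("x\n")

        return compare_to_baseline(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule against the real configuration paths, each non-empty list in the result is a change that should either match an approved change record (CM) or be treated as a potential integrity incident (SI).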

How NIST 800-171 Connects to CMMC and DFARS

The 110 controls in NIST 800-171 form the technical backbone of CMMC Level 2. If your organization is subject to DFARS clause 252.204-7012, you are already required to implement these controls and report your score in the Supplier Performance Risk System (SPRS). Failure to accurately self-assess and report carries significant legal exposure under the False Claims Act.

Defense contractors who need to understand how these frameworks overlap should review our resources on CMMC, CUI, and DFARS compliance. The relationship between NIST 800-171 and the broader NIST 800-53 standard is also worth understanding — especially for organizations that also hold federal contracts outside the defense space. Our post on the essential differences between NIST SP 800-171 and NIST SP 800-53 breaks this down clearly.

Common Implementation Gaps Across the 14 Domains

In our work with defense contractors, we consistently see the same deficiencies surface during assessments:

  • Incomplete SSPs that fail to document system boundaries or CUI flows accurately
  • MFA not implemented for remote access or privileged accounts
  • Audit logging gaps where critical systems generate no logs or logs are not reviewed
  • Uncontrolled media including personal USB drives and unsanitized equipment
  • No formal incident response plan or one that has never been tested
  • Vulnerability scanning performed infrequently or findings left unaddressed in the POA&M

These are not obscure edge cases. They are the deficiencies that result in failed assessments and, in some cases, contract termination or legal action.

Where to Start If You Are Behind on Compliance

If your organization has not yet conducted a formal gap assessment against the 14 domains, that is the correct first step. A gap assessment maps your current controls against each of the 110 requirements, identifies deficiencies, and produces a prioritized remediation roadmap. From there, building out your SSP and POA&M gives you a documented compliance posture you can defend.
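The gap assessment described above and the SPRS score mentioned in the DFARS section are two views of the same data: a per-requirement implementation status. The script below is an added example, not tooling from this post or from Cleared Systems. The scoring rule (start at 110 and subtract each unimplemented requirement's weight) is the DoD Assessment Methodology's; the eight requirement numbers follow SP 800-171 Rev 2 numbering, but their abbreviated titles, the weights, and the implementation statuses are constructed sample data, so take the official weights from the methodology itself.

```python
"""Gap-assessment tracker with an SPRS-style score (added example).

The DoD Assessment Methodology starts at 110 and subtracts a weight for
each NIST SP 800-171 requirement that is not implemented. The sample
controls below are constructed: the requirement numbers are Rev 2
identifiers, but titles are abbreviated and weights are illustrative.
"""
from dataclasses import dataclass

MAX_SCORE = 110  # every assessment starts here under the DoD methodology


@dataclass(frozen=True)
class Control:
    ident: str        # SP 800-171 Rev 2 requirement number
    domain: str       # two-letter domain code from the 14-domain breakdown
    title: str        # abbreviated description (constructed)
    weight: int       # points deducted when not implemented (illustrative)
    implemented: bool


# Constructed sample assessment covering eight of the 110 requirements.
SAMPLE_CONTROLS = [
    Control("3.1.1", "AC", "Limit system access to authorized users", 5, True),
    Control("3.3.1", "AU", "Create and retain audit logs", 5, False),
    Control("3.5.3", "IA", "MFA for privileged and remote access", 5, False),
    Control("3.6.1", "IR", "Operational incident-handling capability", 5, False),
    Control("3.8.3", "MP", "Sanitize media before disposal or reuse", 5, True),
    Control("3.11.2", "RA", "Scan for vulnerabilities periodically", 5, False),
    Control("3.13.8", "SC", "Encrypt CUI in transit", 3, False),
    Control("3.14.2", "SI", "Malicious code protection", 5, True),
]


def ident_key(ident: str) -> tuple:
    """Sort requirement numbers numerically, so 3.3.1 precedes 3.11.2."""
    return tuple(int(part) for part in ident.split("."))


def sprs_score(controls) -> int:
    """110 minus the weight of every requirement that is not implemented."""
    return MAX_SCORE - sum(c.weight for c in controls if not c.implemented)


def gaps_by_domain(controls) -> dict:
    """Count open gaps per domain, most gaps first, ties by domain code."""
    counts = {}
    for c in controls:
        if not c.implemented:
            counts[c.domain] = counts.get(c.domain, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def remediation_roadmap(controls) -> list:
    """Open gaps ordered by points recovered, then by requirement number.

    Each entry is (ident, domain, weight), which is enough to seed a POA&M
    line item per gap.
    """
    open_gaps = [c for c in controls if not c.implemented]
    open_gaps.sort(key=lambda c: (-c.weight, ident_key(c.ident)))
    return [(c.ident, c.domain, c.weight) for c in open_gaps]


if __name__ == "__main__":
    print("SPRS-style score:", sprs_score(SAMPLE_CONTROLS))
    print("Open gaps by domain:", gaps_by_domain(SAMPLE_CONTROLS))
    for ident, domain, weight in remediation_roadmap(SAMPLE_CONTROLS):
        print(f"  {ident} ({domain}): recovers {weight} points")
```

Replacing `SAMPLE_CONTROLS` with the full list of 110 requirements and your assessed statuses turns the roadmap into the prioritized remediation list a gap assessment is meant to produce, and the score into the figure reported in SPRS.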

Organizations that lack internal cybersecurity expertise often benefit from engaging a Regulatory vCISO who can own the compliance program on an ongoing basis — managing assessments, documentation, vendor oversight, and audit readiness without the overhead of a full-time hire.

Take Action Before Your Next Contract Requires It

The NIST 800-171 security requirements are not going away, and enforcement pressure is increasing as CMMC certification requirements are written into more DoD contracts. Whether you are starting from scratch or trying to close specific gaps, Cleared Systems has the expertise to help you build a program that is audit-ready and operationally sustainable. Request a quote today and let us assess where you stand across all 14 domains.
