NIST SP 800-171 Discussion for CMMC


Why is there a page for NIST SP 800-171 on a CMMC website?

The NIST standard, as described in a document named “NIST Special Publication 800-171”, is a set of 110 security best practices that are CURRENTLY required for all DoD contractors that deal with Controlled Unclassified Information.

You can tell if your contract requires NIST SP 800-171 by looking for a contract clause that calls out “DFARS 252.204-7012”. If this is the case, you should also check out the DFARS 252.204-7012 page.

In other words, if you are a DoD contractor that is concerned about CMMC, there is a decent chance that you should be following NIST SP 800-171 already.

These 110 best practices are extremely relevant to CMMC, and are re-used for almost all of the CMMC Level 1, Level 2, and Level 3 practices.

During the gradual rollout of CMMC, most contracts will not require CMMC certification. Contracts that process Controlled Unclassified Information (CUI) WILL still require NIST 800-171 until that point. So it is always a good idea to get compliant with 800-171 first, then worry about CMMC afterwards.


Download links

Official NIST homepage for SP 800-171 v2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

NIST homepage for assessing compliance with SP 800-171: https://csrc.nist.gov/publications/detail/sp/800-171a/final

If you know of other official or helpful resources, please comment to help others! I’ll add the links to this page.
