By Framework · NIST 800-171
Protect controlled unclassified information, or lose the contract
If you handle Controlled Unclassified Information for the federal government, NIST SP 800-171 is the baseline you are measured against. It has been a contract requirement for defense suppliers since 2017, it now reaches GSA contractors too, and it is the technical core of CMMC.
The landscape
One score, flowed down the whole supply chain
NIST 800-171 defines how nonfederal systems must protect CUI. Under DFARS clause 252.204-7012, prime contractors have had to meet it since 2017 and flow it down to any subcontractor that touches CUI, so a single requirement ripples across an entire supply chain. Revision 3 trims the requirement count and introduces organization-defined parameters, while most current contracts still measure against the 110 requirements of Revision 2.
The requirement is no longer defense-only. Revision 3 is now the baseline for GSA contractors handling CUI, which pulls a much wider set of suppliers into the same rules, and CMMC turns the honor-system self-score into a third-party assessment.
Why it is hard
Your score is public, and so is the gap
NIST 800-171 asks for a documented System Security Plan, a scored self-assessment, and a plan of action for every unmet requirement, all kept current and all flowed down to subcontractors. With CMMC arriving, that self-attestation is about to be checked by an assessor, so a score that was optimistic on paper becomes a finding in person.
Managed in spreadsheets, that becomes an SSP that does not match the network, a POA&M that never closes, and a supply chain no one can actually vouch for.
How SimpleRisk fits
One control library, every obligation
SimpleRisk turns 800-171 from a spreadsheet score into a managed program: every requirement owned, evidenced, and ready for the assessment CMMC is bringing.
- Track all 110 requirements. Score each one, keep the System Security Plan current, and manage every POA&M item to closure instead of losing it in a tab.
- Get ahead of CMMC. The same 800-171 controls are CMMC Level 2, so the work you do now is the assessment you pass later.
- Cover the supply chain. Track the subcontractors you flow CUI down to against the same requirements, so the weakest link is not a surprise.
- Prove it on demand. Produce the SSP, the score, and the evidence an assessor or a DIBCAC review asks for.
Turn your 800-171 score into a program you can defend
Start a free trial or book a demo, and see how SimpleRisk tracks every requirement, POA&M, and subcontractor CUI flows through.
Start a free trial