NIST SP 800-171 & CMMC Compliance

NIST SP 800-171 is a standard that defines how to protect and distribute Controlled Unclassified Information (CUI) for government contractors.  

What is Controlled Unclassified Information (CUI)? 

CUI is a type of marking tool used by the federal government to identify information and confidential data that is not classified, yet requires protection from unnecessary disclosure (i.e., financial records, Personally Identifiable Information (PII), FOUO). 

Key Considerations and Lessons Learned for NIST 800-171 Compliance

NIST SP 800-171 contains 110 security controls across the following 14 categories:

3.1 Access Control 

3.2 Awareness and Training 

3.3 Audit and Accountability 

3.4 Configuration Management 

3.5 Identification and Authentication 

3.6 Incident Response 

3.7 Maintenance 

3.8 Media Protection 

3.9 Personnel Security 

3.10 Physical Protection 

3.11 Risk Assessment 

3.12 Security Assessment 

3.13 System and Communications Protection 

3.14 System and Information Integrity 

The 14 Categories cover 5 main elements from the NIST Cybersecurity Framework:

  1. IdentifyDevelop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  2. ProtectDevelop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. 
  3. DetectDevelop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  4. RespondDevelop and implement the appropriate activities to take action regarding a detected cybersecurity event.
  5. RecoverDevelop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. 

CMMC Level 3 versus NIST SP 800-171

The effort to become NIST SP 800-171 compliant is not wasted. CMMC Level 3 contains the same 110 controls found in NIST SP 800-171, plus 20 added practices (controls). There are a few significant areas where CMMC adds practices: 

  • Logging, monitoring, incident response, and reporting capabilities with a SIEM (Security Information and Events Management) or similar technical solution – Domain Reference: Incident Response (IR) and Audit and Accountability (AU). 
  • The ability to backup and restore data through tested, comprehensive, and resilient in backup efforts 
  • Logically and technically separate management of unsupported products with network restrictions and regular risk assessments to identify vulnerabilities – Domain Reference: Risk Management (RM) 
  • DNS filtering, spam protection, and email sandboxing to protect against malicious traffic – Domain Reference: System and Communication Protection (SC) and System and Information Integrity (SI) 
Cybersecurity Magnified Podcast: What Google Can’t Tell you about NIST 800-171 Compliance

Why Comply? 

The DFARS clause 252.204-7012 interim rule released on September 29, 2020 requires that all government contract wins issued to contractors are dependent on the contractor inputting a Supplier Performance Risk System (SPRS) score in the SPRS database system. The SPRS score is derived from a contractor’s score calculated based on the NIST SP 800-171 requirements that have been implemented. Your score in the SPRS database may be a consideration during the selection process. 

DFARS Interim Rule Executive Summary  

CMMC is being rolled out by DoD over the next 5 years. DoD expects the number of contracts with CMMC requirements to reach 75 by Fiscal Year (FY) 2022, 250 contracts by FY 2023, and 479 contracts in FY 2024. DoD expects all new DoD contracts to contain CMMC requirements starting in FY 2026. Looking forward, the DoD expects to have 1,500 contractors certified in FY 2021; 7,500 more in FY 2022; 25,000 more by FY 2023; and almost 48,000 by FY 2025. If you are not CMMC certified at the appropriate level prior to contract award, then working on DoD contracts will not be possible.

Compliance Options:

Option #1: In-house 

Utilize your in-house IT Team. The NIST Handbook 162 or CMMC Model and Assessment Guides gives you a complete self-assessment guide to walk you through the requirements. 

The in-house choice works best if: 

  1. You have extensive policies and procedures in place.
  2. You have IT resources already in place with experience in implementing security requirements. These cybersecurity professionals require a diverse technical background. This is not the time to learn as you go! 


Option #2: Outsource

Augment your IT team with a consultant. By outsourcing your compliance, your provider goes through a process to help you become complaint. 

As experienced consultantsBraxton-Grant Technologies has a three-step process to help you become and stay compliant. 

The Maryland DCAP Grant Program

The Maryland Defense Cybersecurity Assistance Program (DCAP) provides funding and assistance for Defense Contractors to comply with the DFARS and NIST 800-171 Standards for cybersecurity, as well as prepare for the upcoming CMMC certification. The program provides funding and resources for Maryland companies to comply with the cybersecurity standards. Funded by the Department of Defense’s Office of Local Defense Community Cooperation (OLDCC) through the Maryland Department of Commerce, the program is being coordinated by the MD MEP.   

Grant funding is limited and there is waiting list at this time. If you have interest in the program, we recommend submitting an application to the MD MEP Team as soon as possible  – contact us to assist!  

Program Benefits  

  • Up to 60% off mitigation costs.   
  • $2,500 grant funding reimbursement for the CMMC Pre-Assessment.  
  • Reported $513,402,088 total retained sales and $155,158,419 total increased sales from client recipients.  
  • Reported total of 3,051 retained jobs and 136 increased jobs from client recipients.   

Braxton-Grant’s 3-Step Cyber Assessment

Braxton-Grant is a cybersecurity consulting organization with NIST SP 800-171 Subject Matter Experts and CMMC Registered Practitioners to assist in pre-assessments for organizations with DoD contracts. 

We have developed a low-cost solution to help companies get compliant quickly and stay compliant without disrupting your budget 

For more information about how this three-step process would work for your company, please call for a free consultation or contact us to schedule a meeting 

Gap Analysis

Our Gap analysis includes NIST SP 800-171 and CMMC Level 3. We look at your existing information systems and security measures; then, we identify gaps in your CUI and Cyber Security protections that could lead to a data breach in the future or a failure to come into compliance.


Our consultant creates and implements a plan that remediates these deficiencies and addresses other security issues in your information systems. 

Active Monitoring

We keep a close eye on your systems to detect intrusions as early as possible. If you can stop an attacker before they reach any systems that store CUI, then you can limit the chances that they gain access to sensitive data.