
NIST 800-171: the 110 controls and which ones eat the budget

A practical breakdown of the NIST 800-171 control families, which controls take the most effort for small and mid-market organizations and how to sequence the 90-120 day compliance arc.

Atticus Rowan

A common scenario in federal supply chains in 2026: a prime contractor sends a letter to its subcontractors stating that every sub must align to NIST SP 800-171 within 180 days or face removal from the approved vendor list. Mid-market manufacturers and service firms receiving those letters have one question first: what does this actually mean, and what does it take to comply?

The short answer: 110 security controls across 14 families, applicable to any organization that processes Controlled Unclassified Information (CUI) on behalf of a federal agency or prime contractor. The practical answer: it is a 90-120 day arc of focused work for a mid-market firm, the technical lift is moderate and the documentation lift is substantial. Most of the budget goes into the documentation and ongoing evidence, not the technology.

What NIST 800-171 is, briefly

NIST Special Publication 800-171 is the National Institute of Standards and Technology’s security requirement set for protecting CUI in nonfederal systems and organizations. It applies when a federal contract, grant or subcontract flows down the requirement. The newest revision is NIST 800-171 Rev. 3 (published May 2024), which reorganizes the requirements into 97 controls across 17 families and tightens several of them. The 110-control, 14-family structure used throughout this post is Rev. 2, which is what DoD’s DFARS 252.204-7012 clause and the CMMC program still assess against; until those flow-down mechanisms move to Rev. 3, Rev. 2 is the baseline a subcontractor will be measured on.

The 110 controls are organized into 14 families:

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

For context: NIST 800-171 is the commercial-facing adaptation of NIST 800-53, which is the much larger (1,000+ controls) framework federal agencies apply to their own systems. The 110 controls in 800-171 are the subset that nonfederal organizations handling CUI must implement.

The families that eat the most budget

After working through this framework with multiple mid-market manufacturers and professional firms, a predictable pattern emerges. Some control families are cheap; others are expensive. Knowing the difference up front lets a firm sequence the work intelligently.

Cheap or already-in-place (for most mid-market firms):

  • Physical Protection (PE), badge access, visitor logs, server-room controls. Most manufacturers already have this.
  • Personnel Security (PS), background checks and termination procedures. Usually in place via HR.
  • Maintenance (MA), controlled maintenance procedures. Standard ops for anyone with an IT partner.

Moderate lift:

  • Access Control (AC), 22 controls covering account management, privilege separation, remote access controls. Most firms need to tighten access reviews and MFA enforcement.
  • Identification and Authentication (IA), MFA for all network access and for all privileged access (local or network), plus strong authenticator requirements. This is usually a 30-60 day project if MFA is not already deployed.
  • Configuration Management (CM), baseline configurations, change control, software inventory. Documentation-heavy but tractable.
  • Awareness and Training (AT), annual security training with documented completion. Cheap tool cost, modest process work.

Heavy lift, budget goes here:

  • Audit and Accountability (AU), centralized logging, log retention, periodic review. This usually means deploying a log aggregation or SIEM tool and standing up a process to review alerts. Real tool spend and real process spend.
  • Incident Response (IR), documented incident response plan, tested incident response, reporting. The documentation and tabletop work is significant.
  • Risk Assessment (RA), periodic risk assessment, vulnerability scanning with documented remediation SLAs, risk management process. This is an ongoing cadence, not a one-time project.
  • Security Assessment (CA), system security plan, plans of action and milestones (POA&Ms), ongoing monitoring. The System Security Plan alone is typically 50-80 pages of organized documentation.
  • System and Communications Protection (SC), network segmentation, boundary protection, cryptographic protection. Can require real network re-architecture.
  • System and Information Integrity (SI), vulnerability management, flaw remediation, malicious code protection (EDR), monitoring. Overlaps with RA and AU.

The documentation layer, what actually takes time

Technical controls are relatively tractable. What consumes project time, and what most firms underestimate, is the documentation layer that ties each control to evidence of operation. The core artifacts:

  • System Security Plan (SSP), a document describing how the organization implements each of the 110 controls. Not a checklist; narrative documentation per control.
  • Plans of Action and Milestones (POA&Ms), tracking document for controls that are partially implemented, with remediation timelines.
  • Risk Assessment Report, documented assessment of threats, vulnerabilities and risk ratings.
  • Incident Response Plan, written plan plus evidence of a tested tabletop.
  • Training Records, documented completion of security awareness training by all personnel.
  • Configuration Baselines, documented standard configurations for systems in scope.
  • Access Control Lists and Access Review Records, who has access to what, reviewed periodically with documentation of the review.

A firm that deploys every technical control but has no SSP is not compliant. A firm with complete documentation but sloppy technical controls is also not compliant. Both layers matter and the documentation layer is where most of the human-hour budget lands.
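The access review record is the artifact in that list most firms produce by hand and most often produce badly, so here is what a repeatable one looks like. This is an added example, not code from the original post or from Atticus Rowan’s practice. It assumes an account export with the columns user, role, mfa_enrolled, last_login and hr_status (hypothetical field names), a 90-day inactivity threshold, and a mapping of each check to a Rev. 2 requirement number chosen by the author of this example; the sample export is constructed, not real data.

```python
"""Periodic access review over an account export, emitting a review record.

Added example; not code from the original post. The export format (columns
user, role, mfa_enrolled, last_login, hr_status), the thresholds and the
requirement mapping are assumptions chosen for illustration.
"""
import csv
import io
from dataclasses import dataclass, asdict
from datetime import date

# Constructed sample export; not real data.
ACCOUNT_EXPORT = """user,role,mfa_enrolled,last_login,hr_status
alice,admin,yes,2026-03-01,active
bob,user,no,2026-02-20,active
carol,admin,yes,2025-10-05,active
dave,user,yes,2026-01-15,terminated
erin,svc-backup,n/a,2026-03-02,service
"""

REVIEW_DATE = date(2026, 3, 3)   # date the review was performed (assumed)
STALE_DAYS = 90                  # inactivity threshold (organization-defined)
PRIVILEGED_ROLES = {"admin"}     # roles treated as privileged (assumed)


@dataclass(frozen=True)
class Finding:
    user: str
    requirement: str   # NIST SP 800-171 Rev. 2 requirement number
    issue: str


def parse_export(text: str) -> list[dict]:
    """Read the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(rows: list[dict], today: date = REVIEW_DATE) -> list[Finding]:
    """Apply the review checks to every account and return the findings."""
    findings = []
    for r in rows:
        user = r["user"]
        is_service = r["hr_status"] == "service"

        # 3.9.2: protect CUI systems during and after personnel actions
        # such as terminations. A terminated person must not keep an account.
        if r["hr_status"] == "terminated":
            findings.append(Finding(user, "3.9.2", "active account for terminated personnel"))

        # 3.5.3: MFA for network access. Applied to human accounts; service
        # accounts are skipped here and need their own compensating controls.
        if not is_service and r["mfa_enrolled"].lower() != "yes":
            findings.append(Finding(user, "3.5.3", "MFA not enrolled"))

        # 3.5.6: disable identifiers after a defined period of inactivity.
        idle = (today - date.fromisoformat(r["last_login"])).days
        if idle > STALE_DAYS:
            findings.append(Finding(user, "3.5.6", f"no login for {idle} days"))
    return findings


def review_record(text: str, today: date = REVIEW_DATE) -> dict:
    """The evidence artifact: what was reviewed, when, by which rules, and the result."""
    rows = parse_export(text)
    findings = review_accounts(rows, today)
    return {
        "review_date": today.isoformat(),
        "accounts_reviewed": len(rows),
        "privileged_accounts": sorted(r["user"] for r in rows if r["role"] in PRIVILEGED_ROLES),
        "findings": [asdict(f) for f in findings],
        "result": "pass" if not findings else "findings_open",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_record(ACCOUNT_EXPORT), indent=2))
```

Each finding carries the requirement it maps to, so the same record feeds the POA&M (open findings become milestones) and the SSP (the review date and scope are the evidence of operation for the access-review control). Run it on every review cycle and keep the JSON output with the reviewer’s sign-off; a folder of dated records is what an assessor accepts as "reviewed periodically," a single spreadsheet edited in place is not.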

The 90-120 day arc for a mid-market firm

For a 30-50 user firm with a reasonable existing IT baseline, a focused arc looks like this:

Days 1-30, Gap assessment. Map current state to the 110 controls. Produce a gap list with severity, remediation estimate and dependencies. Start the SSP scaffolding in parallel.

Days 30-60, Technical remediation. MFA rollout if not already done, EDR deployment, centralized logging, network segmentation per the scope boundary, backup hardening. Most of the tool spend happens here.

Days 60-90, Documentation and process. Complete the SSP. Write or adapt the incident response plan. Run the first documented tabletop. Conduct the first formal access review. Publish the security awareness training program.

Days 90-120, Final gaps and readiness. Close remaining POA&M items, verify evidence of operation for each control, produce the readiness package the contracting officer or assessor will review.

That arc assumes a firm with reasonable existing IT hygiene. Firms starting from scratch (no MFA, no EDR, no documented backup, no incident response plan) need closer to 180 days.

CMMC and the compliance landscape

NIST 800-171 is the substantive control set. The Cybersecurity Maturity Model Certification (CMMC) program is the Department of Defense’s assessment framework built on top of it, specifying how compliance is verified at each level. CMMC Level 2 covers all 110 Rev. 2 requirements; depending on the contract it is verified either by an annual self-assessment or by a triennial assessment from an independent third party.

Atticus Rowan’s practice applies NIST 800-171 as a control reference, building and documenting the program, but does not perform CMMC certification assessments. When a client needs a formal CMMC assessment, we coordinate with a CMMC Third-Party Assessment Organization (C3PAO).

What this looks like in practice

A mid-market firm with reasonable existing IT hygiene can reach a defensible NIST 800-171 posture in the 13-17 week range, the 90-120 day arc described above. The final SSP package typically runs 50-80 pages plus appendices depending on environment scope. The prime contractor’s review is looking at the SSP, the POA&Ms for partial controls and the evidence that the full control environment operates over time, not a theoretical policy binder.

If your organization is facing a flow-down NIST 800-171 requirement or preparing for one ahead of a federal supply-chain opportunity, schedule a discovery call. We can scope the gap assessment and the full 90-120 day arc.