NIST 800-171 Readiness Guide

A working reference for mid-market firms responding to a federal flow-down: what the 110 controls require, where the budget actually lands and how a 90 to 120 day arc works.

A flow-down letter from a federal prime contractor is the most common entry point for NIST 800-171. The 110 controls across 14 families are well documented. What is less documented is where the budget actually lands, why the documentation layer eats more time than the technical work and how scope reduction can shrink the in-scope footprint by 60 to 90 percent. This guide answers 24 of the questions mid-market firms ask most often when an 800-171 deadline arrives.

What NIST 800-171 is and who needs it

A flow-down letter from a federal prime contractor is the most common entry point. The standard is precise; the scope question is where most firms misread the assignment.

What is NIST 800-171?

NIST Special Publication 800-171 is the federal government's security requirement set for protecting Controlled Unclassified Information (CUI) in nonfederal systems. The current revision is Rev. 3, published May 2024. It contains 110 security controls organized into 14 families. The standard applies when a federal contract, grant or subcontract flows the requirement down to a nonfederal organization handling CUI on the government's behalf.

Who actually needs to comply?

Any nonfederal organization that processes, stores or transmits CUI on behalf of a federal agency or prime contractor. The most common path is a flow-down clause from a Department of Defense prime: a manufacturer, a professional services firm or a logistics provider receives a letter stating the firm must align to 800-171 within a defined window. Commercial-only firms with no federal-flowed CUI do not need 800-171.

What is CUI and how do firms identify it?

CUI is information the government creates or possesses that requires safeguarding under federal law, regulation or policy, but is not classified. Common categories: defense technical drawings, contract performance data, controlled technical information, export-controlled data. The prime contractor or contracting officer typically marks data as CUI on transmittal. Firms that cannot identify which data is CUI cannot scope 800-171 correctly.

How does NIST 800-171 relate to CMMC?

CMMC (Cybersecurity Maturity Model Certification) is the DoD's certification program built on top of 800-171. CMMC Level 2 maps to the 110 controls of 800-171 with third-party assessment. CMMC Level 1 maps to a smaller subset for FCI (federal contract information). 800-171 is the underlying control set. CMMC is the certification regime. We support 800-171 readiness; we are not a CMMC C3PAO.

What is the difference between 800-171 and 800-53?

NIST 800-53 is the much larger control framework (1,000+ controls) federal agencies apply to their own systems. NIST 800-171 is the commercial-facing subset, the 110 controls nonfederal organizations handling CUI must implement. A nonfederal firm asked to align to 800-53 directly is in unusual territory. Ask the prime to confirm whether they meant 800-171 or whether there is a separate scope reason.

The 110 controls and what each family demands

110 controls across 14 families. Some families are already in place at most mid-market firms. Some families consume the budget. Knowing the difference up front is how a 90-day arc stays a 90-day arc.

What are the 14 control families?

Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC) and System and Information Integrity (SI). The 110 controls distribute unevenly across these families, with AC, SC and SI carrying the largest counts.

Which families are usually already in place?

For most mid-market firms with a competent IT partner, the lighter families are Physical Protection (PE), Personnel Security (PS) and Maintenance (MA). Badge access, visitor logs, server-room controls, background checks, termination procedures and controlled maintenance are usually standard operations. The remediation lift here is documentation and evidence, not new tooling. These are the cheap wins to close in the first 30 days.

Which families take moderate effort?

Access Control (AC), Identification and Authentication (IA), Configuration Management (CM) and Awareness and Training (AT) typically run 30 to 60 days each. The work is real but tractable: tighten access reviews, enforce phishing-resistant MFA, document baseline configurations, deploy annual security training with documented completion. Tool spend is modest. Process and documentation discipline drive the timeline.

Which families consume the budget?

Audit and Accountability (AU), Incident Response (IR), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC) and System and Information Integrity (SI). These usually require log aggregation or SIEM tooling, documented and tested IR plans, quarterly vulnerability management with documented remediation SLAs, the System Security Plan itself and sometimes network re-architecture for segmentation. Real tool spend and real human-hour spend cluster here.

What about controls that overlap with other frameworks?

NIST 800-171 overlaps materially with NIST CSF 2.0, CIS Controls v8, SOC 2 Trust Services Criteria and HIPAA Security Rule. A firm that already aligns to one of those has 40 to 70 percent of 800-171 in place. The overlap is not 1:1. 800-171 has unique CUI-handling and federal-reporting requirements that other frameworks do not address. Map the overlap, do not assume equivalence.

SSP, POA&M and the documentation layer

A firm that deploys every technical control but has no SSP is not compliant. A firm with complete documentation but sloppy technical controls is also not compliant. Both layers matter. Most of the human-hour budget lands in the documentation layer.

What is the System Security Plan (SSP)?

The SSP is the narrative document describing how the organization implements each of the 110 controls. It is not a checklist. Each control gets a description of the implementation, the responsible party, the supporting evidence and any residual risk. A typical mid-market SSP runs 40 to 80 pages. The SSP is the primary artifact a prime contractor or assessor reviews when verifying compliance.

What is a POA&M and when is it used?

A Plan of Action and Milestones (POA&M) is a tracking document for controls that are partially implemented or not yet implemented. Each entry covers the control, the gap, the remediation activity, the responsible owner and the target completion date. POA&Ms are acceptable for transitional non-compliance with a credible remediation timeline. POA&Ms that sit open without progress are not.

What other artifacts does the documentation layer require?

Beyond the SSP and POA&M: a written incident response plan with evidence of a tested tabletop, a documented risk assessment, training completion records for all personnel, configuration baselines for systems in scope, access control lists with periodic review records and a media protection policy. Each control family typically produces 1 to 3 supporting artifacts. The documentation library compounds across the assessment cycle.

How is documentation evidence reviewed?

A prime contractor or third-party assessor typically reviews the SSP first, then samples evidence for selected controls. Sampling is risk-based: AU, IR and CA are usually sampled deeply, the lighter families more lightly. The assessor verifies that the documented control matches the operational reality. Documentation that describes controls the firm does not actually run is the highest-impact assessment finding.

Why does documentation consume more time than technical work?

Technical controls are deployed once and verified. Documentation has to capture the control, the evidence, the responsible party, the review cadence and the residual risk for each of 110 controls, then be updated as the environment changes. The narrative quality matters. A vague SSP fails review. A precise SSP withstands assessment. Most firms underestimate the human-hour budget for the documentation layer by a factor of 2 to 3.

The 90-120 day compliance arc and common gap patterns

For a 30 to 50 user mid-market firm with a reasonable IT baseline, the work fits a 90 to 120 day arc. Skipping the gap-assessment phase is the single most expensive decision a firm can make.

What does a 90-120 day arc actually look like?

Days 1 to 30: gap assessment against the 110 controls with severity, remediation estimate and dependencies, plus SSP scaffolding in parallel. Days 31 to 75: technical remediation across the moderate-lift families and tooling deployment for the heavy-lift families. Days 76 to 105: documentation completion, IR tabletop, training rollout, evidence collection. Days 106 to 120: SSP finalization, POA&M for any residual gaps, prime-contractor submission.

What is the most common gap pattern at the start?

The recurring early-state pattern across mid-market firms: MFA deployed but not on every privileged account, EDR running but coverage at 85 to 92 percent rather than 100, backup in place but not tested or not immutable, IR plan documented years ago but never tabletop-tested, no centralized logging, no SSP. The technical posture is closer to compliant than the documentation posture in roughly 70 percent of cases we see.
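The POA&M fields described above (control, gap, remediation activity, owner, target date) and the rule that an entry open without progress is not acceptable can be expressed as a small tracker. This is an added example, not Atticus Rowan's tooling; the control labels and sample entries are constructed to mirror the early-state gap pattern just described, and the 90-day idle threshold is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fields the guide names for every POA&M entry.
REQUIRED_FIELDS = ("control", "gap", "remediation", "owner", "target_date")

@dataclass
class PoamEntry:
    control: str                  # control reference (constructed labels below, not official ids)
    gap: str                      # what is missing or only partially implemented
    remediation: str              # the activity that closes the gap
    owner: str                    # responsible party
    opened: date                  # when the gap was logged
    target_date: Optional[date]   # committed completion date
    last_progress: Optional[date] = None  # most recent documented milestone
    closed: bool = False

def missing_fields(entry: PoamEntry) -> list:
    """Return the required fields that are blank; an entry with any is not a credible POA&M line."""
    return [f for f in REQUIRED_FIELDS if not getattr(entry, f)]

def is_stale(entry: PoamEntry, today: date, max_idle_days: int = 90) -> bool:
    """Open and either past its target date or idle longer than max_idle_days (assumed threshold)."""
    if entry.closed:
        return False
    if entry.target_date is not None and today > entry.target_date:
        return True
    last_touch = entry.last_progress or entry.opened
    return (today - last_touch).days > max_idle_days

def triage(entries, today):
    """Bucket entries: closed, incomplete (missing fields), stale (no credible timeline), credible."""
    result = {"incomplete": [], "stale": [], "credible": [], "closed": []}
    for e in entries:
        if e.closed:
            result["closed"].append(e.control)
        elif missing_fields(e):
            result["incomplete"].append(e.control)
        elif is_stale(e, today):
            result["stale"].append(e.control)
        else:
            result["credible"].append(e.control)
    return result

# Constructed sample POA&M mirroring the early-state gap pattern (MFA, EDR, IR tabletop, logging).
TODAY = date(2025, 6, 1)
SAMPLE = [
    PoamEntry("IA-priv-mfa", "MFA not enforced on 3 privileged accounts", "Enroll remaining admins in phishing-resistant MFA", "IT lead", date(2025, 4, 1), date(2025, 7, 1), last_progress=date(2025, 5, 20)),
    PoamEntry("SI-edr-cov", "EDR coverage at 88% of endpoints", "Deploy agent to remaining workstations", "IT lead", date(2025, 1, 10), date(2025, 3, 31)),
    PoamEntry("IR-tabletop", "IR plan never tabletop-tested", "", "", date(2025, 5, 15), None),
    PoamEntry("AU-logging", "No centralized log aggregation", "Deploy log collector; onboard servers", "Security lead", date(2025, 2, 1), date(2025, 5, 30), closed=True),
]
```

Running `triage(SAMPLE, TODAY)` separates the credible MFA entry from the overdue EDR entry and the unowned, undated tabletop entry, which is the distinction an assessor draws between transitional non-compliance and a POA&M that is just sitting open.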

What gaps cause the most remediation drag?

Three patterns drag remediation. First, network segmentation gaps where in-scope CUI systems share a flat network with non-scope systems, requiring real re-architecture. Second, logging and monitoring gaps where the firm has no aggregation tool and must select, deploy and configure one. Third, personnel-controls gaps in firms without formal HR processes for background checks, role-based access and termination procedures. Each can extend the arc by 30 to 60 days.

What does scope reduction (enclave architecture) mean?

Scope reduction is the architectural pattern of segregating CUI handling into a defined enclave (network segment, virtual desktop environment, dedicated tenant) so the rest of the environment is out of scope. A well-designed enclave reduces the in-scope footprint by 60 to 90 percent, which proportionally reduces tool spend, documentation burden and ongoing evidence collection. Most mid-market firms benefit from enclave-first design.

What does ongoing compliance look like after initial readiness?

Annual SSP review, quarterly access review, monthly evidence collection (EDR coverage, MFA enforcement, patch compliance, backup verification), annual IR tabletop, annual training refresh, ongoing POA&M tracking and continuous vulnerability management with documented remediation SLAs. The library that produced initial compliance has to be maintained, not just shelved. Firms that treat 800-171 as a one-time project fail the next assessment cycle.

Working with prime contractors and Atticus Rowan

The prime contractor sets the deadline. Atticus Rowan operates the program that produces the SSP, the technical posture and the ongoing evidence. The prime cannot make the firm compliant. The MSP cannot waive the requirement.

When should firms engage Atticus Rowan?

The earlier the better. The ideal point is when the prime-contractor flow-down letter arrives and a deadline is stated, typically 90 to 180 days out. Engaging at letter receipt produces the full 90-120 day arc with margin. Engaging at 30 days remaining compresses the work, drives POA&M-heavy submissions and accepts assessment risk that did not need to exist.

What does an Atticus Rowan 800-171 readiness engagement include?

A typical engagement covers: gap assessment against the 110 controls, scope reduction analysis (whether enclave architecture fits), technical remediation across the moderate and heavy-lift families, SSP authoring, POA&M setup, IR plan and tabletop, training rollout, evidence library setup, prime-contractor submission support and the ongoing compliance cadence post-submission. Engagements are scoped per organization with the 30-day assessment as the entry point.

Does Atticus Rowan handle CMMC certification?

We support 800-171 readiness, the underlying control set. We are not a CMMC C3PAO and do not perform third-party CMMC certification assessments. If a prime requires CMMC Level 2 certification, the firm needs both: an MSP to operate the security program (we cover this) and a C3PAO to perform the assessment (we coordinate but do not perform). The two roles do not overlap and both are required.

What outcomes do firms typically see?

Practical outcomes vary by starting posture. Typical engagements produce SSP delivered ahead of the prime's deadline, POA&M with credible remediation timelines for any residual gaps, technical posture aligned to the 110 controls and an evidence library that supports ongoing compliance and customer security questionnaires. The engagement also establishes a quarterly cadence that maintains posture across assessment cycles. The library compounds across renewals, customer questionnaires and federal-supply-chain expansion.

Flow-down landed?

If your prime contractor sent an 800-171 flow-down and you have 90 to 180 days to respond, schedule a conversation. We can walk through scope, identify whether enclave architecture fits, map the gap and scope what a credible 90-120 day arc looks like inside your prime's deadline.