
Everything Government Contractors Should Know About CMMC and NIST 800-171 Compliance

By Daniel Berger, Cybersecurity Engineer

Tags: CMMC, NIST 800-171, Compliance, Federal Government, DoD

NIST SP 800-171 became mandatory for federal contractors in 2017, with Revision 2 taking effect in February 2020. The framework applies to contractors and subcontractors that process, store, or transmit sensitive government data on behalf of the DoD, GSA, NASA, and other federal agencies.

The most significant recent change: CMMC has replaced contractor self-attestation. Independent third-party organizations now conduct accreditations — eliminating the “grade your own homework” model that undermined confidence in contractor security postures.

Understanding Controlled Unclassified Information (CUI)

CUI is information that a law, regulation, or government-wide policy requires to be safeguarded or subjected to dissemination controls. If your organization collects federal information, operates government systems, or provides protective services for such systems, you are handling CUI and must implement the required security controls.

Common attack vectors targeting CUI include phishing emails, ransomware, malware, spyware, rootkits, and trojans. Ransomware deserves particular attention: modern ransomware operators don’t just encrypt files. They exfiltrate their own copies of the data, demand payment for the decryption key, and threaten to publish the data publicly if the demand isn’t met.

The Five CMMC Levels

Level 1 — Basic Cyber Hygiene: Protects Federal Contract Information (FCI). Requires 17 foundational practices including antivirus software, basic password protocols, and access control. Annual self-assessment allowed.

Level 2 — Advanced Cyber Hygiene: Protects CUI. Aligns with the full 110-control NIST SP 800-171 Rev. 2 framework. Requires a third-party assessment (C3PAO) for most contractors. Some lower-risk cases may allow annual self-assessment.

Level 3 — Expert: Protects CUI against Advanced Persistent Threats (APTs). Incorporates a subset of NIST SP 800-172 practices on top of Level 2 requirements. Government-led assessments required.

Level 4 — Advanced: Proactively detects and responds to sophisticated persistent threats. Requires advanced protective standards beyond Level 3.

Level 5 — Optimized: Organization-wide capabilities for recognizing and countering the most advanced adversaries. Requires full institutionalization of cybersecurity practices across the enterprise.

The 14 Regulatory Categories of NIST SP 800-171

The NIST framework organizes its 110 controls into 14 categories:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

What Contractors Should Do Now

If you’re a DoD contractor and haven’t completed a NIST SP 800-171 self-assessment, start there. Document your current security posture honestly and identify the gaps. Build a System Security Plan (SSP) describing how each control is met, and a Plan of Action & Milestones (POA&M) for the controls that aren’t yet. Then work toward the CMMC level appropriate for the sensitivity of the CUI you handle.

The process takes time and resources — but the cost of non-compliance (loss of contracts, breach liability, reputational damage) far exceeds the investment in compliance.


CEdge has been delivering cybersecurity compliance services to DoD contractors and federal agencies for over 15 years, spanning operational management, system design, maintenance, and acquisition support. Contact us to discuss your CMMC readiness.
