NIST 800-171 r2
NIST Special Publication 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, defines 110 security requirements across 14 families for any organization that handles Controlled Unclassified Information (CUI) on behalf of the federal government. Compliance is required by DFARS clause 252.204-7012 and is the technical foundation for CMMC Level 2.
Infracast ships 114 automated rules covering all 110 NIST 800-171 r2 requirements, plus an integrated questionnaire workflow for practices that require human attestation.
Why NIST 800-171?
- Required for DoD contractors: Any company that receives, stores, processes, or transmits CUI on behalf of DoD must comply.
- CMMC alignment: CMMC Level 2 maps 1:1 to NIST 800-171 r2's 110 practices; passing 800-171 is passing CMMC L2.
- SPRS score: Self-assessment results must be reported to the DoD's Supplier Performance Risk System (SPRS) before contract award. Infracast calculates your SPRS score automatically.
- Contract prerequisite: DFARS 252.204-7012 mandates 800-171 compliance as a flow-down requirement to subcontractors.
Rule Coverage
Infracast evaluates all 14 requirement families:
| Family | ID | Rules | Key Requirements |
|---|---|---|---|
| Access Control | AC | 14 | Limit system access, control CUI flows, enforce least privilege |
| Awareness & Training | AT | 3 | Security training, insider threat awareness |
| Audit & Accountability | AU | 9 | Log generation, review, protection |
| Configuration Management | CM | 10 | Baseline configs, least functionality, user-installed software |
| Identification & Authentication | IA | 11 | MFA enforcement, password complexity, identifier management |
| Incident Response | IR | 6 | Detection, reporting, response, recovery |
| Maintenance | MA | 6 | Remote maintenance controls, sanitize media before release |
| Media Protection | MP | 9 | Media storage, access, transport, sanitization |
| Personnel Security | PS | 2 | Screen individuals, terminate access |
| Physical Protection | PE | 6 | Physical access controls |
| Risk Assessment | RA | 5 | Risk assessments, vulnerability scanning |
| Security Assessment | CA | 9 | System assessments, plan of action |
| System & Comms Protection | SC | 16 | Encryption, network segmentation, CUI in transit |
| System & Info Integrity | SI | 8 | Malware protection, patching, alerts |
| Total | | 114 | All 110 NIST 800-171 r2 requirements |
Infracast's 114 rules exceed the 110 requirements because some requirements generate multiple discrete rule checks (e.g., IA-3.083 generates separate checks for console access, API access, and privileged accounts).
SPRS Score Calculation
The Supplier Performance Risk System (SPRS) score ranges from -203 (maximum deficiencies) to +110 (all practices met). DoD uses this score to assess contractor risk prior to contract award. Federal law (10 U.S.C. § 3551) requires the score to be self-reported in SPRS before bidding on contracts containing DFARS 252.204-7012.
How Infracast Calculates SPRS
Each NIST 800-171 practice has a point value defined in DoD's assessment methodology. The point values of practices not met are subtracted from 110:

SPRS Score = 110 − Σ(point values of failing practices)
Infracast combines automated rule results and attested questionnaire responses to compute your score:
```http
# Get SPRS score and full breakdown
GET /api/v1/tenants/{tenantID}/compliance/summary?framework=nist-800-171

# Response
{
  "framework": "nist-800-171",
  "sprs_score": 94,
  "practices_passing": 104,
  "practices_failing": 6,
  "practices_attested": 12,
  "practices_not_assessed": 0,
  "score_breakdown": {
    "automated": 82,
    "attested": 12,
    "failing_deduction": -16
  },
  "assessment_date": "2026-04-24T00:00:00Z"
}
```
Self-reported SPRS scores must be submitted by your authorized representative at sprs.csd.disa.mil. Infracast calculates and documents your score but does not submit to SPRS on your behalf.
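The score arithmetic above, worked through as an added example (not Infracast code): it folds per-rule results (several rules can belong to one practice, as with IA-3.083) and questionnaire attestations into one status per practice, then applies the 110-minus-deductions formula. The 1/3/5 point weights are the DoD assessment methodology's scheme, but the practice-to-weight mapping, rule names and results below are constructed sample data.

```python
from collections import Counter, defaultdict

MAX_SCORE = 110  # every one of the 110 practices met

# Constructed sample data. Weights use the DoD methodology's 1/3/5 scheme;
# which weight goes with which practice ID here is illustrative only.
PRACTICE_POINTS = {"AC.1.001": 5, "IA.3.083": 5, "SC.3.177": 5, "AU.2.042": 3,
                   "CM.2.061": 3, "AT.2.056": 3, "MP.2.119": 3, "PE.1.131": 1}
# Hypothetical rule IDs; one practice may map to several rules
# (IA.3.083: console, API and privileged-account checks).
RULE_RESULTS = [
    ("AC.1.001", "ac-001-authorized-access", "pass"),
    ("IA.3.083", "ia-083-mfa-console", "pass"),
    ("IA.3.083", "ia-083-mfa-api", "fail"),
    ("IA.3.083", "ia-083-mfa-privileged", "pass"),
    ("SC.3.177", "sc-177-fips-validated-crypto", "fail"),
    ("AU.2.042", "au-042-audit-log-generation", "pass"),
    ("CM.2.061", "cm-061-baseline-configuration", "pass"),
]
# Constructed questionnaire answers for practices that need human attestation.
ATTESTATIONS = {"AT.2.056": True, "PE.1.131": False}

def practice_status(rule_results, attestations, points):
    """One status per practice: met only if every rule for it passes or it
    carries an affirmative attestation; a practice with no evidence at all is
    'not_assessed' and is scored as not met, so the score is never overstated."""
    rules = defaultdict(list)
    for practice, _rule_id, result in rule_results:
        rules[practice].append(result == "pass")
    status = {}
    for practice in points:
        if practice in rules:
            status[practice] = "pass" if all(rules[practice]) else "fail"
        elif practice in attestations:
            status[practice] = "attested" if attestations[practice] else "fail"
        else:
            status[practice] = "not_assessed"
    return status

def sprs_summary(status, points):
    """SPRS score = 110 - sum of point values of practices not met."""
    deduction = sum(points[p] for p, s in status.items() if s not in ("pass", "attested"))
    c = Counter(status.values())
    return {"sprs_score": MAX_SCORE - deduction,
            "practices_passing": c["pass"] + c["attested"],
            "practices_failing": c["fail"],
            "practices_attested": c["attested"],
            "practices_not_assessed": c["not_assessed"],
            "failing_deduction": -deduction}

if __name__ == "__main__":
    print(sprs_summary(practice_status(RULE_RESULTS, ATTESTATIONS, PRACTICE_POINTS), PRACTICE_POINTS))
```

With the full 110-practice catalogue in `PRACTICE_POINTS` the result is the reportable score; the eight-practice sample only shows the arithmetic, including how a single failing MFA check fails the whole practice and how an unassessed practice is deducted.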
Generating the SPRS Report
Generate a formal DFARS/NIST 800-171 self-assessment report for submission and records:
```http
POST /api/v1/tenants/{tenantID}/documents/generate
Content-Type: application/json

{
  "type": "far-dfars-compliance",
  "framework": "nist-800-171",
  "format": "pdf",
  "options": {
    "include_sprs_score": true,
    "company_name": "Acme Defense LLC",
    "cage_code": "1A2B3",
    "assessment_date": "2026-04-24",
    "signed": true
  }
}
```
Assessment Workflow
1. Scope Your CUI Enclave
Define the systems that store, process, or transmit CUI using Infracast Applications:
```http
POST /api/v1/tenants/{tenantID}/applications

{
  "name": "CUI Enclave",
  "tags": ["nist-171-in-scope", "cui"],
  "resource_ids": [
    "aws:us-east-1:aws.ec2.instance:cui-web-01",
    "aws:us-east-1:aws.rds.db_instance:cui-db"
  ]
}
```
2. Run Automated Assessment
```http
POST /api/v1/tenants/{tenantID}/findings/run

{
  "framework": "nist-800-171",
  "scope": "application:cui-enclave"
}
```
3. Complete Questionnaires for Non-Automatable Practices
Practices in AT (training), PE (physical), PS (personnel), and parts of IR/MA require human attestation. Assign the pre-built templates:
```http
# List available templates
GET /api/v1/tenants/{tenantID}/questionnaires/templates?framework=nist-800-171

# Create a questionnaire from a template
POST /api/v1/tenants/{tenantID}/questionnaires/from-template

{
  "template_id": "nist171-at",
  "title": "NIST 800-171 AT Assessment - Q2 2026",
  "assignees": ["training-lead@company.com"],
  "due_date": "2026-05-15"
}
```
4. Generate SSP and SPRS Documentation
```http
# Generate System Security Plan for NIST 800-171
POST /api/v1/tenants/{tenantID}/documents/generate

{
  "type": "ssp",
  "framework": "nist-800-171",
  "format": "docx"
}
```
5. Export Compliance Report
```http
POST /api/v1/tenants/{tenantID}/reports/generate

{
  "type": "framework",
  "framework": "nist-800-171",
  "format": "pdf",
  "options": {
    "include_sprs_score": true,
    "signed": true
  }
}
```
DFARS 252.204-7012 Compliance
NIST 800-171 compliance is mandated by DFARS clause 252.204-7012. Infracast provides a dedicated DFARS 252.204-7012 Rule Pack with 19 rules that specifically map to the clause's reporting and safeguarding requirements, distinct from the broader 800-171 technical practices.
Key DFARS 252.204-7012 requirements covered:
| Requirement | Description | Automated |
|---|---|---|
| CDI identification | Identify and label Covered Defense Information | Yes |
| Rapid reporting | 72-hour incident reporting to DoD Cyber Crime Center (DC3) | Questionnaire |
| Media sanitization | Destroy media containing CDI before disposal | Yes |
| Cloud provider requirements | CSP must meet FedRAMP Moderate or equivalent | Yes |
| Subcontractor flow-down | Ensure sub-contractors handle CDI per 252.204-7012 | Questionnaire |
See the dedicated DFARS 252.204-7012 section in the FAR/DFARS Compliance Reports API docs for report generation.
Pre-Built Questionnaire Templates
| Template ID | Family | Practices Covered |
|---|---|---|
| nist171-at | Awareness & Training | AT.2.056, AT.2.057, AT.3.058 |
| nist171-pe | Physical Protection | PE.1.131, PE.1.132, PE.2.135, PE.3.136 |
| nist171-ps | Personnel Security | PS.2.127, PS.3.131 |
| nist171-ir | Incident Response | IR.2.092, IR.2.093, IR.2.097 |
| nist171-ma | Maintenance | MA.2.111, MA.2.112, MA.3.115 |
| nist171-dfars | DFARS 252.204-7012 | Reporting, flow-down, cloud requirements |
Next Steps
- CMMC Guide: CMMC Level 2 is built on NIST 800-171
- DFARS Compliance Reports: Generate formal SPRS documentation
- Assessment & Questionnaire System: Manage attestations for non-automatable practices
- SSP Generator: Auto-generate your System Security Plan