RiskWatch
NIST 800-171 r3 · DFARS · CMMC Phase 2 · Nov 10, 2026

Are you accidentally a DoD contractor?

If your contract touches CUI, through an aerospace prime, a federal civilian agency, or any DFARS clause that flowed down to you, you're on the hook for all 110 NIST 800-171 controls. Most teams find out when their prime asks for the SPRS score. CMMC Phase 2 is enforceable November 10, 2026.

  • All 110 NIST 800-171 r3 controls + 320 assessment objectives
  • DFARS 252.204-7012 flow-down tracker through Tier 4 suppliers
  • CMMC L1 / L2 / L3 readiness on the same library
  • For procurement teams: supplier portal with cascade verification
What it is

What is NIST 800-171 compliance software?

Your DoD primes will ask for your SPRS score before the next renewal. CMMC Phase 2 is enforceable November 10, 2026. RiskWatch tracks all 110 NIST 800-171 r3 controls plus the 320 assessment objectives a C3PAO actually grades against, fans DFARS 252.204-7012 flow-down out through Tier 4 suppliers, and walks L1 / L2 / L3 readiness on the same library. Most teams think in practices and miss assessment-objective (AO) level documentation; that is the actual failure mode.

Why teams move to RiskWatch

45% of contractors haven't read the standard. The other 55% can't agree what it means.

Hard data from the NDIA survey: less than 60% of DIB contractors had read the cybersecurity clause; half of those found it hard to understand; 45% hadn't read the 800-171 guidelines at all. The pain isn't the technical controls; it's knowing what's in scope, what the controls actually require, and how to document compliance for a DoD assessment.

Pain #1

Where does CUI live in your environment? You're guessing.

The hardest challenge contractors face is determining whether a system is processing covered defense information (CDI/CUI) and is therefore in DFARS 252.204-7012 scope. NIST's boundary guidance is high-level and does little to address real-world network architecture. The CUI scope wizard walks the systems-classification flow auditors expect (in-scope, connected-to, out-of-scope), with boundary-justification documentation captured automatically.

Pain #2

Documentation difficulty exceeds technical implementation difficulty.

Implementing access controls, encryption and MFA is tractable. Producing the System Security Plan (SSP), incident response plan, and audit log review documentation that an assessor can navigate is what derails most contractors. RiskWatch generates the SSP, POA&M, and incident response plan from the same control library: versioned, exportable, and structured the way DoD assessors expect.

Pain #3

Self-attest to SPRS. POA&M for what's left. DoD reads the score.

The SPRS submission is one number that DoD source-selection officials read. An 88/110 with a documented POA&M reads differently than a 110/110 with no evidence. RiskWatch auto-calculates the SPRS score from your control implementation status, with POA&M items prioritized by SPRS-score impact. Submit the right score with the right backing evidence.

  • 110 NIST 800-171 r3 controls across 14 families
  • 4 DFARS clauses covered: 252.204-7012 · 7019 · 7020 · 7021
  • 13 frameworks aligned per assessment, including 800-171 r3 · CMMC 2.0 L2 · 800-171A assessment
The NIST 800-171 platform

Every module a DoD contractor needs, in one platform.

Sixteen modules sharing the 800-171 r3 catalog, CUI inventory, and SSP/POA&M artifacts. Built around the CUI scope determination so the rest of the assessment flows from a defensible boundary.

DFARS Dashboard

SPRS score at a glance

Per-family compliance %, SPRS score trend, POA&M closure rate, DFARS clause coverage.

800-171 r3 Catalog

All 110 controls · 14 families

Access Control, Awareness & Training, Audit, CM, IR, Maintenance, Media, Personnel, Physical, RA, SA, SC, SI, plus newly-renumbered r3 families.

CUI Scope Wizard

The #1 contractor pain solved

Walks systems-classification flow: in-scope (processes/stores/transmits CUI), connected-to (provides services), out-of-scope. Boundary justification captured.

SSP Generator

System Security Plan auto-built

SSP per 800-171A assessment procedures. Per-control implementation statement + evidence linkage. Versioned, exportable as PDF/Word.

POA&M Tracking

Plan of Action & Milestones

Open findings + milestone dates + risk ratings + remediation evidence. Prioritized by SPRS-score impact.

SPRS Score Submission

DoD-format basic assessment

Auto-calculate SPRS score from control implementation status. Submit per DFARS 252.204-7019. Track score across assessment cycles.

CMMC 2.0 L2 Alignment

Same controls, two deliverables

All 110 NIST 800-171 controls overlap CMMC 2.0 Level 2. Score 800-171, get CMMC 2.0 readiness automatically.

Incident Reporting

DFARS 7012 72-hour clock

Incident reporting per DFARS 252.204-7012(c), 72-hour notification to DoD via DIBNet. Templates and audit trail.

Continuous Monitoring

DFARS is ongoing, not one-time

Continuous compliance: DFARS adherence is required across the contract lifecycle. Quarterly reassessment cadence per family.

Cloud Service Provider tracking

DFARS 7012(b) flow-down

Track CSPs handling CUI on your behalf. Verify FedRAMP Moderate baseline. Maintain DFARS flow-down clauses.

Personnel Training (3.2)

Awareness + role-based + insider threat

Schedule, deliver, and attest per controls 3.2.1, 3.2.2, and 3.2.3. Evidence per workforce member.

Cross-Framework Mapping

800-171 + CMMC + 800-53 + ISO 27001

Each control maps to CMMC 2.0 practice + NIST 800-53 r5 control + ISO 27001 Annex A control + CIS v8 safeguard.

Bulk Tools

Import 200 systems in 5 minutes

Bulk import asset register, system inventory, prior assessments. CMDB sync. Customize fields without IT.

Audit Trail

"Who closed 3.5.3?" answered instantly

Timestamped log of every score change, evidence upload, POA&M closure. C3PAO-grade for CMMC overlay.

Self-Assessment Engine

Per 800-171A procedures

Question-by-question scoring against the 800-171A assessment objectives. SPRS-aligned scoring methodology.

Subcontractor Flow-Down

DFARS 7012(m) cascade

Track DFARS clause flow-down to subcontractors handling CUI. Verify their compliance before contract execution.

All 110 controls · 14 families

From Access Control to System & Information Integrity.

NIST 800-171 r3 organizes 110 controls into 14 families. Some families (Access Control, Audit, IR, RA) carry most of the SPRS-score weight; others are quick wins. RiskWatch ships with all 110 r3 controls, the 800-171A assessment procedures per control, and SPRS-impact ranking so you prioritize the right gaps first.

  • 3.1 Access Control (22 controls): the heaviest family; MFA, least privilege, remote access, mobile devices
  • 3.3 Audit & Accountability (9 controls): audit logging, time stamps, audit log protection, audit reduction
  • 3.5 Identification & Authentication (11 controls): MFA for privileged + remote (3.5.3), authenticator management, FIPS-validated crypto
  • 3.6 Incident Response (3 controls): IR capability, IR testing, IR tracking
  • 3.11 Risk Assessment (3 controls): risk assessments, vulnerability scanning, ranking
  • 3.13 System & Communications Protection (16 controls): network segmentation, encryption, FIPS-validated crypto in transit + at rest
  • 3.14 System & Information Integrity (7 controls): flaw remediation, malicious code, system monitoring, security alerts
NIST 800-171 r3 · key families (dashboard mock-up): 3.1 Access Control (22 controls), 3.2 Awareness & Training (3), 3.3 Audit & Accountability (9), 3.4 Configuration Management (9), 3.5 Identification & Authentication (11), 3.6 Incident Response (3), 3.11 Risk Assessment (3), 3.13 System & Comms Protection (16), 3.14 System & Info Integrity (7). All 14 families · 110 controls · SPRS-ready submission.

One assessment, one control library, cross-mapped to ISO 27001, SOC 2, HIPAA, NIST CSF, PCI DSS, GDPR.
Cross-framework mapping

NIST 800-171 + CMMC 2.0 + NIST 800-53 + ISO 27001.

NIST 800-171 is the foundation; CMMC 2.0 Level 2 is the same 110 controls plus a third-party assessment requirement, and CMMC 2.0 Level 3 adds 24 controls from 800-172. RiskWatch maps every 800-171 control to its CMMC 2.0 practice, NIST 800-53 r5 parent control, ISO 27001 Annex A counterpart, and CIS v8 safeguard. Score 800-171 once, see CMMC 2.0 readiness automatically.

  • CMMC 2.0 Level 2: all 110 NIST 800-171 controls + 320 assessment objectives; same data, different deliverable
  • CMMC 2.0 Level 3: Level 2 + 24 controls from NIST 800-172 enhanced security
  • NIST 800-53 r5: parent controls; most 800-171 controls derive from the FedRAMP Moderate baseline
  • ISO 27001:2022 Annex A: for international contractors running ISO + 800-171
  • NIST CSF 2.0: outcome-based mapping for board reporting
DFARS clauses · 4

The four clauses that drive 800-171 compliance.

  • DFARS 252.204-7012: Safeguarding Covered Defense Information + 72-hour cyber incident reporting
  • DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements (SPRS submission)
  • DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements (Basic / Medium / High)
  • DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements (CMMC 2.0 cascade)

How it works

From CUI scoping to SPRS submission in five stages.

Most teams complete CUI scope determination, the foundation for everything else, in their first week. SPRS submission is the milestone that makes you eligible for new contracts.

Stage 01 · Day 1-3 · Scope CUI
The CUI scope wizard walks the systems-classification flow. Document boundary justifications. CMDB sync auto-classifies systems.

Stage 02 · Week 1-3 · Score 110 controls
Question-by-question scoring against 800-171A assessment objectives. Evidence linked per control. Auto-fill from prior assessments.

Stage 03 · Week 4-6 · SSP + POA&M
System Security Plan generated from the control library. POA&M for not-yet-implemented controls. Prioritized by SPRS-score impact.

Stage 04 · Continuous · Submit + monitor
SPRS score submitted per DFARS 252.204-7019. Continuous monitoring + quarterly reassessment. POA&M items tracked to closure.

Stage 05 · On-demand · DoD source-selection ready
SPRS score visible to DoD contracting officials. SSP + POA&M evidence packaged for assessor review. CMMC 2.0 Level 2 readiness 80%+ complete.

Customer stories

The DFARS scoping that stopped getting flagged.

Real DoD contractors. Real CUI scope decisions defended. Real SPRS scores submitted on time.

“The CUI scope wizard caught two systems we'd under-scoped. Documentation our last assessor said was ‘the best he'd seen.’”
Cassidy D. · Cybersecurity Lead · DIB contractor · 600 employees · CMMC 2.0 L2 in flight
SPRS score 88/110 (↑ from 62/110 prior) · CUI systems scoped: 23, with boundary justification · Time-to-deploy: 4 weeks to first SPRS submission

“Self-assessment used to be a 6-week project. Now it's continuous. SPRS score updates automatically when controls change.”
Marcus R. · ISSO · Aerospace contractor · 1,800 employees

“We're pursuing CMMC 2.0 Level 2 by Phase 2. Cross-framework mapping means our 800-171 work translates directly to CMMC readiness, same controls, two deliverables.”
Jenna A. · VP Compliance · Mid-tier defense supplier · 800 employees

“DFARS flow-down to our subcontractors was killing us with spreadsheets. Subcontractor module catches missing flow-downs at intake, before contracts execute.”
Tom K. · Director of Contracts · DoD contractor · 4,200 employees
Cross-mapped frameworks

Plus every framework on the DoD/Federal contracting path, cross-mapped.

NIST 800-171 is the foundation; CMMC 2.0, NIST 800-53, and ISO 27001 all cascade from the same control work. Score once, satisfy multiple.

  • NIST 800-171 r3: 110 controls · 14 families
  • NIST 800-171A r3: assessment procedures
  • CMMC 2.0 Level 1: Foundational (15 practices)
  • CMMC 2.0 Level 2: Advanced (110 practices)
  • CMMC 2.0 Level 3: Expert (110 + 24 from 800-172)
  • NIST 800-172: enhanced security for high-value CUI
  • NIST 800-53 r5: federal control catalog
  • ISO 27001:2022: ISMS · Annex A controls
  • FedRAMP Moderate: for cloud handling CUI
  • NIST CSF 2.0: outcome-based mapping
  • FAR 52.204-21: basic safeguarding
  • ITAR: export-controlled data
  • DFARS 7019/7020: assessment requirements
  • DIBNet reporting: DFARS 7012(c) 72hr
  • +20 more: custom on request
Free resources

Take RiskWatch home before you sign anything.

Three downloads. Use them to evaluate, share with your subcontractors, or build the DFARS readiness business case.


NIST 800-171 r3 Self-Assessment Checklist

Thirty-six pages walking all 110 controls across 14 families with 800-171A assessment procedures and the SPRS scoring methodology. Includes the CUI scope determination worksheet.

  • All 110 controls + 800-171A procedures
  • CUI scope determination worksheet
  • SPRS scoring methodology

SSP + POA&M Template Pack

DFARS-aligned System Security Plan template + Plan of Action & Milestones template + DFARS clause flow-down checklist for subcontractors.

  • DFARS-aligned SSP template
  • POA&M with milestone dates
  • Subcontractor flow-down checklist

NIST 800-171 + CMMC Platform Buyer's Guide

Vendor scorecard, CUI scope determination depth, SSP/POA&M generation features, CMMC 2.0 readiness alignment, pricing.

  • Feature matrix · 6 vendors
  • CMMC 2.0 alignment scorecard
  • Pricing benchmarks
FAQ

Common questions, answered up front.

About NIST 800-171 r3, DFARS clauses, CUI scope determination, SPRS score submission, SSP/POA&M, and how RiskWatch covers all of them.

What is NIST 800-171 compliance software?
NIST 800-171 compliance software is a platform that helps DoD contractors and federal contractors handling Controlled Unclassified Information (CUI) achieve and maintain compliance with NIST SP 800-171 r3, required by DFARS clause 252.204-7012. RiskWatch covers all 110 controls across 14 families, the DFARS clause requirements (7012, 7019, 7020, 7021), CUI scope determination, SSP and POA&M generation, SPRS score submission, and CMMC 2.0 Level 2 alignment, since CMMC 2.0 Level 2 is built directly on NIST 800-171.
What's the difference between NIST 800-171 and CMMC 2.0?
NIST 800-171 is the standard: the 110 controls that handlers of CUI must implement. CMMC 2.0 is the assessment and certification model layered on top. CMMC 2.0 Level 1 (Foundational) covers 15 practices from FAR 52.204-21. Level 2 (Advanced) covers all 110 NIST 800-171 controls + 320 assessment objectives. Level 3 (Expert) adds 24 controls from NIST 800-172. Today most contractors self-attest to NIST 800-171 via SPRS; by November 10, 2026 (CMMC Phase 2), Level 2 contracts involving CUI will require third-party C3PAO certification.
How does CUI scope determination work?
CUI scope determination is the foundation of any 800-171 implementation, and the most common contractor failure point. The wizard walks the systems classification flow: which systems process, store, or transmit CUI (in-scope), which connect to in-scope systems but don't handle CUI directly (connected-to), and which have no logical connection (out-of-scope). For each in-scope system, you document the CUI category, source contract, retention requirements, and boundary justification. CMDB sync auto-classifies systems where possible. The boundary diagrams generate automatically and become part of your SSP.
What is the SPRS score and how is it submitted?
The Supplier Performance Risk System (SPRS) score is the DoD's mechanism for tracking contractor self-assessments per DFARS 252.204-7019. It's a single number from -203 to +110: start at 110 and subtract weighted points for each not-yet-implemented control (most worth 1, 3, or 5 points; some worth 5 or higher). DoD source-selection officials use the SPRS score in award decisions. RiskWatch auto-calculates the SPRS score from your control implementation status and walks you through the SPRS submission process.
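A worked example of the scoring rule just described, added here and not RiskWatch's own code: it computes an SPRS score from control implementation status and ranks the open items by the points each would regain, which is what "POA&M prioritized by SPRS-score impact" means in practice. The sample control set and its weights are constructed for illustration (authoritative per-requirement weights are in the DoD Assessment Methodology annex); the 3-point partial-credit rule for 3.5.3 and 3.13.11 is the one that methodology defines.

```python
"""SPRS score + POA&M prioritization (added example, not RiskWatch code)."""
from dataclasses import dataclass

MAX_SCORE = 110  # a fully implemented 800-171 self-assessment


@dataclass(frozen=True)
class Control:
    req_id: str   # NIST 800-171 requirement number, e.g. "3.5.3"
    title: str
    weight: int   # points lost when not implemented: 1, 3 or 5
    status: str   # "implemented" | "partial" | "not_implemented"


# DoD Assessment Methodology partial-credit rule: only these two requirements
# lose 3 instead of 5 points when partially implemented
# (3.5.3: MFA for remote/privileged but not general users;
#  3.13.11: encryption in use but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


def deduction(c: Control) -> int:
    """Points subtracted for one control under the scoring rule."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.req_id]
    # Any other partial implementation scores as not implemented.
    return c.weight


def sprs_score(controls: list[Control]) -> int:
    return MAX_SCORE - sum(deduction(c) for c in controls)


def _numeric(req_id: str) -> tuple[int, ...]:
    return tuple(int(p) for p in req_id.split("."))


def poam_by_impact(controls: list[Control]) -> list[tuple[str, str, int]]:
    """Open items as (req_id, title, points regained), highest impact first."""
    open_items = [(deduction(c), c) for c in controls if deduction(c) > 0]
    open_items.sort(key=lambda t: (-t[0], _numeric(t[1].req_id)))
    return [(c.req_id, c.title, pts) for pts, c in open_items]


# Constructed sample: a handful of the 110 requirements. Weights here are
# illustrative placeholders; take the real ones from the methodology annex.
SAMPLE = [
    Control("3.1.1", "Authorized access control", 5, "implemented"),
    Control("3.1.20", "External connections", 1, "not_implemented"),
    Control("3.3.1", "Audit logging", 5, "partial"),  # no partial credit
    Control("3.5.3", "MFA for privileged + remote", 5, "partial"),
    Control("3.6.1", "Incident handling capability", 5, "not_implemented"),
    Control("3.11.2", "Vulnerability scanning", 5, "not_implemented"),
    Control("3.13.11", "FIPS-validated cryptography", 5, "partial"),
    Control("3.14.1", "Flaw remediation timelines", 5, "not_implemented"),
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE))  # 83 for the sample above
    for req_id, title, pts in poam_by_impact(SAMPLE):
        print(f"  {req_id:8} -{pts}  {title}")
```

Note that 3.3.1 marked "partial" costs the full 5 points: outside the two named requirements the methodology gives no partial credit, so a half-finished control does nothing for the score until it is closed.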
What is the SSP and POA&M?
The System Security Plan (SSP) is a structured document describing how each NIST 800-171 control is implemented in your environment, required by DFARS clause 252.204-7012. The Plan of Action & Milestones (POA&M) tracks controls that aren't fully implemented yet, with milestone dates for completion. RiskWatch generates both from the same control library: every control has implementation evidence linked, and any not-yet-implemented control auto-creates a POA&M item. Both export as PDF/Word in the format DoD assessors expect.
How does NIST 800-171 r3 differ from r2?
NIST 800-171 r3 (released May 2024) is the current revision. Significant changes from r2: control numbering reorganized; some controls consolidated (r2 had 110, r3 has 110 but different mappings); requirements language clarified to reduce assessor interpretation variance; added explicit alignment with NIST 800-53 r5 parent controls. r2 remains the basis for current DFARS contracts until DoD updates clauses to reference r3. RiskWatch supports both r2 (legacy) and r3 (current) with mapping between them.
How long does NIST 800-171 implementation take?
Realistic timeline: 6-12 months from initial gap assessment to a defensible self-assessment and a clean POA&M. It is highly variable based on existing security maturity, scope size, and how aggressively you can implement technical controls. Companies starting from minimal security typically need 12 months; companies with mature security can compress to 4-6 months. SPRS submission can happen earlier with a documented POA&M (DoD doesn't require 110/110 to bid), but the score visibility affects source selection.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access, every NIST 800-171 r3 control, the CUI scope wizard, SSP/POA&M generation, SPRS scoring, DFARS clause coverage, and CMMC 2.0 Level 2 alignment. You can run a real self-assessment against your own environment and decide before purchasing.
Ready to scope CUI?

Run your CUI scope wizard this week.

Start a 30-day free trial, every NIST 800-171 r3 control, the CUI scope wizard, SSP/POA&M generation, SPRS scoring, DFARS coverage, and CMMC 2.0 Level 2 alignment. No credit card required.
