
When NIST 800-171 and CUI Matter for Your Business

If you're bidding on federal contracts or subcontracting for someone who does, NIST 800-171 isn't optional.

Last updated: March 20, 2026

You run a fabrication shop in Port Arthur. A major defense contractor is looking for local suppliers. They want to subcontract some of their manufacturing work to you. The parts will include technical specifications.

You want the contract. The defense contractor emails you a spreadsheet: "Complete this CUI flows assessment before we can proceed."

You have no idea what CUI is. Neither does your IT guy. Neither does your lawyer.

This is the moment NIST 800-171 becomes your problem.

What this solves (in real business terms)

NIST 800-171 is a federal security standard for protecting "Controlled Unclassified Information" (CUI) in non-federal systems. If a federal agency shares CUI with you, or if you're a subcontractor handling CUI from a prime contractor, you are legally required to meet this standard.

It's not a suggestion. It's a contract requirement. Fail to meet it, and you lose the contract—or worse, you get the contract and then fail an audit.

What can go wrong

The $30 million False Claims Act case. In 2023, a government contractor was fined $30 million for falsely certifying NIST 800-171 compliance. They had a checklist. They didn't actually implement the requirements. When an audit happened, the gap was obvious.

The subcontractor cut. A defense prime contractor audited their supply chain in 2022. 40% of their small business subcontractors failed the initial assessment. They lost their subcontracts—not because of performance, but because they couldn't demonstrate security compliance.

The stolen laptop scenario. A defense contractor employee left a laptop in a car. The laptop contained CUI about an ongoing weapons program. It was stolen. The contractor had to report the incident to DoD, launch an investigation, and spend $500,000 on remediation—including replacing the affected program components.

Your IT guy's advice is wrong. Most IT professionals have never worked with federal security requirements. Their "best practices" recommendations may not meet NIST 800-171 specifications. I've seen IT shops spend $50,000 on the wrong solutions.

Do you actually need to comply?

You need NIST 800-171 compliance if:

  • You have a federal contract that specifies CUI handling requirements
  • You're a subcontractor to someone who has CUI requirements flowing down to you
  • You have DFARS clauses in your contracts
  • You receive, process, or store information marked as CUI

You probably don't need to comply if:

  • You only do commercial (non-government) work
  • No contract has mentioned CUI, DFARS, or NIST 800-171
  • You're a supplier to a commercial company with no federal contracts

If you're not sure: ask the contracting officer or prime contractor. If they say you don't need it, get that in writing.

What it costs (honest ranges)

| What | What you'll pay |
|------|----------------|
| Initial self-assessment (DIY with guidance) | $0–$2,000 |
| Gap assessment by a CMMC consultant | $5,000–$20,000 |
| Plan of Action and Milestones (POA&M) development | $3,000–$10,000 |
| Implementing required security controls (varies widely) | $10,000–$100,000+ |
| Third-party assessment (when required) | $20,000–$50,000 |
| Annual maintenance and monitoring | $5,000–$20,000/year |

The range is wide because requirements depend on your current infrastructure. A shop with modern Windows systems and managed IT will spend far less than one running Windows Server 2012 with no patching.

Minimum viable implementation

  1. Identify whether CUI is actually in your environment. Search your files, email, and systems for: contract numbers, program names, technical specifications from government contacts, anything marked "CUI" or "FOUO."

  2. Run a self-assessment against NIST 800-171's 110 security requirements. Use the NIST self-assessment handbook (SP 800-171A). Focus on the 14 families of requirements.

  3. Create a Plan of Action and Milestones (POA&M). For each requirement you don't meet, document: the gap, the required remediation, the responsible party, and the completion date.

  4. Address the high-impact, low-effort items first:

    • Multi-factor authentication (requirement 3.5.3)
    • Media protection and sanitization (requirements 3.8.x)
    • Audit logging for account management (requirements 3.1.2, 3.1.1)
    • Incident response plan (requirement 3.6.1)

  5. Document everything. NIST 800-171 compliance is 20% technical, 80% documentation. You need to prove you did what you said you did.

  6. Get a CMMC-registered assessor when required. Starting in 2025, many contracts will require third-party certification through the Cybersecurity Maturity Model Certification (CMMC) program.
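Step 1 in practice, as an added example that is not part of the original article: a small Python inventory script that walks a directory, flags plain-text files carrying CUI banner markings, legacy "FOUO" markings, or DoD-style contract numbers, and lists files it could not read as text so you know which ones still need a manual or extraction-based pass. The marking forms it matches ("CUI" or "CONTROLLED" with optional "//CATEGORY" segments, "FOUO", "FOR OFFICIAL USE ONLY") and the 13-character contract number shape are the author's assumptions about common conventions, not a complete list; the sample files are constructed for the demo.

```python
"""Step 1 helper: inventory text files that carry CUI/FOUO markings or contract numbers.

Added example, not from the article. Scans plain-text formats only; Office, PDF and CAD
files are reported as "unscanned" so they get a text-extraction pass or a manual look.
"""
import re
import tempfile
from pathlib import Path

# Assumed banner-marking forms: "CUI" or "CONTROLLED", optionally followed by
# "//CATEGORY/CATEGORY" and dissemination segments (e.g. CUI//SP-CTI//NOFORN), plus the
# legacy "FOUO" / "FOR OFFICIAL USE ONLY". Case-sensitive on purpose so "cuisine" or a
# surname "Cui" do not match. Tune this for the markings your prime actually uses.
MARKING_RE = re.compile(
    r"\b(?:CUI|CONTROLLED)(?://[A-Z0-9-]+(?:/[A-Z0-9-]+)*)*\b"
    r"|\bFOUO\b|\bFOR OFFICIAL USE ONLY\b"
)

# Assumed DoD contract number shape: 6-char issuing office code, 2-digit fiscal year,
# 1-letter instrument type, 4-digit serial (e.g. W911NF-23-C-0042, a constructed value).
CONTRACT_RE = re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b")

# Only these are read directly; anything else is reported as needing extraction.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".eml", ".log", ".json", ".xml"}


def find_indicators(text: str) -> dict[str, list[str]]:
    """Return the distinct markings and contract numbers found in one document's text."""
    return {
        "markings": sorted(set(MARKING_RE.findall(text))),
        "contracts": sorted(set(CONTRACT_RE.findall(text))),
    }


def scan_tree(root: Path) -> tuple[dict[str, dict[str, list[str]]], list[str]]:
    """Walk a directory; return (files with at least one indicator, files not scanned)."""
    hits: dict[str, dict[str, list[str]]] = {}
    unscanned: list[str] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in TEXT_SUFFIXES:
            unscanned.append(rel)  # CAD/Office/PDF: needs a text-extraction step first
            continue
        found = find_indicators(path.read_text(encoding="utf-8", errors="replace"))
        if found["markings"] or found["contracts"]:
            hits[rel] = found
    return hits, unscanned


# Constructed sample files (not real documents) so the scan runs offline.
SAMPLE_FILES = {
    "quotes/bracket-rfq.txt": (
        "CUI//SP-CTI\nMachining tolerances for bracket P/N 9931-A. "
        "Contract W911NF-23-C-0042.\nCUI//SP-CTI"
    ),
    "email/prime-intro.eml": "Subject: onboarding\n\nPlease complete the attached CUI flows assessment.",
    "hr/lunch-menu.txt": "Tuesday: Cajun cuisine. Controlled portions.",  # must NOT match
    "legacy/old-drawing-notes.txt": "FOR OFFICIAL USE ONLY - rev B notes",
    "cad/bracket.step": "ISO-10303-21; CUI//SP-CTI",  # skipped by suffix filter, reported
}


def make_sample_tree(base: Path) -> Path:
    """Write the constructed sample files under base and return base."""
    for rel, body in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return base


def run_demo() -> tuple[dict[str, dict[str, list[str]]], list[str]]:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(make_sample_tree(Path(tmp)))


if __name__ == "__main__":
    hits, unscanned = run_demo()
    for rel, found in hits.items():
        print(f"{rel}: markings={found['markings']} contracts={found['contracts']}")
    print("needs text extraction before scanning:", unscanned)
```

Point the scan at your file server, mailbox exports and engineering shares, then treat every hit as a candidate CUI location to confirm with the prime rather than a final answer; the list of unscanned files is as important as the hits, because drawings and spreadsheets are where technical data usually lives.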

Vendor questions (copy/paste)

When working with consultants on NIST 800-171:

  1. "Are you CMMC-registered or certified? What's your C3PAO status?"

  2. "What's your experience with organizations of our size and industry?"

  3. "Can you conduct a gap assessment against the actual NIST 800-171 requirements, not just general security best practices?"

  4. "Will you provide a prioritized POA&M that we can track progress against?"

  5. "Do you have experience preparing organizations for CMMC assessments?"

  6. "What's your approach to documentation—do you help us build the evidence we need for an audit?"

When to hire help

Hire a CMMC consultant if:

  • You've been awarded a contract with DFARS clauses and a CUI flow-down requirement
  • You're pursuing a defense contract and want to pre-position for compliance
  • You've had a security incident involving government information
  • You're within 12 months of a CMMC assessment deadline
  • Your current IT provider doesn't understand federal security requirements

The right consultant pays for themselves. The wrong one gives you a checkbox that fails on the first audit.

Need Help Implementing This?

If you'd like guidance tailored to your specific infrastructure, we offer focused consultations. No sales pressure, just practical next steps.