NIST 800-171 Compliance for Small Government Contractors: What 110 Controls Actually Mean for a 20-Person Shop
NIST 800-171 has 110 controls, 14 families, and a self-assessment process most small contractors get wrong. Here's the practical guide to scoring, documentation, and the four families that trip up SMBs the most.
NIST 800-171 compliance is the implementation of 110 security controls across 14 families on any non-federal information system that processes, stores, or transmits Controlled Unclassified Information under a DoD contract, evidenced by a System Security Plan, a Plan of Action and Milestones, and a self-assessment score posted to SPRS. FieldLedger does not generate the SSP itself, but it provides the DCAA-grade audit log, role-based access enforcement, and seven-year retention that map directly to the Audit and Accountability (3.3) and Access Control (3.1) families small contractors most often lose points on.
If you handle Controlled Unclassified Information on a federal contract, you owe DoD a NIST 800-171 self-assessment. That's a score from -203 to 110, posted to the Supplier Performance Risk System (SPRS), implementing 110 separate security controls across 14 families. Most small contractors discover this after they've already won the contract and the contracting officer asks for the SPRS score.
This is the practical guide. Not the marketing version, not the consultant-pitch version. What the controls actually require, where SMBs lose the most points, what documentation an auditor will actually accept, and how DCAA-compliant accounting data overlaps with the audit-trail half of the framework.
Why NIST 800-171 exists
The DFARS 252.204-7012 clause has been in every contract that touches Controlled Unclassified Information (CUI) since December 2017. That clause says you must safeguard CUI to the standard defined in NIST Special Publication 800-171. The most recent revision in active enforcement is Rev 2; Rev 3 is finalized but DoD is still phasing it in via DFARS rule updates.
The 7012 clause was largely unenforced until 2020, when DoD added the DFARS 252.204-7019 (assessment) and 7020 (NIST SP 800-171 DoD Assessment Methodology) clauses. That's when self-attestation became measurable. Today, no SPRS score means the contracting officer can't legally award you a CUI-bearing contract.
CMMC 2.0 layers a third-party verification regime on top of NIST 800-171 for contracts above certain CUI sensitivity thresholds. We cover CMMC separately. NIST 800-171 is the foundation; CMMC is the audit of that foundation.
The 14 control families and what each one actually means
| Family | Controls | What it actually covers |
|---|---|---|
| 3.1 Access Control | 22 | Who can log in, what they can see, session timeouts, mobile/remote access |
| 3.2 Awareness and Training | 3 | Annual security training for everyone with CUI access |
| 3.3 Audit and Accountability | 9 | What gets logged, log retention, who reviews logs |
| 3.4 Configuration Management | 9 | Approved software, hardening baselines, change control |
| 3.5 Identification and Authentication | 11 | MFA, password complexity, account lifecycle |
| 3.6 Incident Response | 3 | Detection, reporting (72-hour rule), recovery |
| 3.7 Maintenance | 6 | Who can touch the systems, remote maintenance auth |
| 3.8 Media Protection | 9 | Removable media, sanitization before disposal, transport |
| 3.9 Personnel Security | 2 | Background screening, account termination on offboarding |
| 3.10 Physical Protection | 6 | Facility access, escort visitors, alternate work sites |
| 3.11 Risk Assessment | 3 | Annual risk assessment, vulnerability scanning |
| 3.12 Security Assessment | 4 | Self-assessment process and POA&M discipline |
| 3.13 System and Communications Protection | 16 | Encryption in transit, network boundaries, FIPS-validated crypto |
| 3.14 System and Information Integrity | 7 | Patching, malware protection, monitoring |
| Total | 110 | |
Each control is worth 1, 3, or 5 points based on impact. Maximum score: 110. The starting baseline subtracts every unimplemented control's weight, which is why the floor is -203.
The four families that hammer small contractors
In our experience scoring sub-50-employee contractors, the same four families produce 80 percent of the lost points.
3.13 System and Communications Protection (16 controls, often -50+ in lost points). This family wants FIPS 140-2 validated cryptography for CUI in transit and at rest. Most SMBs are using Microsoft 365 Business Standard or Google Workspace Business Starter — both of which are excellent products but neither uses FIPS-validated crypto modules by default. You need M365 GCC ($35/user/mo) or Google Workspace Enterprise Plus with FedRAMP-equivalent posture. That's a real cost.
The same family also wants network boundary protection — separate the CUI environment from the rest of your network. For a 20-person shop where everyone works from home offices, "network boundary" means VPN-gated access plus device-level segmentation. This is why most small contractors end up on a Microsoft 365 GCC tenant: it draws a clear boundary that maps to the controls.
3.5 Identification and Authentication (11 controls). MFA on every account that touches CUI, including service accounts and privileged accounts. Most SMBs do MFA on the email layer but forget about the file storage layer, the timekeeping system, the contract-management system, and the GL. Each of those needs MFA enforcement, password complexity meeting NIST 800-63B, and account lockout policies. The lost points here come from missing service-account credentials, not user accounts.
3.3 Audit and Accountability (9 controls). This is where DCAA-compliant accounting and NIST 800-171 overlap most. The family requires logging of access to CUI, retention of those logs (typically 1 year minimum, longer if your contract specifies), and periodic review. Your timekeeping system must log every entry, every edit, who made it, and when. Your accounting system must log every transaction with user attribution and an immutable change history. If your DCAA-compliant timekeeping already has this (FieldLedger does — every entry is logged with user, timestamp, before/after values), you've satisfied 5 of the 9 controls in this family.
3.4 Configuration Management (9 controls). Approved software list, hardening baselines, no unauthorized installations. For a small shop, this means BYOD is hard. You either need a managed device program (Intune, Jamf) or you draw a hard line: CUI only gets touched on company-issued, hardened laptops. Most SMBs lose points here because their developers run Homebrew packages without an approval process, or marketing installs random Chrome extensions on the same laptops they use for the contract portal.
DoD Assessment Methodology — Basic, Medium, High
DoD Assessment Methodology is in NIST SP 800-171A. Three levels:
- Basic — self-assessment, you score yourself, post to SPRS. Required for all contractors with the 7012 clause. Refreshed every 3 years or when you make a material change.
- Medium — DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) reviews your System Security Plan (SSP) and POA&M remotely. Triggered by contract value or when DoD selects you.
- High — full on-site DIBCAC assessment. Reserved for contractors handling the most sensitive CUI and high-value contracts.
Most small contractors are Basic-only. The honest read: a Basic self-assessment is exactly as rigorous as you make it. You can give yourself a 110 in 30 minutes and post it to SPRS. The trap is that the contracting officer (or worse, an OIG audit later) can pull your SSP and POA&M and verify that the score reflects reality. Falsified scores have triggered False Claims Act cases. The penalties are real.
What the SSP and POA&M actually look like
The System Security Plan (SSP) is the document that maps each of the 110 controls to how you implement it. Every control gets either:
- Implemented — you have it, here's how, here's the evidence
- Partially implemented — you have part of it, here's what's missing, on the POA&M
- Not implemented — listed on the POA&M with a target date and remediation plan
- Not applicable — with justification
The Plan of Action and Milestones (POA&M) is the running list of every gap with a remediation timeline. Auditors read this first. A POA&M with realistic dates and recent updates says "this contractor is managing their security posture." A POA&M that hasn't moved in 18 months says "this contractor checked a box and forgot."
The format is not specified by NIST. Spreadsheet works fine. The DoD CIO has a template you can use. The substance is what matters: each row needs a control, a description of the gap, a target date, an owner, and a status.
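The scoring rule from the scoring paragraph above (start at 110, subtract the weight of every control that is not fully implemented) and the POA&M row shape described here are straightforward to put into a small script. The following is an added example, not FieldLedger code or DoD tooling: it scores a constructed subset of controls, emits a POA&M row for each gap, and flags rows that are past their target date or have not been updated in roughly 18 months. The control weights, statuses, owners and dates are constructed for illustration; real weights come from the DoD Assessment Methodology scoring table. Note that the methodology scores a partially implemented control as not implemented except for a small number of partial-credit cases it defines, which this example does not model.

```python
"""SPRS self-assessment scoring with a POA&M health check (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SCORE = 110
STALE_DAYS = 548  # roughly 18 months: the "hasn't moved" threshold

IMPLEMENTED = "implemented"
PARTIAL = "partially implemented"
NOT_IMPLEMENTED = "not implemented"
NOT_APPLICABLE = "not applicable"
GAP_STATUSES = {PARTIAL, NOT_IMPLEMENTED}


@dataclass(frozen=True)
class ControlAssessment:
    control_id: str
    weight: int                          # 1, 3 or 5 (assumed values below)
    status: str
    note: str = ""                       # gap description, or N/A justification
    owner: str = ""
    target: Optional[date] = None
    last_updated: Optional[date] = None


def sprs_score(controls) -> int:
    """110 minus the weight of every control that is not fully implemented."""
    deducted = 0
    for c in controls:
        if c.weight not in (1, 3, 5):
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")
        if c.status in GAP_STATUSES:
            deducted += c.weight
        elif c.status == NOT_APPLICABLE:
            if not c.note:
                raise ValueError(f"{c.control_id}: N/A needs a justification")
        elif c.status != IMPLEMENTED:
            raise ValueError(f"{c.control_id}: unknown status {c.status!r}")
    return MAX_SCORE - deducted


def poam_rows(controls, today: date) -> list[dict]:
    """One row per gap: control, gap, owner, target, status, plus health flags."""
    rows = []
    for c in controls:
        if c.status not in GAP_STATUSES:
            continue
        if not (c.note and c.owner and c.target and c.last_updated):
            raise ValueError(f"{c.control_id}: POA&M row needs note, owner, target, last_updated")
        rows.append({
            "control": c.control_id,
            "points_at_stake": c.weight,
            "gap": c.note,
            "owner": c.owner,
            "target": c.target.isoformat(),
            "status": c.status,
            "overdue": c.target < today,
            "stale": (today - c.last_updated).days > STALE_DAYS,
        })
    return rows


# Constructed sample: a handful of controls with assumed weights.
SAMPLE = [
    ControlAssessment("3.1.1", 5, IMPLEMENTED),
    ControlAssessment("3.3.1", 5, IMPLEMENTED),
    ControlAssessment("3.7.5", 3, NOT_APPLICABLE,
                      note="No vendor remote-maintenance sessions on CUI systems"),
    ControlAssessment("3.5.3", 5, PARTIAL,
                      note="MFA enforced on M365 but not on the timekeeping portal",
                      owner="IT lead", target=date(2025, 3, 31), last_updated=date(2025, 1, 10)),
    ControlAssessment("3.6.1", 5, NOT_IMPLEMENTED,
                      note="No written incident response plan",
                      owner="COO", target=date(2024, 12, 31), last_updated=date(2023, 6, 1)),
    ControlAssessment("3.13.11", 5, NOT_IMPLEMENTED,
                      note="Email/storage tenant not on FIPS-validated crypto",
                      owner="IT lead", target=date(2025, 4, 30), last_updated=date(2025, 1, 10)),
]


def assess(controls=SAMPLE, today: date = date(2025, 2, 1)):
    """Return (score, poam_rows) for the given assessment as of `today`."""
    return sprs_score(controls), poam_rows(controls, today)


if __name__ == "__main__":
    score, rows = assess()
    print(f"SPRS score: {score}")
    for row in rows:
        print(row)
```

Run as-is and the sample scores 95 with three POA&M rows, one of them both overdue and stale; swap in your own control list to get a score and a row list you can paste into a spreadsheet.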
Cost ranges (honest)
For a 20-person federal contractor going from zero to a posted SPRS score:
| Item | Range | Notes |
|---|---|---|
| Microsoft 365 GCC tenant | $35/user/mo × 20 = $8,400/yr | Required for FIPS-validated email + storage |
| MDM / endpoint hardening (Intune included with M365 GCC) | $0 incremental | Configuration time, not license cost |
| FIPS-validated VPN | $300–$2,000/yr | OpenVPN Access Server with FIPS module, or Tailscale Enterprise |
| Vulnerability scanning (Tenable, Rapid7, or Nessus) | $3,000–$8,000/yr | Required by 3.11.2 |
| MFA / SSO (often included with M365 GCC) | $0 incremental | Use Entra ID, included |
| Security awareness training (KnowBe4 or similar) | $1,500–$4,000/yr | Required by 3.2 |
| Logging / SIEM (Microsoft Sentinel pay-as-you-go) | $1,000–$5,000/yr | Required by 3.3, scales with log volume |
| Initial SSP/POA&M development | $5,000–$25,000 one-time | Consultant or detailed self-build |
| Annual SSP/POA&M maintenance | $3,000–$10,000/yr | Less if you do it in-house |
| Year 1 total | $22K–$62K | Plus internal time, typically 0.1–0.25 FTE |
| Recurring | $15K–$30K/yr | Excluding ongoing internal time |
If a consultant quotes you $80K-plus for "NIST 800-171 compliance" without breaking down the underlying tools and recurring costs, get a second quote. The market has predatory pricing for SMBs who don't know any better.
Where DCAA-compliant accounting fits in
NIST 800-171 family 3.3 (Audit and Accountability) requires:
- 3.3.1 — Create and retain system audit records
- 3.3.2 — Ensure traceable actions
- 3.3.4 — Alert on audit logging failures
- 3.3.8 — Protect audit information from tampering
- 3.3.9 — Limit audit-record management to privileged users
DCAA-compliant timekeeping covers all five for the timekeeping subsystem. Every timesheet entry is logged with user, timestamp, and before/after values for any edit. Logs are retained for the contract retention period (typically 3 years post-final-payment). Logs are protected from end-user modification — only system administrators can access the audit table, and even admins can't edit historical entries.
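The properties this section and the 3.3 discussion above describe for a timekeeping subsystem (every create and edit recorded with actor, timestamp and before/after values; historical records that nobody, admins included, can silently alter; periodic review of the log) can be demonstrated with a hash-chained audit trail. The following is an added example and not FieldLedger's implementation: records are chained so that modifying or deleting a historical entry breaks verification, and a review query pulls out edits made to entries in an already-closed period. Entry ids, user names, timestamps and field names are constructed for the example.

```python
"""Tamper-evident audit trail for timesheet edits (added example)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

GENESIS_HASH = "0" * 64


@dataclass
class AuditRecord:
    seq: int            # position in the chain; must be contiguous
    actor: str          # authenticated user who made the change (traceability)
    timestamp: str      # ISO 8601 UTC; supplied by the caller here for determinism
    entry_id: str       # timesheet entry affected
    before: dict        # empty for a create
    after: dict
    prev_hash: str      # hash of the previous record (GENESIS_HASH for seq 0)
    hash: str = ""      # SHA-256 over every other field


def _digest(record: AuditRecord) -> str:
    body = asdict(record)
    body.pop("hash")
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only in memory. A real system would persist to a table that
    application roles can INSERT into but never UPDATE or DELETE."""

    def __init__(self) -> None:
        self._records: list[AuditRecord] = []

    def append(self, actor: str, timestamp: str, entry_id: str,
               before: dict, after: dict) -> AuditRecord:
        prev = self._records[-1].hash if self._records else GENESIS_HASH
        rec = AuditRecord(len(self._records), actor, timestamp, entry_id,
                          dict(before), dict(after), prev)
        rec.hash = _digest(rec)
        self._records.append(rec)
        return rec

    def records(self) -> list[AuditRecord]:
        return self._records


def verify_chain(records) -> Optional[int]:
    """Index of the first record that fails verification, or None if intact."""
    prev = GENESIS_HASH
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_hash != prev or _digest(rec) != rec.hash:
            return i
        prev = rec.hash
    return None


def retroactive_edits(records, period_end: str, closed_at: str) -> list[AuditRecord]:
    """Edits (not creates) made after `closed_at` to entries dated on or before
    `period_end`; the kind of change a periodic log review should surface."""
    return [r for r in records
            if r.before
            and r.timestamp >= closed_at
            and r.after.get("work_date", "") <= period_end]


def build_sample_log() -> AuditLog:
    """Constructed sample: a create, a same-day correction, and a post-close edit."""
    log = AuditLog()
    v1 = {"employee": "jdoe", "work_date": "2025-01-06", "hours": 8, "charge": "CLIN-0001"}
    v2 = dict(v1, hours=7.5)
    v3 = dict(v2, hours=9)
    log.append("jdoe", "2025-01-06T17:02:11Z", "ts-1001", {}, v1)
    log.append("jdoe", "2025-01-06T17:05:40Z", "ts-1001", v1, v2)
    log.append("admin.ops", "2025-02-03T09:14:02Z", "ts-1001", v2, v3)
    return log


if __name__ == "__main__":
    recs = build_sample_log().records()
    print("chain intact:", verify_chain(recs) is None)
    for r in retroactive_edits(recs, "2025-01-31", "2025-02-01T00:00:00Z"):
        print("post-close edit by", r.actor, "on", r.entry_id, r.before, "->", r.after)
```

The chain only proves that the stored records have not been altered since they were written; pairing it with database permissions that deny UPDATE and DELETE to every application role, and with periodic export of the latest hash to a location the administrators cannot write, is what turns it into the protection 3.3.8 asks for.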
If you're already running a DCAA-compliant timekeeping and indirect-rate system, you've satisfied the audit-trail requirements for accounting data. You still need to extend audit logging to your file storage (handled by M365 GCC), email (M365 GCC), and any other system that touches CUI. But the accounting layer is solved.
This is part of the FieldLedger pitch: the same audit trail that satisfies DCAA satisfies NIST 3.3 for accounting data. You don't pay twice. You don't run two log-collection systems. The DCAA Form 1408 audit trail and the NIST 3.3.2 traceability requirement are the same trail.
Common SMB mistakes that lose points
Treating MFA as one-and-done. MFA on email but not on the file repo, the timekeeping system, or the contract portal. Each unprotected privileged account is a point lost.
No documented incident response plan. 3.6.1 requires a documented IR plan. Not "we'll figure it out if it happens." A two-page document naming who calls who and within what timeframe satisfies the control.
Background checks for the wrong scope. 3.9.1 wants screening for personnel with access to CUI. Many SMBs run background checks for direct hires but skip 1099 contractors and subcontractor staff who get CUI access. Either screen them or don't grant CUI access. Most SMBs choose the second.
Treating BYOD as compliant by default. It's not. Either provision managed devices for CUI work or accept that your home-office laptops are out of scope (which means CUI never touches them).
POA&M with no movement. If your POA&M dates are all from 18 months ago and nothing has been remediated, an auditor reads that as "checked the box, ignored the work." Better to have 5 items with recent updates than 30 items frozen in time.
Ignoring the 72-hour breach reporting clock. 3.6.2 plus DFARS 7012 require reporting cyber incidents to DC3 within 72 hours. You need a process to make that call, not a hope you'll think of it during a real incident.
How long does it actually take to get to a defensible SPRS score?
Honest timeline for a 20-person contractor starting from M365 Business Standard with no SSP:
- Week 1–2: Migrate email and file storage to M365 GCC. Enable Entra ID MFA on all accounts. ~$8K/yr in license uplift.
- Week 3–4: Configure Intune for managed-device baselines. Push policies. Hard-cut BYOD for CUI work.
- Week 5–6: Stand up vulnerability scanning, security awareness training. Document your IR plan.
- Week 7–10: Write the SSP. Map every control. Build the initial POA&M. This is the slow part.
- Week 11–12: Self-score using the DoD methodology. Post to SPRS. Update internally.
Three months is realistic for an SMB doing this in-house. Six months if you have a day job and this is a side project. A consultant can compress it to 4–6 weeks but the cost runs $25K–$50K for the SSP work alone.
Where to start tomorrow morning
If you don't have a posted SPRS score and you're either bidding on or actively performing a contract with the DFARS 7012 clause, do this in order:
Run a 30-minute gap analysis. Pull the NIST 110-control checklist and score yourself honestly. You'll know within an hour whether you're at 30 or 80.
Decide M365 GCC vs status quo. This is the largest single license-cost decision and gates 30+ points across families 3.13, 3.5, and 3.3. If you're not migrating, you're capping your score.
Write a one-page IR plan. Free points. 3.6.1 satisfied.
Build the initial SSP and POA&M. Pick a control, write what you do, mark it implemented or in-progress. Do five controls a day. You'll be done in three weeks.
Post your honest score to SPRS. A posted score of 60 with a credible POA&M is better than no score. The contracting officer needs something on file.
The trap is paying $50K to a consultant before you've done the gap analysis yourself. You'll pay 10x more for work you could have done yourself in three weeks. The consultants worth their fee are the ones who help you with the SSP narrative and the SPRS post — not the ones who run the gap analysis you could run on a Saturday.
Related reading
- Take the free 5-minute DCAA readiness assessment — score your accounting system against the 7 DCAA focus areas.
- How the FieldLedger indirect rate engine works — FAR 31.2 Structure A and B, resolved automatically.
- Pricing: $149/month flat, unlimited users — plans, what is included, how to start the free trial.
Ready to replace the spreadsheet stack?
DCAA-compliant timekeeping, FAR 31.2 indirect rate engine, USACE equipment costing, multi-CLIN invoicing. $149/month flat, unlimited users.