Protecting CUI in non-federal systems

NIST 800-171

Controls for protecting Controlled Unclassified Information.

Overview

What it is, in plain English.

NIST SP 800-171 (Rev. 2) defines the 110 security requirements that a non-federal organization must implement on any system that stores, processes, or transmits Controlled Unclassified Information (CUI) under a federal contract. It is the technical backbone of CMMC Level 2 and is referenced directly in DFARS 252.204-7012. Whether you are preparing for CMMC, satisfying a federal civilian agency requirement, or self-attesting in SPRS, Lyra runs the assessment, builds the SSP, and remediates the gaps.

Full NIST SP 800-171 assessment, System Security Plan (SSP) development, and Plan of Action & Milestones (POA&M) management.

Who needs it

Built for organizations that have to get this right.

  • DoD contractors and subcontractors (DFARS 7012)

  • NASA, GSA, and federal civilian agency suppliers

  • Higher-ed institutions with federal research contracts

  • Any organization preparing for CMMC Level 2

Our approach

How we get you audit-ready and keep you there.

We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.

  1. Scope & Gap Assessment

     We map your environment, business processes, and existing controls against the framework to find every gap, redundancy, and risk.

  2. Remediation & Control Design

     We design and implement the technical and administrative controls — policies, configurations, monitoring, and evidence pipelines.

  3. Evidence & Documentation

     We build the artifact library auditors expect: policies, SSPs, risk registers, control matrices, and continuous evidence collection.

  4. Audit Support & Continuous Monitoring

     We sit with you through the audit, respond to auditor requests, and operate the program after certification so you stay compliant year-round.

Key controls

What's actually in scope.

  • All 14 control families (Rev. 2): Access Control, Audit & Accountability, Awareness & Training, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, System & Information Integrity

  • Multifactor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts (3.5.3)

  • FIPS-validated (140-2/140-3) cryptography wherever cryptography is used to protect the confidentiality of CUI (3.13.11)

  • CUI flow mapping and boundary diagrams

  • Continuous monitoring and vulnerability scanning

Deliverables

What you walk away with.

  • NIST 800-171 assessment report scored against all 110 requirements using the DoD Assessment Methodology (the same scoring that feeds SPRS)

  • System Security Plan (SSP) — the foundational compliance artifact

  • Plan of Action & Milestones (POA&M) for any open gaps

  • Updated SPRS score submission

  • CUI boundary and data flow diagrams

Timeline

Initial assessment and SSP: 6–10 weeks. Full remediation to a passing score: 3–9 months depending on environment maturity.

Questions we hear

Straight answers to the real questions.

Is 800-171 the same as CMMC?
Not quite. CMMC Level 2 assesses the same 110 requirements (Rev. 2), but depending on the contract it requires either a formal self-assessment or a third-party certification assessment by a C3PAO, and it tightly limits POA&Ms: you need a minimum score of 88 of 110 for conditional status, most higher-weighted requirements cannot be left open, and any open items must be closed within 180 days. Outside CMMC, under DFARS 7012 alone or many federal civilian contracts, 800-171 permits a self-assessment in SPRS with open POA&M items.
What is Rev. 3?
NIST 800-171 Rev. 3 was published in May 2024. It consolidates the requirements to 97, adds three families (Planning, System & Services Acquisition, Supply Chain Risk Management), and introduces organization-defined parameters that the contracting agency is expected to set. CMMC and DFARS 7012 (via a DoD class deviation) still point to Rev. 2 — we monitor flow-downs and align you to the version your contracts require.
Do I need a separate SSP per contract?
Usually one SSP covers the entire CUI environment. Per-contract security requirements are addressed through tailoring statements within the SSP and contract-specific implementation notes.
