Defense Compliance

NIST and DFARS Compliance Services

DFARS 252.204-7012 mandates NIST SP 800-171 compliance for every DoD contractor handling CUI. PTG helps defense contractors implement all 110 controls, submit accurate SPRS scores, and prepare for CMMC certification.

CMMC Registered Practitioner Org | BBB A+ Since 2003 | 23+ Years Experience

Regulatory Requirements

What DFARS 252.204-7012 Requires

DFARS is the contractual clause. NIST 800-171 provides the 110 security requirements. Together they form the foundation of defense contractor cybersecurity.

DFARS Obligations

  • Implement all 110 NIST SP 800-171 security requirements across 14 control families
  • Report cyber incidents to DC3 within 72 hours of discovery
  • Preserve affected system images for at least 90 days post-incident
  • Flow down DFARS requirements to subcontractors handling CUI

SPRS Scoring

  • Score ranges from -203 (no controls) to 110 (full implementation)
  • Each unmet requirement reduces score by 1, 3, or 5 points
  • Contracting officers use SPRS scores in source selection decisions
  • Required under DFARS Interim Rule clauses 7019 and 7020

14 Control Families

The 110 NIST SP 800-171 Requirements

DFARS mandates implementation of all 110 requirements across these control families.

22 Requirements

Access Control

Limit system access, enforce least privilege, control remote access, and manage wireless access to CUI systems.

16 Requirements

System and Communications Protection

Monitor boundaries, implement encryption, establish subnetworks, and protect CUI during transmission.

11 Requirements

Identification and Authentication

Identify users and devices, implement multi-factor authentication, and manage credential lifecycle.

9 Requirements Each

Audit, Config Management, Media

Create audit records, establish baselines, track changes, and sanitize media containing CUI before disposal.

The Transformation

Before and After DFARS Compliance

Before

Contract Eligibility Risk

Low SPRS scores disqualify your organization from DoD contract awards and prime contractor partnerships.

Incident Liability

No documented incident response capability risks both CUI exposure and False Claims Act penalties.

Supply Chain Gaps

Subcontractors without DFARS flow-down create compliance blind spots throughout your supply chain.

After

SPRS Score of 110

Full implementation of all 110 controls with documented evidence and accurate SPRS submission.

72-Hour Response Capability

Tested incident response plan with DC3 reporting procedures and 90-day evidence preservation.

CMMC Certification Ready

NIST 800-171 compliance positions you directly for CMMC Level 2 certification.

FAQ

Frequently Asked Questions

What is the relationship between DFARS and NIST 800-171?

DFARS 252.204-7012 is the contractual clause that mandates compliance. NIST SP 800-171 provides the 110 specific security requirements that must be implemented. DFARS tells you that you must comply; NIST tells you what to implement.

What is the minimum SPRS score needed for contracts?

There is no single minimum, but contracting officers use SPRS scores in source selection. Organizations with scores significantly below 110 are at a competitive disadvantage. PTG helps you systematically close gaps to reach a perfect score of 110.

How does CMMC 2.0 change DFARS compliance?

CMMC adds third-party certification requirements on top of existing DFARS/NIST obligations. CMMC Level 2 maps directly to NIST 800-171, so your DFARS compliance work is the foundation of your CMMC certification.

Do subcontractors need DFARS compliance?

Yes. DFARS 252.204-7012 requires flow-down to any subcontractor that will handle CUI. Primes are increasingly requiring subcontractors to demonstrate compliance before awarding work.

What happens if we have a cyber incident?

DFARS requires reporting to the DoD Cyber Crime Center (DC3) within 72 hours, preserving system images for 90 days, and providing the government access to affected systems. PTG helps you build and test these incident response capabilities.

Get Started

Achieve NIST and DFARS Compliance

Protect your DoD contract eligibility. PTG handles everything from gap assessment to SPRS submission and CMMC readiness.