    Cybersecurity

    NIST 800-171 Checklist for Small Business

    Hatty AI
    February 28, 2026
    16 min read
    A practical, jargon-free checklist covering every NIST 800-171 requirement. Built for small DoD contractors without dedicated IT staff.


    NIST 800-171 Compliance: What Small Businesses Actually Need to Do

    If you're a small business working with the Department of Defense, you've probably heard about NIST 800-171. But most guides are written for enterprise IT teams with 50-person security departments. This guide is different: it's written for the small business owner with 5–100 employees who needs to get compliant without drowning in jargon.

    NIST Special Publication 800-171 Revision 2 defines 110 security requirements across 14 control families, and Revision 2 is the version DoD contracts (DFARS 252.204-7012) and CMMC Level 2 assessments measure you against; the newer Revision 3 regroups the same ground into 97 requirements and 17 families, so state the revision you are claiming in your SSP. You must implement all 110 to protect Controlled Unclassified Information (CUI) and stay eligible for DoD contracts. Here's your plain-English checklist.

    โฑ๏ธ Time Estimate

    Full NIST 800-171 compliance typically takes 3–6 months for a small business starting from scratch. Using AI-assisted tools like Hatty AI's compliance platform can cut that to 4–8 weeks.

    The 14 Control Families: What They Mean in Plain English

    1. Access Control (22 requirements)

    What it means: Only authorized people should access your systems and data. Limit who can see what, and log everything.

    • ✅ Create a named account for every employee (no shared or generic logins)
    • ✅ Use role-based access: people only see what they need for their job, and admin rights go only to the people who actually administer systems
    • ✅ Disable accounts the day an employee leaves, and review every account at least quarterly to catch the ones that were missed
    • ✅ Lock screens after a period of inactivity (800-171 sets no number; 15 minutes is the usual choice, so write whatever you pick into your SSP)
    • ✅ Route remote access through a VPN that enforces MFA, and log those sessions
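The account review in the list above is the step small shops most often skip. The script below is an added example (not code from the original article or from Hatty AI) that shows what a quarterly review actually checks: it joins a constructed HR roster against a constructed directory export and flags accounts whose owner has left, accounts with no owner at all (shared logins), accounts nobody has used in 90 days, and people holding groups their job does not justify. The 90-day threshold and the group-to-job mapping are assumed policy values; 800-171 requires the checks but does not fix the numbers.

```python
"""Access review helper (added example; not the article's or Hatty AI's code).

Assumes two exports any small-business stack can produce: an HR roster
(who is employed, in what job) and a directory/IdP listing of accounts with
their groups and last logon. Both datasets below are constructed samples.
"""
from datetime import datetime, timedelta, timezone

# Constructed HR export: employee -> employment status and job role.
HR_ROSTER = {
    "alice": {"status": "active", "job": "engineer"},
    "bob":   {"status": "terminated", "job": "sales", "end_date": "2026-01-15"},
    "carol": {"status": "active", "job": "finance"},
    "dave":  {"status": "active", "job": "engineer"},
}

# Constructed directory export: one entry per enabled account.
ACCOUNTS = [
    {"user": "alice", "groups": ["engineering", "cui-readers"], "last_logon": "2026-02-27T09:12:00Z"},
    {"user": "bob",   "groups": ["sales"],                      "last_logon": "2026-01-14T17:40:00Z"},
    {"user": "carol", "groups": ["finance", "domain-admins"],   "last_logon": "2026-02-26T08:00:00Z"},
    {"user": "dave",  "groups": ["engineering"],                "last_logon": "2025-10-01T12:00:00Z"},
    {"user": "shared-frontdesk", "groups": ["reception"],       "last_logon": "2026-02-28T07:00:00Z"},
]

# Assumed policy: which job roles may hold which sensitive groups (role-based access).
# Groups not listed here are treated as unprivileged.
GROUP_ALLOWED_JOBS = {
    "domain-admins": {"it-admin"},
    "cui-readers": {"engineer", "finance"},
}

# Assumed policy value: 800-171 requires disabling inactive accounts but sets no day count.
STALE_AFTER = timedelta(days=90)
REVIEW_DATE = datetime(2026, 2, 28, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """ISO-8601 with a trailing Z -> timezone-aware datetime (works on Python 3.9+)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_accounts(accounts, roster, now, stale_after=STALE_AFTER):
    """Return (user, action, reason) tuples for every account that fails the review."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No owner in HR: a shared, generic or orphaned login (one identifier per person, 3.5.1).
            findings.append((user, "disable", "no matching employee in HR roster"))
            continue
        if person["status"] != "active":
            findings.append((user, "disable", f"owner left on {person['end_date']} but account is still enabled"))
            continue
        idle = now - _parse_ts(acct["last_logon"])
        if idle > stale_after:
            findings.append((user, "disable", f"no logon for {idle.days} days"))
        for group in acct["groups"]:
            allowed_jobs = GROUP_ALLOWED_JOBS.get(group)
            if allowed_jobs is not None and person["job"] not in allowed_jobs:
                findings.append((user, "remove-from-group", f"{group} is not justified by job role '{person['job']}'"))
    return findings


def run_access_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_accounts(ACCOUNTS, HR_ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for user, action, reason in run_access_review():
        print(f"{action:18} {user:18} {reason}")
```

Run it against real exports and keep the output: the dated list of findings plus the tickets that closed them is exactly the evidence an assessor asks for under the account-management requirements.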

    2. Awareness & Training (3 requirements)

    What it means: Train your employees on security threats and your company's security policies. Do this at hire and annually.

    • ✅ Conduct security awareness training for all employees
    • ✅ Train employees to recognize phishing emails
    • ✅ Document all training with dates and attendee lists

    3. Audit & Accountability (9 requirements)

    What it means: Log what happens on your systems so you can detect and investigate suspicious activity.

    • ✅ Enable logging on all systems that handle CUI, with the clocks synchronized so events from different machines can be correlated
    • ✅ Review logs regularly (800-171 sets no frequency; treat weekly as the minimum, and look at failed-logon bursts and admin activity sooner)
    • ✅ Protect log files from tampering: restrict who can read or delete them, and ship a copy off the host where the same admin can't rewrite both
    • ✅ Retain logs for a defined period (this guide recommends 3 years; 800-171 itself sets no number, so document the period you choose in your SSP)
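"Review logs" and "protect logs from tampering" are the two items in the list above that people nod at and never implement. The following is an added example (not code from the original article or from Hatty AI) showing both in working form against a handful of constructed syslog-style lines modelled on Linux sshd and sudo output: it finds failed-logon bursts per user and source address (the threshold mirrors the account-lockout setting discussed under Identification & Authentication below), flags privileged commands that would stop logging, and builds a hash chain over the archived log so that any edited, deleted or truncated line is detected. The log lines, the 3-failure threshold, the 15-minute window and the list of "stop logging" commands are all assumptions for the example.

```python
"""Log review and tamper detection (added example; not the article's or Hatty AI's code)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on Linux sshd/syslog output; not real captures.
SAMPLE_LOG = """\
2026-02-27T22:01:05Z host1 sshd[4112]: Failed password for alice from 203.0.113.7 port 51022 ssh2
2026-02-27T22:01:09Z host1 sshd[4112]: Failed password for alice from 203.0.113.7 port 51022 ssh2
2026-02-27T22:01:14Z host1 sshd[4112]: Failed password for alice from 203.0.113.7 port 51022 ssh2
2026-02-27T22:01:20Z host1 sshd[4112]: Failed password for alice from 203.0.113.7 port 51022 ssh2
2026-02-27T22:01:31Z host1 sshd[4120]: Accepted publickey for alice from 203.0.113.7 port 51030 ssh2
2026-02-27T22:05:00Z host1 sshd[4130]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
2026-02-27T23:40:00Z host1 sshd[4140]: Failed password for carol from 192.0.2.5 port 42000 ssh2
2026-02-28T02:15:00Z host1 sudo: carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl stop auditd
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
# Assumed watch-list: commands that stop or clear the audit trail.
LOG_TAMPERING_NEEDLES = ("stop auditd", "stop rsyslog", "wevtutil cl", "Clear-EventLog")


def parse_log(text):
    """Parse syslog-style lines into dicts with an aware timestamp; skip unparseable lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def failed_logon_bursts(records, threshold=3, window=timedelta(minutes=15)):
    """Return (user, ip, count) for each (user, ip) with >= threshold failures inside one window."""
    times_by_key = defaultdict(list)
    for rec in records:
        m = FAILED_RE.search(rec["msg"])
        if m:
            times_by_key[(m["user"], m["ip"])].append(rec["ts"])
    bursts = []
    for (user, ip), times in times_by_key.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((user, ip, best))
    return sorted(bursts)


def logging_tampering_commands(records):
    """Flag sudo commands on the watch-list: someone disabling logging is itself a finding."""
    hits = []
    for rec in records:
        if rec["proc"] == "sudo" and "COMMAND=" in rec["msg"]:
            user = rec["msg"].split(" :", 1)[0]
            command = rec["msg"].split("COMMAND=", 1)[1]
            if any(needle in command for needle in LOG_TAMPERING_NEEDLES):
                hits.append((user, command))
    return hits


def chain_hashes(lines, seed="0" * 64):
    """Hash-chain the archived log: each digest commits to the previous one, so a changed
    or deleted line breaks every digest after it."""
    digests, prev = [], seed
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_tampered_line(lines, digests, seed="0" * 64):
    """Recompute the chain; return the index of the first mismatch, or None if the log is intact."""
    prev = seed
    for i, line in enumerate(lines):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if i >= len(digests) or digests[i] != prev:
            return i
    if len(digests) != len(lines):      # stored chain is longer: the log was truncated
        return len(lines)
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("bursts:", failed_logon_bursts(recs))
    print("logging tampering:", logging_tampering_commands(recs))
    lines = SAMPLE_LOG.splitlines()
    print("intact:", first_tampered_line(lines, chain_hashes(lines)) is None)
```

The chain only protects you if the digests live somewhere the person who can edit the log cannot also edit: write the latest digest to a separate account or a cloud bucket every night, and keep the original host write-only to its log shipper. Detection of the `stop auditd` line is the point of the watch-list: an attacker's first privileged act is often to silence logging, and that single event is worth more than a week of routine review.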

    4. Configuration Management (9 requirements)

    What it means: Keep your systems configured securely. Track and control changes.

    • ✅ Maintain an inventory of all hardware and software
    • ✅ Use security baselines (CIS Benchmarks are free)
    • ✅ Control who can install software
    • ✅ Document all system changes

    5. Identification & Authentication (11 requirements)

    What it means: Verify who's accessing your systems. Use strong passwords and multi-factor authentication.

    • ✅ Enforce strong passwords (800-171 only requires minimum complexity; 12+ characters is a sensible floor, and block reuse of previous passwords)
    • ✅ Implement multi-factor authentication (MFA) for every privileged account and for all network access, including email, VPN and cloud consoles
    • ✅ Lock accounts after a small number of failed login attempts (800-171 says only "limit unsuccessful logon attempts"; 3 to 5 is typical, so document the number you choose)
    • ✅ Use unique identifiers for every user, and never let a service or shared account stand in for a person

    6–14. Remaining Control Families

    The remaining families cover Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. Each has specific requirements; our full NIST 800-171 compliance hub covers all 110 controls in detail.

    Common Mistakes Small Businesses Make

    1. Thinking antivirus = compliance. Antivirus satisfies only a few requirements in the System & Information Integrity family (malicious-code protection and its updates and scans, 3.14.2, 3.14.4 and 3.14.5); that is a handful out of 110. You still need encryption, access controls, logging, an incident response plan, and much more.
    2. Not documenting anything. NIST 800-171 requires a System Security Plan (SSP, requirement 3.12.4) describing how each control is met and a Plan of Action & Milestones (POA&M, 3.12.2) for the ones that aren't yet. Without them you're not compliant, period, and an assessor has nothing to assess.
    3. Ignoring the supply chain. If your subcontractors handle CUI, they need to be compliant too. DFARS 252.204-7012 makes you responsible for flowing the requirements down to them.
    4. Treating compliance as a one-time project. Compliance is ongoing. You need continuous monitoring, annual assessments, and regular training updates.

    Get Your Compliance Readiness Score in 5 Minutes

    Our free pre-audit assessment identifies your gaps and gives you a prioritized action plan.

    Run Your Free Pre-Audit

    Related: CMMC 2.0 vs. NIST 800-171: What's the Difference? · How AI Is Helping Defense Contractors Pass CMMC Audits Faster
