NIST SP 800-171 Rev 2
Best for: Any organization that stores, processes, or transmits Controlled Unclassified Information (CUI) on behalf of the U.S. federal government. Defense contractors and subcontractors under DFARS clause 252.204-7012 are the primary audience, but civilian agency contractors with CUI obligations are equally covered. Company size is irrelevant: a 10-person machine shop with a single DoD subcontract has the same compliance obligation as a Fortune 100 prime.
National Institute of Standards and Technology (NIST), U.S. Department of Commerce · NIST SP 800-171 Rev 2 Official source
Get Started
module "..." {
  # Replace <module> with the Compliance.tf module for the AWS service being checked.
  source  = "nist800171.compliance.tf/terraform-aws-modules/<module>/aws"
  # Pin an exact version so a module update cannot silently change which checks run.
  version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Audit Logging and Monitoring: Runs 9 Terraform controls validating CloudTrail multi-region enablement, S3 data event logging, object-level read/write auditing, and API Gateway stage logging. Covers requirements 3.3.1 (creating and retaining audit records) and 3.3.2 (tracing actions to individual users).
- Encryption in Transit: Checks ACM certificate expiration (30-day window) and API Gateway SSL certificate attachment. Validates that TLS is enforced on managed API endpoints.
- Encryption at Rest: Validates encryption on API Gateway stage caches and AWS Backup recovery points. Detects unencrypted data stores that could expose CUI.
- Network Boundary Protection: Checks that Auto Scaling launch configurations do not assign public IPs and that WAF web ACLs are associated with API Gateway stages. Detects resources exposed beyond the CUI boundary.
- Backup and Recovery Integrity: Validates backup plan retention minimums (35 days), recovery point retention periods, and that manual deletion of recovery points is disabled. Covers aspects of requirement 3.8.9 and system resilience.
What you handle
- Audit Logging and Monitoring: Defining audit review procedures, configuring alerting thresholds, establishing log retention periods that meet contractual obligations, and documenting audit findings in the SSP.
- Encryption in Transit: Managing certificate lifecycle beyond expiration checks, enforcing minimum TLS versions (1.2+), and documenting encryption policies in the SSP for requirement 3.13.8.
- Encryption at Rest: Selecting FIPS-validated cryptographic modules where cryptography protects CUI (requirement 3.13.11), KMS key policy management, and verifying that encryption covers all CUI data stores beyond those checked here (EBS, RDS, S3).
- Network Boundary Protection: Defining the CUI enclave boundary in the SSP, configuring WAF rule sets appropriate to your threat model, and implementing network segmentation between CUI and non-CUI systems.
- Backup and Recovery Integrity: Recovery procedures need periodic testing, recovery time objectives need documentation, and backup storage locations must meet the same CUI protection requirements as production systems.
Controls by Category
Audit and Accountability (3.3) (2 controls)
The most common finding in this family is CloudTrail enabled in only one region or missing S3 object-level event logging. Requirement 3.3.1 calls for audit records sufficient to monitor and investigate unauthorized activity, and 3.3.2 for tracing actions to individual users; in AWS that means coverage across every region and service that touches CUI, so assessors check that multi-region trails are active, S3 data events are captured for both read and write operations, and log file integrity validation is enabled.
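The three checks above, written out as an added example (this is not Compliance.tf code). The `Trail` records mirror the fields of boto3's `cloudtrail.describe_trails()` and `cloudtrail.get_event_selectors()` responses; `SAMPLE_TRAILS`, the bucket ARN and the trail names are constructed for the example:

```python
"""Audit-log evidence check for 3.3.1 / 3.3.2: does the account have a
CloudTrail trail that is multi-region, has log file validation on, and
logs S3 object-level data events for both reads and writes?

Added example, not Compliance.tf code. Field names follow boto3's
DescribeTrails / GetEventSelectors responses; the data is constructed."""

from dataclasses import dataclass, field


@dataclass
class Trail:
    name: str
    is_multi_region: bool          # DescribeTrails: IsMultiRegionTrail
    log_file_validation: bool      # DescribeTrails: LogFileValidationEnabled
    # GetEventSelectors: basic selectors, each with ReadWriteType
    # ("ReadOnly" | "WriteOnly" | "All") and a DataResources list whose
    # entries of Type "AWS::S3::Object" enable object-level logging.
    event_selectors: list = field(default_factory=list)


def s3_data_event_coverage(trail):
    """Return {"read": bool, "write": bool} for S3 object-level events."""
    coverage = {"read": False, "write": False}
    for selector in trail.event_selectors:
        logs_s3 = any(
            res.get("Type") == "AWS::S3::Object" and res.get("Values")
            for res in selector.get("DataResources", [])
        )
        if not logs_s3:
            continue
        mode = selector.get("ReadWriteType", "All")
        if mode in ("ReadOnly", "All"):
            coverage["read"] = True
        if mode in ("WriteOnly", "All"):
            coverage["write"] = True
    return coverage


def evaluate_trail(trail):
    """List of findings for one trail; empty means it satisfies every check."""
    findings = []
    if not trail.is_multi_region:
        findings.append("single-region trail: API activity in other regions is not recorded (3.3.1)")
    if not trail.log_file_validation:
        findings.append("log file validation off: modification of delivered logs is undetectable (3.3.1)")
    coverage = s3_data_event_coverage(trail)
    if not coverage["read"]:
        findings.append("S3 object reads not logged: CUI downloads cannot be traced to a user (3.3.2)")
    if not coverage["write"]:
        findings.append("S3 object writes not logged: CUI uploads and deletes cannot be traced to a user (3.3.2)")
    return findings


def account_is_covered(trails):
    """One fully compliant trail is enough; extra partial trails are not themselves a finding."""
    return any(not evaluate_trail(trail) for trail in trails)


# Constructed sample: a typical legacy trail next to a hardened one.
SAMPLE_TRAILS = [
    Trail("legacy-trail", is_multi_region=False, log_file_validation=False,
          event_selectors=[{
              "ReadWriteType": "WriteOnly",
              "IncludeManagementEvents": True,
              "DataResources": [{"Type": "AWS::S3::Object",
                                 "Values": ["arn:aws:s3:::cui-bucket/"]}],
          }]),
    Trail("org-trail", is_multi_region=True, log_file_validation=True,
          event_selectors=[{
              "ReadWriteType": "All",
              "IncludeManagementEvents": True,
              "DataResources": [{"Type": "AWS::S3::Object",
                                 "Values": ["arn:aws:s3:::cui-bucket/"]}],
          }]),
]

if __name__ == "__main__":
    for trail in SAMPLE_TRAILS:
        print(trail.name, evaluate_trail(trail) or ["OK"])
    print("account covered:", account_is_covered(SAMPLE_TRAILS))
```

Note that a "WriteOnly" selector is the common half-fix: uploads are attributable, but a download of a CUI object by a compromised credential leaves no object-level record. Evaluating per trail and then asking whether any trail is clean matches how an assessor reads the evidence, since an organization trail usually coexists with older regional trails.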
Media Protection (3.8) (1 control)
Auditors ask to see controls that prevent individual operators from deleting recovery points, typically AWS Backup Vault Lock in compliance mode or an equivalent mechanism. Retention schedules must meet organizational and contractual minimums, and the backups themselves must be protected as CUI at their storage location (requirement 3.8.9). Organizations without vault lock policies routinely fail this section, leaving backups exposed to insider deletion or ransomware scenarios.
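The retention-floor and vault-lock checks as an added example (not Compliance.tf code). Records are shaped like the rules from boto3's `backup.get_backup_plan()` and the output of `backup.describe_backup_vault()`; the vault names, rules, dates and the 35-day floor are constructed for the example. A vault reports `LockDate` only when Vault Lock was applied in compliance mode, so its absence on a locked vault means governance mode, where a sufficiently privileged principal can still remove the lock:

```python
"""3.8.9 backup evidence: every plan rule keeps recovery points at least
MIN_RETENTION_DAYS, and its target vault has Vault Lock enforced in
compliance mode (past the changeable period).

Added example, not Compliance.tf code. Dict shapes follow boto3's
get_backup_plan() rules and describe_backup_vault(); data is constructed."""

from datetime import datetime, timezone

MIN_RETENTION_DAYS = 35  # the floor the page's controls enforce
EVAL_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "now" for the example

# Constructed vaults (describe_backup_vault shape, trimmed to the lock fields).
SAMPLE_VAULTS = {
    "cui-vault": {"Locked": True, "MinRetentionDays": 35, "MaxRetentionDays": 3650,
                  "LockDate": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    "scratch-vault": {"Locked": False},
    "new-vault": {"Locked": True, "MinRetentionDays": 35,
                  "LockDate": datetime(2030, 1, 1, tzinfo=timezone.utc)},
}

# Constructed plan rules (get_backup_plan()["BackupPlan"]["Rules"] shape).
SAMPLE_RULES = [
    {"RuleName": "daily-cui", "TargetBackupVaultName": "cui-vault",
     "Lifecycle": {"DeleteAfterDays": 90}},
    {"RuleName": "daily-short", "TargetBackupVaultName": "scratch-vault",
     "Lifecycle": {"DeleteAfterDays": 7}},
    # No Lifecycle block: recovery points never expire.
    {"RuleName": "keep-forever", "TargetBackupVaultName": "new-vault"},
]


def rule_retention_days(rule):
    """DeleteAfterDays from the rule's lifecycle; None means never expires."""
    return rule.get("Lifecycle", {}).get("DeleteAfterDays")


def vault_lock_status(vault, now):
    """'none', 'governance' (lock removable by a privileged principal),
    'pending' (compliance mode still inside its changeable period) or
    'compliance' (immutable; nobody, including root, can delete points early)."""
    if not vault.get("Locked"):
        return "none"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"
    return "compliance" if lock_date <= now else "pending"


def evaluate_rule(rule, vaults, now):
    findings = []
    days = rule_retention_days(rule)
    if days is not None and days < MIN_RETENTION_DAYS:
        findings.append(f"retention {days}d is below the {MIN_RETENTION_DAYS}d minimum")
    vault = vaults.get(rule["TargetBackupVaultName"])
    if vault is None:
        findings.append("target vault not found")
        return findings
    status = vault_lock_status(vault, now)
    if status != "compliance":
        findings.append(f"target vault lock status is '{status}': recovery points can still be deleted")
    else:
        # A locked vault rejects recovery points shorter than its MinRetentionDays,
        # so a plan below that value does not produce weak backups, it produces none.
        vault_min = vault.get("MinRetentionDays")
        if days is not None and vault_min is not None and days < vault_min:
            findings.append(f"retention {days}d is below the vault's locked minimum of {vault_min}d; backup jobs will fail")
    return findings


def evaluate_plan(rules, vaults, now=EVAL_TIME):
    """Map each rule name to its findings (empty list means compliant)."""
    return {rule["RuleName"]: evaluate_rule(rule, vaults, now) for rule in rules}


if __name__ == "__main__":
    for name, findings in evaluate_plan(SAMPLE_RULES, SAMPLE_VAULTS).items():
        print(name, findings or ["OK"])
```

The last branch is the one people miss when they add Vault Lock after the fact: the vault's locked minimum and the plan's lifecycle have to agree, otherwise the lock silently breaks the backups it was meant to protect.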
System and Communications Protection (3.13) (2 controls)
Auditors examine encryption of CUI in transit (requirement 3.13.8) and at rest (3.13.16), monitoring and control of traffic at external and key internal boundaries (3.13.1), and deny-by-default, allow-by-exception traffic filtering (3.13.6). Expected evidence includes valid TLS certificates on all public and internal endpoints, encryption enforced on cached data, and WAF rules protecting externally accessible APIs. Expired or soon-to-expire certificates are flagged as direct gaps in transmission confidentiality.
Additional Controls (100)
AWS CloudTrail (3)
AWS Database Migration Service (1)
AWS IAM (9)
AWS KMS (1)
AWS Lambda (4)
AWS WAF (1)
Amazon CloudWatch (2)
Amazon CloudWatch Logs (1)
Amazon DynamoDB (3)
Amazon EBS (2)
Amazon EC2 (8)
Amazon EFS (2)
Amazon EKS (2)
Amazon EMR (1)
Amazon ElastiCache (1)
Amazon OpenSearch Service (3)
Amazon RDS (15)
Amazon Redshift (6)
Amazon S3 (14)
Amazon SNS (1)
Amazon SageMaker (4)
Amazon VPC (2)
Elastic Load Balancing (10)
Other (4)
Frequently Asked Questions
Does NIST 800-171 Rev 2 apply to my organization?
If your contract includes DFARS clause 252.204-7012, or any other clause requiring CUI protection, then yes. This applies to prime contractors and every subcontractor in the supply chain that handles CUI. FAR 52.204-21 on its own covers Federal Contract Information (FCI) with 15 basic safeguarding requirements and does not invoke 800-171, but those requirements are a subset of it, so a contractor holding both FCI and CUI should implement the full 110. The determining factor is whether CUI flows through or resides on your systems, not your company size or revenue.
Rev 3 was published in May 2024. Should I be implementing Rev 2 or Rev 3?
Implement Rev 2 for now. The CMMC 2.0 final rule (effective December 16, 2024) and DFARS clause 252.204-7012 reference Rev 2, and DoD issued a class deviation in May 2024 that holds the clause at Rev 2 rather than letting it float to the newest revision. DoD has not updated contractual requirements to mandate Rev 3. Monitor the CMMC program for transition timelines, but don't delay Rev 2 compliance waiting for Rev 3 adoption.
What is the relationship between NIST 800-171 and CMMC?
CMMC Level 2 maps directly to the 110 security requirements in NIST 800-171 Rev 2. CMMC adds the assessment methodology and certification process that 800-171 itself does not define. Think of 800-171 as 'what to implement' and CMMC as 'how you prove it.' CMMC Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21, which protect Federal Contract Information rather than CUI and correspond to a subset of 800-171.
How long does it take to achieve full compliance?
For a mid-size contractor starting from scratch, 12 to 18 months is typical. Organizations with existing security programs (ISO 27001, SOC 2) can often close gaps in 6 to 9 months. The main time sinks are documenting the System Security Plan (SSP), implementing missing technical controls, and building the Plan of Action and Milestones (POA&M) for remaining gaps. POA&Ms must carry defined closure timelines; they are not indefinite waivers, and under CMMC a conditional Level 2 status requires the POA&M to be closed out within 180 days.
What is an SPRS score and how is it calculated?
The Supplier Performance Risk System (SPRS) score is a self-assessed number from -203 to 110. You start at 110 and subtract a weighted value (1, 3, or 5 points, with partial credit available only for multi-factor authentication under 3.5.3 and FIPS-validated cryptography under 3.13.11) for each requirement not fully implemented. A score of 110 means all requirements are met. DoD contracting officers can view your score before awarding contracts, and posting an inaccurate score carries False Claims Act liability. The assessment procedures come from NIST SP 800-171A; the point values and scoring rules come from the NIST SP 800-171 DoD Assessment Methodology.
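The scoring rule worked through as an added example (not an official DoD calculator). The `WEIGHTS` table holds only the eleven requirements this page discusses, with their Annex A point values as the editor recalls them; verify every value against the current DoD Assessment Methodology before using a scorer like this for a real assessment. `SAMPLE_STATUSES` is a constructed implementation status table:

```python
"""SPRS score per the NIST SP 800-171 DoD Assessment Methodology: start at
110, subtract each requirement's point value when it is not fully
implemented, allow partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS),
deduct nothing for a justified Not Applicable, and produce no score at all
when there is no SSP (3.12.4).

Added example, not an official calculator. WEIGHTS is a subset of Annex A
(the real table has 110 entries); confirm the values before relying on it."""

FULL = "implemented"
PARTIAL = "partial"          # only meaningful for 3.5.3 and 3.13.11
NOT_IMPL = "not_implemented"
NA = "not_applicable"        # must be justified in the SSP; scores as implemented

# requirement id -> (point value, deduction when partially implemented or None)
WEIGHTS = {
    "3.1.1": (5, None), "3.1.2": (5, None),
    "3.3.1": (5, None), "3.3.2": (3, None),
    "3.5.3": (5, 3),     # MFA for remote/privileged users but not general users: lose 3, not 5
    "3.8.9": (1, None),
    "3.13.1": (5, None), "3.13.6": (5, None), "3.13.8": (3, None),
    "3.13.11": (5, 3),   # encryption in use but not FIPS-validated: lose 3, not 5
    "3.13.16": (1, None),
}
MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the sum of every Annex A point value (313)


def deduction(req_id, status):
    """Points lost for one requirement given its implementation status."""
    weight, partial = WEIGHTS[req_id]
    if status in (FULL, NA):
        return 0
    if status == NOT_IMPL:
        return weight
    if status == PARTIAL:
        if partial is None:
            raise ValueError(f"{req_id} has no partial-credit rule; score it as not implemented")
        return partial
    raise ValueError(f"unknown status {status!r} for {req_id}")


def sprs_score(statuses, ssp_exists=True):
    """statuses: {requirement_id: status}. Requirements missing from the dict
    count as not implemented, because an assessor will not assume they are met."""
    if not ssp_exists:
        return None  # no SSP means no assessment, not a score of 110 minus something
    lost = sum(deduction(req_id, statuses.get(req_id, NOT_IMPL)) for req_id in WEIGHTS)
    return max(MIN_SCORE, MAX_SCORE - lost)


# Constructed status table for a contractor part-way through remediation.
SAMPLE_STATUSES = {
    "3.1.1": FULL, "3.1.2": FULL, "3.3.1": FULL, "3.3.2": NOT_IMPL,
    "3.5.3": PARTIAL, "3.8.9": FULL, "3.13.1": FULL, "3.13.6": NOT_IMPL,
    "3.13.8": FULL, "3.13.11": PARTIAL, "3.13.16": NA,
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_STATUSES))
    print("all implemented:", sprs_score({r: FULL for r in WEIGHTS}))
    print("nothing recorded:", sprs_score({}))
```

Two behaviours are worth noticing: a requirement you forgot to record costs its full weight, and marking a control Not Applicable is free only because the methodology expects the SSP to justify it; an assessor who rejects the justification re-scores it as not implemented.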