NIST 800-171 and CMMC 2.0 for small AI firms

The three artifacts, in order

If you handle Controlled Unclassified Information for DoD or DoD-subject contracts, three federal requirements stack: DFARS 252.204-7012 (the contract clause), NIST SP 800-171 Rev 3 (the 110-control technical baseline), and CMMC 2.0 (the certification program that verifies 800-171 implementation). You do not pick one. DFARS tells you which you need; 800-171 tells you what to implement; CMMC tells you how it gets verified.

The 110 controls, grouped

Family	Controls	What it means
Access Control (AC)	22	Who can access what, session management, privileged-account control, separation of duties.
Awareness and Training (AT)	3	User training on CUI handling and insider threat.
Audit and Accountability (AU)	9	Logging, review, retention, tamper-evidence.
Configuration Management (CM)	9	Baseline configs, change control, least functionality, allowed software.
Identification and Authentication (IA)	11	MFA, password complexity, cryptographic authentication, replay resistance.
Incident Response (IR)	3	Incident handling, DFARS 72-hour reporting, IR testing.
Maintenance (MA)	6	Maintenance authorization, tool approval, non-local maintenance MFA.
Media Protection (MP)	9	Physical media handling, sanitization, encrypted transport.
Personnel Security (PS)	2	Screening, termination procedures.
Physical Protection (PE)	6	Physical access controls, visitor logs.
Risk Assessment (RA)	3	Periodic risk assessment, vulnerability scanning.
Security Assessment (CA)	4	Self-assessment, POA&M, continuous monitoring.
System and Communications Protection (SC)	16	Boundary protection, FIPS 140-validated crypto, key management.
System and Information Integrity (SI)	7	Flaw remediation, malicious code protection, monitoring.

For a small AI firm, IA (MFA everywhere, FIPS 140-3 validated crypto for privileged access), SC (boundary protection, FIPS-validated crypto modules across the stack), and AU (centralized log aggregation with retention and tamper-evidence) are the expensive families.

CMMC 2.0 levels, practically

Level	Scope	Assessment
Level 1	17 controls (FAR 52.204-21). Federal Contract Information (FCI), not CUI.	Annual self-assessment.
Level 2	All 110 NIST 800-171 controls. CUI handling.	Triennial C3PAO assessment for most contracts; self-assessment for a narrow subset.
Level 3	110 plus enhanced 800-172 subset. High-value CUI, APT-relevant.	Triennial DIBCAC government assessment.

Most small AI firms touching DoD CUI operate at Level 2. Level 3 is for a narrow slice of high-sensitivity programs.

SPRS scoring, the math

The Supplier Performance Risk System is the DoD database where you record your 800-171 self-assessment score. Scoring starts at 110 and subtracts weighted penalties for each control not fully implemented. Weights range 1-5 based on risk impact. The possible range is +110 to -203.

• Full implementation = 0 penalty.
• Partial = half penalty, only if listed in a POA&M with a remediation date.
• Not implemented = full penalty.

110 is perfect. Scores in the 90s are common for mature firms. Below 80 gets attention. Negative is a red flag. Your SPRS score is visible to contracting officers and increasingly referenced as a pre-award gate.

DFARS 252.204-7012 in the middle

• Provide adequate security — implement NIST 800-171.
• Report cyber incidents to DoD within 72 hours via DIBNet.
• Preserve affected media and damage-assessment data.
• Flow the same requirements down to subcontractors.

The 72-hour reporting obligation trips small firms. You need a medium-assurance DoD-approved PKI certificate for DIBNet, an IR runbook that references DIBNet, and staff who understand the reporting threshold (any cyber incident affecting CUI or CUI-enabling systems, not only confirmed breaches).

What small AI firms keep missing

1. Treating developer laptops as out of scope

If a dev clones a repo containing CUI training data, that laptop is in scope. The boundary travels with the data. Teams that scope assessment around "only prod" fail C3PAO assessments.

2. Using commercial LLM APIs with CUI

Sending CUI to commercial OpenAI, Anthropic, or Gemini is a flow of CUI outside your boundary to a service not built for 800-171. That is a reportable incident. Use FedRAMP-authorized LLM endpoints.

3. Incomplete asset inventory

Assessment starts with "show me every system in the CUI boundary." A stale Google Doc produces findings across CM, CA, and RA. A live CMDB is not optional.

4. No separation between CUI and non-CUI environments

A dedicated CUI enclave — segregated network, separate identity plane, separate logging — is the single most effective scope-reduction move.

A realistic small-firm build

• CUI enclave in AWS GovCloud or Azure Government (FedRAMP-inherited baseline).
• Azure AD or AWS IAM Identity Center with hardware-key MFA (PIV-I or FIDO2).
• Centralized log aggregation (Splunk, Sentinel) — FIPS-validated transport, tamper-evident, one-year online retention.
• EDR on all in-scope endpoints (CrowdStrike, Defender, S1).
• FedRAMP-authorized LLM endpoint only (Azure OpenAI Government, Bedrock GovCloud, Vertex Assured Workloads).
• Documented IR runbook with DIBNet reporting and 72-hour timer.
• Quarterly vuln scans, monthly patch cadence, annual pen test.
• Written policies for AC, AU, CM, IA, IR, SC, SI — referenced in the SSP.

C3PAO assessment cost

$80K-$200K typical for a small-firm Level 2 C3PAO, depending on scope. Triennial, so $25K-$70K per year amortized. Plan it as G&A. Pre-assessment readiness work usually adds 3-6 months of internal engineering.

Bottom line

NIST 800-171 is 110 controls. CMMC 2.0 Level 2 certifies them. DFARS 7012 is the contract clause that triggers both and adds the 72-hour incident-report obligation. Small AI firms handle this well when they build a tight CUI enclave with FedRAMP-authorized dependencies and document relentlessly. They handle it badly when they treat it as paperwork. Build the enclave first; the paperwork follows.

Frequently asked questions