NIST 800-171 R2 · 110 Controls

NIST 800-171 software, mapped from the official OSCAL

Not re-typed from the PDF. Not interpreted by a consultant. The same control IDs your assessor uses.

Readyline's NIST 800-171 R2 catalog is built from the official NIST OSCAL files (SP 800-53 / 800-171). Every control is mapped 1:1 with the source. You implement each control, mark it Implemented, Not Implemented, or Planned, and attach evidence; your SPRS score is then computed per DoD NIST SP 800-171 Assessment Methodology v1.2.1. No re-skin, no consultant re-interpretation.

OSCAL-native · SPRS computed correctly · Per-tenant DB isolation · SaaS or self-hosted

Why OSCAL-native matters for NIST 800-171 software

NIST publishes 800-171 in two forms: a PDF for humans and OSCAL (Open Security Controls Assessment Language) for machines. OSCAL is the source of truth.

Most NIST 800-171 software products transcribe the PDF into their own internal taxonomy. That means:

  • Control IDs drift from the official NIST IDs over time
  • Updates to the spec are slow to propagate (re-transcription cycle)
  • The assessor sees control IDs that don't match their reference materials

Readyline's catalog is built from the official NIST OSCAL source, and we refresh it when NIST publishes an update. Your control IDs match the source. Your assessor reads what they expect.

NIST 800-171 R2 coverage in Readyline
  • AC · Access Control: 22 controls
  • AT · Awareness & Training: 3 controls
  • AU · Audit & Accountability: 9 controls
  • CM · Configuration Management: 9 controls
  • IA · Identification & Authentication: 11 controls
  • IR · Incident Response: 3 controls
  • MA · Maintenance: 6 controls
  • MP · Media Protection: 9 controls
  • PE · Physical Protection: 6 controls
  • PS · Personnel Security: 2 controls
  • RA · Risk Assessment: 3 controls
  • CA · Security Assessment: 4 controls
  • SC · System & Comms Protection: 16 controls
  • SI · System & Information Integrity: 7 controls

14 control families, 110 total controls: full NIST 800-171 R2 coverage from the OSCAL source.

How NIST 800-171 software works in Readyline

The implementation loop, end to end.

1. Ingest from OSCAL

NIST publishes 800-171 R2 OSCAL files on GitHub. Readyline parses them, populating the 110 controls into your tenant with their official IDs, family groupings, and discussion text.

2. Mark Implementation Status

For each control: Implemented / Implementing / Planned / Not Implemented / Not Applicable. Each status carries the DoD methodology weight (5 / 3 / 1 / -5).

3. Attach Evidence

Upload policies, procedures, screenshots, configurations. Each evidence file is linked to the controls it satisfies. No CSV gymnastics.

4. SPRS Score Auto-Computes

Per DoD NIST SP 800-171 Assessment Methodology v1.2.1. Real-time delta as you move controls. The exact number to submit to SPRS for DoD contract eligibility.

5. POA&M for Gaps

Any control not Implemented auto-suggests a POA&M item. Add assignee, priority, due date. POA&M PDF export for the C3PAO.

6. SSP PDF Generated

Auto-populated from your control assessments + evidence. Includes boundary diagram, asset inventory, system description, revision history. Audit-grade output ready for the C3PAO.

FAQ

NIST 800-171 software questions

The implementation questions DoD subcontractors actually ask.

Both. R2 is the version DoD currently scores you against in SPRS, so it ships fully today with all 110 controls auto-mapped from OSCAL. R3 is supported as a crosswalk overlay: you can see how each R2 control maps to R3, useful for forward planning, but DoD scoring stays on R2 until they update the SPRS methodology.

NIST 800-172 adds 35 enhanced security requirements. CMMC Level 3 selects 24 of those for the certification scope. Our NIST 800-172 module is in active development, on track to ship before the CMMC Phase 3 rollout in November 2027.

Per the DoD NIST SP 800-171 Assessment Methodology v1.2.1. Each control has a weight (1, 3, or 5 points). Starting score is 110. Every Not Implemented control subtracts its weight from the total. Implemented or Planned-with-POA&M restores points. Real-time delta as you change statuses. The number you see is the number you submit to SPRS.
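A sketch of the ingest, status and scoring steps as this page describes them (an added example, not Readyline's code): control IDs are read from an OSCAL-style catalog, the score starts at 110 and loses the weight of each Not Implemented control, and every control that is not Implemented becomes a POA&M candidate. The catalog fragment, weights and statuses are constructed sample data, and treating an unassessed control as Not Implemented is an assumption.

```python
import json

# Constructed OSCAL-style catalog fragment (catalog -> groups -> controls).
CATALOG_JSON = """
{"catalog": {"groups": [
  {"id": "3.1", "title": "Access Control",
   "controls": [{"id": "3.1.1", "title": "sample"},
                {"id": "3.1.2", "title": "sample"}]},
  {"id": "3.3", "title": "Audit and Accountability",
   "controls": [{"id": "3.3.1", "title": "sample"},
                {"id": "3.3.2", "title": "sample"}]}
]}}
"""
# Constructed weights (1, 3 or 5) and statuses; not the DoD's published values.
WEIGHTS = {"3.1.1": 5, "3.1.2": 5, "3.3.1": 3, "3.3.2": 1}
STATUSES = {"3.1.1": "Implemented", "3.1.2": "Not Implemented",
            "3.3.1": "Planned"}
# Per the page: Implemented or Planned-with-POA&M does not cost points.
NO_DEDUCTION = {"Implemented", "Planned"}


def load_controls(catalog_json):
    """Map control ID -> family title, straight from the catalog's groups."""
    catalog = json.loads(catalog_json)["catalog"]
    return {c["id"]: g["title"]
            for g in catalog.get("groups", [])
            for c in g.get("controls", [])}


def assess(controls, weights, statuses, start=110):
    """Return (score, poam_ids, unknown_ids) for the given statuses."""
    # A status recorded for an ID the catalog lacks signals ID drift.
    unknown = sorted(set(statuses) - set(controls))
    score, poam = start, []
    for cid in sorted(controls):
        # Assumption: an unassessed control counts as Not Implemented,
        # so a missing answer can never raise the score.
        status = statuses.get(cid, "Not Implemented")
        if status not in NO_DEDUCTION:
            score -= weights[cid]  # KeyError here means a weight is missing
        if status != "Implemented":
            poam.append(cid)  # every gap becomes a POA&M candidate
    return score, poam, unknown
```

Statuses the scoring answer does not name (Implementing, Not Applicable) are deducted by this sketch, which is a choice made here and not a rule taken from the page.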

The DFARS 252.204-7020 assessment standard expects either: (1) a policy document showing intent, (2) a procedure showing how the policy is operationalized, (3) artifacts showing the procedure is followed (screenshots, logs, training records, configs). For most controls, 1-3 evidence items satisfy. We surface the recommended evidence types per control during the assessment.

Yes. The C3PAO assessor mode provides a scoped, time-limited (default 14 days), read-only window into your tenant during assessment. Every page view is audit-logged. You control which modules are in scope. Consultants typically get a full-access support seat during onboarding.

Ready to talk?

30 minutes. Founder-led. No slides. Walk away with a clearer view of your CMMC posture, either way.

Book a demo

Reply within 1 business day · ES/EN · or email us directly.