NIST 800-171 Checklist for Hardware Buyers
Most NIST 800-171 gap assessments come back with findings that trace to a switch, a server, or an endpoint — not a policy document. Here is what to check before the assessor does.
By Uniqcli Team · · 6 min read

Compliance
NIST 800-171 checklist: what actually touches your hardware
NIST SP 800-171 governs how contractors protect Controlled Unclassified Information (CUI), and most of its 110 controls read as policy: training, incident response, personnel screening. But a meaningful share of them are only satisfiable with the right infrastructure underneath the policy. An access-control policy means nothing if the switch can't enforce port-based authentication. A media-sanitization procedure means nothing if the drives can't be cryptographically erased. This NIST 800-171 checklist works through the control families that land on physical hardware — network gear, servers, and endpoints — and what an assessor is actually looking for when they ask to see the equipment, not just the documentation. It also covers where 800-171 hands off to CMMC, since the two get conflated constantly and the hardware requirements aren't identical.
Which NIST 800-171 control families depend on hardware
Of the 14 control families in 800-171, three carry the most hardware weight: Access Control (3.1), Media Protection (3.8), and System and Communications Protection (3.13), with System and Information Integrity (3.14) close behind. Each has requirements that a spreadsheet policy can describe but only a device can enforce.
Access Control asks for the capability to limit system access to authorized users and devices, and to separate duties so no single account can both configure and audit a system. That means managed switches with 802.1X, wireless controllers with per-user authentication, and servers with role-based admin separation baked into the hardware's management plane, not just the OS on top of it.
Media Protection asks for control over CUI on removable and fixed media, including sanitization before reuse or disposal. That's a drive-level capability — self-encrypting drives, NIST 800-88 purge support, and firmware that actually executes a cryptographic erase rather than a soft delete. Buying storage without checking this is a common gap that surfaces during assessment prep, not before.
What assessors check on the network side
System and Communications Protection requires boundary protection, monitoring of communications at external interfaces, and network segmentation to isolate CUI-handling systems from the rest of the environment. In practice, assessors want to see firewalls or next-gen security appliances positioned at the boundary, VLANs or physical separation between CUI and non-CUI segments, and switches capable of enforcing that segmentation at line rate.
A flat network where CUI systems share broadcast domains with guest Wi-Fi or general office traffic is one of the more common findings in a gap assessment, and it's a hardware topology problem before it's a configuration problem — no amount of firewall rules fixes a switch that can't do VLAN tagging or a wireless AP that can't isolate SSIDs at the radio level.
Encryption in transit is the other piece assessors probe. That means TLS-capable management interfaces, IPsec-capable routers for site-to-site links, and — increasingly, as agencies look past FIPS 140-2's 2026 sunset — hardware that already supports FIPS 140-3 validated cryptographic modules rather than deprecated ones.
Endpoint and system integrity requirements
System and Information Integrity requires timely identification and remediation of flaws, and protection from malicious code at entry and exit points. On hardware, that translates to endpoints and servers with a supported firmware update path, hardware root of trust (TPM 2.0 is now table stakes on federal endpoint refreshes), and Secure Boot enforced at the BIOS/UEFI level so unauthorized firmware or boot-path modification is detectable.
Older fleets are the recurring problem here: a server or workstation that's aged out of vendor firmware support can't close a flaw even if IT wants to, because there's no patch coming. That's a genuine compliance risk masquerading as a budget decision, and it's worth flagging separately from any general end-of-support refresh conversation, since 800-171 findings and warranty expiration don't always land on the same calendar.
Physical protection (3.10) rounds this out with a requirement most teams underweight: limiting physical access to organizational systems, equipment, and operating environments. That means lockable rack enclosures, tamper-evident seals on chassis handling CUI, and asset tags tied to an inventory system — none of it exotic, all of it checkable in an audit walkthrough.
How NIST 800-171 relates to CMMC
CMMC doesn't add new technical controls on top of 800-171 — CMMC Level 2 largely is 800-171, restructured as a certification regime with third-party assessment instead of self-attestation. The hardware checklist above is the same checklist a C3PAO assessor will work through during a CMMC Level 2 assessment. The difference is procedural: under CMMC, gaps get documented in a formal Plan of Action and Milestones with a completion timeline, and the assessment itself is conducted by an accredited third party rather than taken on faith.
That makes the hardware side less forgiving under CMMC than it was under years of self-attested 800-171 compliance. A switch that technically supports 802.1X but has never had it configured, or drives that support sanitization but were never enrolled in the process, won't hold up to an assessor asking for evidence. Contractors moving through CMMC enforcement should treat this checklist as a pre-assessment gap list, not a post-assessment remediation plan.
Hardware capabilities to verify before a 800-171 assessment
Run through this list against your current fleet, not the vendor spec sheet, before an assessor does.
- Managed switches support 802.1X port authentication, not just VLAN tagging
- Wireless controllers enforce per-user auth and SSID isolation from guest traffic
- Storage drives support NIST 800-88 cryptographic erase, not soft delete
- Servers and endpoints ship with TPM 2.0 and UEFI Secure Boot enabled
- Boundary firewalls log and monitor traffic at every external interface
- CUI-handling systems sit on segmented VLANs, physically or logically isolated
- Firmware on all fleet devices is under active vendor support with a patch path
- Rack enclosures and chassis handling CUI are lockable and tamper-evident
- Cryptographic modules in use are validated to a currently supported FIPS revision
- Asset inventory ties physical hardware to logical system boundaries
Frequently asked
Does NIST 800-171 require specific hardware brands or models?
No. 800-171 is capability-based, not brand-specific — it requires functions like 802.1X authentication or cryptographic erase, not a named product. Any hardware that supports the required capability and, where applicable, uses a validated cryptographic module can satisfy the control, which keeps procurement open to competitive sourcing across vendors.
Is a NIST 800-171 self-assessment enough, or do I need CMMC certification?
It depends on your contract terms. Many DoD contracts currently accept a self-assessed 800-171 score in SPRS; CMMC Level 2 third-party certification is being phased into contracts on a rolling basis as enforcement rolls out. Check your specific solicitation or existing contract language rather than assuming.
Can existing network hardware be reconfigured to meet 800-171, or does it need replacement?
Often it can be reconfigured — many enterprise-grade switches and firewalls already support the required features and simply aren't configured for them. Replacement becomes necessary when hardware is out of vendor firmware support or physically lacks the capability, most commonly with older unmanaged switches or access points.
What's the difference between NIST 800-171 and NIST 800-53 for hardware requirements?
800-53 is the broader federal control catalog used for systems that are part of federal information systems themselves; 800-171 is a subset tailored for contractors protecting CUI on nonfederal systems. For most hardware buyers outside federal agencies, 800-171 is the relevant standard, and its hardware-touching controls are a narrower set than 800-53's.
Related resources
Go deeper
CMMC enforcement in 2026
How CMMC Level 2 assessment is rolling into DoD contracts and what changes from self-attestation.
Learn moreCyber capabilities
Sourcing and integration support for the network and endpoint hardware that compliance programs depend on.
Learn moreFederal & DoD solutions
How Uniqcli supports federal and defense buyers through sourcing, staging, and compliance screening.
Learn moreClosing a hardware gap before your next assessment?
Uniqcli sources and stages the switches, storage, and endpoints that help you meet NIST 800-171 hardware controls, with TAA and NDAA §889 screening built into the quote.