NIST 800-171, CUI, and AI: What Your System Security Plan Is Missing

Thousands of organizations handle controlled unclassified information under government contracts without being in the CMMC certification pipeline. Federal contractors, research universities, state agencies, technology suppliers, and professional services firms that receive CUI under DFARS 252.204-7012 are required to implement the 110 security practices of NIST SP 800-171 and document that implementation in a System Security Plan. Most have done so for human user access to CUI. Almost none have done so for AI agent access.

The gap is not theoretical. AI agents are being deployed in DFARS-covered organizations for proposal development, technical documentation, contract administration, and supply chain workflows — all of which routinely involve CUI. These deployments are not covered by existing SSPs. They are not reflected in risk assessments. They are not addressed in access control policies. And they are not producing the audit logs that NIST 800-171’s audit and accountability practices require for CUI access events.

This post is distinct from the CMMC post in this series, which focuses on the C3PAO assessment process for defense industrial base contractors pursuing certification. This post addresses the broader population of organizations that handle CUI under DFARS contracts but may not be on the CMMC certification track — and whose NIST 800-171 compliance obligations apply to AI agent CUI access regardless of certification status.

Executive Summary

Main Idea: NIST 800-171’s 110 security practices apply to every system that processes, stores, or transmits CUI — including AI agents. Organizations that have implemented 800-171 controls for human user access to CUI but have not extended those controls to AI agent workflows have a material compliance gap in their System Security Plan. That gap represents DFARS contractual non-compliance, potential False Claims Act exposure, and a vulnerability in their cybersecurity posture that adversaries targeting government supply chains know to exploit.

Why You Should Care: DFARS 252.204-7012 requires contractors to flow NIST 800-171 compliance down to subcontractors and service providers that handle CUI on their behalf. AI vendors whose infrastructure processes CUI — even transiently during model inference — are part of this flow-down chain. An organization that cannot demonstrate NIST 800-171-compliant access controls and audit trails for AI agent CUI access is not compliant with its DFARS contract terms — regardless of whether a CMMC assessment is pending.

Key Takeaways

  1. NIST 800-171 compliance obligations arise from DFARS contracts, not CMMC certification. Any organization operating under DFARS 252.204-7012 is required to implement all 110 NIST 800-171 practices for systems that handle CUI. This obligation exists independently of CMMC. Organizations that handle CUI but are not yet in the CMMC certification pipeline are not exempt from 800-171 — they are simply self-attesting to compliance rather than undergoing third-party assessment.
  2. Every AI agent touching CUI is a system component that must be reflected in the SSP. The System Security Plan must describe all systems and components that process, store, or transmit CUI, along with the security controls protecting each. An SSP that describes controls for workstations, servers, and email systems but makes no mention of AI agents accessing CUI repositories is an incomplete SSP — and an incomplete SSP is itself an 800-171 compliance finding.
  3. NIST 800-171 Rev. 3 strengthened the access control and audit requirements that AI deployments must satisfy. The 2024 revision to NIST 800-171 introduced enhanced requirements for access control granularity, audit log detail, and supply chain risk management. These revisions make existing AI deployment architectures — which typically provide session-level credentialing and infrastructure-level logging — even less adequate for 800-171 compliance than they were under Rev. 2.
  4. The DFARS flow-down requirement extends NIST 800-171 obligations to AI vendors. Under DFARS 252.204-7012, contractors must flow 800-171 compliance requirements down to subcontractors and service providers that handle CUI on their behalf. An AI vendor whose infrastructure processes CUI during model inference is a covered subcontractor or service provider. The contractor cannot rely on the vendor’s general security attestations — the vendor must meet 800-171 requirements for CUI handling, and the contractor must document this in their vendor risk management program.
  5. False Claims Act exposure is a material risk for organizations with inaccurate NIST 800-171 self-assessments. The Department of Justice has brought False Claims Act cases against government contractors for submitting inaccurate NIST 800-171 self-assessments. An organization that self-attests to 800-171 compliance while operating AI agents against CUI without the required access controls and audit trails is submitting a potentially false certification — with FCA exposure that extends to individual executives.

NIST 800-171 and the SSP: What AI Deployments Must Cover

NIST 800-171 organizes its 110 security practices into 14 control families. Three are most directly implicated when AI agents access CUI: Access Control (3.1), Audit and Accountability (3.3), and Identification and Authentication (3.5). A fourth — Configuration Management (3.4) — becomes relevant when AI agent components are part of the system boundary. Each of these families contains specific practices that the SSP must address, and that AI agent deployments must satisfy, for the organization to be in compliance with its DFARS obligations.

Access Control (3.1): Authorized Access and Minimum Necessary

Practice 3.1.1 requires that access to CUI be limited to authorized users, processes acting on behalf of authorized users, and devices. Practice 3.1.2 requires limiting access to the types of transactions and functions authorized users are permitted to execute. For AI agents, these two practices establish the same requirements that CMMC AC.1.001 and AC.2.006 impose: access must be authenticated, attributed to an authorized individual, and scoped to the minimum necessary for the specific task. An AI agent operating through a shared service account with broad CUI repository access satisfies neither practice.

Practice 3.1.3 requires controlling the flow of CUI in accordance with approved authorizations. For AI agents, this means the governance layer must prevent controlled data from flowing to unauthorized destinations — external APIs, non-DFARS-covered systems, or infrastructure outside the authorized CUI boundary. System prompts cannot enforce this flow control; only data-layer ABAC policy can technically prevent unauthorized CUI flow regardless of what the model was instructed to do.

Audit and Accountability (3.3): What the Log Must Contain

Practice 3.3.1 requires creating and retaining system audit logs to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Practice 3.3.2 requires that the identities of users responsible for the actions of their processes — including processes acting on their behalf — be ensured. For AI agents, 3.3.2 is the practice that most directly requires a delegation chain: the audit log must capture not just that an agent performed an action, but the identity of the human who authorized and is accountable for that action.

Standard infrastructure logs and AI inference logs typically capture what system action occurred, not who is accountable for it in the 3.3.2 sense. An organization whose AI agent audit trail records API calls made by a service account, without linking those calls to the specific human operator who delegated the workflow, cannot satisfy practice 3.3.2 for those CUI access events.

Identification and Authentication (3.5): Unique Identification Required

Practice 3.5.1 requires that users and devices — and, critically, processes including AI agents — be identified and authenticated before accessing organizational systems and CUI. Practice 3.5.2 requires authenticating identities before allowing access. For AI agents, unique identification means each agent must have a distinct, verifiable identity credential — not a shared service account whose identity is indistinguishable across multiple agents, workflows, or access events.

Supply Chain Risk Management (3.16): The AI Vendor Dimension

NIST 800-171 Rev. 3 introduced explicit supply chain risk management requirements under practice family 3.16. Practice 3.16.1 requires establishing and maintaining a supply chain risk management plan. For organizations deploying AI agents against CUI, the AI vendor relationship is a supply chain risk that must be assessed and documented: how does the vendor protect CUI during model inference, what are its incident notification obligations, and does it meet 800-171 requirements for the CUI it handles on the contractor’s behalf?


The SSP Gap: What Most Organizations Are Missing

A NIST 800-171-compliant SSP must describe the system boundary, all components within it, and the security controls protecting CUI across all components. For most organizations that have deployed AI agents, the SSP reflects a pre-AI architecture — and AI agent components are absent from the system boundary description entirely.

AI Agents Outside the Defined System Boundary

If the AI agent infrastructure is not in the system boundary description, none of the 800-171 practices apply to it in the documented compliance posture. An auditor reviewing the SSP against actual operations will identify AI agents accessing CUI as out-of-scope components — meaning the self-assessment score does not account for those components, and the organization’s DFARS certification is inaccurate. Every system that handles CUI must be in the boundary; every AI system touching CUI is a system that handles CUI.

Risk Assessments That Predate AI Deployments

Practice 3.11.1 requires periodic risk assessment of organizational operations and CUI system operation. Most organizations’ current assessments predate their AI deployments. An assessment that does not reflect AI agents now accessing CUI — their vulnerabilities, vendor dependencies, access scope, and governing controls — is not a current risk assessment for 800-171 purposes.

Plan of Action and Milestones Gaps

Once an organization identifies 800-171 compliance gaps created by AI deployments, those gaps must be captured in a POA&M with remediation timelines. Identifying the gap without documenting it is itself a compliance issue: 800-171 requires systematic tracking of security control deficiencies, not just their identification.

Best Practices for NIST 800-171-Compliant AI Agent Access to CUI

1. Include AI Agent Components in the System Security Plan

Update the SSP to include all AI agents and their infrastructure components in the system boundary description. For each AI component — orchestration layer, model hosting, vector database, API gateway — document the security controls in place, the CUI it handles, and the practice implementation status. This is not optional: an SSP that does not reflect current AI deployments is inaccurate, and an inaccurate SSP is an 800-171 finding. The SSP update should precede any further AI deployment expansion against CUI.

2. Implement Authenticated Agent Identity with Delegation Chain Preservation

Every AI agent accessing CUI must operate under a unique identity credential at the workflow level, linked to the specific human operator who is accountable for that workflow under practice 3.3.2. This credential must be distinct per-agent and per-workflow — shared service accounts do not satisfy practices 3.5.1 or 3.3.2. The delegation chain (human operator to agent identity to CUI access event) must be captured in every audit log entry, providing the accountability attribution that 800-171 requires.

3. Enforce Operation-Level CUI Access Scoping Through ABAC

Implement ABAC that evaluates every AI agent CUI request against the agent’s authenticated profile, the CUI classification of the requested data, the workflow context, and the specific operation. This satisfies practices 3.1.1 (authorized access) and 3.1.2 (minimum necessary transaction scope) at the operation level. An agent authorized to read a contract folder cannot download all files, cannot access adjacent CUI repositories, and cannot perform operations outside its authorized scope — with enforcement at the data layer, not the model layer.
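
A minimal default-deny evaluator for the operation-level check described above, as an added example (not Kiteworks code or any product's API). The `Grant` and `Request` types, the agent, operator, folder and destination names, and the `CTI` category value are all constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

# All names, paths and values below are constructed for illustration.

@dataclass(frozen=True)
class Grant:
    """What one agent workflow may do, as delegated by an accountable human."""
    agent_id: str
    operator: str                # human accountable under practice 3.3.2
    workflow: str
    folder: str                  # CUI folder the grant is scoped to
    cui_categories: frozenset    # CUI categories covered by the grant
    operations: frozenset        # permitted operations, e.g. {"read"}
    destinations: frozenset      # where results may flow (practice 3.1.3)

@dataclass(frozen=True)
class Request:
    agent_id: str
    workflow: str
    operation: str
    resource: str
    cui_category: str
    destination: str

def violations(req, grant):
    """List every attribute of the request that falls outside the grant."""
    path = PurePosixPath(req.resource)
    found = []
    if (req.agent_id, req.workflow) != (grant.agent_id, grant.workflow):
        found.append("identity")
    if req.operation not in grant.operations:
        found.append("operation")
    # PurePosixPath does not resolve "..", so reject it rather than trust it.
    if ".." in path.parts or PurePosixPath(grant.folder) not in path.parents:
        found.append("resource")
    if req.cui_category not in grant.cui_categories:
        found.append("classification")
    if req.destination not in grant.destinations:
        found.append("destination")
    return found

def evaluate(req, grants):
    """Default deny: permit only when one grant covers every attribute."""
    best = ["identity"]  # reason reported when no grant exists for the agent
    for grant in grants:
        found = violations(req, grant)
        if not found:
            return {"decision": "permit", "operator": grant.operator, "violations": []}
        if "identity" not in found:
            best = found
    return {"decision": "deny", "operator": None, "violations": best}

GRANTS = [Grant("agent-proposal-01", "j.rivera", "proposal-draft",
                "/cui/contracts/constructed-contract", frozenset({"CTI"}),
                frozenset({"read"}), frozenset({"internal-workspace"}))]

def sample(operation="read", resource="/cui/contracts/constructed-contract/sow.docx",
           destination="internal-workspace", agent_id="agent-proposal-01"):
    """Build a constructed request; override one attribute to see it denied."""
    return Request(agent_id, "proposal-draft", operation, resource, "CTI", destination)
```

Because the decision is computed from the request attributes alone, it holds regardless of what the model was prompted to do, and the returned operator and violation list are what the audit record for that decision would carry.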

4. Produce Operation-Level Audit Logs with Human Accountability Attribution

Every AI agent CUI interaction must be captured in a tamper-evident log that satisfies practices 3.3.1 and 3.3.2: agent identity, human operator accountable for the action, specific CUI accessed, operation performed, and timestamp. These logs must support monitoring and investigation of unauthorized access and be retained for the period required by the organization’s records management policy. Standard infrastructure logs and inference logs do not satisfy 800-171’s audit requirements without operation-level, attribution-complete detail.

5. Assess and Document AI Vendor CUI Handling Under the Supply Chain Risk Management Program

For every AI vendor whose infrastructure handles CUI on the organization’s behalf, conduct a DFARS-specific vendor risk management assessment: evaluate whether the vendor meets 800-171 requirements for CUI handling, document the assessment, and flow 800-171 compliance requirements down contractually. Update the supply chain risk management plan under practice 3.16.1 to reflect AI vendor relationships. Update the POA&M with any identified gaps. An AI vendor that processes CUI without documented 800-171 compliance is a DFARS flow-down deficiency that affects the prime contractor’s compliance posture.

How Kiteworks Enables NIST 800-171-Compliant AI Agent Governance

Bringing AI agent CUI access into NIST 800-171 compliance requires updating three things simultaneously: the SSP to include AI components in the boundary, the technical controls to govern AI agent CUI access at the data layer, and the vendor assessment to confirm that the AI governance platform itself meets 800-171 requirements for CUI handling. The Kiteworks Private Data Network addresses all three: it provides the technical governance infrastructure for AI agent CUI access, serves as an SSP-documentable system component with NIST 800-171 compliance capabilities, and supports the vendor assessment that DFARS flow-down requires.

Authenticated Identity and Delegation Chain for Practices 3.5.1 and 3.3.2

Kiteworks authenticates every AI agent before CUI access occurs, using a unique per-workflow credential linked to the human operator accountable for the workflow. The complete delegation chain is captured in every audit log entry. This satisfies practice 3.5.1’s unique identification requirement and practice 3.3.2’s human accountability attribution requirement — providing the documentation that both SSP practice implementation statements and DFARS compliance audits require.

Operation-Level ABAC for Practices 3.1.1, 3.1.2, and 3.1.3

Kiteworks’ data policy engine evaluates every AI agent CUI request against a multi-dimensional policy: authenticated agent profile, CUI classification, workflow context, and specific operation. Minimum necessary access is enforced at the operation level, and CUI flow is controlled to authorized destinations only. These enforcement mechanisms satisfy practices 3.1.1, 3.1.2, and 3.1.3 at the data layer, independent of model behavior — making them audit-defensible practice implementations that can be documented in the SSP.

Tamper-Evident Audit Trail for Practices 3.3.1 and 3.3.2

Every AI agent CUI interaction is captured in a tamper-evident, operation-level audit log feeding directly into the organization’s SIEM. The log records agent identity, human operator, CUI data accessed, operation type, policy evaluation outcome, and timestamp — satisfying practices 3.3.1 and 3.3.2 with the operation-level detail and human accountability attribution that 800-171 requires. When a DFARS compliance review requests evidence of CUI access controls, the response is an exportable evidence package, not an investigation into scattered infrastructure logs.

FIPS 140-3 Encryption and Governed CUI File Operations

All CUI accessed through Kiteworks is protected by FIPS 140-3 Level 1 validated encryption in transit and at rest, satisfying NIST 800-171’s encryption requirements. Kiteworks Compliant AI’s Governed Folder Operations and Governed File Management capabilities allow AI agents to organize and manage CUI repositories with every operation enforced by the data policy engine — satisfying RBAC and CUI segregation requirements without manual provisioning, and providing SSP-documentable practice implementations for configuration management practices under family 3.4.

For organizations that handle CUI under DFARS contracts and need to bring AI agent deployments into NIST 800-171 compliance, Kiteworks provides the technical governance infrastructure and the SSP-documentable practice implementations that close the gap between pre-AI compliance posture and the operational reality of agentic CUI access. Learn more about Kiteworks NIST 800-171 compliance capabilities or request a demo.

Frequently Asked Questions

Yes. NIST 800-171 compliance obligations arise from DFARS 252.204-7012, not from CMMC certification. Any organization operating under this clause must implement all 110 800-171 practices for systems that handle CUI — including AI agents. The self-attestation requirement means the organization is certifying compliance with its government contracts. An AI agent accessing CUI without the required access controls and audit trails is a DFARS compliance gap regardless of CMMC status.

Every system component that processes, stores, or transmits CUI must be included in the System Security Plan — including AI agents and their infrastructure components. The SSP must describe what each component does with CUI, what security controls protect it, and the implementation status of each applicable 800-171 practice. AI components not in the SSP represent undocumented CUI system components, which is itself a practice deficiency. The SSP must also be kept current — deploying AI agents against CUI without updating the SSP creates an immediate documentation gap. A POA&M should capture any identified gaps with remediation timelines.

DFARS 252.204-7012 requires contractors to flow NIST 800-171 compliance obligations to subcontractors and service providers that handle CUI on their behalf. An AI vendor whose infrastructure processes CUI — including during model inference — is a covered service provider. The contractor must assess whether the vendor meets 800-171 requirements for CUI handling, document that assessment in their supply chain risk management program, and flow the 800-171 requirements down contractually. General vendor security certifications like SOC 2 do not satisfy the DFARS flow-down requirement — the vendor must specifically meet 800-171 for the CUI it handles. Vendor risk management documentation for AI vendors is now a DFARS compliance requirement.

No. A self-assessment score that does not reflect current AI deployments is inaccurate. The risk assessment and SSP must reflect the current operational environment, including all systems that handle CUI. Deploying AI agents against CUI repositories after the last assessment — without updating the SSP, reassessing the risk, and documenting new control implementations or gaps in the POA&M — means the self-attestation submitted to the government does not accurately reflect the organization’s compliance posture. Department of Justice False Claims Act enforcement has targeted contractors with inaccurate 800-171 self-assessments.

The minimum architecture requires four components, all documented in the SSP and verified as practice implementations: authenticated agent identity linked to a human accountable operator, satisfying practices 3.5.1 and 3.3.2; operation-level ABAC policy enforcement limiting CUI access to authorized scope, satisfying practices 3.1.1, 3.1.2, and 3.1.3; tamper-evident, operation-level audit logging with human attribution, satisfying practices 3.3.1 and 3.3.2; and FIPS 140-3 validated encryption across all CUI data paths in the agent pipeline. Each must be implemented by a technical control that operates independent of model behavior, documented in the SSP as a practice implementation, and verifiable by evidence production on demand.
