NIST SP 800-171

Also known as: SP 800-171, NIST 800-171

Definition

A NIST publication defining security requirements for protecting Controlled Unclassified Information (CUI) stored or processed by non-federal organizations.

NIST Special Publication 800-171 specifies how non-federal organizations — primarily contractors and subcontractors working with the U.S. government — must protect Controlled Unclassified Information (CUI) on their systems. The current Revision 3 defines roughly one hundred security requirements organized into 17 families derived from NIST SP 800-53, covering access control, audit and accountability, configuration management, incident response, and more. U.S. defense contractors are required to comply under DFARS clause 252.204-7012, and the publication forms the technical foundation of CMMC Level 2. Implementing organizations document how each requirement is met in a System Security Plan (SSP) and track any unmet requirements in a Plan of Action and Milestones (POA&M) to demonstrate conformance.

Examples

  • A Department of Defense contractor implementing 800-171 to meet DFARS 252.204-7012.
  • A research university handling federal CUI on grant-funded projects.
