NIST SP 800-171
What is NIST SP 800-171?
A NIST publication defining security requirements for protecting Controlled Unclassified Information (CUI) stored or processed by non-federal organizations.
NIST Special Publication 800-171 specifies how non-federal organizations — primarily contractors and subcontractors working with the U.S. government — must protect Controlled Unclassified Information (CUI) on their systems. The current Revision 3 defines roughly one hundred security requirements organized into 17 families derived from NIST SP 800-53, covering access control, audit, configuration management, incident response, and more. Compliance is required of U.S. defense contractors under DFARS 7012 and forms the technical foundation of CMMC Level 2. Implementing organizations document a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) to demonstrate conformance.
● Examples
- 01: A Department of Defense contractor implementing 800-171 to meet DFARS 252.204-7012.
- 02: A research university handling federal CUI on grant-funded projects.
● Frequently asked questions
What is NIST SP 800-171?
A NIST publication defining security requirements for protecting Controlled Unclassified Information (CUI) stored or processed by non-federal organizations. It belongs to the Compliance & Frameworks category of cybersecurity.
What does NIST SP 800-171 mean?
A NIST publication defining security requirements for protecting Controlled Unclassified Information (CUI) stored or processed by non-federal organizations.
How do organizations comply with NIST SP 800-171?
Compliance with NIST SP 800-171 typically combines technical controls and operational practices, as detailed in the full definition above.
What are other names for NIST SP 800-171?
Common alternative names include: SP 800-171, NIST 800-171.