NIST Special Publication 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,' defines the security requirements for protecting CUI when it resides in systems outside federal information systems. Published by the National Institute of Standards and Technology, the standard contains 110 security requirements organized into 14 families. First published in 2015 and revised through Revision 3 in 2024, NIST SP 800-171 is the technical backbone of DFARS 252.204-7012 and CMMC Level 2. It applies to any nonfederal organization that processes, stores, or transmits CUI under an agreement with a federal agency.
The 110 requirements are organized into 14 families: Access Control (22 requirements), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7). Organizations must define the boundary of the systems that handle CUI, implement each requirement within that boundary, document how each is implemented in a System Security Plan (SSP), and track unmet requirements in a Plan of Action and Milestones (POA&M). Key technical controls include multi-factor authentication, encryption of CUI at rest and in transit, use of FIPS-validated cryptographic modules, comprehensive audit logging, and network segmentation. Revision 3 introduced new requirements around supply chain risk management and enhanced monitoring.
NIST SP 800-171 compliance is contractually required for tens of thousands of defense contractors and is increasingly referenced by civilian agencies. Self-assessment scores submitted to the Supplier Performance Risk System (SPRS) directly affect contract eligibility, and the Department of Defense audits submitted scores to verify their accuracy. Organizations that misrepresent their compliance face liability under the False Claims Act. Beyond defense contracting, 800-171 serves as a widely recognized benchmark for protecting sensitive information in any industry, and implementing its 110 requirements provides a strong security foundation applicable well beyond CUI protection.