NIST SP 800-171 defines 110 security requirements for protecting Controlled Unclassified Information in nonfederal organizations.
NIST Special Publication 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,' defines the security requirements for protecting CUI when it resides outside of federal information systems. Published by the National Institute of Standards and Technology, the standard contains 110 security requirements organized into 14 families. Originally published in 2015 and revised through version 3 in 2024, NIST SP 800-171 is the technical backbone of DFARS 252.204-7012 and CMMC Level 2. It applies to any nonfederal organization that processes, stores, or transmits CUI under agreement with a federal agency.
The 110 requirements are organized into 14 families: Access Control (22 requirements), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7). Organizations must scope their CUI boundary, implement each requirement, document implementation in a System Security Plan, and track gaps in a Plan of Action and Milestones. Key technical controls include multi-factor authentication, encryption of CUI at rest and in transit, FIPS-validated cryptographic modules, comprehensive audit logging, and network segmentation. Version 3 introduced new requirements around supply chain risk management and enhanced monitoring.
NIST SP 800-171 compliance is contractually required for tens of thousands of defense contractors and increasingly referenced by civilian agencies. Self-assessment scores submitted to SPRS directly affect contract eligibility, and the DoD is conducting audits to verify accuracy. Organizations that misrepresent their compliance face False Claims Act liability. Beyond defense contracting, 800-171 serves as a widely recognized benchmark for protecting sensitive information in any industry. Implementing its 110 controls provides a strong security foundation applicable well beyond CUI protection.
Written by CDA Editorial