NIST SP 800-171: CUI Protection Requirements

NIST Special Publication 800-171 establishes the security requirements that non-federal organizations must satisfy when handling Controlled Unclassified Information (CUI) on behalf of the federal government. The standard applies to contractors, subcontractors, research institutions, and any organization whose systems process, store, or transmit CUI under federal contracts or agreements. Failure to demonstrate conformance exposes organizations to contract termination, False Claims Act liability, and exclusion from federal procurement. The 2023 revision, NIST SP 800-171 Revision 3, restructured the control families and tightened alignment with NIST SP 800-53.


Definition and scope

NIST SP 800-171 defines its protective scope through the CUI Registry administered by the National Archives and Records Administration (NARA). CUI is government-created or government-controlled information that requires safeguarding under law, regulation, or government-wide policy — but is not classified under Executive Order 13526. The distinction matters: classified information is governed by intelligence community directives, while CUI occupies a middle tier of sensitivity covering categories such as export-controlled technical data, law enforcement sensitive information, privacy-act-protected records, and controlled technical information (CTI) associated with defense contracts.

The standard applies when a federal contract, grant, or other agreement includes a requirement to handle CUI. The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 is the primary contractual vehicle that triggers SP 800-171 obligations for defense contractors (DFARS 252.204-7012, ecfr.gov). Non-defense agencies increasingly reference the standard through their own acquisition supplements and inter-agency agreements.

The geographic and organizational scope is broad: any nonfederal system that touches CUI must conform, regardless of whether the organization is a prime contractor, a sub-tier supplier, a university research department, or a cloud service provider processing federal data. The standard does not apply to federal information systems — those fall under the Federal Information Security Modernization Act (FISMA) and NIST SP 800-53 directly.


Core mechanics or structure

SP 800-171 Revision 3, published by NIST in May 2024, organizes its requirements into 17 control families drawn from a subset of NIST SP 800-53 controls tailored for nonfederal environments. The 17 families encompass 110 security requirements in Revision 2; Revision 3 restructured these into organization-defined parameters and added 3 new families for a total of 20 families (NIST SP 800-171r3, csrc.nist.gov).

The 14 control families in Revision 2 (the version still referenced in most active DFARS contracts) are:

  1. Access Control (AC)
  2. Awareness and Training (AT)
  3. Audit and Accountability (AU)
  4. Configuration Management (CM)
  5. Identification and Authentication (IA)
  6. Incident Response (IR)
  7. Maintenance (MA)
  8. Media Protection (MP)
  9. Personnel Security (PS)
  10. Physical Protection (PE)
  11. Risk Assessment (RA)
  12. Security Assessment (CA)
  13. System and Communications Protection (SC)
  14. System and Information Integrity (SI)

Revision 2 carried 110 requirements mapped across these families. Organizations implementing the standard must document conformance in a System Security Plan (SSP), which describes the system boundary, the CUI handled, and how each requirement is met or planned. Requirements not yet implemented are documented in a Plan of Action and Milestones (POA&M).

The SSP is not simply administrative paperwork — it is the legal artifact that substantiates conformance claims in federal contracts and, under the Department of Justice's Civil Cyber-Fraud Initiative, serves as evidence in False Claims Act prosecutions when organizations misrepresent their implementation status.


Causal relationships or drivers

Three converging regulatory pressures produced the mandatory status of SP 800-171 in the defense industrial base. First, the 2015 Office of Personnel Management (OPM) breach — which compromised background-investigation records of approximately 21.5 million individuals (OPM breach summary, opm.gov) — demonstrated that adversaries were targeting contractor-held federal data rather than classified government networks directly.

Second, DFARS 252.204-7012 took effect in December 2017, making SP 800-171 conformance a contractual obligation for all defense contractors handling covered defense information. Third, CMMC compliance requirements — the Cybersecurity Maturity Model Certification program — layered third-party assessment on top of SP 800-171, meaning self-attestation alone is no longer sufficient for contracts above specified sensitivity thresholds.

The CMMC 2.0 framework published in November 2021 established three maturity levels. Level 1 covers 17 basic practices. Level 2 maps directly to the 110 requirements of SP 800-171 Revision 2. Level 3 adds controls drawn from SP 800-172 (Enhanced Security Requirements). The causal chain is direct: non-conformance with SP 800-171 blocks CMMC Level 2 certification, which blocks contract award for most programs involving CUI.

Beyond defense, the Office of Management and Budget (OMB) Memorandum M-22-18 directed federal agencies to require conformance with SP 800-171 in non-defense grants and research contracts, extending the standard's reach into academic and civilian-agency supply chains (OMB M-22-18).


Classification boundaries

SP 800-171 sits within a tiered framework of federal cybersecurity standards. Understanding where it begins and ends is operationally critical.

SP 800-171 vs. SP 800-53: SP 800-53 applies to federal information systems operated by federal agencies under FISMA. SP 800-171 is derived from a subset of SP 800-53 controls but is tailored for nonfederal systems. Organizations subject to SP 800-171 are not subject to SP 800-53 directly, though cloud service providers supporting federal systems may face both through FedRAMP authorization requirements (see FedRAMP authorization).

SP 800-171 vs. SP 800-172: SP 800-172 contains 35 enhanced requirements for organizations handling CUI associated with critical programs or high-value assets. SP 800-172 is additive — it presupposes full SP 800-171 implementation and adds controls in areas such as advanced persistent threat resistance and supply chain risk management.

CUI vs. Classified: CUI is unclassified by definition. Classified information (Confidential, Secret, Top Secret) is governed by the National Industrial Security Program Operating Manual (NISPOM, 32 CFR Part 117) and is outside SP 800-171's scope entirely.

SP 800-171 vs. HIPAA: Healthcare contractors handling CUI that overlaps with protected health information must satisfy both frameworks. The intersection of HIPAA cybersecurity requirements and SP 800-171 produces additive obligations, not a choice between standards.


Tradeoffs and tensions

The self-attestation model in Revision 2 created a documented gap between claimed and actual conformance. A 2023 Department of Defense Inspector General report found that defense contractors routinely submitted SSPs asserting higher conformance scores than independent assessments confirmed — a gap that the CMMC third-party assessment requirement was designed to close (DoD OIG Report DODIG-2023-047).

Organization-defined parameters (ODPs) introduced in Revision 3 give organizations flexibility to set their own thresholds for certain controls — such as the frequency of audit log review or the length of passwords. This flexibility reduces compliance cost but introduces inconsistency across the supply chain, making it harder for contracting officers to compare conformance postures.

The 110-requirement scope of Revision 2 assumes a mature IT organization. Small and medium-sized manufacturers — a significant portion of the defense industrial base — frequently lack internal expertise to implement controls such as Security Information and Event Management (SIEM) logging, multi-factor authentication across all privileged accounts, and supply chain risk assessments. The DoD's voluntary DIBNet portal offers assessment tools, but uptake has been uneven.

Tension also exists between SP 800-171's boundary-centric model and modern zero trust compliance requirements, which reject implicit trust based on network location. Implementing SP 800-171 controls within a zero-trust architecture requires reinterpreting boundary-defined controls (SC-7, system boundary protection) in network-agnostic terms that the original standard did not fully anticipate.


Common misconceptions

Misconception: SP 800-171 applies only to IT departments. Physical protection (PE), personnel security (PS), and media protection (MP) controls extend obligations to facilities management, HR, and operations staff. A manufacturing floor where CUI technical drawings are printed and handled is within scope.

Misconception: Cloud storage eliminates SP 800-171 obligations. Moving CUI to a cloud environment transfers some technical controls to the cloud service provider but does not eliminate the contractor's compliance obligation. The cloud service must be assessed under FedRAMP or an equivalent framework — and the contractor remains responsible for access control, user provisioning, and incident reporting requirements that the cloud provider does not inherit.

Misconception: A completed SSP equals compliance. An SSP documents intended or achieved implementation. An SSP with extensive POA&M items — unimplemented requirements — is not compliant; it is a documented plan to become compliant. Contracting officers and CMMC assessors treat these differently.

Misconception: Revision 3 is now contractually mandatory. As of the Revision 3 publication date, DFARS 252.204-7012 still references SP 800-171 Revision 2. Revision 3 becomes contractually mandatory only when the DFARS is formally updated. Organizations should monitor DFARS rulemaking through the Federal Register for the transition timeline.

Misconception: SP 800-171 and ISO 27001 compliance are equivalent. ISO 27001 is a certifiable management system standard with broad international applicability. SP 800-171 is a specific control set for a specific data category under US federal contracts. Mapping between them is possible but incomplete — 23 SP 800-171 Revision 2 requirements have no direct ISO 27001 Annex A equivalent.


Checklist or steps (non-advisory)

The following sequence reflects the operational phases organizations move through when implementing SP 800-171 conformance. This is a reference description of the process structure, not prescriptive professional guidance.

Phase 1 — Scoping
- Identify all contracts and agreements that include DFARS 252.204-7012 or equivalent CUI handling clauses.
- Enumerate all system components (servers, endpoints, storage, cloud services, portable media) where CUI is processed, stored, or transmitted.
- Define the system boundary and document external service providers within scope.

Phase 2 — Gap Assessment
- Map each of the 110 SP 800-171 Revision 2 requirements (or Revision 3 requirements once contractually mandated) to current controls.
- Assign a status to each requirement: Met, Partially Met, or Not Met.
- Calculate a SPRS (Supplier Performance Risk System) score using the DoD-prescribed scoring methodology (DFARS 252.204-7019).

Phase 3 — SSP Development
- Draft the System Security Plan documenting system boundary, data flows, and control implementation details.
- Develop a Plan of Action and Milestones (POA&M) for each unmet or partially met requirement.

Phase 4 — Implementation
- Execute POA&M remediation items in priority order, with access control, authentication, and audit logging typically addressed first.
- Implement technical controls: multi-factor authentication on all privileged accounts, encryption of CUI at rest and in transit, audit log retention.

Phase 5 — Assessment
- Conduct an internal or third-party assessment against the SP 800-171 DoD Assessment Methodology (NIST SP 800-171A).
- For CMMC Level 2 contracts: engage a C3PAO (Certified Third-Party Assessment Organization) for a formal assessment.

Phase 6 — Submission and Maintenance
- Submit SPRS score to the DoD's SPRS portal prior to contract award.
- Establish continuous monitoring processes to detect configuration drift.
- Update SSP and POA&M on a defined cycle (minimum annually or upon significant system change).


Reference table or matrix

Attribute                | SP 800-171 Rev 2                       | SP 800-171 Rev 3                     | SP 800-172
-------------------------|----------------------------------------|--------------------------------------|---------------------------------------
Applicability            | Nonfederal systems with CUI            | Nonfederal systems with CUI          | High-value CUI programs
Total requirements       | 110                                    | Restructured; ~110+ with ODPs        | 35 (additive to 800-171)
Control families         | 14                                     | 20                                   | Subset of 14 enhanced families
CMMC mapping             | CMMC Level 2 (110 practices)           | Not yet mapped in CMMC rule          | CMMC Level 3
Assessment guide         | NIST SP 800-171A                       | NIST SP 800-171Ar3 (forthcoming)     | NIST SP 800-172A
Self-attestation allowed | Yes (DFARS contracts below threshold)  | TBD pending DFARS update             | No (government-led assessment)
SPRS scoring required    | Yes                                    | Yes                                  | Yes
Primary federal trigger  | DFARS 252.204-7012                     | DFARS update pending                 | High-value asset designation
Classified info scope    | No                                     | No                                   | No
FedRAMP interaction      | Required for cloud services in scope   | Required for cloud services in scope | Required for cloud services in scope
