NIST SP 800-171: CUI Protection Requirements
NIST Special Publication 800-171 establishes the security requirements that nonfederal organizations must implement when processing, storing, or transmitting Controlled Unclassified Information (CUI) on their systems. The publication is issued by the National Institute of Standards and Technology and carries direct contractual weight through its incorporation into federal acquisition regulations, most prominently those governing Department of Defense contracts. This page documents the structure, scope, classification boundaries, and operational mechanics of the 800-171 requirement set as a reference for contractors, assessors, and compliance professionals operating in the federal supply chain.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
NIST SP 800-171 applies specifically to nonfederal systems and organizations — meaning it governs the cybersecurity posture of contractors, subcontractors, research universities, and commercial entities that handle CUI on behalf of federal agencies, not federal agency systems themselves (those are governed by NIST SP 800-53). The regulatory trigger is the presence of CUI as defined under the CUI Program established by 32 CFR Part 2002 and administered by the National Archives and Records Administration (NARA).
The version in contractual force, Revision 2 (February 2020), contains 110 security requirements organized across 14 control families (NIST SP 800-171 Rev. 2). NIST published Revision 3 in May 2024, restructuring the requirements around 17 control families and aligning them with SP 800-53 Rev. 5; DoD responded with a class deviation that keeps Revision 2 as the version DFARS 252.204-7012 requires, and the CMMC rule likewise cites Revision 2. Until the acquisition instruments are updated to reference Revision 3, Revision 2 remains the contractually enforced standard for DoD contractors.
The scope of "nonfederal system" is broad: it encompasses cloud environments hosted by commercial providers, managed service provider (MSP) infrastructure, and hybrid on-premises deployments, as long as CUI transits or resides within those environments. Systems that process only publicly releasable federal data fall outside the standard. A FedRAMP-authorized cloud boundary that contains CUI shifts responsibility for the provider-operated controls onto the provider's authorization package, but it does not remove the contractor's obligation to meet the requirements that govern its own configuration and use of the service.
Core mechanics or structure
The 110 requirements in Revision 2 are distributed across 14 families derived from FIPS Publication 200 and the moderate baseline of NIST SP 800-53. Each family addresses a discrete domain of information security:
- Access Control (AC) — 22 requirements; the largest single family
- Awareness and Training (AT) — 3 requirements
- Audit and Accountability (AU) — 9 requirements
- Configuration Management (CM) — 9 requirements
- Identification and Authentication (IA) — 11 requirements
- Incident Response (IR) — 3 requirements
- Maintenance (MA) — 6 requirements
- Media Protection (MP) — 9 requirements
- Personnel Security (PS) — 2 requirements
- Physical Protection (PE) — 6 requirements
- Risk Assessment (RA) — 3 requirements
- Security Assessment (CA) — 4 requirements
- System and Communications Protection (SC) — 16 requirements
- System and Information Integrity (SI) — 7 requirements
Each requirement maps to one or more controls in SP 800-53 Rev. 4 (as documented in Appendix D of Revision 2), enabling organizations already operating under SP 800-53 to identify gaps rather than building from scratch. NIST also provides a mapping between SP 800-171 and the NIST Cybersecurity Framework (CSF), facilitating integration with enterprise risk management programs.
Self-assessment under Revision 2 applies the assessment objectives and methods defined in NIST SP 800-171A, the companion assessment guide. The numerical scoring is not part of 800-171A; it comes from the DoD NIST SP 800-171 Assessment Methodology, whose results are reported in the Supplier Performance Risk System (SPRS). Each of the 110 requirements carries a weight of 1, 3, or 5 points according to its impact on the security of CUI. A fully implemented set scores 110; each unimplemented requirement subtracts its weight, so the lowest possible score is -203. Partial credit exists for only two requirements: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), each of which deducts 3 rather than 5 points when partially met. Contractors must post the resulting score, the assessment date, and the date by which a score of 110 is expected to SPRS under DFARS clause 252.204-7019.
Causal relationships or drivers
The requirement for nonfederal CUI protection emerged from two converging pressures: the proliferation of CUI handling in the defense industrial base (DIB) and documented breaches of sensitive technical data from contractor networks. The CUI framework itself was formalized through Executive Order 13556 (November 2010), which directed NARA to establish the CUI Registry and standardize how agencies designate and handle sensitive unclassified information. Federal Contract Information (FCI) is a separate, lower-tier category defined in FAR 52.204-21, which imposes 15 basic safeguarding requirements that are a subset of those in SP 800-171.
The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, with full implementation required by December 31, 2017, made SP 800-171 compliance a contract requirement for all DoD contractors handling CUI. The same clause requires that cloud services used to store, process, or transmit DoD CUI meet the FedRAMP Moderate baseline or equivalent, an additional layer beyond 800-171 itself.
The Cybersecurity Maturity Model Certification (CMMC) program, administered by the Office of the Under Secretary of Defense for Acquisition and Sustainment (DoD CMMC Program), builds directly on 800-171 compliance as its foundation. CMMC Level 2 requires implementation of all 110 SP 800-171 Rev. 2 requirements; depending on the sensitivity of the information involved, a solicitation specifies either a Level 2 self-assessment or a Level 2 certification assessment by a Certified Third-Party Assessment Organization (C3PAO). The proposed CMMC program rule was published in the Federal Register on December 26, 2023; the final rule, codified at 32 CFR Part 170, followed in October 2024 and describes the phased rollout of CMMC requirements into solicitations.
For non-DoD federal agencies, the NARA CUI rule at 32 CFR 2002.14(h)(2) directs agencies to require SP 800-171 in agreements under which a nonfederal system will handle CUI, and a government-wide FAR clause for CUI has been proposed to standardize that requirement across civilian procurement. These mechanisms extend the standard's reach beyond defense procurement into civilian agency supply chains.
Classification boundaries
Understanding what SP 800-171 governs — and what falls outside it — is essential for scoping assessments correctly.
In scope:
- Nonfederal systems that process, store, or transmit CUI designated under the NARA CUI Registry categories
- Subcontractor systems that receive CUI as part of a flow-down from a prime contractor
- Cloud service provider environments where a contractor's CUI is processed (subject to FedRAMP equivalency requirements under DFARS 252.204-7012)
Out of scope:
- Federal agency systems (governed by SP 800-53 and FISMA)
- Systems handling only publicly available information with no CUI designation
- Nonfederal systems operated on behalf of an agency (effectively federal information systems), which 32 CFR 2002.14(h)(1) places under the agency's SP 800-53 authorization rather than under SP 800-171
- Information classified under Executive Order 13526 (Classified National Security Information), which falls under entirely different handling and protection regimes
The boundary between CUI and classified information is enforced at the data level, not the system level. A system may simultaneously handle CUI and classified data if it is accredited under a separate security authorization for the classified portions. SP 800-171 does not apply to the classified data components of such systems.
NIST SP 800-172, the companion publication for enhanced requirements, applies to CUI associated with critical programs or high value assets, where the baseline 110 requirements are judged insufficient against advanced persistent threats (APTs). SP 800-172 adds 35 enhanced requirements on top of SP 800-171 and is relevant to contractors in APT-targeted sectors; CMMC Level 3 selects a subset of them (NIST SP 800-172).
Tradeoffs and tensions
Self-assessment versus third-party verification. Revision 2 permits contractor self-assessment for SPRS score submission under DFARS 252.204-7019. CMMC Level 2 for critical programs replaces self-assessment with mandatory C3PAO assessments — a structural tension between cost (third-party assessments can run from $30,000 to over $100,000 depending on organizational complexity) and assurance quality. For smaller contractors in the DIB, the cost burden of triennial C3PAO assessments relative to contract value has prompted concern across the defense manufacturing sector.
Prescriptive requirements versus outcome-based security. SP 800-171 specifies discrete technical and operational requirements, not risk-based outcomes. An organization may satisfy all 110 requirements yet remain vulnerable to zero-day exploitation or supply chain compromise if risk assessment practices are not integrated beyond the floor the standard sets. The cyber compliance standards overview provides additional context on how prescriptive frameworks interact with risk-based approaches.
Scope creep in system boundary definition. Organizations face pressure to draw narrow system boundaries to limit the number of systems subject to 800-171 requirements. However, boundary definitions that exclude systems through which CUI actually transits — such as email infrastructure, endpoint management platforms, or identity providers — create compliance gaps that assessors and contracting officers may identify during reviews.
Revision 2 to Revision 3 transition uncertainty. Revision 3 restructures the requirements substantially, consolidating them into 97 requirements across 17 families and adding Planning (PL), System and Services Acquisition (SA), and Supply Chain Risk Management (SR). Organizations that have built compliance programs, SSPs, and evidence libraries around Revision 2 control identifiers face remapping work and potential gaps when the transition is mandated contractually.
Common misconceptions
Misconception: A System Security Plan (SSP) alone constitutes compliance.
An SSP documents the security posture of the system but does not itself implement any requirement. NIST SP 800-171A makes clear that the SSP is an artifact of assessment, not the substance of it. Contractually, an SSP with a low SPRS score and a Plan of Action and Milestones (POA&M) demonstrates partial compliance, not full compliance.
Misconception: 800-171 only applies to IT systems.
The standard applies to any system that processes, stores, or transmits CUI — including operational technology (OT), industrial control systems (ICS), and physical media used to transfer CUI. Media Protection family requirements (3.8.x) apply explicitly to removable storage and physical media containing CUI.
Misconception: FedRAMP authorization makes a cloud provider 800-171 compliant.
FedRAMP and 800-171 address different scopes. FedRAMP authorizes a cloud service offering at a defined impact level; 800-171 applies to the contractor's use of that offering and the CUI within it. DFARS 252.204-7012 requires that cloud services handling DoD CUI meet the FedRAMP Moderate security baseline as a floor, but FedRAMP authorization of a service does not automatically satisfy all 110 800-171 requirements for the contractor's configuration and use of that service.
Misconception: Encryption alone satisfies the System and Communications Protection requirements.
Family SC (3.13.x) includes 16 requirements, of which cryptography addresses four: protection of CUI in transit (3.13.8), cryptographic key management (3.13.10), FIPS-validated cryptography (3.13.11), and protection of CUI at rest (3.13.16). The remaining requirements cover boundary protection (3.13.1), separation of user functionality from system management (3.13.3), subnetworks for publicly accessible components (3.13.5), deny-by-default network traffic (3.13.6), termination of idle network connections (3.13.9), mobile code controls (3.13.13), and VoIP controls (3.13.14), among others. A contractor that deploys disk and TLS encryption and stops there has addressed a quarter of the family.
The cyber compliance standards overview addresses how misapplication of point solutions against multi-requirement families is a recurring compliance gap pattern in the DIB.
Checklist or steps (non-advisory)
The following sequence reflects the structured process for establishing an SP 800-171 compliance posture as documented in NIST SP 800-171A and DoD assessment guidance:
- Identify CUI categories present in organizational systems — Reference the NARA CUI Registry to confirm which categories are handled and whether any carry enhanced handling requirements under SP 800-172.
- Define the system boundary — Document which systems, components, networks, and cloud environments process, store, or transmit CUI. Include all data flows between in-scope and out-of-scope systems, including email, endpoint management, and identity providers that CUI or CUI-bearing sessions traverse.
- Develop or update the System Security Plan (SSP) — Document the status of all 110 requirements: implemented, partially implemented, not implemented, or not applicable with justification. Include system architecture diagrams, interconnection tables, and user privilege matrices.
- Conduct a gap assessment using SP 800-171A procedures — Apply the assessment objectives in SP 800-171A to determine evidence sufficiency for each requirement. Assessment methods are examine, interview, and test.
- Calculate the SPRS score — Apply the DoD Assessment Methodology: start at 110 and subtract the weight (1, 3, or 5 points) of each requirement not implemented. Partial credit exists only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), each deducting 3 rather than 5 when partially met; any other partially implemented requirement counts as not implemented. Submit the score, the assessment date, and the date by which a score of 110 is expected to SPRS.
- Develop a Plan of Action and Milestones (POA&M) — Document all deficient requirements, corrective actions, responsible parties, resources required, and scheduled completion dates. DFARS 252.204-7020 requires contractors to give DoD access to facilities, systems, and personnel for Medium and High assessments, which includes review of the SSP and POA&M.
- Implement corrective actions per the POA&M schedule — Prioritize 5-point requirements and those in the Access Control, Identification and Authentication, and System and Communications Protection families, which recover the most score per fix.
- Conduct periodic reassessment — A posted SPRS score must be no more than three years old to be current under DFARS 252.204-7019. CMMC Level 2 certifications and self-assessments are likewise valid for three years, with an annual affirmation of continued compliance in between. Non-CMMC contractors should establish internal reassessment cycles aligned to contract renewal periods and material system changes.
- Maintain continuous monitoring artifacts — Preserve evidence of ongoing compliance including audit logs, vulnerability scan results, and configuration management records to support both internal reviews and potential government assessments under DFARS 252.204-7020.
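The scoring step above is mechanical enough to be worth encoding, because the two special cases (partial credit for 3.5.3 and 3.13.11 only, and "not applicable" scoring zero deduction only when the SSP carries a justification) are exactly where hand-kept spreadsheets go wrong. The following is an added illustration, not NIST or DoD code, and not a tool the page describes. The 1/3/5 weights assigned to the sample requirements are an assumed, abbreviated subset chosen for demonstration; a real run loads the weight for all 110 requirements from Annex A of the DoD NIST SP 800-171 Assessment Methodology. The requirement statuses in the sample are constructed.

```python
"""SPRS score and POA&M ordering under the DoD NIST SP 800-171 Assessment Methodology.

Added example, not NIST or DoD code. Weights in SAMPLE are an assumed subset for
demonstration; load all 110 weights from the DoD methodology's Annex A in practice.
"""
from dataclasses import dataclass

MAX_SCORE = 110        # all 110 requirements implemented
MIN_SCORE = -203       # every requirement unimplemented (per the DoD methodology)
TOTAL_REQUIREMENTS = 110

# The only two requirements the methodology grants partial credit for, and the
# deduction taken instead of the full 5-point weight when the SSP documents the
# partial condition (MFA for remote/privileged but not general access; encryption
# in place but not FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"implemented", "partial", "not_implemented", "not_applicable"}


@dataclass(frozen=True)
class Requirement:
    rid: str             # e.g. "3.1.1"
    weight: int          # 1, 3 or 5 per the DoD methodology (assumed values below)
    status: str          # one of VALID_STATUSES
    justification: str = ""   # mandatory for not_applicable


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for one requirement."""
    if req.status not in VALID_STATUSES:
        raise ValueError(f"{req.rid}: unknown status {req.status!r}")
    if req.weight not in (1, 3, 5):
        raise ValueError(f"{req.rid}: weight must be 1, 3 or 5")
    if req.status == "implemented":
        return 0
    if req.status == "not_applicable":
        # N/A is only accepted with a documented rationale in the SSP; otherwise
        # an assessor treats the requirement as not implemented.
        if not req.justification.strip():
            raise ValueError(f"{req.rid}: not_applicable requires an SSP justification")
        return 0
    if req.status == "partial":
        # Partial credit only for 3.5.3 and 3.13.11; everything else partial == not implemented.
        return PARTIAL_CREDIT.get(req.rid, req.weight)
    return req.weight    # not_implemented


def sprs_score(reqs, complete: bool = True) -> int:
    """Compute the SPRS score. With complete=True, all 110 requirements must be present."""
    ids = [r.rid for r in reqs]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate requirement identifiers in assessment")
    if complete and len(ids) != TOTAL_REQUIREMENTS:
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} requirements, got {len(ids)}")
    return MAX_SCORE - sum(deduction(r) for r in reqs)


def poam_priority(reqs):
    """Deficient requirements ordered by points recovered, then by identifier, for POA&M sequencing."""
    items = [(r.rid, deduction(r)) for r in reqs if deduction(r) > 0]
    return sorted(items, key=lambda t: (-t[1], t[0]))


# Constructed sample assessment (subset of the 110; weights assumed for illustration).
SAMPLE = [
    Requirement("3.1.1", 5, "implemented"),
    Requirement("3.1.2", 5, "implemented"),
    Requirement("3.1.3", 1, "not_implemented"),
    Requirement("3.1.5", 3, "partial"),                       # no partial credit: full 3 deducted
    Requirement("3.1.18", 5, "not_applicable",
                justification="No mobile devices are permitted to connect to the CUI enclave."),
    Requirement("3.5.3", 5, "partial"),                       # MFA for privileged/remote only: -3
    Requirement("3.13.11", 5, "partial"),                     # encryption present, not FIPS-validated: -3
    Requirement("3.13.16", 1, "not_implemented"),
]

if __name__ == "__main__":
    print("SPRS score (subset):", sprs_score(SAMPLE, complete=False))   # 99
    for rid, pts in poam_priority(SAMPLE):
        print(f"POA&M  {rid:<8} recover {pts} pt")
```

The `complete` flag exists because a score computed from a subset is only an estimate: SPRS accepts a score for the whole 110-requirement set, so the default refuses a partial list. Note that "partial" for any requirement other than 3.5.3 and 3.13.11 deducts the full weight; a contractor that records half-finished work as "partial" for, say, 3.1.5 gains nothing and should list it on the POA&M as not implemented.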
Reference table or matrix
SP 800-171 Rev. 2 Control Families: Requirement Count and Assessment Focus
| Family | Abbreviation | Requirement Count | Primary Assessment Methods |
|---|---|---|---|
| Access Control | AC | 22 | Examine, Test, Interview |
| Awareness and Training | AT | 3 | Examine, Interview |
| Audit and Accountability | AU | 9 | Examine, Test |
| Configuration Management | CM | 9 | Examine, Test |
| Identification and Authentication | IA | 11 | Examine, Test |
| Incident Response | IR | 3 | Examine, Interview |
| Maintenance | MA | 6 | Examine, Interview |
| Media Protection | MP | 9 | Examine, Interview |
| Personnel Security | PS | 2 | Examine, Interview |
| Physical Protection | PE | 6 | Examine, Interview |
| Risk Assessment | RA | 3 | Examine, Interview |
| Security Assessment | CA | 4 | Examine, Interview, Test |
| System and Communications Protection | SC | 16 | Examine, Test |
| System and Information Integrity | SI | 7 | Examine, Test |
| Total | | 110 | |
SP 800-171 vs. Related Standards: Scope Comparison
| Standard | Governing Body | Applies To | CUI Specifically Addressed | Third-Party Assessment Required |
|---|---|---|---|---|
| SP 800-171 Rev. 2 | NIST | Nonfederal systems with CUI | Yes | No (self-assessment permitted under DFARS 252.204-7019) |
| SP 800-53 Rev. 5 | NIST | Federal agency systems | Yes (among others) | Independent assessment under FISMA; 3PAO under FedRAMP |
| CMMC Level 2 | DoD | DIB contractors (CUI programs) | Yes | Yes for the certification track (C3PAO, triennial); self-assessment track otherwise |
| FedRAMP Moderate | GSA/OMB | Cloud service offerings | Partial (DFARS 252.204-7012 requires the baseline as a floor) | Yes (3PAO) |
| SP 800-172 | NIST | Nonfederal CUI — critical programs and high value assets | Yes (enhanced requirements) | Government-led (DIBCAC) under CMMC Level 3 |