NIST SP 800-171
The security requirements for protecting Controlled Unclassified Information.
What is NIST 800-171?
NIST Special Publication 800-171 is a set of security requirements published by the National Institute of Standards and Technology (NIST). It provides a framework for protecting Controlled Unclassified Information (CUI) in non-federal systems.
For defense contractors, NIST 800-171 compliance has been required since 2017 under DFARS clause 252.204-7012. CMMC Level 2 is directly based on the 110 security requirements in NIST 800-171 Rev 2.
Relationship to CMMC
CMMC Level 2 = NIST 800-171
CMMC Level 2 contains all 110 security requirements from NIST SP 800-171. If you're already compliant with NIST 800-171, you're well-positioned for CMMC Level 2 certification.
The key difference is verification: NIST 800-171 allowed self-attestation, while CMMC requires either a self-assessment with the score submitted to the Supplier Performance Risk System (SPRS) or a third-party assessment by a Certified Third-Party Assessment Organization (C3PAO).
Key Requirements
Protect CUI
Implement controls to protect Controlled Unclassified Information from unauthorized access and disclosure.
Access Management
Control who can access systems and data, with least privilege and need-to-know principles.
Audit & Monitoring
Log and monitor system activity to detect and respond to security incidents.
Risk Assessment
Regularly assess risks to organizational operations and CUI.
Incident Response
Have a plan to detect, report, and respond to cybersecurity incidents.
Configuration Management
Maintain secure baseline configurations for all systems and devices.
Assess your compliance
Use our SPRS calculator to see how you score against NIST 800-171 requirements.