Last updated: December 2, 2025

NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171 or NIST 800-171), provides federal agencies with a set of guidelines designed to ensure that Controlled Unclassified Information (CUI) remains confidential and unchanged in nonfederal systems and organizations.

The protection of CUI is of paramount importance to federal agencies and can directly impact their ability to conduct their assigned missions and business operations successfully. 

Specifically, NIST SP 800-171 provides a set of recommended security requirements for protecting the confidentiality of CUI that:

  • Resides in nonfederal systems and organizations
  • Is not collected or maintained on behalf of a federal agency or using or operating a system on behalf of an agency
  • Has no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation or government-wide policy for the CUI category or a subcategory.

The security requirements are intended for use by federal agencies in contractual vehicles or agreements established between those agencies and nonfederal organizations.

Why is NIST SP 800-171 important?

Today, more than any time in history, the U.S. government relies on external service providers to carry out a wide range of missions and business functions. 

For example, many federal contractors routinely process, store and transmit sensitive information in their systems to support the delivery of products or services to federal agencies.

Additionally, federal information is frequently provided to or shared with state and local governments, colleges, universities and independent research organizations. 

NIST SP 800-171 is important because it is designed to protect sensitive federal information residing in third-party vendors, government contractors or service providers.

This is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those related to critical infrastructure. 

Previous OPSEC failures have shown that individually innocuous pieces of sensitive data can be aggregated to reveal otherwise clandestine plans.

Real-world implications of non-compliance

NIST SP 800-171 is more than a set of best practices; it's a mandatory compliance requirement for Department of Defense (DoD) contractors via DFARS (Defense Federal Acquisition Regulation Supplement), and a contractual obligation for many other federal agencies. Failure to comply carries significant repercussions:

  • Financial penalties and contract loss: Non-compliance can lead to a breach of contract, potentially resulting in the immediate termination of lucrative federal contracts and the inability to bid on future work. Furthermore, companies that falsely attest to meeting the security standards may face civil liability under the False Claims Act for misrepresentation.
  • Reputational damage: A security incident involving CUI (Controlled Unclassified Information) due to inadequate protection can severely damage a company's reputation, eroding trust with federal agencies and potentially excluding them from the federal supply chain for years.

Expert perspective: Setting the baseline

In the broader security landscape, NIST SP 800-171 is viewed by experts as the essential security baseline for protecting CUI across the non-federal supply chain.

Compliance with 800-171 is also the crucial first step toward meeting the evolving, more rigorous requirements of the Cybersecurity Maturity Model Certification (CMMC). The CMMC Level 2 assessment, for instance, is built almost entirely upon the 110 security controls detailed in NIST SP 800-171. Therefore, achieving 800-171 compliance is a prerequisite for long-term participation in the Defense Industrial Base (DIB).

What is the purpose of NIST SP 800-171?

NIST SP 800-171 was created to provide guidelines around security requirements for protecting Controlled Unclassified Information (CUI). 

It does this by providing a set of 14 security requirement categories that support the development of secure and resilient data processing.

These security controls are operational, technical and management safeguards that, when implemented, maintain the confidentiality, integrity and availability of sensitive information and prevent unauthorized access to it.

This approach is designed to help nonfederal entities comply with the security requirements using the systems and practices they already have in place, rather than adopting government-specific approaches.

These security requirements apply to any component of non-federal systems and organizations that process, store, or transmit CUI, or provide security protection for such components.  

Note: The term 'information system' has been replaced by 'system' to reflect a broader, more holistic definition that encompasses general-purpose information systems, industrial and process control systems, cyber-physical systems, and individual devices that are part of the Internet of Things (IoT).

NIST SP 800-171, like NIST SP 800-53, is part of the NIST Special Publications (SP) 800 series which are based on the Information Technology Laboratory's (ITL) research and guidelines. 

The 800 series is designed to provide a multi-tiered approach to risk management through control compliance and security measures. 

As a whole, they provide federal agencies and their supply chain with minimum acceptable information security standards for managing sensitive government data.

Who is the intended audience for NIST SP 800-171?

NIST SP 800-171 serves a diverse group in both the public and private sectors. The intended audience can be viewed from two distinct but interconnected perspectives: the Federal entity that establishes and conveys the security requirements, and the Non-Federal entity that responds to and complies with them.

1. The Federal Entity establishing requirements

These individuals are primarily focused on risk management, oversight, and acquisition, ensuring that CUI is protected throughout the supply chain:

  • Acquisition or procurement responsibilities: Such as Contracting Officers, who embed the NIST SP 800-171 requirements into contractual vehicles or agreements.
  • System, security, risk management, or oversight responsibilities: Including authorizing officials, chief information officers (CIOs), chief information security officers (CISOs), and information security managers. They make the final risk management decision on whether to process, store, or transmit CUI through a third-party system.

2. The Non-Federal Entity complying with requirements

These roles are responsible for the physical and technical implementation of the 110 security controls:

  • System development life cycle responsibilities: Including Program managers, system designers and developers, security engineers, and system integrators who build and maintain the systems that handle CUI.
  • Security assessment and monitoring responsibilities: Such as auditors, system evaluators, assessors, and independent verifiers who review the organization’s system security plan (SSP) and implementation.

Key Industries that must prioritize compliance

While compliance is contract-driven, certain industries are overwhelmingly the target audience due to their routine handling of CUI:

  • Defense Industrial Base (DIB): Mandatory via DFARS clauses for all contractors and subcontractors that process, store, or transmit CUI.
  • Higher education and research: Essential for universities and laboratories receiving federal grants or conducting federally sponsored research that involves CUI.
  • Managed Service Providers (MSPs): For those providing IT or cloud hosting services to federal contractors, ensuring their infrastructure can meet the CUI protection requirements.
  • IT and engineering contractors: Any company providing specialized services, such as software development or system engineering, where CUI access is required to fulfill the contract.

Who must comply with NIST SP 800-171?

Compliance with NIST SP 800-171 is contractually driven, meaning the requirement is directly imposed by a federal agency through an agreement or legal mandate.

Generally, any federal agency that engages with third parties, and any nonfederal system or organization used by a federal agency, must comply if they process, store, or transmit Controlled Unclassified Information (CUI).

The most prominent example of this mandate is with the Department of Defense (DoD):

  • The DoD requires NIST SP 800-171 compliance for all its contracts and contractors via the DFARS (Defense Federal Acquisition Regulation Supplement).
  • In fact, all research projects governed by a DoD contract must be in compliance with NIST 800-171 as of December 2017.

For organizations seeking to assess their vendor's alignment with these principles, a free NIST 800-171 questionnaire template can be a useful starting point.

Further guidance on compliance requirements

While NIST SP 800-171 provides the what (the security controls), your federal contract or agreement provides the why (the mandate) and the when (the deadline).

If your organization is unsure whether a specific system or piece of information falls under the compliance umbrella, it is essential to seek clarity. The definitive source for clarification is always the Federal Contracting Officer or the responsible federal agency that issued the contract or agreement. They can confirm the exact scope of CUI involved and the specific contractual requirements your organization must meet.

You can use this free NIST 800-171 questionnaire template to assess each vendor's alignment with NIST 800-171 principles.

What are the benefits of complying with NIST SP 800-171?

NIST SP 800-171 provides a standardized way to handle Controlled Unclassified Information (CUI).

The CUI Program addresses several deficiencies in managing and protecting unclassified information, including inconsistent markings, inadequate safeguarding and needless restrictions, by standardizing procedures and providing common definitions through the CUI Registry.

By complying with NIST SP 800-171, you will also meet the majority of the criteria for NIST SP 800-53, and compliance with NIST SP 800-53 is a major part of FISMA and FedRAMP compliance.

It will also improve your organization's security posture and prevent data breaches by providing a secure foundation for information processing. 

Additionally, complying with NIST SP 800-171 and other best practices can help your organization comply with other data protection laws and regulations, including the SHIELD Act, LGPD, GDPR, CCPA, GLBA, PIPEDA, HIPAA, PCI DSS and 23 NYCRR 500.

How to comply with NIST SP 800-171

NIST SP 800-171 outlines 14 families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.

Additionally, organizations can use the security controls from NIST SP 800-53 to obtain additional, non-prescriptive information related to the security requirements and supplemental guidance about how they relate to each other.  

As an example, control 3.1.19 requires organizations to "Encrypt CUI on mobile devices and mobile computing platforms".

Nonfederal organizations must create a system security plan (SSP) that describes how the specified security requirements are met. The SSP should describe the system boundary, operational environment, how security requirements are implemented and the relationships with or connections to other systems. 

For any unimplemented security requirements, a plan of action should be created to describe how they will be met and how any planned mitigations will be implemented. 

Organizations can document the system security plan and plan of action as separate or combined documents in any chosen format.

When requested, the system security plan and associated plan of action can be submitted to the responsible federal agency or contracting officer to demonstrate your implementation or planned implementation of the security requirements.

These documents will feed into the federal agency's overall risk management decision to process, store or transmit CUI through your system or organization.  

This checklist will support your NIST 800-171 compliance efforts.

What are the 14 security requirement categories in NIST SP 800-171?

NIST SP 800-171 Revision 3 outlines 14 families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations. These requirements are not just technical; they are categorized as operational, technical, and management safeguards. Together, they support the development of secure and resilient data processing systems.

Organizations can use the security controls from NIST SP 800-53 to obtain additional, non-prescriptive information related to the security requirements and supplemental guidance.

Access control

The access control family focuses on limiting system access to authorized users, processes, and devices. It ensures that only those with a need-to-know can reach CUI.

  • Focus: Managing who can access the system and what they can do once inside.
  • Key requirement example: Implementing the Principle of Least Privilege, which means users are granted only the minimum access rights necessary to perform their job functions.
  • Expert tip: Review access lists quarterly and revoke inactive accounts immediately.

Awareness and training

The awareness and training family ensures that personnel are adequately trained to carry out their security-related duties and responsibilities.

  • Focus: Educating employees about the risks associated with handling CUI and the policies they must follow.
  • Key requirement example: Requiring mandatory, role-based security awareness training for all employees with access to CUI, covering topics like social engineering and proper CUI marking.

Audit and accountability

The audit and accountability family focuses on creating, protecting, and retaining system audit logs to reconstruct events, provide evidence, and ensure accountability.

  • Focus: Monitoring system activity and ensuring that all user activity is traceable.
  • Key requirement example: Ensuring that audit records are generated for all security-relevant events, such as log-in attempts and file access, and that the audit logs are protected from unauthorized deletion or modification.

Configuration management

The configuration management family is about establishing and maintaining baseline configurations for systems, managing changes, and monitoring configuration settings.

  • Focus: Preventing unauthorized changes that could introduce vulnerabilities.
  • Key requirement example: Using a documented, standardized change control process for all software, hardware, and security component updates and new installations.

Identification and authentication

The identification and authentication family verifies the identity of users and devices before granting access to the system.

  • Focus: Verifying a user's identity.
  • Key requirement example: Requiring Multi-Factor Authentication (MFA) for both local and network access to privileged accounts, as well as for remote access to CUI systems.

Incident response

The incident response family establishes plans and capabilities to detect, analyze, contain, and recover from security incidents.

  • Focus: Preparing for and effectively managing security breaches.
  • Key requirement example: Developing an incident response plan that includes specific procedures for reporting a CUI-related breach to the responsible federal agency or contracting officer within contractual timelines.

Maintenance

The maintenance family focuses on performing timely and controlled maintenance on system components and managing maintenance tools and personnel.

  • Focus: Ensuring system upkeep doesn't introduce vulnerabilities.
  • Key requirement example: Ensuring that all external maintenance personnel are screened, supervised, and have all media containing CUI removed or secured before starting work on systems that process or store CUI.

Media protection

The media protection family protects CUI on various types of media (digital and hard copy) during handling, storage, and transport.

  • Focus: Securing CUI throughout its lifecycle, including disposal.
  • Key requirement example: Sanitizing (e.g., wiping, degaussing) or destroying media containing CUI before disposal or reuse to prevent data recovery.

Personnel security

The personnel security family ensures personnel who access CUI are trustworthy and manages access when employment is terminated.

  • Focus: Managing human-factor risk.
  • Key requirement example: Conducting background screening for individuals with access to CUI and immediately revoking system access upon employee termination or transfer.

Physical protection

The physical protection family secures the physical environment of the system from unauthorized access and environmental hazards.

  • Focus: Limiting and monitoring physical access to CUI systems and facilities.
  • Key requirement example: Using facility access controls (e.g., electronic locks, biometric scanners, visitor logs) to limit physical access to server rooms and other CUI processing areas.

Risk assessment

The risk assessment family requires organizations to periodically assess the risk to organizational operations and assets, including CUI.

  • Focus: Identifying threats and vulnerabilities.
  • Key requirement example: Conducting regular internal and external vulnerability scans and penetration testing to proactively identify system weaknesses that could expose CUI.

Security assessment

The security assessment family is about monitoring, reviewing, and assessing the security controls to ensure they are implemented correctly and operating as intended.

  • Focus: Verifying the effectiveness of implemented controls.
  • Key requirement example: Performing annual self-assessments or independent third-party assessments to verify compliance with the system security plan.

System and communications protection

The system and communications protection family monitors, controls, and protects organizational communications (internal and external) and secures system components.

  • Focus: Securing the CUI as it moves through networks.
  • Key requirement example: Encrypting CUI on mobile devices and using intrusion detection systems at system boundaries to monitor and control communications.

System and information integrity

The system and information integrity family protects against, detects, and corrects flaws, errors, and unauthorized changes to systems and information.

  • Focus: Maintaining system health and preventing compromise.
  • Key requirement example: Implementing malware protection and ensuring the timely application of security patches and updates to address known vulnerabilities.

Read about the underlying security requirements in the NIST SP 800-171 paper here.

What is the Definition of Controlled Unclassified Information (CUI)? 

Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

The approved CUI categories are outlined in the CUI Registry.

What is the CUI Registry? 

The CUI Registry is an online repository for information, guidance, policy and requirements on handling CUI. 

Additionally, the CUI Registry identifies the basis for controls and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing and disclosing the information.

CUI: The compliance trigger

CUI is the compliance trigger for NIST SP 800-171. If a non-federal system or organization processes, stores, or transmits CUI, the requirements of the standard apply. This is why identifying and accurately marking CUI is the essential first step in the compliance journey.

The CUI Program addresses several deficiencies in managing and protecting unclassified information, including inconsistent markings, inadequate safeguarding, and needless restrictions, by standardizing procedures and providing common definitions through the CUI Registry.

Examples of CUI

The approved CUI categories are outlined in the CUI Registry. The registry details 20 categories, including:

  • Export control: Technical data related to controlled goods, ensuring they are not improperly shared with foreign nationals.
  • Critical infrastructure: Information concerning the security or vulnerability of critical systems like power grids or transportation networks.
  • Procurement and acquisition: Unclassified information related to source selection, competitive range determination, or other sensitive contract information.
  • Privacy: Certain types of personally identifiable information (PII), when mandated by law or policy, such as records managed by the Department of Veterans Affairs (VA).

The CUI registry

The CUI registry is the online repository that serves as the single source of information, guidance, policy, and requirements on handling CUI. It identifies the basis for controls and outlines procedures for the use of CUI, including, but not limited to, marking, safeguarding, transporting, disseminating, reusing, and disclosing the information.

What are the approved CUI categories?

The approved CUI categories are:

  • Critical infrastructure
  • Defense
  • Export control
  • Financial
  • Immigration
  • Intelligence
  • International agreements
  • Law enforcement
  • Legal
  • Natural and cultural resources
  • NATO
  • Nuclear
  • Patent
  • Privacy
  • Procurement and acquisition
  • Proprietary business information
  • Provisional
  • Statistical
  • Tax
  • Transportation

Read more about the CUI categories here.

How does NIST SP 800-171 relate to FISMA?

The Federal Information Security Management Act (FISMA) is a United States federal law that establishes a comprehensive framework to protect government information, operations, and assets against natural and man-made threats, including cyber attacks, data breaches, and data leaks.

FISMA requires federal government agencies, state agencies with federal programs and private-sector firms that support, sell to or receive services from the government to develop, document and implement risk-based information security policies and procedures based on the NIST 800 series. 

Relationship to NIST SP 800-53

The foundation for FISMA compliance is NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-171's requirements are directly derived from the security controls in NIST SP 800-53, but they are tailored for a specific purpose: protecting CUI in non-federal systems.

The key distinction lies in the scope and focus of the two publications:

  • NIST SP 800-53
    • Target audience: Federal information systems (FISMA-mandated)
    • Primary focus: Provides a comprehensive catalog of controls
    • Security goal: Confidentiality, integrity, and availability
  • NIST SP 800-171
    • Target audience: Non-federal systems (contractually mandated)
    • Primary focus: Provides a tailored subset of 800-53 controls
    • Security goal: Primarily the confidentiality of CUI

The benefit of compliance

Since NIST SP 800-171 is a streamlined version of NIST SP 800-53, compliance with 800-171 automatically satisfies the majority of the criteria for moderate-level CUI confidentiality requirements defined under 800-53. This means an organization meeting 800-171 is well on its way to meeting a major part of overall FISMA compliance.

How does NIST SP 800-171 relate to FedRAMP?

The Federal Risk and Authorization Management Program (FedRAMP) is designed to enable easier contracting for federal agencies with cloud service providers. 

The process of FedRAMP certification requires a third-party assessment organization (3PAO) to assess security controls of the cloud service provider.

This is done through a Security Assessment Plan (SAP), performing initial and periodic assessments of security controls and producing a Security Assessment Report (SAR). 

These assets are then submitted to the Joint Authorization Board or an agency to review. 

If authorized, cloud service providers are awarded an Authority to Operate (ATO) and are placed on the FedRAMP marketplace for other agencies to find services that meet their needs and security requirements. 

The ATO attestation is reviewed on an annual basis by the 3PAO, or more frequently if there are any deviation requests or significant changes.

The contractor’s responsibility: A shared security model

While FedRAMP provides assurance that the cloud service itself is secure, it does not automatically ensure an organization meets its NIST SP 800-171 obligations. The relationship is one of shared responsibility:

  • FedRAMP secures the infrastructure: When a contractor uses a FedRAMP-authorized cloud service to store CUI, the cloud provider handles the security controls for the underlying infrastructure (e.g., physical protection, core network security).
  • NIST 800-171 secures the data and practices: The federal contractor remains responsible for implementing all the remaining NIST SP 800-171 controls on their own portion of the system and their organizational practices. This includes:
    • Access control: Ensuring their employees are authorized and using Multi-Factor Authentication (MFA) to access the cloud environment.
    • Awareness and training: Training their personnel on proper CUI handling in the cloud environment.
    • Configuration management: Securely configuring the applications and data within their portion of the cloud service.

In short, FedRAMP is a crucial enabler, but the ultimate responsibility for overall NIST SP 800-171 compliance rests with the organization that holds the federal contract and processes the CUI.

Who published NIST SP 800-171?

NIST SP 800-171 is published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the Department of Commerce.

NIST was set up to encourage and assist in innovation and science through the promotion and maintenance of a set of industry standards, such as the NIST Cybersecurity Framework.

NIST SP 800-53 is one of those standards and guidelines, designed to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). NIST's other remit is to develop Federal Information Processing Standards (FIPS).

The authority of the NIST 800 series

The NIST Special Publications (SP) 800 series, including 800-171 and 800-53, are based on the Information Technology Laboratory's (ITL) research and guidelines. They are designed to provide a multi-tiered approach to risk management and offer federal agencies and their supply chain with minimum acceptable information security standards for managing sensitive government data.

While NIST itself is a non-regulatory body, its publications become mandatory when referenced in:

  1. Federal law: For instance, the NIST 800 series is the basis for meeting the requirements of the Federal Information Security Management Act (FISMA).
  2. Contractual mandates: The requirements of NIST SP 800-171 are mandated for federal contractors through contracts and interorganizational agreements, most notably the Defense Federal Acquisition Regulation Supplement (DFARS). When cited in a contract, the standards effectively become a mandatory, binding legal and security requirement.

When was NIST SP 800-171 last updated?

The most recent update was Revision 1 in December 2016. This was an errata update that included minor editorial changes, additional references and definitions, and a new appendix with expanded discussion of each CUI requirement. The largest change was a subtle name change from "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations" to "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," reflecting a broader, more holistic definition of systems that includes industrial control systems and IoT.

How UpGuard Can Improve Your Cybersecurity

UpGuard helps companies secure their third-party attack surface by addressing the complete lifecycle of Vendor Risk Management, including:

    • Due diligence - Secure the vendor onboarding process with a vast library of industry-standard security assessments, including NIST CSF and NIST 800-53.
    • Attack surface monitoring - By combining point-in-time assessments with security ratings, UpGuard supports real-time awareness of emerging vendor security risks and supply chain attack threats.
    • Regulatory compliance tracking - Track the regulatory compliance efforts of all your third-party vendors and identify compliance gaps increasing your risk of suffering costly violations.
    • Data leak detection - Detect and shut down data leaks on the dark web before they're used to facilitate data breaches.
