NIST 800-171

NIST standard specifying 110 security requirements for protecting CUI in contractor systems.

Definition

NIST Special Publication 800-171 "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" specifies 110 security requirements across 14 control families that contractors must implement to protect Controlled Unclassified Information (CUI) in their systems. Required by DFARS 252.204-7012 for DOD contractors, NIST 800-171 covers access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Contractors must complete a self-assessment, document implementation status in a System Security Plan (SSP), and maintain a Plan of Action and Milestones (POA&M) for unimplemented controls.

Also Known As

  • NIST SP 800-171
  • CUI Security Requirements
  • DFARS Cybersecurity

Common Mistakes to Avoid

  • Assuming IT systems are the only scope (800-171 applies to all systems processing CUI)
  • Not documenting implementation in required System Security Plan format
  • Confusing NIST 800-171 with NIST 800-53 (different control sets for different purposes)

Who Should Know This Term

Defense contractors, IT security officers, compliance managers, subcontractors handling CUI

Official Source

NIST SP 800-171 Rev 2