866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

What is NIST SP 800-171? Blog Feature
STEPHEN HALBROOK

By: STEPHEN HALBROOK

Print/Save as PDF

What is NIST SP 800-171?

Federal Assessments | NIST | CMMC

Published: Sep 14, 2022

Last Updated: Jan 13, 2025

Published by the National Institute of Standards and Technology (NIST), NIST SP 800-171 is a standard created to help organizations protect Controlled Unclassified Information (CUI) from unauthorized access or disclosure.

With the advent of the new Cybersecurity Maturity Model Certification (CMMC) program, adherence to the NIST SP 800-171 controls has become mandatory for contractors who do work or wish to work with the Department of Defense (DoD) and civilian agencies who may require adherence to the standard.

Because failure to comply with NIST SP 800-171 can result in significant fines and loss of contracts, we—as one of the first CMMC Third Party Assessment Organizations (C3PAOs), want to help you avoid this kind of fallout.

In this comprehensive guide, we’ll explore everything you need to know about NIST SP 800-171 compliance, including what it is, why it's important, and how to achieve it. We'll also dive into the specific controls and requirements outlined in NIST SP 800-171 and provide tips and best practices for meeting them.

Whether you're new to NIST SP 800-171 or looking to improve your compliance efforts, this guide has everything you need to protect your sensitive data and meet government requirements.

 

What is NIST SP 800-171?

To help organizations protect sensitive information that is not classified but still needs to be kept secure—particularly when being shared between non-federal organizations and federal agencies—NIST published its Special Publication (SP) 800-171.

Said “sensitive information” is actually categorized as Controlled Unclassified Information (CUI)—things like:

  • Intelligence
  • Financial data
  • Legal records

What is CUI?

By definition, CUI is any non-public executive agency information, and here’s how you might determine if the data in your charge classifies as such. CUI is:

 

    • Not only that, but a CUI designation indicator will be included that specifies the organization that controls the information, any specific CUI designation that the information may fall into, dissemination specifications, and a point of contact for the information.
  • Includes any data whose public release (or unauthorized disclosure) would negatively impact the agency of origin, including if aggregated with additional information. 

To help paint an even clearer picture, organizations likely to handle CUI and that may need to adhere to NIST SP 800-171 standards include:

 

  • Defense contractors
  • Systems integration service providers
  • Financial, web, or communication service providers to the federal government
  • Healthcare information processors
  • Colleges, universities, or institutes that receive federal data or grants

 

NIST SP 800-171 Requirements

Note: The following dissemination is for NIST 800-171, revision 2. Updates will soon be posted regarding the draft of NIST 800-171, revision 3.

 

Whether your organization classifies as one of those or not, if you handle CUI—likely as part of your relationship with the government—no matter whether you’re a prime contractor or a subcontractor, you must comply with NIST SP 800-171’s 110 requirements, which are helpfully organized into 14 general security topics (or families) that break down as follows:

 

Family

Details

1. Access Control

22 requirements

To safeguard access to networks, systems, and information.

2. Awareness and Training

3 requirements

To ensure relevant personnel are aware of and trained on cybersecurity risks and procedures.

3. Audit and Accountability

9 requirements

To protect the storage of audit records for future analysis and reporting, including regular reviews of system security logs.

4. Configuration Management

9 requirements

To confirm adequate installation and configuration of hardware, software, and devices within the relevant network.

5. Identification and Authentication

11 requirements

To distinguish privileged and non-privileged accounts and ensure authentication procedures and policies are in place so that only authenticated users can access the network or systems.

6. Incident Response

3 requirements

To verify there are response procedures in place in the event of a serious cybersecurity incident.

7. Maintenance

6 requirements

To ensure relevant systems receive maintenance that is protected and based on best practices.

8. Media Protection

9 requirements

To help control access to sensitive media that is in both physical and digital formats.

9. Personnel Security

2 requirements

To safeguard CUI through security screenings of individuals before their accessing systems that contain CUI and adequate employee transfer/termination procedures where CUI is relevant.

10. Physical Protection

6 requirements

To control physical access to CUI, including on work sites, hardware, devices, and equipment that are required to be limited to authorized personnel.

11. Risk Assessment

3 requirements

To ensure the regular performance of risk assessments that reveal vulnerabilities.

12. Security Assessment

4 requirements

To validate that security plans are continuously monitored and further developed so that systems are regularly improved and remain effective.

13. System and Communications Protection

16 requirements

To protect systems and the transmission of information through cryptography policies to protect CUI, among other measures.

14. System and Information Integrity

7 requirements

To monitor the ongoing protection of systems using security alerts that aid in preventing unauthorized use of systems.

 

(All these requirements map back loosely to NIST SP 800-53 controls and control enhancements, and while those are much more prescriptive than these NIST SP 800-171 security requirements, they can help provide a better understanding of what controls will meet 800-171 requirements.) 

Using this framework, you can ensure the CUI you handle is kept confidential, accurate, and available when needed, no matter where it’s stored or how it’s transmitted, as the guidelines are designed to be flexible and adaptable for organizations of all sizes and types.

 

How to Achieve NIST SP 800-171 Compliance

That being said, to achieve compliance with NIST SP 800-171, you must follow a specific process that includes the following steps:

 

  • Define your scope. Determining what CUI you store, process, and transmit in your organization—as well as the systems that CUI data touches—is imperative.
  • Understand the requirements. A baseline understanding of the requirements outlined in NIST SP 800-171 will be your key foundation for compliance, and yours should include a grasp of what CUI is and how it needs to be protected, as well as the specific controls and requirements outlined in the guidelines.
  • Conduct a gap analysis. Then, conduct a gap analysis to identify areas where you’re not currently meeting the requirements, as that will help you develop a plan for achieving full compliance.
  • Develop a plan of action and milestones (POA&M). Based on the results of the gap analysis, develop a POA&M that outlines the steps you’ll take to achieve compliance, which should include specific tasks, timelines, and responsible parties.
  • Implement security controls. At this point, begin implementing the security controls outlined in NIST SP 800-171, and that may involve upgrading software, improving access controls, or implementing encryption, among other things.
  • Conduct regular self-assessments. To ensure ongoing compliance, conduct regular self-assessments to identify any new gaps or vulnerabilities.
  • Monitor and report. Finally, monitor your systems and report any incidents or breaches to the appropriate authorities. They should also maintain documentation of their compliance efforts, including the POA&M and self-assessment reports.

By following these steps, you can achieve compliance with NIST SP 800-171 and protect your sensitive data from potential cyber threats.

 

Consequences of Non-Compliance with NIST SP 800-171

On the other hand, failure to comply with these guidelines—and a consequential breach or leak—can result in the revocation of contracts or the inability to bid on future contracts with the DoD, as well as fines and other legal penalties.

In some cases, you may also face reputational damage and additional loss of customer trust if you’re found to be non-compliant with NIST 800-171, making it essential to take steps to ensure that you’re fully compliant with these guidelines—you may even consider getting assessed by an independent third party to confirm everything is in place.

 

NIST SP 800-171 and FedRAMP

And while it is possible to be assessed against the 800-171 framework itself, the publication does tie into other, more prominent government compliance initiatives, including FedRAMP.

As noted above, the NIST SP 800-171 requirements are a subset (about 35%) of the overall NIST SP 800-53 controls that are required for FedRAMP—a program that any cloud service provider (CSP) seeking to provide services to government agencies must achieve compliance with to obtain FedRAMP Authority to Operate.

Still, the specific relationship between NIST SP 800-171 and FedRAMP really depends on what your cloud system is, how your system works, and to which agency you’re providing what services:

 

  • If your cloud service is an IaaS, PaaS, or SaaS and you’re doing business with the federal government, you need to be FedRAMP Authorized regardless of the classification of data your systems/service facilitates.
  • If you—not the government—operate the system that contains/uses CUI for the federal government, you’re subject to NIST SP 800-171 requirements.
  • If you’re a contractor with the DoD and handling specific data types, you’re required to comply with these requirements as mandated in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

 

NIST SP 800-171 and CMMC

Even given all that, NIST SP 800-171 has recently risen to further prominence because of its relevance to the new Cybersecurity Maturity Model Certification (CMMC), which has been developed to protect the particularly sensitive information—aka CUI—within the United States Defense Industrial Base (DIB).

Though it’ll make for a new compliance requirement when it goes live, the basis for CMMC is not “brand new.” This certification pulls from many existing sources—explicitly NIST SP 800-171—to create a centralized and comprehensive framework for defense contractors. 

Before CMMC, compliance with NIST SP 800-171 allowed for a simple self-assessment to suffice—you could develop the required System Security Plan, but deficiencies in requirements met were allowed so long as you had a plan of action to remedy that.

That might’ve been enough to claim compliance with the publication, but CMMC is different and that might no longer be enough. Depending on which of the different levels of compliance you choose to certify against, you may also need to be evaluated by a certified third-party assessment organization (C3PAO).

 

Frequently Asked Questions About NIST SP 800-171

Who Needs to Comply with NIST SP 800-171?

Any organization that works with federal agencies, including DoD contractors, needs to comply with NIST SP 800-171 if they handle CUI.

How Does NIST SP 800-171 Relate to Other Cybersecurity Frameworks?

NIST SP 800-171 is designed to complement other cybersecurity frameworks, such as the NIST Cybersecurity Framework and ISO 27001, in that it provides specific guidance for specifically protecting CUI.

What is the Role of Third-Party Assessors in NIST SP 800-171 Compliance?

Third-party assessors can help organizations evaluate their compliance with NIST SP 800-171 and provide recommendations for improving their security controls.

How Often Do Organizations Need To Assess Their Compliance with NIST SP 800-171?

You should assess compliance with NIST SP 800-171 regularly, such as on an annual cadence, but also whenever significant changes are made to your IT systems.

Is Your Organization Compliant?

NIST SP 800-171 was born to help better secure the range of external service providers governmental departments rely on to operate, as many of these essential services result in the processing and storage of the sensitive information that is CUI.

And though it may still not be NIST’s most well-known publication, the importance of SP 800-171 and its requirements is growing, thanks to the upcoming codification of CMMC that many organizations continue to prepare for. 

Now that you understand its areas of concern—including the type of data and requirement families, you’re in good shape should you need to get started with compliance and in better protecting your data from potential cyber threats.

However, if you still have some questions about this publication—or any of the other prominent ones from NISTplease reach out to us. Our team of experts is well-versed in the many, many details involved in government compliance and would love to help you ease any concerns you may have.

About STEPHEN HALBROOK

Stephen Halbrook is a Managing Principal at Schellman. He is an experienced and proven federal practice leader performing service delivery management across service lines including FedRAMP, NIST, SOC, PCI DSS and ISO. Stephen also helps assist large and complex organizations that have multiple compliances needs helping them strategically align their efforts to maximize cost and efficiencies. He has more than 15 years of experience in the assessment industry and started his career working in Deloitte’s Advisory practice.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.