NIST Special Publication 800-171: Protecting Controlled Unclassified Information
Security requirements for protecting federal CUI in non-federal systems
// What is NIST 800-171?
NIST Special Publication 800-171 establishes security requirements for protecting Controlled Unclassified Information (CUI) when it resides in non-federal information systems. CUI includes sensitive but unclassified federal information that requires protection—everything from export-controlled technical data to law enforcement information to federal contract information.
While NIST 800-171 itself is guidance, compliance is mandatory for organizations that receive, process, or store CUI under federal contracts or grants. The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires defense contractors to implement 800-171. Civilian agencies increasingly require it through FAR clauses.
The standard comprises 110 security requirements across 14 families, derived from the moderate baseline in NIST 800-53. Organizations must implement all applicable requirements and document their System Security Plan (SSP) and Plan of Action and Milestones (POA&M) for any gaps. With CMMC enforcement beginning, 800-171 compliance is now a prerequisite for defense contract eligibility.
// Inside the Regulation
NIST 800-171 Rev 2 organizes requirements into 14 security families. Each family contains specific requirements that must be implemented to protect CUI adequately.
Access Control (AC): Limit system access to authorized users, processes, and devices.
- Account Management: Manage system accounts, including creation, modification, disabling, and removal, with defined access rights.
- Access Enforcement: Enforce approved authorizations for logical access in accordance with access control policies.
- Remote Access: Monitor, control, and protect remote access sessions using encrypted channels.
- Wireless Access: Protect wireless access using authentication and encryption.
Awareness and Training (AT): Ensure personnel are aware of security risks and trained on policies.
- Security Awareness Training: Provide security awareness training on recognizing and reporting threats.
- Role-Based Training: Provide role-based security training before granting access to CUI systems.
Audit and Accountability (AU): Create, protect, and review audit records.
- Audit Events: Create audit records for defined events that capture who, what, when, and where.
- Audit Review: Review and analyze audit records for indications of inappropriate or unusual activity.
- Audit Protection: Protect audit information and tools from unauthorized access and modification.
Configuration Management (CM): Establish and maintain baseline configurations and inventories.
- Baseline Configuration: Establish and maintain baseline configurations for systems processing CUI.
- Security Configuration Settings: Establish and enforce security configuration settings for IT products.
- Change Control: Track, review, approve, and audit changes to systems.
Identification and Authentication (IA): Identify and authenticate users, processes, and devices.
- User Identification: Uniquely identify users, processes acting on behalf of users, and devices.
- Multi-Factor Authentication: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Authenticator Management: Manage authenticators (passwords, tokens, etc.) with appropriate complexity and lifecycle.
Incident Response (IR): Establish an incident handling capability.
- Incident Response Capability: Establish incident handling capabilities, including preparation, detection, analysis, containment, and recovery.
- Incident Reporting: Track, document, and report incidents to appropriate officials and authorities.
Maintenance (MA): Perform timely maintenance.
- Controlled Maintenance: Perform maintenance using approved, controlled tools and supervise non-organizational personnel.
Media Protection (MP): Protect system media containing CUI.
- Media Storage and Transport: Limit access to CUI on media to authorized users; protect and control media during transport.
- Media Sanitization: Sanitize or destroy media containing CUI before disposal or reuse.
Personnel Security (PS): Screen individuals prior to access.
- Personnel Screening: Screen individuals prior to authorizing access to systems containing CUI.
- Personnel Termination: Protect CUI during personnel termination through access revocation and property return.
Physical Protection (PE): Limit physical access to systems.
- Physical Access: Limit physical access to organizational systems and equipment to authorized individuals.
- Visitor Controls: Escort visitors and monitor visitor activity.
Risk Assessment (RA): Assess risk to operations and assets.
- Risk Assessment: Periodically assess risk to operations, assets, and individuals.
- Vulnerability Scanning: Scan for vulnerabilities periodically and when new vulnerabilities are identified.
Security Assessment (CA): Assess security controls periodically.
- Security Assessment: Periodically assess security controls to determine their effectiveness.
- Plan of Action: Develop and implement plans of action to correct deficiencies and reduce vulnerabilities.
System and Communications Protection (SC): Monitor and protect communications.
- Boundary Protection: Monitor, control, and protect communications at system boundaries.
- Cryptographic Protection: Use FIPS-validated cryptography to protect CUI.
System and Information Integrity (SI): Identify, report, and correct security flaws.
- Flaw Remediation: Identify, report, and correct system flaws in a timely manner.
- Malicious Code Protection: Provide protection from malicious code at appropriate locations.
- Security Alerts: Monitor security alerts and take appropriate action.
Note: Organizations must maintain a System Security Plan (SSP) describing how requirements are met and a Plan of Action and Milestones (POA&M) for any gaps. Self-assessment scores are reported via SPRS. CMMC will require third-party assessment for many contractors.
// Who Must Comply
1. Defense contractors handling CUI (via DFARS 252.204-7012)
2. Defense subcontractors with flowdown CUI
3. Civilian agency contractors where required by contract
4. Higher education institutions with federal research grants
5. Any organization receiving, processing, or storing CUI
// Key Requirements
- Access Control: Limit system and data access to authorized users with multi-factor authentication.
- Audit and Accountability: Create, protect, and review audit records for security-relevant events.
- Configuration Management: Maintain baseline configurations and manage changes through controlled processes.
- Identification and Authentication: Uniquely identify users and require MFA for privileged and network access.
- Incident Response: Establish incident handling capabilities with required reporting.
- Cryptographic Protection: Use FIPS-validated encryption for CUI at rest and in transit.
// Enforcement & Penalties
Non-compliance can result in contract termination, suspension from future contracts, False Claims Act liability, and referral to the DoJ. CMMC enforcement will add third-party validation requirements.
Potential consequences: contract termination plus False Claims Act treble damages.
Examples:
- Aerojet Rocketdyne - $9 million False Claims Act settlement for alleged NIST 800-171 non-compliance
- Contractor suspensions for materially false SPRS score submissions
- Contract terminations for failure to implement required safeguards
- DOJ enforcement focus on cybersecurity compliance under Civil Cyber-Fraud Initiative
// Cyber Insurance Impact
Cyber insurance for federal contractors increasingly requires evidence of NIST 800-171 compliance. Insurers may ask for current SPRS scores, SSP documentation, and POA&M status. Non-compliance could affect coverage availability and claims resolution.
// How Breach Craft Helps
We help organizations achieve NIST 800-171 compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of NIST 800-171.
Ready to Strengthen Your Defenses?
Schedule a free consultation with our security experts to discuss your organization's needs.
Or call us directly at (445) 273-2873