What is NIST SP 800-171?

Stephane Nappo once said, “it takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.” 

Some organizations, unfortunately, understand this to be true, as do some countries—including America. Just a few years ago, the United States suffered what is regarded as one of the worst cyber-espionage incidents ever, and security to protect the information flowing in and around our government bodies remains a large concern.

But that’s not to say steps haven’t been taken over the years to create security standards to protect our government and its dealings. NIST Special Publication 800-171 is one such step, a document that sets a high standard for protecting sensitive information that federal contractors must handle in their work with the government.

If you’re a federal contractor whose networks and IT systems involve this sort of data, you may need to be compliant with this framework. In this article, we’ll explore some of the different requirements and how you can get started with your compliance, as well as the relationship of this publication to other important compliance initiatives like FedRAMP or CMMC.

You’ll recognize if your organization needs to look into this further and if so, you’ll have a leg up on the requirements and where to begin.

Do You Need to Comply with NIST 800-171?

NIST SP 800-171 was born to help secure the range of external service providers American governmental departments rely on to operate, as many of these essential services result in the processing and storage of sensitive information.

More specifically, NIST SP 800-171 defines security requirements for protecting Controlled Unclassified Information (CUI) created or possessed by non-federal entities.

What is CUI?

Simply put, CUI is any non-public executive agency information, but here’s how you might determine whether the data in your charge qualifies as such. CUI is:

  • Any data whose public release (or unauthorized disclosure) would negatively impact the agency of origin, including if aggregated with additional information.
  • Prominently identified with specific markings:
    • “CUI” will appear in document headers and footers.
    • Not only that, but a CUI designation indicator will be included that specifies the organization that controls the information, any specific CUI designation that the information may fall into, dissemination specifications, and a point of contact for the information.
    • Further detail concerning CUI markings.

Those likely to handle CUI, and who therefore may need to adhere to NIST 800-171 standards, include:

  • Defense contractors
  • Systems integration service providers
  • Financial, web, or communication service providers to the federal government
  • Healthcare information processors
  • Colleges, universities, or institutes that receive federal data or grants

These types of organizations that handle CUI in their relationship with the government—whether they’re prime contractors or subcontractors—must comply with the NIST SP 800-171 requirements, as should those hoping to do this kind of work.

What are the Requirements of NIST SP 800-171?

So, for those of you who this affects, what are these requirements?

NIST 800-171 features 110 requirements that are helpfully organized into 14 general security topics, or families. These families are broken out as follows:

  • Access Control (22 requirements): to safeguard access to networks, systems, and information.
  • Awareness and Training (3 requirements): to ensure relevant personnel are aware of and trained on cybersecurity risks and procedures.
  • Audit and Accountability (9 requirements): to protect the storage of audit records for future analysis and reporting, including regular reviews of system security logs.
  • Configuration Management (9 requirements): to confirm adequate installation and configuration of hardware, software, and devices within the relevant network.
  • Identification and Authentication (11 requirements): to distinguish privileged and non-privileged accounts and ensure authentication procedures and policies are in place so that only authenticated users can access the network or systems.
  • Incident Response (3 requirements): to verify there are response procedures in place in the event of a serious cybersecurity incident.
  • Maintenance (6 requirements): to ensure relevant systems receive maintenance that is protected and based on best practices.
  • Media Protection (9 requirements): to help control access to sensitive media in both physical and digital formats.
  • Personnel Security (2 requirements): to safeguard CUI through security screenings of individuals before they access systems that contain CUI, and through adequate employee transfer/termination procedures where CUI is relevant.
  • Physical Protection (6 requirements): to control physical access to CUI, including on work sites and to hardware, devices, and equipment that must be limited to authorized personnel.
  • Risk Assessment (3 requirements): to ensure the regular performance of risk assessments that reveal vulnerabilities.
  • Security Assessment (4 requirements): to validate that security plans are continuously monitored and further developed so that systems are regularly improved and remain effective.
  • System and Communications Protection (16 requirements): to protect systems and the transmission of information, including through cryptography policies that protect CUI, among other measures.
  • System and Information Integrity (7 requirements): to monitor the ongoing protection of systems using security alerts that aid in preventing unauthorized use of systems.

These 110 basic and derived requirements map back loosely to NIST SP 800-53 controls and control enhancements. Though NIST SP 800-53 controls are much more prescriptive than the NIST SP 800-171 security requirements, they can help provide a better understanding of what controls will meet these requirements. 

NIST SP 800-171 and FedRAMP

While it is possible to be assessed against the 800-171 framework itself, this publication does tie in importantly to other, more prominent government compliance initiatives, including FedRAMP.

As noted above, the NIST SP 800-171 requirements are a subset (about 35%) of the overall NIST SP 800-53 controls that are required for FedRAMP, which is a necessity for any cloud service provider (CSP) seeking to provide cloud services to government agencies.

The specific relationship between SP 800-171 and FedRAMP really depends on what your cloud system is, how your system works, and to which agency you’re providing what services:

  • If your cloud service is an IaaS, PaaS, or SaaS and you’re doing business with the federal government, you need to be FedRAMP Authorized regardless of the classification of data your systems/service facilitates.
  • If you—not the government—operate the system that contains/uses CUI for the federal government, you’re subject to NIST SP 800-171 requirements.
  • If you’re a contractor with the Department of Defense (DoD) specifically, you’re required to comply with these requirements as mandated in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.

NIST SP 800-171 and CMMC

Even given all that, NIST SP 800-171 has recently risen to further prominence because of its relevance to the new Cybersecurity Maturity Model Certification (CMMC), which has been developed to protect the particularly sensitive information—aka CUI—within the United States Defense Industrial Base (DIB).

Though it will be a new compliance requirement, the basis for CMMC is not “brand new”—this certification pulls from many existing sources, including NIST SP 800-171, to create a centralized and comprehensive framework for defense contractors. Before CMMC, compliance with NIST SP 800-171 allowed for a simple self-assessment to suffice—you could develop the required System Security Plan, but deficiencies in requirements met were allowed so long as you had a plan of action to remedy that.

That might’ve been enough to claim compliance with the publication, but CMMC is different and that might no longer be enough. Dependent on which of the different levels of compliance you choose to certify against, you may also need to be evaluated by a certified third-party assessment organization (C3PAO).

Is Your Organization Compliant?

Though perhaps not the most well-known publication from NIST, the importance of SP 800-171 and its requirements is growing thanks to the upcoming codification of CMMC, which many organizations continue to prepare for. Now that you understand its areas of concern, including the type of data it covers and its requirement families, you’re in good shape should you need to get started with compliance.

Performing a gap assessment of your current information security program can further assist in determining how what you have in place aligns with the NIST SP 800-171 security requirements. But if you still have some questions about this publication, or any of the other prominent ones from NIST, please feel free to reach out to us. Our team of experts is well-versed in the many, many details involved in government compliance and would love to help you ease any concerns you may have.

About the Author

Stephen Halbrook

Stephen Halbrook is a Managing Principal at Schellman. He is an experienced and proven federal practice leader performing service delivery management across service lines including FedRAMP, NIST, SOC, PCI DSS and ISO. Stephen also assists large and complex organizations that have multiple compliance needs, helping them strategically align their efforts to maximize cost and efficiencies. He has more than 15 years of experience in the assessment industry and started his career working in Deloitte’s Advisory practice.
