What is NIST 800-171?

NIST Special Publication 800-171 is a set of security requirements published by the National Institute of Standards and Technology (NIST) that applies to non-federal organizations (e.g., contractors) that store, process or transmit Controlled Unclassified Information (CUI). Its requirements are derived from FIPS 200 and the moderate security control baseline of NIST SP 800-53, tailored to protect the confidentiality of CUI in non-federal systems, such as contractor and subcontractor systems outside the federal government.

NIST 800-171 applies to defense contractors, research institutions and other entities that receive or process CUI from federal agencies. From a compliance perspective, organizations must develop and implement policies, procedures and technical controls to meet these requirements. 

CUI Notice 2020-04 specifies that NIST 800-171A is the authoritative method necessary to demonstrate conformity with NIST 800-171. Those Assessment Objectives (AOs) from NIST 800-171A must be met for a corresponding NIST 800-171 control to be deemed satisfactorily implemented. ComplianceForge provides editable NIST 800-171 documentation templates and guidance to simplify adherence to NIST 800-171 controls and NIST 800-171A AOs. 

NIST 800-171 is often referenced in federal contracts and regulations like DFARS clause 252.204-7012 and serves as the foundation for Cybersecurity Maturity Model Certification (CMMC) compliance. Failure to comply can result in contract termination, penalties and loss of business.  

If you read NIST SP 800-171 R2, you will see that there are far more than just the 110 security requirements enumerated in Chapter 3 and mapped in Appendix D. Appendix E lists an additional 61 Non-Federal Organization (NFO) controls that are expected to exist in any organization that stores, transmits or processes CUI. Directly from NIST SP 800-171 R2, NFO controls are "expected to be routinely satisfied by non-federal organizations without specification." NIST SP 800-171 R3 drops the NFO designation because contractors were confused into believing that only the explicitly listed CUI controls were required. Most of the NFO controls from NIST SP 800-171 R2 are incorporated into new or expanded requirements within NIST SP 800-171 R3.