NIST SP 800-171 Revision 3
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Current Revision: Revision 3 (Final)
Publication Date: May 14, 2024
Supersedes: SP 800-171 Rev. 2 (February 2020, updated January 28, 2021)
Authority: DFARS 252.204-7012, Federal Acquisition Regulation (FAR)
Overview
NIST SP 800-171 establishes security requirements that federal agencies use when protecting Controlled Unclassified Information (CUI) stored, processed, or transmitted by nonfederal systems and organizations. The standard is mandatory for defense contractors and widely used across federal contracting.
Purpose and Scope
Purpose
Provide recommended security requirements for federal agencies to include in contractual agreements when CUI will reside in nonfederal systems and organizations.
Scope
Security requirements apply to:
- Components of nonfederal systems that process, store, or transmit CUI
- System components providing security protection for CUI
- Organizations handling CUI under federal contracts
Key Focus
Primary focus on protecting confidentiality of CUI (integrity and availability addressed indirectly)
17 Security Requirement Families
Revision 3 expands from 14 to 17 families (aligned with SP 800-53r5):
- AC - Access Control
- AT - Awareness and Training
- AU - Audit and Accountability
- CA - Assessment, Authorization and Monitoring (renamed in Rev 3)
- CM - Configuration Management
- IA - Identification and Authentication
- IR - Incident Response
- MA - Maintenance
- MP - Media Protection
- PE - Physical Protection
- PL - Planning (NEW in Rev 3)
- PS - Personnel Security
- RA - Risk Assessment
- SA - System and Services Acquisition (NEW in Rev 3)
- SC - System and Communications Protection
- SI - System and Information Integrity
- SR - Supply Chain Risk Management (NEW in Rev 3)
Approximately 110 Security Requirements
- Flexible, organization-defined parameters
- Risk-based implementation approach
- Tailorable to organizational context
- Scoped to CUI-processing systems only
Key Requirements Overview
Foundational Controls Include:
- Access Control: Least privilege, role-based access, privileged user management
- Multi-Factor Authentication: Required for privileged and network access
- Encryption: CUI encrypted at rest and in transit
- Audit Logging: Comprehensive logging and monitoring
- Incident Response: Established incident handling capability
- Configuration Management: Baseline configurations, change control
- Physical Security: Facility access controls, equipment protection
- Personnel Security: Background screening, access termination
- Assessment: Regular security assessments and continuous monitoring
- Supply Chain: Supply chain risk management
Mandatory vs Voluntary
MANDATORY when:
- Federal contract requires compliance
- DFARS Clause 252.204-7012 in DoD contract
- Processing, storing, or transmitting CUI on nonfederal systems
- Subcontractor receiving CUI from prime contractor
- University/research projects with federal CUI
NOT Required when:
- No federal contracts or agreements
- No CUI processed, stored, or transmitted
- Operating on behalf of federal agency (SP 800-53 applies instead)
- Specific law/policy provides different requirements
Enforcement
Contractual obligation - Non-compliance results in:
- Inability to bid on federal contracts
- Loss of existing contracts
- Prohibition from receiving CUI from primes
- Exclusion from federal supply chain
Effective Dates
Key Timeline:
- December 31, 2017: DFARS 252.204-7012 effective (SP 800-171 required)
- February 2020: Rev. 2 published
- May 14, 2024: Rev. 3 published (current)
- 2026: Target for all defense supply chain entities to have minimum CMMC Level 1
Relationship to Other Standards
Derived from NIST SP 800-53
- SP 800-171 represents subset of SP 800-53 moderate baseline
- Tailored by eliminating federal-specific controls
- Streamlined for nonfederal organizations
- ~110 requirements vs. 1,150+ controls in SP 800-53
DFARS 252.204-7012
- Defense Federal Acquisition Regulation Supplement clause
- Requires DoD contractors to implement SP 800-171
- Effective December 31, 2017
- Applies to all covered defense information
CMMC (Cybersecurity Maturity Model Certification)
- CMMC Level 3 requires SP 800-171 implementation
- DoD verification program for cybersecurity
- Third-party assessments required (C3PAOs)
- All defense entities need minimum CMMC Level 1 by 2026
- Any entity handling DoD CUI requires CMMC Level 3+
- CMMC level specified in contract RFP
NIST SP 800-172
- Enhanced security requirements for CUI (APT protection)
- Supplements SP 800-171 for critical programs/high-value assets
- Both SP 800-171 and SP 800-172 required for critical programs
- SP 800-172 is not universally required, unlike SP 800-171
Applicable Industries
Primary Industries:
- Defense Contractors - All DoD contractors/subcontractors (60,000+ entities)
- Federal Contractors - GSA, NASA, other agency contractors
- Research Institutions - Universities with federal contracts
- State/Local Government - Processing federal CUI
- Manufacturing - Defense and federal supply chain
- Professional Services - Consultants handling CUI
- Technology Companies - Federal software/hardware providers
- Healthcare/Medical Research - Federally funded research with CUI
- Aerospace - Aviation and space contractors
- Energy Sector - Critical infrastructure with federal contracts
Massachusetts Organizations:
- Raytheon, General Dynamics (defense contractors)
- MIT, Harvard, UMass (research institutions)
- Biotech companies with federal research funding
- Technology companies with federal contracts
- Manufacturing companies in defense supply chain
Company Size Applicability
Universal Requirement:
"A similar level of protection irrespective of organization size"
No Exemptions:
- Small businesses = same requirements as large contractors
- No reduced requirement sets
- No company size thresholds
Small Business Support:
- SP 1318 - Small Business Primer (August 2025)
- Massachusetts MEP Center assistance
- NIST Small Business Cybersecurity Corner
- Getting-started guidance for each family
Scoping Flexibility:
- Requirements apply only to CUI-processing systems
- Organizations can scope appropriately
- A smaller CUI footprint may mean fewer systems in scope
- Risk-based prioritization allowed
Assessment Requirements
Assessment Framework (SP 800-171A Rev. 3)
Assessment Types:
- Self-assessments by organization
- Independent third-party assessments
- Government-sponsored assessments
- CMMC assessments (Cyber-AB certified for Level 3+)
Assessment Characteristics:
- Flexible and customizable
- Scalable rigor based on requirements
- Risk-based approach
- Variable depth and coverage
Assessment Frequency:
- Not specified by NIST (determined by contracts)
- Typically annual reassessments
- Continuous monitoring recommended
- CMMC certifications valid ~3 years
Scoring:
- CMMC uses 0-110 point scale (one point per requirement)
- 110 points = full compliance
- Thresholds vary by CMMC level
Documentation Required:
- System Security Plan (SSP)
- Security Assessment Report
- Plans of Action and Milestones (POA&M)
- Continuous monitoring plans
- Implementation evidence for each control
Enforcement Agencies
Primary Enforcement:
- DoD Contracting Officers - Through contract terms
- DCMA - Defense Contract Management Agency monitoring
- DIBCAC - Defense Industrial Base Cybersecurity Assessment Center assessments (being replaced by CMMC)
- Federal Contracting Agencies - GSA, NASA, other agencies
Note: NIST does not enforce SP 800-171; enforcement comes through federal acquisition regulations and contract terms
Penalties for Non-Compliance
NIST publications do not specify penalties - penalties derive from contracts:
Contractual Consequences:
- Loss of contract awards
- Contract termination for non-compliance
- Disqualification from bidding
- Prohibition on CUI sharing with non-compliant subcontractors
- Removal from federal/defense supply chains
CMMC-Related:
- Cannot bid on DoD contracts without required CMMC level
- Failed assessments prevent contract awards
- CMMC certification is "go/no-go" for contracts
Indirect Consequences:
- Reputational damage
- Loss of competitive advantage
- Potential liability for CUI breaches
- Increased insurance costs
No direct fines from NIST - penalties arise from contract terms and federal acquisition regulations
Implementation Guidance
Getting Started:
- Identify systems processing CUI
- Conduct gap analysis against 110 requirements
- Develop System Security Plan (SSP)
- Implement security controls across 17 families
- Document implementation evidence
- Conduct self-assessment (SP 800-171A)
- Create POA&M for gaps
- Prepare for independent assessment if required
Resources:
- SP 1318 - Small Business Primer
- SP 800-171A - Assessment procedures
- MEP Centers - Manufacturing assistance
- NIST Handbook 162 - DFARS self-assessment
Timeline:
- Full implementation typically 12-24 months
- Phased approach recommended
- Prioritize high-risk requirements
- Continuous improvement model
Massachusetts-Specific Considerations
No State Variations:
Federal standard applies identically across all states
Massachusetts Impact:
- Defense contractors must comply (Raytheon, General Dynamics, etc.)
- Research universities with federal contracts (MIT, Harvard, UMass)
- Biotech and medical research with federal funding
- Technology companies serving federal agencies
- Manufacturing in defense supply chain
State Resources:
- Massachusetts MEP Center for manufacturers
- State contracting may reference federal standards
- State agencies with federal CUI must comply
Key Takeaways
- Mandatory for federal contractors handling CUI (DFARS effective Dec 31, 2017)
- 110 requirements across 17 families (expanded from 14 in Rev 2)
- Universal applicability - no size exemptions
- CMMC Level 3 requires SP 800-171 for DoD contracts
- Assessment required using SP 800-171A framework
- Derived from SP 800-53 moderate baseline
- Contractual enforcement - not direct NIST penalties
- Small business support through SP 1318 and MEP Centers
- Rev. 3 current as of May 2024
- 60,000+ organizations affected in defense supply chain