NIST SP 800-171
The NIST standard specifying 110 security requirements for protecting CUI in non-federal systems. Forms the basis of CMMC Level 2 and DFARS 252.204-7012 compliance.
In-Depth
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," organizes its 110 security requirements across 14 families: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. Rev 3 (published May 2024) restructured the requirements and added new ones around supply chain and software assurance.
Related Terms
CUI
Government-created or -owned information that requires safeguarding controls per law, regulation, or government-wide policy, but is not classified.
CMMC Level 2 (Advanced)
The mid-tier CMMC level requiring all 110 NIST SP 800-171 controls. Most contracts involving CUI require this level with third-party assessment.
DFARS
DoD-specific supplement to the FAR that implements defense acquisition policies, including cybersecurity clauses like DFARS 252.204-7012 for CUI protection.
SPRS
The Supplier Performance Risk System score (ranging from -203 to 110) reflecting a contractor's self-assessed compliance with NIST SP 800-171. Required for DoD contracts involving CUI.
POA&M
A document identifying security weaknesses, the planned remediation actions, required resources, and scheduled completion dates for achieving full compliance.