The NIST standard specifying 110 security requirements for protecting CUI in non-federal systems. It forms the basis of CMMC Level 2 and DFARS 252.204-7012 compliance.
NIST Special Publication 800-171 "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" organizes its 110 security requirements across 14 families: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. Rev 3 (published May 2024) restructured requirements and added new ones around supply chain and software assurance.
CUI (Controlled Unclassified Information)
Government-created or -owned information that requires safeguarding controls per law, regulation, or government-wide policy, but is not classified.
CMMC Level 2 (Advanced)
The mid-tier CMMC level requiring all 110 NIST SP 800-171 controls. Most contracts involving CUI require this level with third-party assessment.
DFARS (Defense Federal Acquisition Regulation Supplement)
DoD-specific supplement to the Federal Acquisition Regulation (FAR) that implements defense acquisition policies, including cybersecurity clauses such as DFARS 252.204-7012 for CUI protection.
SPRS
The Supplier Performance Risk System score (-203 to 110) reflecting a contractor's self-assessed compliance with NIST SP 800-171. Required for DoD contracts involving CUI.
POA&M (Plan of Action and Milestones)
A document identifying security weaknesses, the planned remediation actions, required resources, and scheduled completion dates for achieving full compliance.