NIST 800-171: Protecting CUI
Reviewed by the Fully Compliance editorial team
NIST 800-171 is the security standard that governs how non-federal organizations — primarily defense contractors — must protect Controlled Unclassified Information (CUI). It contains 110 security requirements across 14 families, serves as the foundation for CMMC Level 2, and is now enforced through third-party assessment rather than self-attestation. If you hold a DoD contract involving CUI, compliance is contractually mandatory.
What NIST 800-171 Is and Who It Applies To
NIST 800-171, officially titled "Security Requirements for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," was designed specifically for non-federal organizations that handle government data designated as CUI (which, by definition, is not classified). This is distinct from NIST 800-53, which applies to federal information systems themselves. The 800-171 standard takes the broader controls from 800-53 and tailors them to the specific challenge of protecting CUI when that data is processed in contractor environments outside direct federal control.
The standard covers 14 security requirement families and approximately 110 individual requirements. These families overlap significantly with 800-53 but with a narrower, more targeted focus. A federal system protecting classified information might need 200-plus controls. A contractor environment protecting CUI needs roughly 110 because controls applicable to classified systems do not all apply to unclassified information. This makes 800-171 less onerous than 800-53 but more specific to the actual problem of protecting government data outside federal agencies. If you are a defense contractor, 800-171 was designed for your situation.
The 14 Requirement Families — What They Actually Demand
Access Control addresses who can access what information and systems, enforcing role-based access, least privilege, and separation of duties. The requirement is that access is reviewed periodically and users cannot reach information outside their authorized scope. This is foundational — if you cannot control who gets in, nothing else matters.
Awareness and Training requires that staff understand their security obligations and their specific role in protecting CUI. You need formal training programs, and people who handle CUI need to understand what it is, why it matters, and what they are responsible for protecting.
Audit and Accountability requires logging of user actions and system events, with logs that are protected and reviewed. Audit trails must prove who took what action and when — this is the accountability mechanism that makes everything else enforceable.
Configuration Management requires documented baseline configurations and a change management process. This prevents configuration drift where systems gradually become inconsistent or insecure through ad hoc changes that nobody tracks.
Identification and Authentication covers verifying user identity before system access — passwords, multifactor authentication, or other mechanisms. Users must be uniquely identified so actions can be attributed to individuals.
Incident Response requires the capability to detect security incidents, procedures to contain and investigate them, and evidence preservation. You need a plan, and that plan needs to work, not just exist on paper.
Maintenance requires processes for patching and updating systems while managing the risk that maintenance activities themselves could introduce vulnerabilities.
Media Protection covers physical storage media and portable devices. If CUI exists on a hard drive, USB drive, or laptop, controls must protect that media from loss, theft, or unauthorized access.
Physical and Environmental Protection requires controlling facility access where CUI is processed or stored, environmental controls to protect equipment, and measures to prevent physical theft of systems or media.
Planning requires a documented security plan covering your security approach, roles and responsibilities, and how security integrates into operations.
Risk Assessment requires understanding what risks threaten your CUI and documenting what controls you are implementing to manage those risks.
System and Communications Protection covers encryption for CUI in transit, firewalls, boundary protection, and defenses against malware and network-based attacks.
System Development and Lifecycle covers security in how you build and maintain systems — security requirements in development, testing before production deployment, and security considerations for system modification and retirement.
System and Information Integrity covers malware protection, system monitoring for signs of compromise, and detection of unauthorized changes to system files and configurations.
Together, these 14 families provide comprehensive protection for CUI across technical, administrative, and physical domains.
CUI — What It Is and Why the DoD Cares This Much
Controlled Unclassified Information is government information that does not meet the threshold for classification as Confidential, Secret, or Top Secret but still requires protection. CUI includes technical data related to defense systems, federal research information, acquisition and contract information, and other sensitive government data. The common thread is that improper disclosure could harm the government, national security, or individuals.
Defense contractors handle CUI because their work involves developing, maintaining, or modifying defense systems or supporting government operations. Service providers to those contractors often handle CUI because their systems process or store information that originated upstream. The DoD has made clear that protecting CUI is not optional. CMMC, which has become a contractual requirement for most DoD contractors, is built directly on top of 800-171. According to the DoD's own reporting, adversaries have exploited contractor networks to steal CUI at scale, with the loss of sensitive defense technical data representing billions in research and development investment.
The Implementation Reality
Implementing 800-171 is not a paper exercise. It starts with understanding what CUI you have and what systems process it. Many organizations discover during this initial assessment that they have no clear picture of their information landscape. Where is CUI stored? What systems process it? Who has access to it? Until those questions have definitive answers, controls cannot be implemented effectively.
From there, you conduct a risk assessment to understand which threats are most relevant and which vulnerabilities exist. Your risk profile drives which controls are most critical. Then you identify which 800-171 requirements apply to your environment. Not every organization implements every requirement identically — a small company with 20 employees and straightforward operations may implement some requirements more simply than a large organization. But you cannot skip requirements because they are inconvenient. If a requirement applies to protecting CUI in your environment, you implement it.
Prioritize gaps and build a remediation roadmap. Implement controls sequentially rather than trying to do everything at once. A typical timeline for a small organization is 6 to 12 months to implement core controls. Larger or more complex organizations may need longer. As you implement, gather evidence immediately — documentation of policies, proof that controls are enforced, audit logs showing controls are functioning. By the time you need to prove compliance, comprehensive evidence collection should already be well underway.
Assessment and Proving Compliance — The Gap Between Claiming and Demonstrating
For years, organizations could claim 800-171 compliance without formal verification. That era is over. CMMC requires third-party assessment. Your contract may independently require an 800-171 assessment. Your prime contractor customers may require it as a condition of doing business.
A formal assessment involves an independent assessor reviewing your controls and documenting evidence. The assessor conducts interviews, reviews policies and procedures, tests controls on systems, and examines logs and configurations. The outcome is an assessment report documenting compliance and gaps.
The assessment is where the gap between intent and reality becomes visible. If an assessor documents that you claim encryption but have not actually implemented it across all systems, that is a finding. If you claim to have an incident response plan but the plan is vague and nobody has trained on it, that is a finding. Many organizations now conduct self-assessments before formal assessment to identify and fix obvious gaps first. Even without a formal requirement, understanding how an assessor would evaluate you is a valuable exercise.
Ongoing Compliance Is Where Most Organizations Fail
Implementing 800-171 once does not mean you are always compliant. Systems change. New vulnerabilities emerge. Staff turnover means people who understood the controls leave, and new employees need training. Controls degrade without active maintenance.
Ongoing compliance requires explicit process ownership. Someone must be responsible for periodic access control review. Someone must own patch management. Someone must review logs and audit data regularly. Someone must maintain policies and procedures as systems and threats change. According to the Verizon 2024 DBIR, exploitation of vulnerabilities as an initial access vector increased 180% year over year, underscoring why patch management cannot be a one-time activity.
The organizations that stay compliant treat 800-171 as ongoing operational work, not as a project that ends. The organizations that fail are those that implement controls, pass assessment, and take their foot off the gas — only to discover a year later that their controls have drifted significantly.
Frequently Asked Questions
What is the difference between NIST 800-171 and CMMC?
NIST 800-171 defines the security requirements — what you must do to protect CUI. CMMC adds a verification layer — it requires third-party assessment to prove you have actually implemented those requirements. CMMC Level 2 maps directly to 800-171's 110 controls. You can think of 800-171 as the "what" and CMMC as the "prove it."
Does NIST 800-171 apply if I do not handle CUI?
800-171 specifically governs protection of CUI in non-federal systems. If your organization does not handle CUI, 800-171 does not directly apply — though your contract may reference it or impose equivalent requirements. Other NIST frameworks like 800-53 or CSF may apply depending on your situation.
Can I pass a CMMC assessment based solely on my NIST 800-171 compliance?
800-171 compliance is necessary but not always sufficient for CMMC certification. CMMC assessors verify not only that you have implemented the controls but also that you maintain documentation, evidence, and ongoing processes. Organizations that are technically compliant with 800-171 sometimes fail CMMC assessment because their evidence gathering, documentation, or maintenance practices are inadequate.
How often does NIST 800-171 get updated?
NIST periodically revises its publications. Revision 3 of 800-171 introduced significant changes to control structure and requirements. When updates occur, contractors typically have a transition period to comply with the new revision. Monitor NIST publications and your contract requirements to understand which revision applies to you.
What is the penalty for non-compliance with NIST 800-171?
Non-compliance can result in loss of DoD contracts, removal from eligible bidder lists, and potential False Claims Act liability if you misrepresent your compliance status. The Department of Justice has pursued cases against contractors who falsely certified NIST compliance, with settlements reaching into the millions of dollars.
Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about NIST 800-171 as of its publication date. Standards, requirements, and assessment methodologies evolve — consult a qualified security professional for guidance specific to your organization.