DFARS 252.204-7012

NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2 — but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.

Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.

Covered Defense Information (CDI) is the subset of CUI that DoD specifically requires contractors to protect under DFARS 252.204-7012. It includes unclassified controlled technical information and other information that requires safeguarding when in support of a DoD contract.

DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to post a current NIST SP 800-171 self-assessment score in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.