NIST SP 800-171
Also known as: NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2 — but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.
Related terms
- NIST SP 800-171A
NIST SP 800-171A is the companion assessment guide to SP 800-171 — it breaks each of the 110 controls into discrete assessment objectives (about 320 in total) that an assessor uses to verify implementation. CMMC Level 2 assessments are conducted against the 800-171A objectives.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO); which of the two applies depends on how the DoD program prioritizes the contract.
- Controlled Unclassified Information
Controlled Unclassified Information (CUI) is unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is explicitly marked CUI by the originating agency and triggers NIST SP 800-171 protections — and at the contractual level, CMMC Level 2.
- DFARS 252.204-7012
DFARS 252.204-7012 is the DoD acquisition clause that requires contractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 and report cyber incidents within 72 hours. It is the contractual hook that has made NIST 800-171 mandatory across the defense industrial base since 2017.