NIST SP 800-171.

NIST SP 800-171 is the US standard that defines security requirements for protecting controlled unclassified information in non-federal systems. The technical backbone of CMMC for defence contractors. Revision 3 (2024) tightened the controls. If you sell to the US DoD, this is mandatory; if you sell only in Europe, it is informational.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyInformation securityAll entries

The Cyber Academy take

NIST SP 800-171 is the US standard that defines security requirements for protecting controlled unclassified information in non-federal systems. The technical backbone of CMMC for defence contractors. Revision 3 (2024) tightened the controls. If you sell to the US DoD, this is mandatory; if you sell only in Europe, it is informational.

What NIST SP 800-171 actually requires

When the US government shares sensitive but unclassified data with a contractor, a university, or a service provider, it needs assurance that the data will be protected even though it now lives outside federal systems. NIST SP 800-171 is the catalogue of security requirements that answers that need.

It tells any non-federal organisation handling Controlled Unclassified Information how to protect it: across access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, physical protection, personnel security, risk assessment, security assessment, system and communications protection, and system and information integrity. The point is uniformity. Rather than every agency inventing its own clauses, contractors meet one consistent baseline.

The requirements are derived from the much larger NIST SP 800-53 control catalogue used inside federal systems, but tailored to the realities of a private organisation. They are stated as outcomes you must achieve, not as a single prescribed product or architecture, which gives an organisation room to implement them in a way that fits its own systems. What you do not get is discretion over whether to meet them. When the requirement appears in your contract, implementing it is a condition of holding that contract.

CUI, and why the scope question matters most

Everything in NIST SP 800-171 hinges on one prior question: where does Controlled Unclassified Information actually live in your environment? CUI is information the government creates or possesses, or that an organisation creates for the government, that requires safeguarding under law, regulation, or government-wide policy but is not classified. It covers categories such as technical drawings, export-controlled data, personally identifiable information held on behalf of an agency, and similar sensitive material. The standard only applies to the systems that store, process, or transmit that data.

This is why scoping is the work that determines everything else. Define the boundary too widely and you impose federal-grade controls on your entire network at enormous cost. Define it too narrowly and you leave CUI exposed in a system you forgot to count. Most of a credible 800-171 programme is spent identifying CUI, isolating the systems that touch it, and shrinking that boundary so the controls land where they are actually needed rather than everywhere.

Where 800-171 ends and CMMC begins

NIST SP 800-171 is the control catalogue. The Cybersecurity Maturity Model Certification (CMMC) is the verification mechanism the US Department of Defense built on top of it. For years contractors self-attested that they met 800-171, and the gap between the attestation and the reality only surfaced after an incident. CMMC Level 2 maps directly onto NIST SP 800-171 but adds independent assessment, so a signature is no longer enough. If you genuinely implement 800-171, you have done most of the substantive work for CMMC Level 2; what remains is producing evidence and surviving an assessment by someone who is not you.

Revision 3, published in 2024, restructured and tightened the requirements, reorganised the control families, and moved some specifics into a companion assessment publication. For a European supplier the relevance is entirely contractual. If you subcontract to a US prime, manufacture defence components, or process CUI for a DoD programme, 800-171 binds you the same way it binds an American firm. If your market is purely European, it is informational context that helps you read CMMC and US procurement requirements, and it pairs naturally with the risk-based discipline of the NIST Cybersecurity Framework rather than replacing it.

Frequently asked questions

01Who has to comply with NIST SP 800-171?

Any non-federal organisation that stores, processes, or transmits Controlled Unclassified Information on behalf of the US government, including contractors, subcontractors, universities, and research institutions. The obligation is written into the contract or grant.

02What is the difference between NIST SP 800-171 and CMMC?

NIST SP 800-171 is the catalogue of security requirements for protecting CUI. CMMC is the US Department of Defense certification programme that verifies those requirements are actually implemented. CMMC Level 2 is built directly on 800-171 and adds independent assessment.

03What is Controlled Unclassified Information (CUI)?

CUI is government information that requires safeguarding under law, regulation, or government-wide policy but is not classified. It includes categories such as technical data, export-controlled information, and personally identifiable information held for an agency. NIST SP 800-171 only applies to systems that handle it.

04How is NIST SP 800-171 related to NIST SP 800-53?

The 800-171 requirements are derived from the larger 800-53 control catalogue used inside federal information systems, but tailored for non-federal organisations. 800-53 protects federal systems directly; 800-171 is the moderated set applied to contractors handling CUI.

05Does NIST SP 800-171 apply to European organisations?

Only when they handle CUI in the US government supply chain, for example as a subcontractor to a US prime or a processor of CUI for a DoD programme. For purely European business it is informational rather than mandatory.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.