Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

NIST SP 800-171 Explained

What NIST SP 800-171 protects, its 14 control families, how it differs from NIST CSF, and why it matters beyond direct DoD contractors.

5 min read
NIST

NIST SP 800-171 is the control catalog that CMMC Level 2 is built on, and it is also the requirement organizations most often discover they're subject to only after a contract is already signed. This article covers what 800-171 actually protects, its 14 control families at a high level, how it differs from NIST CSF, and why it reaches far more organizations than the phrase "DoD contractor" suggests.

What NIST SP 800-171 protects

NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," specifies security requirements for one particular category of data: Controlled Unclassified Information (CUI). CUI is information the federal government creates or possesses that requires safeguarding but isn't classified — categories like export-controlled technical data, certain law enforcement information, and unclassified defense technical information. When a non-federal organization — a contractor, subcontractor, or research partner — stores, processes, or transmits CUI on its own systems, 800-171 defines the security requirements that apply to those systems.

800-171 is a requirement, not a suggestion

Unlike NIST CSF, which is voluntary, NIST SP 800-171 compliance is contractually mandated wherever a contract clause (commonly DFARS 252.204-7012) requires it. It is not a framework an organization chooses to adopt for its own benefit — it is a specific, testable requirement tied to handling a specific category of federal information.

The 14 control families

NIST SP 800-171 organizes its 110 security requirements into 14 control families, each covering a distinct domain of security practice.

NIST SP 800-171 control families
Control FamilyFocus Area
Access ControlLimiting system access to authorized users, processes, and devices
Awareness and TrainingEnsuring personnel understand security risks and their responsibilities
Audit and AccountabilityCreating, protecting, and retaining system audit records
Configuration ManagementEstablishing and maintaining secure baseline configurations
Identification and AuthenticationVerifying the identity of users, processes, and devices
Incident ResponseEstablishing an operational incident-handling capability
MaintenancePerforming system maintenance without introducing security gaps
Media ProtectionProtecting system media containing CUI, including disposal
Personnel SecurityScreening individuals before granting access to CUI
Physical ProtectionLimiting physical access to systems, equipment, and facilities
Risk AssessmentPeriodically assessing risk to operations and assets
Security AssessmentPeriodically assessing and monitoring control effectiveness
System and Communications ProtectionMonitoring and protecting information at system boundaries
System and Information IntegrityIdentifying, reporting, and correcting system flaws
10 of the 14 NIST SP 800-171 Control FamiliesFocus AreaAccess ControlLimit system access to authorized users and processesAwareness & TrainingEnsure personnel understand security risks and responsibilitiesAudit & AccountabilityCreate, protect, and review system audit logsConfiguration ManagementEstablish and enforce secure baseline configurationsIdentification & AuthenticationVerify the identity of users, processes, and devicesIncident ResponseDetect, report, and respond to security incidentsMedia ProtectionProtect and sanitize system media containing CUIRisk AssessmentPeriodically assess risk to organizational operationsSystem & Communications ProtectionMonitor and protect information at system boundariesSystem & Information IntegrityIdentify, report, and correct system flaws in a timely manner
NIST SP 800-171 defines 14 control families in total; these 10 are the most representative for organizations scoping a CMMC Level 2 assessment — not an exhaustive list.

Some families translate into a small number of very specific technical controls, while others — Access Control and System and Information Integrity in particular — carry a large share of the 110 total requirements and typically demand the most implementation effort.

How NIST SP 800-171 differs from NIST CSF

Organizations that have already worked through NIST CSF sometimes assume 800-171 is simply a more detailed version of the same thing. The relationship is closer to complementary than equivalent. NIST CSF is an organizing framework — six functions used to structure and communicate a security program's maturity, with no fixed list of testable requirements and no certification body. NIST SP 800-171 is the opposite in character: a fixed, prescriptive list of 110 specific security requirements, each of which is directly assessable as implemented or not implemented. An organization can use NIST CSF to structure its overall program while separately implementing 800-171's specific requirements to satisfy a CUI-handling contract obligation — the two are not substitutes for each other, and satisfying one does not automatically satisfy the other.

Why this matters even without a direct DoD contract

The most consequential misunderstanding about NIST SP 800-171 is assuming it only applies to organizations that hold a contract directly with the Department of Defense. In practice, the requirement flows through the supply chain via flow-down clauses: a prime contractor's contract with the DoD obligates it to require the same protections from its subcontractors, and those subcontractors' contracts obligate their own vendors in turn. A manufacturer producing a single component, an engineering firm doing subcontracted design work, or an IT services provider supporting any of these organizations can all inherit an 800-171 obligation without ever submitting a bid to the federal government directly. Many organizations first learn they are subject to 800-171 when a prime contractor's due-diligence questionnaire or contract addendum requires evidence of compliance — at which point remediation is happening under a deadline rather than proactively.

Common mistakes

  • Assuming 800-171 only applies to direct DoD contractors. Flow-down clauses extend the requirement across multiple tiers of the defense supply chain, catching organizations with no direct federal relationship.
  • Confusing NIST SP 800-171 with NIST CSF. They serve different purposes — one is a prescriptive, testable control catalog; the other is a voluntary organizing framework. Treating CSF alignment as sufficient for an 800-171 contractual obligation leaves real gaps.
  • Scoping CUI too broadly or too narrowly. Applying 800-171 controls to every system in the environment when only a subset actually processes CUI wastes budget; failing to correctly identify which systems touch CUI leaves the actual obligation unmet.
  • Treating the System Security Plan (SSP) as a one-time document. The SSP needs to reflect the environment as it actually operates and be updated as systems and controls change, not filed away after an initial assessment.

FAQ

What is Controlled Unclassified Information (CUI)? Information the federal government creates or possesses that requires safeguarding under law, regulation, or government-wide policy but is not classified — it spans categories including export-controlled data, certain technical and procurement information, and other sensitive-but-unclassified categories defined by the CUI Registry.

Do we need 800-171 compliance if we're only a subcontractor? Very likely yes, if CUI passes through your systems at any point. The requirement is defined by whether you handle CUI, not by whether your contract is directly with a federal agency.

How does 800-171 relate to CMMC? NIST SP 800-171's 110 requirements are the direct basis for CMMC Level 2's 110 practices. See CMMC 2.0 Overview for how CMMC formalizes assessment and certification against this same control set.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT