NIST SP 800-171 is the control catalog that CMMC Level 2 is built on, and it is also the requirement organizations most often discover they're subject to only after a contract is already signed. This article covers what 800-171 actually protects, its 14 control families at a high level, how it differs from NIST CSF, and why it reaches far more organizations than the phrase "DoD contractor" suggests.
What NIST SP 800-171 protects
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," specifies security requirements for one particular category of data: Controlled Unclassified Information (CUI). CUI is information the federal government creates or possesses that requires safeguarding but isn't classified — categories like export-controlled technical data, certain law enforcement information, and unclassified defense technical information. When a non-federal organization — a contractor, subcontractor, or research partner — stores, processes, or transmits CUI on its own systems, 800-171 defines the security requirements that apply to those systems.
800-171 is a requirement, not a suggestion
Unlike NIST CSF, which is voluntary, NIST SP 800-171 compliance is contractually mandated wherever a contract clause (commonly DFARS 252.204-7012) requires it. It is not a framework an organization chooses to adopt for its own benefit — it is a specific, testable requirement tied to handling a specific category of federal information.
The 14 control families
NIST SP 800-171 organizes its 110 security requirements into 14 control families, each covering a distinct domain of security practice.
| Control Family | Focus Area |
|---|---|
| Access Control | Limiting system access to authorized users, processes, and devices |
| Awareness and Training | Ensuring personnel understand security risks and their responsibilities |
| Audit and Accountability | Creating, protecting, and retaining system audit records |
| Configuration Management | Establishing and maintaining secure baseline configurations |
| Identification and Authentication | Verifying the identity of users, processes, and devices |
| Incident Response | Establishing an operational incident-handling capability |
| Maintenance | Performing system maintenance without introducing security gaps |
| Media Protection | Protecting system media containing CUI, including disposal |
| Personnel Security | Screening individuals before granting access to CUI |
| Physical Protection | Limiting physical access to systems, equipment, and facilities |
| Risk Assessment | Periodically assessing risk to operations and assets |
| Security Assessment | Periodically assessing and monitoring control effectiveness |
| System and Communications Protection | Monitoring and protecting information at system boundaries |
| System and Information Integrity | Identifying, reporting, and correcting system flaws |
Some families translate into a small number of very specific technical controls, while others — Access Control and System and Information Integrity in particular — carry a large share of the 110 total requirements and typically demand the most implementation effort.
How NIST SP 800-171 differs from NIST CSF
Organizations that have already worked through NIST CSF sometimes assume 800-171 is simply a more detailed version of the same thing. The relationship is closer to complementary than equivalent. NIST CSF is an organizing framework — six functions used to structure and communicate a security program's maturity, with no fixed list of testable requirements and no certification body. NIST SP 800-171 is the opposite in character: a fixed, prescriptive list of 110 specific security requirements, each of which is directly assessable as implemented or not implemented. An organization can use NIST CSF to structure its overall program while separately implementing 800-171's specific requirements to satisfy a CUI-handling contract obligation — the two are not substitutes for each other, and satisfying one does not automatically satisfy the other.
Why this matters even without a direct DoD contract
The most consequential misunderstanding about NIST SP 800-171 is assuming it only applies to organizations that hold a contract directly with the Department of Defense. In practice, the requirement flows through the supply chain via flow-down clauses: a prime contractor's contract with the DoD obligates it to require the same protections from its subcontractors, and those subcontractors' contracts obligate their own vendors in turn. A manufacturer producing a single component, an engineering firm doing subcontracted design work, or an IT services provider supporting any of these organizations can all inherit an 800-171 obligation without ever submitting a bid to the federal government directly. Many organizations first learn they are subject to 800-171 when a prime contractor's due-diligence questionnaire or contract addendum requires evidence of compliance — at which point remediation is happening under a deadline rather than proactively.
Common mistakes
- Assuming 800-171 only applies to direct DoD contractors. Flow-down clauses extend the requirement across multiple tiers of the defense supply chain, catching organizations with no direct federal relationship.
- Confusing NIST SP 800-171 with NIST CSF. They serve different purposes — one is a prescriptive, testable control catalog; the other is a voluntary organizing framework. Treating CSF alignment as sufficient for an 800-171 contractual obligation leaves real gaps.
- Scoping CUI too broadly or too narrowly. Applying 800-171 controls to every system in the environment when only a subset actually processes CUI wastes budget; failing to correctly identify which systems touch CUI leaves the actual obligation unmet.
- Treating the System Security Plan (SSP) as a one-time document. The SSP needs to reflect the environment as it actually operates and be updated as systems and controls change, not filed away after an initial assessment.
FAQ
What is Controlled Unclassified Information (CUI)? Information the federal government creates or possesses that requires safeguarding under law, regulation, or government-wide policy but is not classified — it spans categories including export-controlled data, certain technical and procurement information, and other sensitive-but-unclassified categories defined by the CUI Registry.
Do we need 800-171 compliance if we're only a subcontractor? Very likely yes, if CUI passes through your systems at any point. The requirement is defined by whether you handle CUI, not by whether your contract is directly with a federal agency.
How does 800-171 relate to CMMC? NIST SP 800-171's 110 requirements are the direct basis for CMMC Level 2's 110 practices. See CMMC 2.0 Overview for how CMMC formalizes assessment and certification against this same control set.