What is NIST 800-171

NIST 800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems.

What is NIST 800-171?

  • Helps clarify the role of third parties in data breach incidents.
  • Provides guidance on the types of data to protect and the kinds of protections to apply.
  • Is especially helpful for private sector firms.

NIST SP 800-171 was designed specifically for NON-FEDERAL information systems — those in use to support private enterprises.

NIST 800-171, it is intended to help "non-federal entities":

  • Comply with new security requirements using the systems and practices that contractors already have in place, rather than trying to use government-specific approaches.
  • Provides a standardized and uniform set of requirements for all CUI security needs, tailored to non-federal systems
  • Allows non-federal entities to comply with, and consistently implement, safeguards for the protection of CUI.
  • Addresses common deficiencies in managing and protecting unclassified information to include inconsistent markings and inadequate safeguarding.

    NIST 800-171 Key Assumptions That Impact Scoping

    NIST 800-171 states that contractors may limit the scope of the CUI security requirements to CUI systems and/or components.

    Isolating CUI into its own security domain may be the most cost-effective and efficient approach for non-federal organizations to satisfy requirements and protect CUI confidentiality.

    To isolate CUI:

    • Apply architectural design principles that implement subnetworks with firewalls or other boundary protection devices
    • Employ physical separation, logical separation, or a combination of both for secure domains

    Learn more about other NIST Compliances:

    NIST Compliance Overview


    NIST 800-53