NIST SP 800-171

NIST Special Publication 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems — meaning your systems, as a contractor. It contains 110 security requirements organized into 14 families, and it is the direct basis for CMMC Level 2.

The requirements in 800-171 are derived from NIST SP 800-53 but tailored for the contractor environment. They cover access control, awareness training, audit logging, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system protection, and system integrity.

If your company handles CUI, implementing all 110 requirements of NIST SP 800-171 is your compliance target. Your SPRS score is calculated based on how many of these requirements you fully meet.