NIST 800-171 Standard for Protecting
Controlled Unclassified Information (CUI)

The NIST 800-171 standard was created to address the protection of Controlled Unclassified Information (CUI). As of 2016, the DFARS requires security controls to be implemented by both the contractor and the subcontractor levels based on the information security guidance in NIST Special Publication 800-171.

What is NIST SP 800-171? It is regarding protecting Controlled Unclassified Information in Nonfederal Systems and Orgranizations and provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).

The NIST 800-171 document helps to clarify the role of defense contractors in data breach incidents and specifies security controls necessary to protect CUI handled or generated by private sector firms.

CUI Can Apply To:

  • Federal contract information
  • Controlled Unclassified Information (USG-wide)
  • Covered Defense Information (CDI)

Your responsibilities, when it comes to
protecting CUI are as follows:

  • Identify sensitive information marked as “CUI” and noted in solicitations and contract amendments.
  • Provide and maintain “adequate security” on all covered information systems (DFARS 252.204-7012, NIST SP 800-171).
  • Develop and maintain a documented System Security Plan (SSP) and Plan of Action and Milestones (POAM) to demonstrate compliance.
  • Submit your SSP and POAM with all proposals to demonstrate compliance (contract data requirements list).
  • Be prepared for on-site assessments of covered defense information systems by DCMA.
  • Periodically review and update SSP and POAM to maintain compliance. Keep in mind that your SSP and POAM will be evaluated by contracting activities (USG or prime contractor) to assess the risk of sharing CUI/CDI with contractor.  This can affect your ability to win or retain contracts with the federal government.

Consulting Support for NIST 800-171 Compliance

Core Business Solutions has qualified NIST 800-171 consultants ready to help you achieve compliance. Support for the standards is available our Online and Onsite Consulting Programs. We also provide consulting support for companies seeking multiple standards (such as ISO 9001 and ISO 27001) through an Integrated Management System.

Our consultants translate the technical language of the standard into Plain English and make it as simple and effective for your organization as possible.

For more information about compliance, please call our consulting office at 866-354-0300, or email

Related standards

• See ISO 27001 for information security management systems

For more information on Cybersecurity please visit our articles page.

If you would like any additional information about our ISO certification consulting programs, or would like a quote for any of these options, please give us a call or send a quick email. We’re also glad to answer any ISO questions you may have.


Office hours: 8:00 AM – 5:00 PM Eastern Time

Phone: 866-354-0300