A framework published by the National Institute of Standards and Technology (NIST) that defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Officially titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” it was developed to help contractors meet the obligations outlined in DFARS 252.204-7012.
The requirements are organized into 14 control families, including access control, incident response, system integrity, and personnel security. Together, they establish a baseline for safeguarding sensitive government data that is not classified but still requires protection.
NIST SP 800-171 compliance is central to the Department of Defense’s cybersecurity expectations and forms the foundation of CMMC Level 2 certification. Contractors must implement, document, and maintain these controls to continue doing business with the DoD.