
NIST SP 800-171

Definition

NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. Any company that handles CUI under a DoD contract must implement all 110 requirements and submit a self-assessment score to the Supplier Performance Risk System (SPRS).

NIST 800-171 is organized into 14 requirement families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

Scoring

Each of the 110 requirements carries a point value, and a perfect score is 110; every unimplemented requirement reduces the score. Contractors submit the resulting score to SPRS -- a low score does not by itself disqualify a firm, but it must be accompanied by a Plan of Action and Milestones (POA&M) that sets a remediation timeline for each unimplemented requirement.
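The scoring rule above, worked through as an added example (not code from the original page or from Code and Trust). It assumes the weighting used by the DoD NIST SP 800-171 Assessment Methodology: each requirement is worth 1, 3 or 5 points, partial credit (a 3-point deduction instead of 5) exists only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and the score floor when nothing is implemented is -203. The requirement subset and its point values are constructed for illustration and should be checked against Annex A of the methodology before being used for a real SPRS submission. Requirements not listed in the input are assumed to be implemented.

```python
"""Weighted NIST SP 800-171 self-assessment score plus the POA&M entries it implies.

Added example, not from the original page. Point values follow the DoD
Assessment Methodology (1/3/5 per requirement); the subset below is
constructed and must be verified against Annex A before real use.
"""
from dataclasses import dataclass

PERFECT_SCORE = 110
MIN_SCORE = -203  # every requirement unimplemented (assumption from the methodology)

# Partial credit is only defined for two requirements (assumption from the methodology):
#   3.5.3   MFA in place for remote and privileged access but not for all users
#   3.13.11 encryption in use but not FIPS-validated
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Constructed subset: requirement id -> (short title, point value).
REQUIREMENTS = {
    "3.1.1":   ("Limit system access to authorized users", 5),
    "3.1.2":   ("Limit access to permitted transactions and functions", 5),
    "3.1.3":   ("Control the flow of CUI", 1),
    "3.1.5":   ("Employ the principle of least privilege", 3),
    "3.3.1":   ("Create and retain system audit logs", 5),
    "3.4.1":   ("Establish and maintain baseline configurations", 5),
    "3.5.3":   ("Use multifactor authentication", 5),
    "3.13.11": ("Use FIPS-validated cryptography to protect CUI", 5),
}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


@dataclass
class PoamItem:
    """One Plan of Action and Milestones line: what is open and how much it costs."""
    requirement: str
    title: str
    deduction: int
    status: str


def score_assessment(status_by_req):
    """Return (score, poam_items) for a self-assessment.

    status_by_req maps a requirement id to 'implemented', 'partial' or
    'not_implemented'. Unlisted requirements count as implemented.
    """
    score = PERFECT_SCORE
    poam = []
    for req, status in status_by_req.items():
        if req not in REQUIREMENTS:
            raise KeyError(f"unknown requirement {req}")
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: status must be one of {sorted(VALID_STATUSES)}")
        title, points = REQUIREMENTS[req]
        if status == "implemented":
            continue
        if status == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
            deduction = PARTIAL_CREDIT[req]
        else:
            deduction = points
        score -= deduction
        poam.append(PoamItem(req, title, deduction, status))
    # Highest-weight gaps first: that is the order a remediation timeline should follow.
    poam.sort(key=lambda item: (-item.deduction, item.requirement))
    return max(score, MIN_SCORE), poam


if __name__ == "__main__":
    # Constructed self-assessment: MFA only partly rolled out, CUI flow control missing.
    sample = {"3.5.3": "partial", "3.1.3": "not_implemented", "3.1.1": "implemented"}
    score, poam = score_assessment(sample)
    print(f"SPRS score: {score} / {PERFECT_SCORE}")
    for item in poam:
        print(f"  {item.requirement:8} -{item.deduction}  {item.status:16} {item.title}")
```

The POA&M list is sorted by deduction so that a 5-point gap is scheduled ahead of a 1-point one, which mirrors how the score rewards closing the heaviest gaps first.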

800-171 vs. 800-53

NIST SP 800-53 covers federal information systems operated by the government. NIST SP 800-171 covers contractor-operated systems that handle CUI. If you are a vendor handling CUI, 800-171 is your framework; if you are building a system that will operate inside a federal agency's boundary, 800-53 applies.

Related terms

FedRAMP

FedRAMP (Federal Risk and Authorization Management Program) is the U.S. government's standardized authorization framework for cloud services sold to federal agencies. A FedRAMP Moderate authorization covers 80% of federal civilian use cases, takes 12-24 months to achieve, and costs $500,000-$2,000,000 -- but it unlocks a $100 billion+ federal cloud services market with a single reusable authorization.

ATO (Authority to Operate)

An Authority to Operate (ATO) is the formal approval granted by a federal Authorizing Official that allows a software system to operate within a government environment after completing the NIST Risk Management Framework assessment process. ATOs are required before any federal system goes live and must be continuously maintained -- typically reviewed annually and triggered by significant system changes.

CMMC (Cybersecurity Maturity Model Certification)

CMMC (Cybersecurity Maturity Model Certification) is the DoD's third-party verification program for cybersecurity practices on defense contracts. CMMC Level 2 -- required on most DoD contracts handling Controlled Unclassified Information by 2026 -- mandates independent assessment of all 110 NIST SP 800-171 practices by a Certified Third-Party Assessment Organization (C3PAO).

SOC 2

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates a software company's controls over security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report -- covering 6-12 months of operating effectiveness -- is increasingly required by enterprise buyers and is a de facto procurement requirement for B2B SaaS vendors.

Need help implementing this in your business?

Code and Trust translates concepts like NIST SP 800-171 into working implementations — starting with a workflow audit that shows exactly where it creates ROI.
