US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government contractors). The requirements apply:
- When CUI is resident in non-federal information systems and organizations;
- When information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.