US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government contractors). They apply:

  • When CUI is resident in non-federal information systems and organizations;
  • When information systems where CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.

The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.

Reference:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
http://csrc.nist.gov/publications/nistpubs/800-171r1/sp800-171r1-excerpt.pdf