NIST 800-171 Commonly Asked Questions

NIST 800-171 is a key publication outlining important cybersecurity practices and protocols for government agencies, contractors, and subcontractors. Following the guidelines laid out within it is crucial for anyone handling government contracts.

Unfortunately, it can be difficult to understand what all the guidelines even mean. As is the case with most government documents, there are many questions surrounding 800-171. We’re here to answer them and bring some clarity on NIST 800-171 and how to comply with it.

What is NIST 800-171?

Answering this FAQ on NIST 800-171 is the perfect starting point. As we mentioned earlier, this is a special publication meant for contractors and subcontractors of the US federal government. The original publication was released by the National Institute of Standards and Technology in 2015, but the most recent version, 800-171 Revision 2, was published in 2020.

The goal of this publication is to outline the steps that organizations should be taking in order to protect Controlled Unclassified Information, CUI for short.

What is CUI?

On the topic of CUI, let’s cover that next. CUI is information that is not considered classified, but it is nonetheless sensitive and relevant to the interests of the United States government. Because of its potentially sensitive nature, handling CUI requires certain controls for keeping it safeguarded, and that’s why NIST 800-171 was created.

For a more detailed definition of CUI, the US government states that it is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

The main thing to know about CUI is that while it’s not classified, it’s still sensitive enough to require protection by those who handle it.

Who uses CUI?

There are many different types of CUI. In fact, there are 20 different categories, ranging from defense information to statistical data. Within each of those categories, there are multiple subcategories.

Because CUI is such a diverse topic, it is used by many organizations. The most typical users of CUI are government contractors, but many companies create, handle, possess, transmit, or receive CUI, sometimes without even realizing it.

Who is required to comply with 800-171 regulations?

The protocols outlined in 800-171 are meant to be adopted by any government agency, contractor, or subcontractor that uses CUI. That means that any organization that handles CUI and does business with the government must comply.

As of December 2017, it officially became a requirement for DoD contractors to comply with Defense Federal Acquisition Regulations Supplement (DFARS) clause 252.204.7012. As long as you’re complying with NIST 800-171 guidelines, then you’re satisfying the DFARS requirement.

What’s the difference between 800-171 and 800-53?

NIST 800-53 is part of the Federal Information Management Security Act (FISMA). Both 800-171 and 800-53 are publications on important technology standards for keeping government information safe, but there are some key differences.

800-53 is a much longer document that covers the entire framework for how government institutions utilize security and privacy in their technology systems. There are over 200 different controls listed in 800-53 to help government organizations piece together the necessary IT protocols and strategies to stay protected.

NIST 800-171, or DFARS, is meant solely for Department of Defense contractors. It covers just over 100 different controls in order to be compliant. These controls are all aimed at protecting CUI within the internal systems of nonfederal organizations working with the DoD.

How do I become NIST 800-171 compliant?

The first step to becoming compliant is to understand the goals of the regulation, who it applies to, and why it’s important. Covering this information will give you a much clearer picture of the steps you need to follow in order to achieve compliance.

To become compliant, it’s recommended to create a NIST SP 800-171 checklist listing out the requirements. We won’t go through everything you need to do to become compliant, but to give you a better idea, here are the 6 general steps involved:

  1. Locate and identify CUI within your organization
  2. Categorize CUI to protect the most sensitive data first
  3. Implement required controls laid out in NIST 800-171
  4. Offer NIST 800-171 training to all employees who have access to CUI
  5. Implement a data monitoring system to monitor who is accessing CUI
  6. Regularly assess security systems and processes

Although each of these steps is important, number 6 is a big one. It’s now required for DoD contractors to submit self-assessments of their NIST compliance to the Supplier Performance Risk System (SPRS).

The assessment uses the DoD’s NIST SP 800-171 Assessment Methodology, a 110-point scale that measures how well a contractor is adhering to each of the controls laid out in NIST 800-171.

This is not the time to brush off NIST 800-171 requirements. Now more than ever, CUI is at risk from cyber threats, and you need to take action to protect against them. If your organization experiences a data breach and has not yet reached 800-171 compliance, you’re subject to serious fines and could even be barred from future contracts.

Ready to become NIST 800-171 compliant? We can help! The VAAXA team provides services and guidance to help contractors and subcontractors meet and maintain compliance. We’ll help you form your NIST 800-171 checklist and do what we can to help you reach your compliance goals.
