NIST 800-171 provides security requirements for the protection of controlled unclassified information (CUI) on nonfederal systems.
NIST 800-171 is laser-focused on confidentiality. Its requirements do not account for availability and integrity.
System Security Plan
NIST 800-171 requires a system security plan (SSP) demonstrating how the entity has implemented the security controls.
NIST 800-53 & FIPS 200
NIST 800-171's 110 security requirements are derived from NIST 800-53 and FIPS 200.
11 Control Families
NIST 800-171 groups its security requirements into 11 families including access control, configuration management, and physical protection.
NIST 800-171's appendix includes 60 nonfederal organization (NFO) controls. NIST tailored these controls out because it assumes nonfederal organizations already implement them.
Learn about NIST 800-171A and explore its assessment procedures.
Learn about CMMC 2.0 and explore its practices.
NIST 800-171 provides security requirements for CUI on nonfederal systems.
Companies that support the DoD are required to implement the security requirements of NIST 800-171 per DFARS 252.204-7012.
Other government agencies will require its implementation as well.
Our CMMC course has a lot of content related to NIST 800-171: CMMC Overview Training for Small and Medium Businesses (SMBs)
NIST 800-171 r2 has 110 controls.
NIST 800-171's controls are derived from FIPS 200 and NIST 800-53's moderate control baseline.