NIST SP 800-171 Rev. 1

    Standards and Frameworks

    NIST SP 800-171 Rev. 1

    National Institute for Standards and Technology (NIST)

    NIST Special Publication 800-171 Rev. 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations belongs to NIST SP 800 series and provides a set of recommended security requirements to federal agencies for protecting the confidentiality of Controlled Unclassified Information under various conditions.

    Last Updated: July 30, 2019

  • General

    NIST SP 800 series were created in 1990. It is a series of reports on the Information Technology Laboratory’s (ITL) research, guidelines, and outreach efforts in computer security, and ITL’s collaborative activities with industry, government, and academic organizations. NIST develops SP 800 series which provides standards and guidelines to help U.S. federal agencies and contractors meet the standards under Federal Information Security Modernization Act (FISMA).

    NIST SP 800-171 Rev. 1


    The purpose of NIST 800-171 Rev. 1 is to update security requirements of selected Controlled Unclassified Information (CUI) and includes additional references, definitions, and a new appendix featuring more detailed discussions about each CUI requirement. According to NIST, these security requirements should be employed when protecting the confidentiality of CUI that:

    1. Resides in “nonfederal systems and organizations;
    2. When the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and
    3. Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.


    These security requirements apply only to elements of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such elements. The intended users of these requirements are federal agencies establishing contracts or agreements between those agencies and nonfederal organizations.

    The specific requirements for safeguarding CUI in nonfederal systems and organizations are derived from the following authoritative federal standards and guidelines with the intention of maintaining a consistent level of protection.

    • Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems
    • Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems
    • NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
    • NIST Special Publication 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories

    However, recognizing that the scope of the safeguarding requirements in the federal CUI regulation is limited to the security objective of confidentiality (i.e., not directly addressing integrity and availability) and that some of the security requirements expressed in the NIST standards and guidelines are uniquely federal, the requirements in this publication have been tailored for nonfederal entities. This tailoring is intended to express the requirements in a manner that allows for and facilitates the equivalent safeguarding measures within nonfederal systems and organizations and does not mitigate the level of protection of CUI required for moderate confidentiality.


    NIST SP 800-171 Rev. 1 is organized as follows:

    • Chapter One: Introduction – The Need to Protect Controlled Unclassified Information
    • Chapter Two: The Fundamentals – Assumptions and Methodology for Developing Security Requirements
    • Chapter Three: The Requirements – Security Requirements for Protecting the Confidentiality of CUI
    • Supporting Appendices:  provide additional information related to the protection of CUI in nonfederal systems and organizations.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.