Carnegie Mellon University

The Information Security Office can help researchers comply with Department of Defense contracts that include NIST SP 800-171 (or DFARS clause 252.204-7012).

NIST SP800-171 or just 800-171 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems.  This document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. The exact requirements for NIST SP 800-171 revision 1 can be found at

The Office of Sponsored Programs is responsible for research contracts and will work with researchers to remove the clause where possible, have the research designated as Fundamental Research, or have a documented exception where the researcher will not be receiving or generating CUI.  The Information Security Office steps in to help researchers if none of those attempts are successful.

Conducting research falling under NIST 800-171 is difficult (but not impossible) on main campus, and we encourage you to reach out to NREC and PSC which are both capable of supporting this type of research.


CMU System Security Plan Template (requirement 3.12.4)