Carnegie Mellon University

NIST SP 800-171, or just 800-171, is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. This document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. The exact requirements for NIST SP 800-171 revision 1 can be found at

NIST SP 800-171 compliance is currently required by some Department of Defense contracts via DFARS clause 252.204-7012.

The Office of Sponsored Programs is responsible for research contracts and will work with and contracting officers to ensure that NIST 800-171 requirements are applicable. When NIST 800-171 requirements are applicable, it is advisable to consult NREC and/or PSC, both of which are capable of supporting this type of research.

The Information Security Office is available to assist if you have questions about NIST 800-171, CUI, or general data protection requirements.


CMU System Security Plan Template (requirement 3.12.4)