Carnegie Mellon University

NIST SP 800-171, often shortened to 800-171, is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or to provide security protection for such systems. The document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. The exact requirements for NIST SP 800-171 revision 2 can be found at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

NIST SP 800-171 compliance is currently required by some Department of Defense contracts via DFARS clause 252.204-7012.

The Office of Sponsored Programs is responsible for research contracts and will work with contracting officers to determine whether NIST 800-171 requirements apply. If you have a prospective project that may involve CUI data and you are seeking guidance, please complete the Tartan CUI Cloud Access Request Form.

The DoD has announced the Cybersecurity Maturity Model Certification (CMMC) program, which builds on NIST SP 800-171 but defines 3 different levels and adds further controls at level 3. The CMMC program requires an independent third-party assessment every 3 years at level 2 and above.

The Information Security Office is available to assist if you have questions about NIST 800-171, CMMC, CUI, or general data protection requirements.

Our System Security Plan templates may be used or modified without any warranties or guarantees.

Revision History

Status          Date
Last Reviewed:  10/26/2023
Last Updated:   10/26/2023