Carnegie Mellon University

NIST SP 800-171 (often shortened to 800-171) is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI), or to provide security protection for such systems. This document is based on the Federal Information Security Management Act of 2002 (FISMA) Moderate level requirements. The exact requirements for NIST SP 800-171 revision 2 can be found at

NIST SP 800-171 compliance is currently required by some Department of Defense contracts via DFARS clause 252.204-7012.

The Office of Sponsored Programs is responsible for research contracts and will work with contracting officers to determine whether NIST 800-171 requirements are applicable. When NIST 800-171 requirements are applicable, it is advisable to consult NREC and/or PSC, both of which are capable of supporting this type of research.

The DoD has announced the Cybersecurity Maturity Model Certification (CMMC) program, which is related to NIST SP 800-171 but contains 3 different levels, has additional controls, and requires demonstrating a maturity level.

The Information Security Office is available to assist if you have questions about NIST 800-171, CMMC, CUI, or general data protection requirements.

Our System Security Plan Templates may be used or modified without any warranties or guarantees.

Revision History

Status:  Date
Last Reviewed:  08/31/2021
Last Updated:  08/31/2021