Mandatory · lawNISTUSvRev. 2

NIST 800-171

NIST SP 800-171 Rev. 2

The requirements for protecting CUI in non-federal systems, derived from the moderate baseline of 800-53 and organized into 14 families.

Official source ↗

Who it applies to

US defense supply chainFederal contractorsHandles CUI

Contractors and subcontractors that store, process or transmit Controlled Unclassified Information (CUI) for the US government, enforced for the defense sector through DFARS clauses and CMMC.

3.1 Access Control

3.1.1 Limit system access to authorized users
Limit access to authorized users, processes acting on their behalf, and devices.
16 mapped

3.3 Audit and Accountability

3.3.1 Create and retain audit logs
Create and retain system audit logs to enable monitoring, analysis, investigation and reporting.
11 mapped

3.4 Configuration Management

3.4.2 Establish and enforce security configuration settings
Establish and enforce security configuration settings for IT products in the system.
10 mapped

3.6 Incident Response

3.6.1 Establish an incident-handling capability
Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery and user response.
13 mapped

3.11 Risk Assessment

3.13 System and Communications Protection

3.13.11 Employ FIPS-validated cryptography
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
15 mapped