NIST SP 800-171 (Protecting CUI in Non-Federal Systems)
The 110-control security standard that every DoD contractor and federal research institution must satisfy to handle Controlled Unclassified Information.
NIST Special Publication 800-171 revision 2 ("Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations") establishes 110 security requirements across 14 control families — from Access Control (AC) and Audit and Accountability (AU) through System and Communications Protection (SC) and System and Information Integrity (SI). Published in February 2020, it serves as the security baseline for the DoD's DFARS 252.204-7012 clause and the foundation for CMMC Level 2. Revision 3 (public draft released May 2023, final expected 2024) reorganizes requirements into 17 families and adds 10 new requirements around supply chain, system recovery, and unsupported components, with a proposed scoring weight system replacing the flat 110-control count.
Engineering implementation of 800-171 is not a policy exercise — it demands concrete technical controls. AC.1.001 (limit system access to authorized users) requires integrating every system into a centralized identity provider with MFA enforced at the authentication layer, not just at the application layer. AU.2.042 (create and retain system audit logs) demands tamper-evident, centralized log aggregation with retention ≥3 years for CUI systems. SC.3.177 (employ FIPS-validated cryptography) means replacing all TLS 1.0/1.1, MD5, SHA-1, and non-FIPS cipher suites across every CUI-touching endpoint, including internal microservice meshes. The most commonly failed controls are: CM.2.061 (establish baseline configurations), SI.2.214 (scan for malicious code), and MA.3.115 (supervise maintenance activities of personnel without required access).
Scoping is the most consequential and most misunderstood aspect of 800-171 compliance. The "covered system" boundary must encompass all components that process, store, or transmit CUI — including backup systems, monitoring agents, DevOps toolchains, and any third-party SaaS tools used in the development or delivery of CUI-processing systems. Many organizations unknowingly extend their CUI boundary by syncing files to personal cloud storage or using non-compliant collaboration tools. The DoD's NIST SP 800-171 Assessment Methodology assigns each control a value (1, 3, or 5 points); failing a single 5-point control such as multi-factor authentication drops the SPRS score by 5, and an organization cannot claim a passing score without achieving all 5-point controls.
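The scoring arithmetic of the DoD Assessment Methodology is small enough to carry through as a worked example. The code below is added here and is not the DoD's tool or any page-provided script. It uses the 800-171 Rev 2 requirement numbering (3.x.y); the weights in the sample table are constructed for illustration, except that multi-factor authentication (3.5.3) is given the 5-point weight the page states. Real weights come from the methodology's Annex A table.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

MAX_SCORE = 110  # every requirement counts for one control; deductions are weighted


@dataclass(frozen=True)
class Requirement:
    req_id: str      # NIST SP 800-171 Rev 2 requirement number
    weight: int      # 1, 3 or 5 per the Assessment Methodology
    description: str


@dataclass(frozen=True)
class Finding:
    req_id: str
    implemented: bool


def validate_weights(reqs: Iterable[Requirement]) -> None:
    for r in reqs:
        if r.weight not in (1, 3, 5):
            raise ValueError(f"{r.req_id}: weight must be 1, 3 or 5, got {r.weight}")


def sprs_score(reqs: Dict[str, Requirement], findings: Iterable[Finding]) -> int:
    """110 minus the weight of every requirement the assessment found not implemented."""
    validate_weights(reqs.values())
    deductions = 0
    for f in findings:
        if f.req_id not in reqs:
            raise KeyError(f"finding refers to unknown requirement {f.req_id}")
        if not f.implemented:
            deductions += reqs[f.req_id].weight
    return MAX_SCORE - deductions


def unmet_five_point(reqs: Dict[str, Requirement], findings: Iterable[Finding]) -> List[str]:
    """The 5-point requirements still open; these dominate the score and the remediation plan."""
    return sorted(f.req_id for f in findings
                  if not f.implemented and reqs[f.req_id].weight == 5)


def minimum_score(reqs: Dict[str, Requirement]) -> int:
    """Score if nothing in the table were implemented (negative for the full 110-control table)."""
    return MAX_SCORE - sum(r.weight for r in reqs.values())


# Constructed sample table: a subset of requirements with illustrative weights
# (3.5.3 at 5 points as the page states; the others are assumed for the example).
SAMPLE_REQS: Dict[str, Requirement] = {r.req_id: r for r in [
    Requirement("3.1.1", 5, "Limit system access to authorized users"),
    Requirement("3.3.1", 5, "Create and retain system audit logs"),
    Requirement("3.4.1", 5, "Establish and maintain baseline configurations"),
    Requirement("3.5.3", 5, "Multi-factor authentication"),
    Requirement("3.13.11", 5, "Employ FIPS-validated cryptography"),
    Requirement("3.14.5", 3, "Periodic scans for malicious code"),
    Requirement("3.7.6", 1, "Supervise maintenance personnel without required access"),
]}


def sample_findings(open_ids: Iterable[str]) -> List[Finding]:
    """Everything implemented except the listed requirement ids (constructed assessment)."""
    open_set = set(open_ids)
    return [Finding(req_id, req_id not in open_set) for req_id in SAMPLE_REQS]


if __name__ == "__main__":
    findings = sample_findings(["3.5.3", "3.14.5"])
    print(sprs_score(SAMPLE_REQS, findings))        # 102
    print(unmet_five_point(SAMPLE_REQS, findings))  # ['3.5.3']
```

Running it shows why scoping and the 5-point controls dominate the conversation: one open MFA finding costs as much as five open 1-point findings, and every requirement inside the covered boundary is scored whether or not the organization considered the component important.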
We conduct system boundary definition workshops before touching any controls, ensuring that the CUI boundary is both accurate and as narrow as defensible — this directly reduces compliance cost and implementation complexity. We then deploy our 800-171 control implementation accelerators: pre-configured SIEM rules mapped to AU family requirements, FIPS 140-2 validated encryption baselines for cloud workloads, and automated configuration drift detection for CM family controls.
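Configuration drift detection for the CM family comes down to comparing a recorded baseline against the live state and reporting what moved. The example below is added here and is not the accelerator described above; it works on in-memory file contents so it runs offline, with the baseline, the current state and the file paths all constructed for the illustration. It hashes whole files to detect any change and then diffs parsed `key value` / `key = value` settings so the report names the setting that drifted rather than only the file.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, str]
DriftReport = Dict[str, object]


def parse_kv(text: str) -> Settings:
    """Parse sshd_config / sysctl style lines; comments and blank lines are ignored."""
    settings: Settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings[key.strip()] = value.strip()
    return settings


def snapshot(files: Dict[str, str]) -> Dict[str, str]:
    """Baseline record: SHA-256 of each file's content, keyed by path."""
    return {path: hashlib.sha256(content.encode("utf-8")).hexdigest()
            for path, content in files.items()}


def setting_diff(baseline_text: str, current_text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Per-key (baseline, current) pairs for every setting whose value differs."""
    b, c = parse_kv(baseline_text), parse_kv(current_text)
    return {k: (b.get(k), c.get(k)) for k in sorted(set(b) | set(c)) if b.get(k) != c.get(k)}


def detect_drift(baseline_files: Dict[str, str], current_files: Dict[str, str]) -> DriftReport:
    """Compare the live state with the baseline: new files, missing files, changed settings."""
    base, cur = snapshot(baseline_files), snapshot(current_files)
    changed: Dict[str, Dict[str, Tuple[Optional[str], Optional[str]]]] = {}
    for path in sorted(set(base) & set(cur)):
        if base[path] != cur[path]:
            # An empty dict here means the bytes changed but no setting did
            # (comment or whitespace edit); still worth a look, but lower priority.
            changed[path] = setting_diff(baseline_files[path], current_files[path])
    return {
        "added": sorted(set(cur) - set(base)),
        "removed": sorted(set(base) - set(cur)),
        "changed": changed,
    }


# Constructed baseline and live state for a hypothetical CUI host.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": "max_log_file_action = ROTATE\nspace_left_action = email\n",
    "/etc/sysctl.d/99-cui.conf": "net.ipv4.ip_forward = 0\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": "max_log_file_action = ROTATE\nspace_left_action = email\n",
    "/etc/sysctl.d/99-cui.conf": "# reviewed by ops\nnet.ipv4.ip_forward = 0\n",
    "/etc/sudoers.d/deploy": "deploy ALL=(ALL) NOPASSWD: ALL\n",
}


def sample_report() -> DriftReport:
    return detect_drift(BASELINE_FILES, CURRENT_FILES)


if __name__ == "__main__":
    for section, value in sample_report().items():
        print(section, value)
```

In a real deployment the baseline hashes are taken at approval time and stored outside the monitored host, the current snapshot is collected by an agent on a schedule, and any non-empty `changed` entry or unexpected `added` path becomes a CM finding that either gets approved into a new baseline or remediated.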
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.