{"id":68,"date":"2026-03-26T10:14:29","date_gmt":"2026-03-26T17:14:29","guid":{"rendered":"https:\/\/www-geek.com\/?page_id=68"},"modified":"2026-03-31T13:29:06","modified_gmt":"2026-03-31T20:29:06","slug":"800-171","status":"publish","type":"page","link":"https:\/\/www-geek.com\/index.php\/800-171\/","title":{"rendered":"800-171"},"content":{"rendered":"\n<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\">\n<title>NIST SP 800-171 \u2014 Protecting CUI in Nonfederal Systems<\/title>\n<link href=\"https:\/\/fonts.googleapis.com\/css2?family=IBM+Plex+Mono:wght@400;600;700&#038;family=Barlow+Condensed:wght@300;400;600;700;800&#038;family=Barlow:wght@300;400;500;600&#038;display=swap\" rel=\"stylesheet\">\n<style>\n:root {\n  --bg:#080c14;--surf:#0d1420;--surf2:#111b2e;--border:#1e2f4a;--border2:#263d5e;\n  --cyan:#00d8f0;--amber:#ffb300;--green:#00cc70;--red:#e84848;--purple:#8866ff;\n  --blue:#1a7fd4;--teal:#00b4a8;\n  --text:#f0f4ff;--text2:#b8cce0;--text3:#6e8fa8;\n  --mono:'IBM Plex Mono',monospace;--cond:'Barlow Condensed',sans-serif;--body:'Barlow',sans-serif;\n}\n*{margin:0;padding:0;box-sizing:border-box;}\nhtml,body{height:100%;overflow:hidden;background:var(--bg);color:var(--text);font-family:var(--body);-webkit-font-smoothing:antialiased;}\n.app{display:flex;height:100vh;overflow:hidden;}\n.sidebar{width:228px;min-width:228px;background:var(--surf);border-right:1px solid var(--border);display:flex;flex-direction:column;overflow:hidden;}\n.sb-hdr{padding:22px 18px 16px;border-bottom:1px solid 
var(--border);flex-shrink:0;}\n.sb-logo{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.2em;color:var(--cyan);text-transform:uppercase;margin-bottom:6px;}\n.sb-title{font-family:var(--cond);font-size:20px;font-weight:800;color:#fff;line-height:1.1;}\n.sb-sub{font-size:10px;color:var(--text3);margin-top:4px;line-height:1.5;}\nnav{flex:1;overflow-y:auto;padding-bottom:16px;}\n.ng{padding:16px 0 4px;}\n.ngl{font-family:var(--cond);font-size:13px;font-weight:800;letter-spacing:.12em;text-transform:uppercase;color:var(--cyan);padding:4px 18px 8px;display:block;border-bottom:1px solid var(--border2);}\n.ni{display:flex;align-items:center;gap:9px;padding:7px 18px 7px 20px;cursor:pointer;font-size:13px;font-family:var(--body);color:var(--text);transition:background .1s,color .1s;border-left:2px solid transparent;line-height:1.3;}\n.ni:hover{background:var(--surf2);color:var(--text);}\n.ni.active{color:var(--cyan);border-left-color:var(--cyan);background:rgba(0,216,240,.08);}\n.nd{width:5px;height:5px;border-radius:50%;background:var(--border2);flex-shrink:0;transition:background .1s;}\n.ni.active .nd,.ni:hover .nd{background:currentColor;}\n.main{flex:1;overflow-y:auto;background:var(--bg);}\n.panel{display:none;padding:36px 52px 72px;max-width:920px;}\n.panel.active{display:block;animation:fi .18s ease;}\n@keyframes fi{from{opacity:0;transform:translateY(10px)}to{opacity:1;transform:translateY(0)}}\n.p-eye{font-family:var(--mono);font-size:9px;font-weight:700;letter-spacing:.18em;text-transform:uppercase;color:var(--cyan);margin-bottom:10px;display:flex;align-items:center;gap:8px;}\n.p-eye::before{content:'';width:22px;height:2px;background:var(--cyan);}\n.p-title{font-family:var(--cond);font-size:46px;font-weight:800;color:#fff;line-height:1;margin-bottom:6px;}\n.p-title 
span{color:var(--cyan);}\n.p-sub{font-family:var(--cond);font-size:17px;font-weight:300;color:var(--text2);margin-bottom:28px;letter-spacing:.04em;}\n.divider{height:1px;background:var(--border);margin:24px 0;}\n.prose{font-size:13.5px;line-height:1.75;color:var(--text2);}\n.prose+.prose{margin-top:12px;}\n.prose strong{color:var(--text);font-weight:600;}\n.prose code{font-family:var(--mono);font-size:11.5px;color:var(--cyan);background:rgba(0,216,240,.08);padding:1px 5px;border-radius:2px;}\nh3{font-family:var(--cond);font-size:19px;font-weight:700;color:#fff;margin:26px 0 11px;letter-spacing:.03em;}\n.cg{display:grid;gap:8px;}\n.cg2{grid-template-columns:1fr 1fr;}\n.cg3{grid-template-columns:1fr 1fr 1fr;}\n.card{background:var(--surf);border:1px solid var(--border);padding:15px 16px;}\n.cnum{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;color:var(--text3);margin-bottom:6px;}\n.ctitle{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:6px;line-height:1.2;}\n.ctext{font-size:11.5px;line-height:1.58;color:var(--text2);}\n.tc{border-top:3px solid var(--cyan);}\n.tc:nth-child(1){border-top-color:#00d8f0;}\n.tc:nth-child(2){border-top-color:#29b6f6;}\n.tc:nth-child(3){border-top-color:#8866ff;}\n.tc:nth-child(4){border-top-color:#ffb300;}\n.tc:nth-child(5){border-top-color:#00cc70;}\n.tc:nth-child(6){border-top-color:#ff7043;}\n.tc:nth-child(7){border-top-color:#ec407a;}\n.tc:nth-child(8){border-top-color:#00b4a8;}\n.tc:nth-child(9){border-top-color:#42a5f5;}\n.tc:nth-child(10){border-top-color:#ab47bc;}\n.tc:nth-child(11){border-top-color:#66bb6a;}\n.tc:nth-child(12){border-top-color:#ef5350;}\n.tc:nth-child(13){border-top-color:#26c6da;}\n.tc:nth-child(14){border-top-color:#ffa726;}\n.tc:nth-child(15){border-top-color:#7e57c2;}\n.tc:nth-child(16){border-top-color:#78909c;}\n.tc:nth-child(17){border-top-color:#d4e157;}\n.sr{display:flex;align-items:flex-start;gap:12px;background:var(--surf);border:1px solid 
var(--border);padding:12px 14px;margin-bottom:6px;}\n.st{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.12em;padding:2px 7px;border-radius:2px;flex-shrink:0;margin-top:2px;white-space:nowrap;}\n.tid{background:rgba(0,216,240,.1);color:var(--cyan);border:1px solid rgba(0,216,240,.25);}\n.tdev{background:rgba(136,102,255,.1);color:#b39dff;border:1px solid rgba(136,102,255,.25);}\n.tnet{background:rgba(255,112,67,.1);color:#ff8a65;border:1px solid rgba(255,112,67,.25);}\n.tres{background:rgba(0,204,112,.1);color:var(--green);border:1px solid rgba(0,204,112,.25);}\n.tbeh{background:rgba(255,179,0,.1);color:var(--amber);border:1px solid rgba(255,179,0,.25);}\n.tpa{background:rgba(136,102,255,.1);color:#b39dff;border:1px solid rgba(136,102,255,.25);}\n.tpep{background:rgba(255,179,0,.1);color:var(--amber);border:1px solid rgba(255,179,0,.25);}\n.tcl{background:rgba(0,180,168,.1);color:#40d8d0;border:1px solid rgba(0,180,168,.25);}\n.tnew{background:rgba(0,204,112,.1);color:var(--green);border:1px solid rgba(0,204,112,.25);}\n.si{flex:1;}\n.sn{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:3px;}\n.sd{font-size:12px;color:var(--text2);line-height:1.5;}\n.or{display:flex;align-items:flex-start;gap:11px;border:1px solid var(--border);padding:13px 14px;margin-bottom:6px;}\n.or.grant{background:rgba(0,204,112,.04);border-color:rgba(0,204,112,.22);}\n.or.deny{background:rgba(232,72,72,.04);border-color:rgba(232,72,72,.22);}\n.or.step{background:rgba(255,179,0,.04);border-color:rgba(255,179,0,.22);}\n.od{width:9px;height:9px;border-radius:50%;flex-shrink:0;margin-top:4px;}\n.od.g{background:var(--green);}.od.d{background:var(--red);}.od.s{background:var(--amber);}\n.ol{font-family:var(--cond);font-size:14px;font-weight:700;color:#fff;margin-bottom:3px;}\n.oc{font-size:12px;color:var(--text2);line-height:1.5;}\n.ib{background:var(--surf);border:1px solid var(--border);border-left:3px solid var(--cyan);padding:14px 
16px;margin:14px 0;}\n.ib.a{border-left-color:var(--amber);}\n.ib.g{border-left-color:var(--green);}\n.ib.p{border-left-color:var(--purple);}\n.ib.r{border-left-color:var(--red);}\n.ibt{font-family:var(--cond);font-size:13px;font-weight:700;color:#fff;margin-bottom:5px;}\n.ibb{font-size:12px;line-height:1.6;color:var(--text2);}\n.ibb strong{color:var(--text);}\ntable{width:100%;border-collapse:collapse;font-size:12.5px;margin:14px 0;}\nth{font-family:var(--mono);font-size:8.5px;font-weight:700;letter-spacing:.12em;text-transform:uppercase;color:var(--text3);padding:8px 12px;border-bottom:1px solid var(--border2);text-align:left;}\ntd{padding:10px 12px;border-bottom:1px solid var(--border);color:var(--text2);line-height:1.5;vertical-align:top;}\ntd:first-child{color:var(--text);font-weight:500;}\ntr:last-child td{border-bottom:none;}\n.pg{display:grid;grid-template-columns:1fr 1fr;gap:12px;}\n.pb{background:var(--surf);border:1px solid var(--border);padding:18px;}\n.pbg{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;padding:3px 8px;border-radius:2px;text-transform:uppercase;display:inline-block;margin-bottom:10px;}\n.pbg.c{background:rgba(0,216,240,.1);color:var(--cyan);border:1px solid rgba(0,216,240,.25);}\n.pbg.d{background:rgba(0,204,112,.1);color:var(--green);border:1px solid rgba(0,204,112,.25);}\n.pbg.w{background:rgba(255,179,0,.1);color:var(--amber);border:1px solid rgba(255,179,0,.25);}\n.pbg.r{background:rgba(232,72,72,.1);color:var(--red);border:1px solid rgba(232,72,72,.25);}\n.pbn{font-family:var(--cond);font-size:17px;font-weight:700;color:#fff;margin-bottom:12px;}\n.pi{display:flex;gap:8px;font-size:12.5px;color:var(--text2);line-height:1.5;margin-bottom:7px;}\n.pi::before{content:'\u25b8';color:var(--text3);font-size:9px;flex-shrink:0;margin-top:2px;}\n.pi strong{color:var(--text);}\n.dc{background:var(--surf);border:1px solid 
var(--border);padding:20px;}\n.di{font-size:20px;margin-bottom:10px;}\n.dt{font-family:var(--cond);font-size:16px;font-weight:700;color:#fff;margin-bottom:3px;}\n.ds{font-family:var(--mono);font-size:8px;font-weight:700;color:var(--text3);letter-spacing:.12em;text-transform:uppercase;margin-bottom:10px;}\n.dxt{font-size:12px;line-height:1.6;color:var(--text2);}\n.dl li{font-size:11.5px;color:var(--text2);list-style:none;display:flex;align-items:flex-start;gap:6px;margin-top:5px;}\n.dl li::before{content:'\u2014';color:var(--text3);font-size:9px;margin-top:2px;flex-shrink:0;}\n.related{margin-top:34px;border-top:1px solid var(--border);padding-top:16px;}\n.rlab{font-family:var(--mono);font-size:8.5px;font-weight:700;letter-spacing:.16em;text-transform:uppercase;color:var(--text3);margin-bottom:10px;}\n.rls{display:flex;flex-wrap:wrap;gap:7px;}\n.rl{font-size:11.5px;font-family:var(--mono);color:var(--cyan);background:rgba(0,216,240,.05);border:1px solid rgba(0,216,240,.18);padding:4px 11px;cursor:pointer;transition:background .1s;}\n.rl:hover{background:rgba(0,216,240,.12);}\n.diag{background:var(--surf);border:1px solid var(--border);padding:20px;margin-bottom:18px;}\n.dcap{font-family:var(--mono);font-size:9px;color:var(--text3);margin-top:10px;letter-spacing:.06em;}\n.sb-copy{padding:10px 18px 14px;font-family:var(--mono);font-size:9px;color:var(--text3);letter-spacing:.06em;flex-shrink:0;border-top:1px solid var(--border);}\nbody.light .sb-copy{color:#4a6680;}\n.ni-doc:hover{color:var(--cyan);background:rgba(0,216,240,.08);}\n.nd-ext{font-size:11px;color:var(--cyan);flex-shrink:0;line-height:1;}\n.sb-fsize{padding:10px 18px 12px;border-bottom:1px solid var(--border);flex-shrink:0;display:flex;align-items:center;gap:10px;flex-wrap:wrap;}\n.fsize-label{font-family:var(--mono);font-size:8px;font-weight:700;letter-spacing:.14em;text-transform:uppercase;color:var(--text3);}\n.fsize-btns{display:flex;gap:4px;}\n.fsz{background:var(--surf2);border:1px solid 
var(--border2);color:var(--text2);font-family:var(--mono);font-size:10px;font-weight:700;padding:3px 7px;cursor:pointer;border-radius:2px;transition:background .1s,color .1s;line-height:1;}\n.fsz:hover{background:var(--border2);color:var(--text);}\n.fsz:active{background:rgba(0,216,240,.15);color:var(--cyan);border-color:var(--cyan);}\n.theme-btn{margin-left:auto;background:var(--surf2);border:1px solid var(--border2);color:var(--text2);font-family:var(--mono);font-size:10px;font-weight:700;padding:3px 9px;cursor:pointer;border-radius:2px;transition:background .1s,color .1s;line-height:1;white-space:nowrap;}\n.theme-btn:hover{background:var(--border2);color:var(--text);}\n.tbl-wrap{overflow-x:auto;-webkit-overflow-scrolling:touch;margin:14px 0;}\n.tbl-wrap table{margin:0;}\n\n\/* \u2500\u2500 LIGHT MODE \u2500\u2500 *\/\nbody.light{\n  --bg:#eef2f7;--surf:#ffffff;--surf2:#e0e8f2;--border:#b0c4d8;--border2:#8aaac4;\n  --text:#0a111e;--text2:#1e3448;--text3:#4a6680;\n  --cyan:#005f8a;--amber:#a85c00;--green:#006030;--red:#a81820;--purple:#4422aa;\n  --blue:#0a50a0;--teal:#006060;\n}\nbody.light .sb-title{color:#0a111e;}\nbody.light .sb-sub{color:#2a3f58;}\nbody.light .sb-logo{color:#005f8a;}\nbody.light .ngl{color:var(--cyan);border-bottom-color:var(--border2);}\nbody.light .ni{color:#0a111e;}\nbody.light .ni:hover{background:var(--surf2);color:#0a111e;}\nbody.light .fsize-label{color:#2a3f58;}\nbody.light .fsz{color:#0a111e;border-color:var(--border2);}\nbody.light .theme-btn{color:#0a111e;border-color:var(--border2);}\nbody.light .p-title{color:#0a111e;}\nbody.light .p-title span{color:var(--cyan);}\nbody.light h3{color:#0a111e;}\nbody.light .card{background:var(--surf);border-color:var(--border);}\nbody.light .ctitle{color:#0a111e;}\nbody.light .sn{color:#0a111e;}\nbody.light .ol{color:#0a111e;}\nbody.light .ibt{color:#0a111e;}\nbody.light .dt{color:#0a111e;}\nbody.light .diag{background:var(--surf);}\nbody.light .pb{background:var(--surf);}\nbody.light table 
td:first-child{color:#1a2535;}\nbody.light .or.grant{background:rgba(0,122,64,.06);}\nbody.light .or.deny{background:rgba(192,32,42,.06);}\nbody.light .or.step{background:rgba(192,112,0,.06);}\nbody.light .ib{background:var(--surf);}\nbody.light .prose code{background:rgba(0,119,170,.1);}\nbody.light .pbn{color:#0a111e;}\n\n\/* \u2500\u2500 HAMBURGER BUTTON \u2500\u2500 *\/\n.hamburger{display:none;position:fixed;top:12px;left:12px;z-index:1100;background:var(--surf);border:1px solid var(--border);border-radius:4px;padding:8px 7px;cursor:pointer;flex-direction:column;gap:4px;align-items:center;justify-content:center;-webkit-tap-highlight-color:transparent;}\n.hamburger span{display:block;width:18px;height:2px;background:var(--cyan);border-radius:1px;transition:transform .2s,opacity .2s;}\n.hamburger.open span:nth-child(1){transform:translateY(6px) rotate(45deg);}\n.hamburger.open span:nth-child(2){opacity:0;}\n.hamburger.open span:nth-child(3){transform:translateY(-6px) rotate(-45deg);}\nbody.light .hamburger{background:#fff;border-color:var(--border);}\nbody.light .hamburger span{background:var(--cyan);}\n.sb-overlay{display:none;position:fixed;inset:0;background:rgba(0,0,0,.55);z-index:999;-webkit-backdrop-filter:blur(2px);backdrop-filter:blur(2px);}\n\n@media(max-width:900px){\n  .hamburger{display:flex;}\n  .sidebar{position:fixed;left:-260px;top:0;bottom:0;width:250px;min-width:250px;z-index:1000;transition:left .25s ease;box-shadow:none;}\n  .sidebar.open{left:0;box-shadow:4px 0 24px rgba(0,0,0,.45);}\n  .sb-overlay.open{display:block;}\n  .main{margin-left:0;}\n  .panel{padding:28px 28px 60px;max-width:100%;}\n  .p-title{font-size:36px;}\n  .cg3{grid-template-columns:1fr 1fr;}\n  .pg{grid-template-columns:1fr;}\n  .diag{padding:12px;overflow-x:auto;-webkit-overflow-scrolling:touch;}\n}\n@media(max-width:560px){\n  .panel{padding:18px 14px 48px;}\n  .p-title{font-size:28px;}\n  .p-sub{font-size:14px;margin-bottom:18px;}\n  h3{font-size:16px;}\n  
.prose{font-size:12.5px;}\n  .cg2,.cg3{grid-template-columns:1fr;}\n  .pg{grid-template-columns:1fr;}\n  table{font-size:11px;}\n  th{font-size:7.5px;padding:6px 8px;}\n  td{padding:8px;font-size:11px;}\n  .diag{padding:8px;margin-bottom:12px;}\n  .sr{flex-direction:column;gap:6px;}\n  .st{align-self:flex-start;}\n  .related{margin-top:22px;}\n  .rl{font-size:10.5px;padding:4px 8px;}\n  .sb-fsize{flex-wrap:wrap;gap:6px;}\n  .card{padding:12px;}\n  .ib{padding:10px 12px;}\n}\n<\/style>\n<\/head>\n<body class=\"light\">\n<div class=\"app\">\n\n<button class=\"hamburger\" id=\"menuBtn\" onclick=\"toggleMenu()\" aria-label=\"Toggle navigation\">\n  <span><\/span><span><\/span><span><\/span>\n<\/button>\n<div class=\"sb-overlay\" id=\"sbOverlay\" onclick=\"toggleMenu()\"><\/div>\n\n<aside class=\"sidebar\" id=\"sidebar\">\n  <div class=\"sb-hdr\">\n    <div class=\"sb-logo\">NIST SP 800-171<\/div>\n    <div class=\"sb-title\">Protecting<br>CUI<\/div>\n    <div class=\"sb-sub\">Interactive reference \u00b7 Rev 2 &amp; Rev 3<\/div>\n  <\/div>\n  <div class=\"sb-fsize\">\n    <span class=\"fsize-label\">Size<\/span>\n    <div class=\"fsize-btns\">\n      <button class=\"fsz\" onclick=\"adjFont(-1)\" title=\"Decrease font size\">A\u2212<\/button>\n      <button class=\"fsz\" onclick=\"adjFont(0)\" title=\"Reset font size\">A<\/button>\n      <button class=\"fsz\" onclick=\"adjFont(1)\" title=\"Increase font size\">A+<\/button>\n    <\/div>\n    <button class=\"theme-btn\" id=\"themeBtn\" onclick=\"toggleTheme()\" title=\"Toggle dark\/light mode\">\u263e Dark<\/button>\n  <\/div>\n  <nav>\n    <div class=\"ng\"><div class=\"ngl\">Overview<\/div>\n      <div class=\"ni active\" onclick=\"nav('overview')\"><span class=\"nd\"><\/span>What is 800-171<\/div>\n      <div class=\"ni\" onclick=\"nav('scope')\"><span class=\"nd\"><\/span>Scope &amp; Applicability<\/div>\n      <div class=\"ni\" onclick=\"nav('cui')\"><span class=\"nd\"><\/span>Controlled Unclassified Info<\/div>\n    
  <div class=\"ni\" onclick=\"nav('revisions')\"><span class=\"nd\"><\/span>Rev 2 vs Rev 3<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Control Families<\/div>\n      <div class=\"ni\" onclick=\"nav('ac')\"><span class=\"nd\"><\/span>Access Control<\/div>\n      <div class=\"ni\" onclick=\"nav('at')\"><span class=\"nd\"><\/span>Awareness &amp; Training<\/div>\n      <div class=\"ni\" onclick=\"nav('au')\"><span class=\"nd\"><\/span>Audit &amp; Accountability<\/div>\n      <div class=\"ni\" onclick=\"nav('cm')\"><span class=\"nd\"><\/span>Configuration Management<\/div>\n      <div class=\"ni\" onclick=\"nav('ia')\"><span class=\"nd\"><\/span>Identification &amp; Auth<\/div>\n      <div class=\"ni\" onclick=\"nav('ir')\"><span class=\"nd\"><\/span>Incident Response<\/div>\n      <div class=\"ni\" onclick=\"nav('ma')\"><span class=\"nd\"><\/span>Maintenance<\/div>\n      <div class=\"ni\" onclick=\"nav('mp')\"><span class=\"nd\"><\/span>Media Protection<\/div>\n      <div class=\"ni\" onclick=\"nav('pe')\"><span class=\"nd\"><\/span>Physical Protection<\/div>\n      <div class=\"ni\" onclick=\"nav('ps')\"><span class=\"nd\"><\/span>Personnel Security<\/div>\n      <div class=\"ni\" onclick=\"nav('ra')\"><span class=\"nd\"><\/span>Risk Assessment<\/div>\n      <div class=\"ni\" onclick=\"nav('ca')\"><span class=\"nd\"><\/span>Security Assessment<\/div>\n      <div class=\"ni\" onclick=\"nav('sc')\"><span class=\"nd\"><\/span>System &amp; Comms Protection<\/div>\n      <div class=\"ni\" onclick=\"nav('si')\"><span class=\"nd\"><\/span>System &amp; Info Integrity<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Rev 3 New Families<\/div>\n      <div class=\"ni\" onclick=\"nav('pl')\"><span class=\"nd\"><\/span>Planning<\/div>\n      <div class=\"ni\" onclick=\"nav('sa')\"><span class=\"nd\"><\/span>System &amp; Services Acquisition<\/div>\n      <div class=\"ni\" onclick=\"nav('sr')\"><span class=\"nd\"><\/span>Supply Chain Risk 
Mgmt<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Compliance<\/div>\n      <div class=\"ni\" onclick=\"nav('cmmc')\"><span class=\"nd\"><\/span>CMMC Alignment<\/div>\n      <div class=\"ni\" onclick=\"nav('sprs')\"><span class=\"nd\"><\/span>SPRS Scoring<\/div>\n      <div class=\"ni\" onclick=\"nav('ssp')\"><span class=\"nd\"><\/span>SSP &amp; POA&amp;M<\/div>\n    <\/div>\n    <div class=\"ng\"><div class=\"ngl\">Source<\/div>\n      <div class=\"ni ni-doc\" onclick=\"openNIST()\"><span class=\"nd-ext\">\u2197<\/span>NIST SP 800-171 PDF<\/div>\n    <\/div>\n  <\/nav>\n  <div class=\"sb-copy\">2026 Steve Hatch<\/div>\n<\/aside>\n\n<main class=\"main\">\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 OVERVIEW \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel active\" id=\"panel-overview\">\n  <div class=\"p-eye\">NIST SP 800-171 \u00b7 Introduction<\/div>\n  <div class=\"p-title\">Protecting <span>CUI<\/span><\/div>\n  <div class=\"p-sub\">Security requirements for Controlled Unclassified Information in nonfederal systems and organizations<\/div>\n\n  <div class=\"diag\">\n    <svg width=\"100%\" viewBox=\"0 0 740 340\" style=\"display:block\">\n      <defs><marker id=\"arr\" viewBox=\"0 0 10 10\" refX=\"8\" refY=\"5\" markerWidth=\"6\" markerHeight=\"6\" orient=\"auto-start-reverse\"><path d=\"M2 1L8 5L2 9\" fill=\"none\" stroke=\"context-stroke\" stroke-width=\"1.5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/marker><\/defs>\n\n      <!-- Background zones -->\n      <rect x=\"6\" y=\"6\" width=\"728\" height=\"120\" rx=\"3\" fill=\"none\" stroke=\"#1a7fd4\" stroke-width=\".7\" stroke-dasharray=\"6,3\" opacity=\".28\"\/>\n      <text x=\"18\" y=\"20\" font-family=\"IBM Plex Mono\" font-size=\"9\" fill=\"#1a7fd4\" letter-spacing=\"2\" opacity=\".55\" 
font-weight=\"700\">FEDERAL AUTHORITY<\/text>\n\n      <rect x=\"6\" y=\"136\" width=\"728\" height=\"196\" rx=\"3\" fill=\"none\" stroke=\"#00cc70\" stroke-width=\".7\" stroke-dasharray=\"6,3\" opacity=\".28\"\/>\n      <text x=\"18\" y=\"150\" font-family=\"IBM Plex Mono\" font-size=\"9\" fill=\"#00cc70\" letter-spacing=\"2\" opacity=\".55\" font-weight=\"700\">NONFEDERAL ORGANIZATION<\/text>\n\n      <!-- Federal boxes -->\n      <rect x=\"20\" y=\"32\" width=\"160\" height=\"82\" rx=\"3\" fill=\"#0d1420\" stroke=\"#1a7fd4\" stroke-width=\"1.2\"\/>\n      <rect x=\"20\" y=\"32\" width=\"160\" height=\"4\" rx=\"2\" fill=\"#1a7fd4\"\/>\n      <text x=\"100\" y=\"60\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">Federal Agency<\/text>\n      <text x=\"100\" y=\"78\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Originates CUI<\/text>\n      <text x=\"100\" y=\"93\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Defines requirements<\/text>\n      <text x=\"100\" y=\"106\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#4d6780\">DFARS \u00b7 FAR \u00b7 Contract<\/text>\n\n      <rect x=\"220\" y=\"32\" width=\"160\" height=\"82\" rx=\"3\" fill=\"#0d1420\" stroke=\"#8866ff\" stroke-width=\"1.2\"\/>\n      <rect x=\"220\" y=\"32\" width=\"160\" height=\"4\" rx=\"2\" fill=\"#8866ff\" opacity=\".8\"\/>\n      <text x=\"300\" y=\"60\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">NIST SP 800-171<\/text>\n      <text x=\"300\" y=\"78\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">97\u2013110 requirements<\/text>\n      <text x=\"300\" y=\"93\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">14\u201317 control families<\/text>\n      <text x=\"300\" y=\"106\" text-anchor=\"middle\" 
font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#b39dff\">Derived from SP 800-53<\/text>\n\n      <rect x=\"420\" y=\"32\" width=\"150\" height=\"82\" rx=\"3\" fill=\"#0d1420\" stroke=\"#ffb300\" stroke-width=\"1.2\"\/>\n      <rect x=\"420\" y=\"32\" width=\"150\" height=\"4\" rx=\"2\" fill=\"#ffb300\" opacity=\".7\"\/>\n      <text x=\"495\" y=\"60\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">CMMC<\/text>\n      <text x=\"495\" y=\"78\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Level 2 = 800-171<\/text>\n      <text x=\"495\" y=\"93\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Third-party verification<\/text>\n      <text x=\"495\" y=\"106\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#ffb300\">DoD rulemaking<\/text>\n\n      <rect x=\"610\" y=\"32\" width=\"116\" height=\"82\" rx=\"3\" fill=\"#0d1420\" stroke=\"#e84848\" stroke-width=\"1\"\/>\n      <rect x=\"610\" y=\"32\" width=\"116\" height=\"4\" rx=\"2\" fill=\"#e84848\" opacity=\".7\"\/>\n      <text x=\"668\" y=\"60\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"15\" font-weight=\"700\" fill=\"#fff\">SP 800-171A<\/text>\n      <text x=\"668\" y=\"78\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Assessment guide<\/text>\n      <text x=\"668\" y=\"93\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">320\u2013422 objectives<\/text>\n      <text x=\"668\" y=\"106\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#4d6780\">Verification procedures<\/text>\n\n      <!-- Arrows top row -->\n      <line x1=\"180\" y1=\"73\" x2=\"220\" y2=\"73\" stroke=\"#4d6780\" stroke-width=\"1.3\" marker-end=\"url(#arr)\"\/>\n      <line x1=\"380\" y1=\"73\" x2=\"420\" y2=\"73\" stroke=\"#4d6780\" stroke-width=\"1.3\" 
marker-end=\"url(#arr)\"\/>\n      <line x1=\"570\" y1=\"73\" x2=\"610\" y2=\"73\" stroke=\"#4d6780\" stroke-width=\"1.3\" stroke-dasharray=\"5,3\" marker-end=\"url(#arr)\"\/>\n\n      <!-- Nonfederal org boxes -->\n      <rect x=\"20\" y=\"162\" width=\"220\" height=\"82\" rx=\"3\" fill=\"#111b2e\" stroke=\"#263d5e\" stroke-width=\"1\"\/>\n      <text x=\"130\" y=\"190\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">CUI Boundary<\/text>\n      <text x=\"130\" y=\"208\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Systems that process, store,<\/text>\n      <text x=\"130\" y=\"222\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">or transmit CUI<\/text>\n      <text x=\"130\" y=\"237\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"9\" fill=\"#4d6780\">In-scope components<\/text>\n\n      <rect x=\"270\" y=\"162\" width=\"220\" height=\"82\" rx=\"3\" fill=\"#111b2e\" stroke=\"#00cc70\" stroke-width=\"1.2\"\/>\n      <rect x=\"270\" y=\"162\" width=\"220\" height=\"4\" rx=\"2\" fill=\"#00cc70\" opacity=\".6\"\/>\n      <text x=\"380\" y=\"190\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">Security Controls<\/text>\n      <text x=\"380\" y=\"208\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">110 requirements (Rev 2)<\/text>\n      <text x=\"380\" y=\"222\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">14 control families<\/text>\n      <text x=\"380\" y=\"237\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#00cc70\">Implemented &amp; documented<\/text>\n\n      <rect x=\"520\" y=\"162\" width=\"206\" height=\"82\" rx=\"3\" fill=\"#111b2e\" stroke=\"#00b4a8\" stroke-width=\"1\"\/>\n      <rect x=\"520\" y=\"162\" width=\"206\" height=\"4\" rx=\"2\" fill=\"#00b4a8\" 
opacity=\".6\"\/>\n      <text x=\"623\" y=\"190\" text-anchor=\"middle\" font-family=\"Barlow Condensed\" font-size=\"16\" font-weight=\"700\" fill=\"#fff\">SSP + POA&amp;M<\/text>\n      <text x=\"623\" y=\"208\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">System Security Plan<\/text>\n      <text x=\"623\" y=\"222\" text-anchor=\"middle\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\">Plan of Action &amp; Milestones<\/text>\n      <text x=\"623\" y=\"237\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" fill=\"#40d8d0\">SPRS score submitted<\/text>\n\n      <!-- Arrows between nonfederal -->\n      <line x1=\"240\" y1=\"203\" x2=\"270\" y2=\"203\" stroke=\"#00cc70\" stroke-width=\"2\" marker-end=\"url(#arr)\"\/>\n      <line x1=\"490\" y1=\"203\" x2=\"520\" y2=\"203\" stroke=\"#00b4a8\" stroke-width=\"2\" marker-end=\"url(#arr)\"\/>\n\n      <!-- Down from 800-171 to controls -->\n      <path d=\"M300,114 L300,130 L380,130 L380,162\" fill=\"none\" stroke=\"#8866ff\" stroke-width=\"1.5\" marker-end=\"url(#arr)\"\/>\n      <rect x=\"318\" y=\"124\" width=\"48\" height=\"12\" rx=\"1\" style=\"fill:var(--bg)\"\/>\n      <text x=\"342\" y=\"133\" text-anchor=\"middle\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"600\" fill=\"#b39dff\">defines<\/text>\n\n      <!-- Legend -->\n      <rect x=\"20\" y=\"262\" width=\"706\" height=\"68\" rx=\"3\" fill=\"#0d1420\" stroke=\"#1e2f4a\" stroke-width=\"1\"\/>\n      <text x=\"32\" y=\"278\" font-family=\"IBM Plex Mono\" font-size=\"8\" font-weight=\"700\" fill=\"#4d6780\" letter-spacing=\"1\">KEY RELATIONSHIPS<\/text>\n      <text x=\"32\" y=\"295\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" fill=\"#1a7fd4\">Federal Agency<\/tspan> originates CUI and mandates protection via DFARS 252.204-7012<\/text>\n      <text x=\"32\" y=\"310\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan 
font-weight=\"600\" fill=\"#8866ff\">SP 800-171<\/tspan> provides the security requirements derived from SP 800-53 moderate baseline<\/text>\n      <text x=\"32\" y=\"325\" font-family=\"Barlow\" font-size=\"10\" fill=\"#8ba3c0\"><tspan font-weight=\"600\" fill=\"#ffb300\">CMMC Level 2<\/tspan> maps directly to 800-171 \u2014 adds third-party assessment verification<\/text>\n    <\/svg>\n    <div class=\"dcap\">CUI protection lifecycle \u00b7 from federal authority through nonfederal implementation and verification<\/div>\n  <\/div>\n\n  <div class=\"prose\"><strong>NIST Special Publication 800-171<\/strong> establishes the security requirements that nonfederal organizations must implement when they process, store, or transmit Controlled Unclassified Information (CUI) on behalf of federal agencies. It is not optional guidance \u2014 for DoD contractors, compliance is a contractual obligation under DFARS 252.204-7012, and it serves as the foundation for CMMC Level 2 certification.<\/div>\n  <div class=\"prose\">The publication is derived from <strong>NIST SP 800-53<\/strong>, the comprehensive security control catalog used by federal agencies. SP 800-171 tailors the 800-53 moderate baseline down to the controls directly related to protecting CUI confidentiality \u2014 currently <strong>110 requirements across 14 control families<\/strong> in Rev 2, and <strong>97 requirements across 17 control families<\/strong> in Rev 3.<\/div>\n\n  <h3>Core principle<\/h3>\n  <div class=\"ib\"><div class=\"ibt\">CUI has the same value regardless of where it resides<\/div><div class=\"ibb\">Whether CUI is on a federal network or a contractor&#8217;s laptop, its confidentiality must be protected to the same standard. SP 800-171 exists because <strong>the federal government&#8217;s ability to conduct its missions depends on information that lives outside federal boundaries<\/strong>. 
The publication ensures nonfederal organizations don&#8217;t become the weak link in the information supply chain.<\/div><\/div>\n\n  <h3>What it covers \u2014 at a glance<\/h3>\n  <div class=\"cg cg2\" style=\"margin-top:14px\">\n    <div class=\"card tc\"><div class=\"cnum\">14 FAMILIES (REV 2)<\/div><div class=\"ctitle\">Access Control through System Integrity<\/div><div class=\"ctext\">The original 14 control families span technical controls (access, audit, encryption), operational controls (maintenance, media, incident response), and management controls (risk assessment, security assessment).<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">110 REQUIREMENTS (REV 2)<\/div><div class=\"ctitle\">Basic &amp; Derived requirements<\/div><div class=\"ctext\">In Rev 2, each family contains basic requirements (from FIPS 200) and derived requirements (from SP 800-53), and every requirement maps to one or more 800-53 controls in the moderate baseline. Rev 3 retires the basic-versus-derived distinction and adds organization-defined parameters (ODPs) \u2014 values such as time periods and review frequencies that a federal agency can assign (or, absent that, the organization sets itself), so confirm which ODP values bind you before assessing.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">320 ASSESSMENT OBJECTIVES<\/div><div class=\"ctitle\">SP 800-171A verification<\/div><div class=\"ctext\">The companion assessment guide (SP 800-171A) breaks each requirement into determination statements \u2014 the specific checks an assessor uses to verify implementation. Rev 3 expands this to 422.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">SPRS SCORE<\/div><div class=\"ctitle\">Quantified compliance posture<\/div><div class=\"ctext\">The Supplier Performance Risk System score ranges from \u2212203 to 110 under the DoD Assessment Methodology, which subtracts 1, 3, or 5 points for each unimplemented requirement according to its weight. A score of 110 means full implementation. 
Anything less requires a Plan of Action &amp; Milestones (POA&amp;M) for each gap.<\/div><\/div>\n  <\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('cui')\">CUI overview<\/span><span class=\"rl\" onclick=\"nav('scope')\">Scope &amp; applicability<\/span><span class=\"rl\" onclick=\"nav('cmmc')\">CMMC alignment<\/span><span class=\"rl\" onclick=\"nav('revisions')\">Rev 2 vs Rev 3<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 SCOPE \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-scope\">\n  <div class=\"p-eye\">NIST SP 800-171 \u00b7 Chapter 1<\/div>\n  <div class=\"p-title\">Scope &amp; <span>Applicability<\/span><\/div>\n  <div class=\"p-sub\">Who must implement, what&#8217;s in scope, and where the boundary falls<\/div>\n  <div class=\"prose\">SP 800-171 applies to <strong>any nonfederal organization<\/strong> that processes, stores, or transmits CUI \u2014 or that provides protection for system components that do. This includes defense contractors, subcontractors, research universities, state and local governments, and any entity receiving CUI through a federal contract, grant, or agreement.<\/div>\n\n  <h3>What triggers the requirement<\/h3>\n  <div class=\"sr\"><span class=\"st tid\">DFARS<\/span><div class=\"si\"><div class=\"sn\">DFARS 252.204-7012<\/div><div class=\"sd\">Defense Federal Acquisition Regulation Supplement clause. Requires DoD contractors to implement 800-171 on any system handling Covered Defense Information (CDI) \u2014 the DoD&#8217;s term for CUI. 
Non-negotiable for contract award.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">FAR<\/span><div class=\"si\"><div class=\"sn\">FAR CUI clause (forthcoming)<\/div><div class=\"sd\">The Federal Acquisition Regulation will extend 800-171 requirements to all federal agencies, not just DoD. When finalized, any contractor handling CUI for any agency will need compliance.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">CMMC<\/span><div class=\"si\"><div class=\"sn\">CMMC Level 2 certification<\/div><div class=\"sd\">Cybersecurity Maturity Model Certification Level 2 maps directly to SP 800-171. Third-party assessment (C3PAO) verifies implementation. Required for DoD contracts involving CUI.<\/div><\/div><\/div>\n\n  <h3>Scoping the CUI boundary<\/h3>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">In scope \u2014 CUI assets<\/div><div class=\"oc\">Any system component that processes, stores, or transmits CUI. Includes servers, workstations, laptops, mobile devices, network infrastructure, cloud services, and applications that touch CUI data.<\/div><\/div><\/div>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">In scope \u2014 security protection assets<\/div><div class=\"oc\">Components that provide security functions for CUI assets even if they don&#8217;t directly handle CUI \u2014 firewalls, SIEM, authentication servers, backup systems, and security monitoring tools.<\/div><\/div><\/div>\n  <div class=\"or step\"><div class=\"od s\"><\/div><div><div class=\"ol\">Potentially in scope \u2014 contractor risk assets<\/div><div class=\"oc\">Systems that can, but are not intended to, process CUI. 
If CUI could traverse these components, they must either be brought into scope or architecturally isolated.<\/div><\/div><\/div>\n  <div class=\"or deny\"><div class=\"od d\"><\/div><div><div class=\"ol\">Out of scope \u2014 isolated systems<\/div><div class=\"oc\">Systems with no physical or logical connection to CUI processing. Must be genuinely isolated \u2014 not just segmented. Architectural evidence required.<\/div><\/div><\/div>\n\n  <div class=\"ib a\"><div class=\"ibt\">Scope reduction through architectural isolation<\/div><div class=\"ibb\">Organizations can limit their compliance boundary by <strong>isolating CUI processing into a dedicated security domain<\/strong> \u2014 using subnetworks, firewalls, boundary protection devices, and information flow control. This is legitimate scope reduction, but the isolation must be provably enforced. A VLAN tag alone is not sufficient; the isolation must be architecturally defensible.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('overview')\">Overview<\/span><span class=\"rl\" onclick=\"nav('cui')\">CUI overview<\/span><span class=\"rl\" onclick=\"nav('ssp')\">SSP &amp; POA&amp;M<\/span><span class=\"rl\" onclick=\"nav('cmmc')\">CMMC alignment<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CUI \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-cui\">\n  <div class=\"p-eye\">32 CFR Part 2002 \u00b7 CUI Program<\/div>\n  <div class=\"p-title\">Controlled <span>Unclassified<\/span> Information<\/div>\n  <div class=\"p-sub\">What CUI is, where it comes from, and why it requires protection<\/div>\n  <div class=\"prose\">Controlled Unclassified Information (CUI) is information that the government creates or possesses \u2014 or that an 
entity creates or possesses for or on behalf of the government \u2014 that requires safeguarding or dissemination controls, but is <strong>not classified<\/strong>. It sits in the gap between publicly releasable information and classified national security information.<\/div>\n\n  <h3>Common CUI categories in defense contracts<\/h3>\n  <div class=\"cg cg3\" style=\"margin-top:14px\">\n    <div class=\"card tc\"><div class=\"cnum\">CTI<\/div><div class=\"ctitle\">Controlled Technical Information<\/div><div class=\"ctext\">Technical data with military or space application, subject to distribution controls. Includes engineering drawings, specs, and technical manuals.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">ITAR<\/div><div class=\"ctitle\">Export-Controlled<\/div><div class=\"ctext\">Information subject to ITAR or EAR export control regulations. Overlaps heavily with CUI in defense manufacturing contexts.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">PCII<\/div><div class=\"ctitle\">Critical Infrastructure<\/div><div class=\"ctext\">Protected Critical Infrastructure Information related to vulnerability assessments, security plans, and operational details.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">PII<\/div><div class=\"ctitle\">Personally Identifiable<\/div><div class=\"ctext\">Personal information that, if disclosed, could result in harm. Social Security numbers, medical records, financial data of government personnel.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">PROPIN<\/div><div class=\"ctitle\">Proprietary Business<\/div><div class=\"ctext\">Contractor proprietary information provided to the government under contract, requiring protection from unauthorized disclosure.<\/div><\/div>\n    <div class=\"card tc\"><div class=\"cnum\">FOUO<\/div><div class=\"ctitle\">For Official Use Only<\/div><div class=\"ctext\">Legacy marking largely replaced by CUI. Still encountered in older documents. 
Treat as CUI for protection purposes.<\/div><\/div>\n  <\/div>\n\n  <div class=\"ib r\"><div class=\"ibt\">CUI marking is the trigger \u2014 not classification<\/div><div class=\"ibb\">If your DoD contract specifies CUI, DFARS 7012 applies, and SP 800-171 compliance is required. You don&#8217;t need to determine CUI categories yourself \u2014 the <strong>federal agency originating the information<\/strong> is responsible for marking it. Your job is to protect anything marked CUI (or CDI in DoD parlance) on your systems to the SP 800-171 standard.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('scope')\">Scope &amp; applicability<\/span><span class=\"rl\" onclick=\"nav('mp')\">Media protection<\/span><span class=\"rl\" onclick=\"nav('ac')\">Access control<\/span><span class=\"rl\" onclick=\"nav('sc')\">System &amp; comms protection<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 REVISIONS \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-revisions\">\n  <div class=\"p-eye\">Revision comparison<\/div>\n  <div class=\"p-title\">Rev 2 <span>vs Rev 3<\/span><\/div>\n  <div class=\"p-sub\">What changed, what it means, and which version applies today<\/div>\n  <div class=\"prose\">NIST published the final version of SP 800-171 Revision 3 in May 2024. However, the DoD issued Class Deviation 2024-O0013 mandating that <strong>contractors continue using Revision 2<\/strong> for DFARS 252.204-7012 compliance. All CMMC Level 2 assessments currently reference Rev 2&#8217;s 110 controls. 
Rev 3 adoption for DoD contractors is expected between late 2026 and early 2027.<\/div>\n\n  <div class=\"pg\" style=\"margin-top:18px\">\n    <div class=\"pb\">\n      <div class=\"pbg c\">Rev 2 \u2014 Current for CMMC<\/div>\n      <div class=\"pbn\">110 requirements \u00b7 14 families<\/div>\n      <div class=\"pi\"><strong>Published:<\/strong> February 2020 (Updated January 2021)<\/div>\n      <div class=\"pi\"><strong>Basic + Derived requirements<\/strong> \u2014 dual sourced from FIPS 200 and SP 800-53<\/div>\n      <div class=\"pi\"><strong>320 assessment objectives<\/strong> in SP 800-171A<\/div>\n      <div class=\"pi\"><strong>&#8220;Periodically&#8221;<\/strong> used throughout \u2014 ambiguous timing<\/div>\n      <div class=\"pi\"><strong>NFO assumptions<\/strong> \u2014 60+ controls assumed in place but not specified<\/div>\n      <div class=\"pi\"><strong>SPRS scoring<\/strong> against these 110 controls<\/div>\n    <\/div>\n    <div class=\"pb\">\n      <div class=\"pbg d\">Rev 3 \u2014 Future state<\/div>\n      <div class=\"pbn\">97 requirements \u00b7 17 families<\/div>\n      <div class=\"pi\"><strong>Published:<\/strong> May 14, 2024 (Final)<\/div>\n      <div class=\"pi\"><strong>Single source<\/strong> \u2014 all requirements derived from SP 800-53 only<\/div>\n      <div class=\"pi\"><strong>422 assessment objectives<\/strong> \u2014 32% increase in verification depth<\/div>\n      <div class=\"pi\"><strong>&#8220;Periodically&#8221; eliminated<\/strong> \u2014 specific frequencies required<\/div>\n      <div class=\"pi\"><strong>NFO controls eliminated<\/strong> \u2014 if it&#8217;s required, it&#8217;s in the standard<\/div>\n      <div class=\"pi\"><strong>49 ODPs<\/strong> \u2014 organization-defined parameters for flexibility<\/div>\n    <\/div>\n  <\/div>\n\n  <h3>Key structural changes<\/h3>\n  <div class=\"tbl-wrap\">\n  <table>\n    <tr><th>Attribute<\/th><th>Rev 2<\/th><th>Rev 3<\/th><\/tr>\n    <tr><td>Control 
families<\/td><td>14<\/td><td>17 (+PL, SA, SR)<\/td><\/tr>\n    <tr><td>Requirements<\/td><td>110<\/td><td>97 (but broader scope each)<\/td><\/tr>\n    <tr><td>Assessment objectives<\/td><td>320<\/td><td>422<\/td><\/tr>\n    <tr><td>800-53 controls represented<\/td><td>~110<\/td><td>156<\/td><\/tr>\n    <tr><td>ODPs<\/td><td>None<\/td><td>49<\/td><\/tr>\n    <tr><td>NFO assumptions<\/td><td>60+<\/td><td>Eliminated<\/td><\/tr>\n    <tr><td>Basic vs Derived<\/td><td>Yes<\/td><td>Eliminated<\/td><\/tr>\n    <tr><td>Withdrawn controls<\/td><td>N\/A<\/td><td>33 (absorbed into others)<\/td><\/tr>\n  <\/table>\n  <\/div>\n\n  <div class=\"ib a\"><div class=\"ibt\">Fewer requirements does not mean a lower bar<\/div><div class=\"ibb\">Rev 3&#8217;s reduction from 110 to 97 requirements is primarily consolidation, not relaxation. Many withdrawn controls are folded into broader requirements. The companion assessment guide&#8217;s jump from 320 to <strong>422 determination statements<\/strong> tells the real story \u2014 the verification burden increased by 32%. 
Combined with 49 ODPs, the total number of items requiring documentation is approximately 510.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('overview')\">Overview<\/span><span class=\"rl\" onclick=\"nav('cmmc')\">CMMC alignment<\/span><span class=\"rl\" onclick=\"nav('sprs')\">SPRS scoring<\/span><span class=\"rl\" onclick=\"nav('pl')\">Planning (new)<\/span><span class=\"rl\" onclick=\"nav('sr')\">Supply chain (new)<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 ACCESS CONTROL \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ac\">\n  <div class=\"p-eye\">Family 3.1 \u00b7 22 Requirements<\/div>\n  <div class=\"p-title\">Access <span>Control<\/span><\/div>\n  <div class=\"p-sub\">The largest control family \u2014 governs who can access CUI, under what conditions, with what enforcement<\/div>\n  <div class=\"prose\">Access Control is the foundation of CUI protection. Its 22 requirements address <strong>system access limitations, information flow control, separation of duties, least privilege, session management, and remote access<\/strong>. If an attacker can bypass access controls, no other family matters.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tid\">3.1.1<\/span><div class=\"si\"><div class=\"sn\">Limit system access to authorized users<\/div><div class=\"sd\">Access to CUI systems must be limited to authorized users, processes acting on behalf of authorized users, and authorized devices (including other systems). 
This is the foundational gate \u2014 every other AC control builds on it.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.1.2<\/span><div class=\"si\"><div class=\"sn\">Limit system access to authorized functions<\/div><div class=\"sd\">Users receive only the transactions and functions they are authorized to execute. Role-based access control (RBAC) is the most common implementation, but attribute-based (ABAC) is increasingly adopted.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.1.3<\/span><div class=\"si\"><div class=\"sn\">Control CUI flow<\/div><div class=\"sd\">Control the flow of CUI in accordance with approved authorizations. Prevent CUI from flowing to unauthorized systems, users, or external networks. DLP, boundary protection, and network segmentation are typical controls.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.1.5<\/span><div class=\"si\"><div class=\"sn\">Least privilege<\/div><div class=\"sd\">Employ the principle of least privilege, including for specific security functions and privileged accounts. Users get the minimum access needed to perform their duties \u2014 no more.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.1.12<\/span><div class=\"si\"><div class=\"sn\">Monitor and control remote access<\/div><div class=\"sd\">Remote access sessions must be monitored and controlled. Encrypted tunnels (VPN\/ZTNA), MFA, and session monitoring are required. Remote access is a primary attack vector.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.1.22<\/span><div class=\"si\"><div class=\"sn\">Control CUI on publicly accessible systems<\/div><div class=\"sd\">Control CUI posted or processed on publicly accessible systems. 
Prevent inadvertent disclosure of CUI through web servers, file shares, or collaboration platforms with public-facing components.<\/div><\/div><\/div>\n\n  <div class=\"ib\"><div class=\"ibt\">Access Control is where Zero Trust and 800-171 converge<\/div><div class=\"ibb\">Requirements 3.1.1 through 3.1.22 collectively establish the access model that Zero Trust Architecture (SP 800-207) operationalizes. <strong>No implicit trust from network location<\/strong> (3.1.14), <strong>least privilege<\/strong> (3.1.5), <strong>session control<\/strong> (3.1.10\u201311), and <strong>remote access monitoring<\/strong> (3.1.12) are ZTA tenets expressed as compliance requirements.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ia')\">Identification &amp; auth<\/span><span class=\"rl\" onclick=\"nav('sc')\">System &amp; comms protection<\/span><span class=\"rl\" onclick=\"nav('au')\">Audit &amp; accountability<\/span><span class=\"rl\" onclick=\"nav('pe')\">Physical protection<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 AWARENESS & TRAINING \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-at\">\n  <div class=\"p-eye\">Family 3.2 \u00b7 3 Requirements<\/div>\n  <div class=\"p-title\">Awareness <span>&amp; Training<\/span><\/div>\n  <div class=\"p-sub\">Ensuring personnel understand cybersecurity risks and their responsibilities for CUI protection<\/div>\n  <div class=\"prose\">This family ensures that all users of CUI systems are <strong>aware of security risks<\/strong> and trained in their responsibilities. It covers general security awareness, role-based training for privileged users, and insider threat awareness. 
The human layer is often the weakest link \u2014 this family addresses it directly.<\/div>\n\n  <h3>Requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tbeh\">3.2.1<\/span><div class=\"si\"><div class=\"sn\">Security awareness for all users<\/div><div class=\"sd\">Ensure that managers, systems administrators, and users are made aware of the security risks associated with their activities and the applicable policies, standards, and procedures related to the security of CUI systems.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">3.2.2<\/span><div class=\"si\"><div class=\"sn\">Role-based security training<\/div><div class=\"sd\">Ensure personnel are trained to carry out their assigned information security-related duties and responsibilities. Privileged users and system administrators receive specialized training beyond general awareness.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">3.2.3<\/span><div class=\"si\"><div class=\"sn\">Insider threat awareness<\/div><div class=\"sd\">Provide security awareness training on recognizing and reporting potential indicators of insider threats. 
In Rev 3, this is absorbed into requirement 3.2.1 \u2014 it isn&#8217;t removed, just consolidated.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ps')\">Personnel security<\/span><span class=\"rl\" onclick=\"nav('ir')\">Incident response<\/span><span class=\"rl\" onclick=\"nav('ca')\">Security assessment<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 AUDIT & ACCOUNTABILITY \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-au\">\n  <div class=\"p-eye\">Family 3.3 \u00b7 9 Requirements<\/div>\n  <div class=\"p-title\">Audit &amp; <span>Accountability<\/span><\/div>\n  <div class=\"p-sub\">Logging, monitoring, and retaining evidence of all CUI system activity<\/div>\n  <div class=\"prose\">Audit and Accountability establishes the requirement to <strong>create, protect, retain, and review audit logs<\/strong> for all CUI system activity. Without audit trails, breaches cannot be detected, investigated, or attributed. This family provides the forensic foundation for incident response and the compliance evidence for assessments.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tpep\">3.3.1<\/span><div class=\"si\"><div class=\"sn\">Create and retain audit logs<\/div><div class=\"sd\">Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">3.3.2<\/span><div class=\"si\"><div class=\"sn\">Individual user accountability<\/div><div class=\"sd\">Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable. 
Shared or generic accounts break this traceability, so they must not be used for CUI access.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">3.3.5<\/span><div class=\"si\"><div class=\"sn\">Correlate audit records<\/div><div class=\"sd\">Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. SIEM integration is the typical implementation.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpep\">3.3.8<\/span><div class=\"si\"><div class=\"sn\">Protect audit information<\/div><div class=\"sd\">Protect audit information and audit logging tools from unauthorized access, modification, and deletion. If an attacker can tamper with logs, accountability is destroyed.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ir')\">Incident response<\/span><span class=\"rl\" onclick=\"nav('ac')\">Access control<\/span><span class=\"rl\" onclick=\"nav('si')\">System &amp; info integrity<\/span><span class=\"rl\" onclick=\"nav('ca')\">Security assessment<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CONFIG MGMT \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-cm\">\n  <div class=\"p-eye\">Family 3.4 \u00b7 9 Requirements<\/div>\n  <div class=\"p-title\">Configuration <span>Management<\/span><\/div>\n  <div class=\"p-sub\">Maintaining secure, documented, and change-controlled system configurations<\/div>\n  <div class=\"prose\">Configuration Management ensures that CUI systems are <strong>established, documented, and maintained in a known-secure state<\/strong>. Misconfigurations are one of the most common root causes of breaches. 
This family requires baseline configurations, change control, least-functionality principles, and restriction of unauthorized software.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tcl\">3.4.1<\/span><div class=\"si\"><div class=\"sn\">Establish and maintain baselines<\/div><div class=\"sd\">Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tcl\">3.4.2<\/span><div class=\"si\"><div class=\"sn\">Security configuration enforcement<\/div><div class=\"sd\">Establish and enforce security configuration settings for IT products employed in organizational systems. CIS Benchmarks and DISA STIGs are common reference configurations.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tcl\">3.4.6<\/span><div class=\"si\"><div class=\"sn\">Least functionality<\/div><div class=\"sd\">Employ the principle of least functionality by configuring systems to provide only essential capabilities. Disable unused ports, protocols, services, and functions.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tcl\">3.4.8<\/span><div class=\"si\"><div class=\"sn\">Application execution policies<\/div><div class=\"sd\">Apply deny-by-exception (blacklisting) or allow-by-exception (whitelisting) policy to prevent the use of unauthorized software. 
Application whitelisting is the stronger control.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('si')\">System &amp; info integrity<\/span><span class=\"rl\" onclick=\"nav('ra')\">Risk assessment<\/span><span class=\"rl\" onclick=\"nav('ma')\">Maintenance<\/span><span class=\"rl\" onclick=\"nav('sc')\">System &amp; comms protection<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 IA \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ia\">\n  <div class=\"p-eye\">Family 3.5 \u00b7 11 Requirements<\/div>\n  <div class=\"p-title\">Identification <span>&amp; Authentication<\/span><\/div>\n  <div class=\"p-sub\">Verifying the identity of users, devices, and processes before granting access to CUI<\/div>\n  <div class=\"prose\">This family ensures that <strong>every entity accessing CUI systems is positively identified and authenticated<\/strong> before access is granted. It covers user identification, multi-factor authentication, password management, device authentication, and replay-resistant mechanisms. Identity is the first gate in the access decision chain.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tdev\">3.5.1<\/span><div class=\"si\"><div class=\"sn\">Identify system users and processes<\/div><div class=\"sd\">Identify information system users, processes acting on behalf of users, or devices. 
Every entity that touches CUI must have a unique identity that supports accountability.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">3.5.2<\/span><div class=\"si\"><div class=\"sn\">Authenticate identities<\/div><div class=\"sd\">Authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access. Authentication must precede authorization \u2014 always.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">3.5.3<\/span><div class=\"si\"><div class=\"sn\">Multi-factor authentication<\/div><div class=\"sd\">Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. MFA is non-negotiable for CUI systems.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tdev\">3.5.4<\/span><div class=\"si\"><div class=\"sn\">Replay-resistant authentication<\/div><div class=\"sd\">Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. Prevents credential replay attacks.<\/div><\/div><\/div>\n\n  <div class=\"ib p\"><div class=\"ibt\">MFA is the single highest-impact control for CUI protection<\/div><div class=\"ibb\">Requirement 3.5.3 (multi-factor authentication) is consistently cited as <strong>the control most likely to prevent unauthorized CUI access<\/strong>. Password-only authentication does not meet the 800-171 standard for any CUI system. 
Hardware tokens, FIDO2\/passkeys, and authenticator apps are all acceptable second factors \u2014 SMS is accepted but discouraged.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">Access control<\/span><span class=\"rl\" onclick=\"nav('au')\">Audit &amp; accountability<\/span><span class=\"rl\" onclick=\"nav('ps')\">Personnel security<\/span><span class=\"rl\" onclick=\"nav('sc')\">System &amp; comms protection<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 IR \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ir\">\n  <div class=\"p-eye\">Family 3.6 \u00b7 3 Requirements<\/div>\n  <div class=\"p-title\">Incident <span>Response<\/span><\/div>\n  <div class=\"p-sub\">Detecting, analyzing, containing, and recovering from security incidents involving CUI<\/div>\n  <div class=\"prose\">Incident Response ensures the organization has an <strong>operational capability to detect, report, and respond to security incidents<\/strong>. For DoD contractors, DFARS 7012 adds a 72-hour reporting requirement to the DoD Cyber Crime Center (DC3) for any cyber incident involving CUI. 
This family is where preparation meets operational reality.<\/div>\n\n  <h3>Requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tnet\">3.6.1<\/span><div class=\"si\"><div class=\"sn\">Establish incident handling capability<\/div><div class=\"sd\">Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">3.6.2<\/span><div class=\"si\"><div class=\"sn\">Track, document, and report incidents<\/div><div class=\"sd\">Track, document, and report incidents to designated officials and\/or authorities both internal and external to the organization. For DoD: report to DC3 within 72 hours of discovery.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">3.6.3<\/span><div class=\"si\"><div class=\"sn\">Test incident response capability<\/div><div class=\"sd\">Test the organizational incident response capability. Tabletop exercises, simulations, and red team engagements validate that the IR plan actually works under pressure.<\/div><\/div><\/div>\n\n  <div class=\"ib r\"><div class=\"ibt\">DFARS 7012 adds teeth to incident response<\/div><div class=\"ibb\">Beyond the 800-171 requirements, DFARS 252.204-7012 mandates <strong>72-hour reporting to DC3<\/strong>, preservation of forensic evidence for 90 days, and cooperation with DoD damage assessment activities. Failure to report can result in contract termination and False Claims Act liability. 
The IR plan must account for these DFARS-specific obligations.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('au')\">Audit &amp; accountability<\/span><span class=\"rl\" onclick=\"nav('si')\">System &amp; info integrity<\/span><span class=\"rl\" onclick=\"nav('ca')\">Security assessment<\/span><span class=\"rl\" onclick=\"nav('at')\">Awareness &amp; training<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 MAINTENANCE \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ma\">\n  <div class=\"p-eye\">Family 3.7 \u00b7 6 Requirements<\/div>\n  <div class=\"p-title\"><span>Maintenance<\/span><\/div>\n  <div class=\"p-sub\">Controlled maintenance of CUI systems \u2014 local and remote<\/div>\n  <div class=\"prose\">This family governs how systems are maintained without introducing new vulnerabilities. It covers <strong>timely maintenance, tool control, remote maintenance security, and media sanitization<\/strong> for equipment removed for off-site maintenance. Maintenance windows are high-risk periods \u2014 elevated privileges, open access, external personnel.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tcl\">3.7.1<\/span><div class=\"si\"><div class=\"sn\">Perform timely maintenance<\/div><div class=\"sd\">Perform maintenance on organizational systems. Maintenance must be timely, documented, and performed by authorized personnel with appropriate access controls in place.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tcl\">3.7.2<\/span><div class=\"si\"><div class=\"sn\">Control maintenance tools<\/div><div class=\"sd\">Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. 
Prevent introduction of malicious tools during maintenance operations.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tcl\">3.7.5<\/span><div class=\"si\"><div class=\"sn\">Multifactor auth for remote maintenance<\/div><div class=\"sd\">Require multifactor authentication to establish nonlocal maintenance sessions and terminate such sessions when maintenance is complete.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('cm')\">Configuration management<\/span><span class=\"rl\" onclick=\"nav('pe')\">Physical protection<\/span><span class=\"rl\" onclick=\"nav('ac')\">Access control<\/span><span class=\"rl\" onclick=\"nav('mp')\">Media protection<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 MEDIA PROTECTION \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-mp\">\n  <div class=\"p-eye\">Family 3.8 \u00b7 9 Requirements<\/div>\n  <div class=\"p-title\">Media <span>Protection<\/span><\/div>\n  <div class=\"p-sub\">Safeguarding digital and physical media containing CUI throughout its lifecycle<\/div>\n  <div class=\"prose\">Media Protection addresses how CUI is stored, transported, and destroyed on both digital and physical media. This includes <strong>access limitation, marking, storage, transport, sanitization, and disposal<\/strong>. A USB drive in a parking lot is a classic attack vector \u2014 this family prevents it.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tres\">3.8.1<\/span><div class=\"si\"><div class=\"sn\">Protect and control media<\/div><div class=\"sd\">Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. 
Access is limited to authorized users.
This family covers facility access, visitor management, and physical device security.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tpa\">3.10.1<\/span><div class=\"si\"><div class=\"sn\">Limit physical access<\/div><div class=\"sd\">Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpa\">3.10.2<\/span><div class=\"si\"><div class=\"sn\">Protect physical facility<\/div><div class=\"sd\">Protect and monitor the physical facility and support infrastructure for organizational systems. Includes surveillance, access logs, and environmental controls.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tpa\">3.10.4<\/span><div class=\"si\"><div class=\"sn\">Maintain visitor audit logs<\/div><div class=\"sd\">Maintain audit logs of physical access. Visitor logs must record name, organization, date\/time, escort, and purpose of visit.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">Access control<\/span><span class=\"rl\" onclick=\"nav('mp')\">Media protection<\/span><span class=\"rl\" onclick=\"nav('ps')\">Personnel security<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 PERSONNEL SECURITY \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ps\">\n  <div class=\"p-eye\">Family 3.9 \u00b7 2 Requirements<\/div>\n  <div class=\"p-title\">Personnel <span>Security<\/span><\/div>\n  <div class=\"p-sub\">Screening individuals and managing access upon personnel changes<\/div>\n  <div class=\"prose\">Personnel Security focuses on the <strong>human element<\/strong> \u2014 ensuring that individuals 
with CUI access are screened before access is granted, and that access is promptly revoked upon termination or role change. It&#8217;s a small family (2 requirements), but the consequences of failure are significant.<\/div>\n\n  <h3>Requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tbeh\">3.9.1<\/span><div class=\"si\"><div class=\"sn\">Screen individuals before access<\/div><div class=\"sd\">Screen individuals prior to authorizing access to organizational systems containing CUI. Background checks, employment verification, and clearance validation as appropriate.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tbeh\">3.9.2<\/span><div class=\"si\"><div class=\"sn\">Protect CUI during personnel actions<\/div><div class=\"sd\">Ensure that CUI and systems containing CUI are protected during and after personnel actions such as terminations and transfers. Disable access immediately upon termination. Retrieve all CUI-containing media.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">Access control<\/span><span class=\"rl\" onclick=\"nav('at')\">Awareness &amp; training<\/span><span class=\"rl\" onclick=\"nav('pe')\">Physical protection<\/span><span class=\"rl\" onclick=\"nav('ia')\">Identification &amp; auth<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 RISK ASSESSMENT \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ra\">\n  <div class=\"p-eye\">Family 3.11 \u00b7 3 Requirements<\/div>\n  <div class=\"p-title\">Risk <span>Assessment<\/span><\/div>\n  <div class=\"p-sub\">Identifying, analyzing, and managing risk to CUI and organizational systems<\/div>\n  <div class=\"prose\">Risk Assessment requires organizations to <strong>periodically assess the risk 
to CUI, scan for vulnerabilities, and remediate findings<\/strong>. It&#8217;s the analytical backbone that drives prioritization \u2014 without risk assessment, security investments are uninformed. This family links directly to the POA&amp;M process and ongoing compliance maintenance.<\/div>\n\n  <h3>Requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tnet\">3.11.1<\/span><div class=\"si\"><div class=\"sn\">Assess risk periodically<\/div><div class=\"sd\">Periodically assess the risk to organizational operations, organizational assets, and individuals resulting from the operation of CUI systems and the processing, storage, or transmission of CUI.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">3.11.2<\/span><div class=\"si\"><div class=\"sn\">Scan for vulnerabilities<\/div><div class=\"sd\">Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Qualys, Tenable, and Rapid7 are common tools.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">3.11.3<\/span><div class=\"si\"><div class=\"sn\">Remediate vulnerabilities<\/div><div class=\"sd\">Remediate vulnerabilities in accordance with risk assessments. Prioritize based on CVSS severity, exploitability, and asset criticality. 
Track remediation in the POA&amp;M.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ca')\">Security assessment<\/span><span class=\"rl\" onclick=\"nav('ssp')\">SSP &amp; POA&amp;M<\/span><span class=\"rl\" onclick=\"nav('cm')\">Configuration management<\/span><span class=\"rl\" onclick=\"nav('si')\">System &amp; info integrity<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 SECURITY ASSESSMENT \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ca\">\n  <div class=\"p-eye\">Family 3.12 \u00b7 4 Requirements<\/div>\n  <div class=\"p-title\">Security <span>Assessment<\/span><\/div>\n  <div class=\"p-sub\">Evaluating, monitoring, and documenting the effectiveness of security controls<\/div>\n  <div class=\"prose\">Security Assessment is the <strong>meta-family<\/strong> \u2014 it governs how organizations assess whether their own controls are effective. It requires periodic evaluation of security controls, development of a System Security Plan, management of a Plan of Action and Milestones, and continuous monitoring. This is where self-assessment and CMMC intersect.<\/div>\n\n  <h3>Requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tres\">3.12.1<\/span><div class=\"si\"><div class=\"sn\">Assess security controls periodically<\/div><div class=\"sd\">Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. 
The assessment produces the SPRS score for DoD contractors.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">3.12.2<\/span><div class=\"si\"><div class=\"sn\">Develop and implement action plans<\/div><div class=\"sd\">Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. The POA&amp;M is a living document \u2014 updated as gaps are identified and remediated.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">3.12.3<\/span><div class=\"si\"><div class=\"sn\">Monitor security controls<\/div><div class=\"sd\">Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Continuous monitoring, not annual checkbox exercises.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tres\">3.12.4<\/span><div class=\"si\"><div class=\"sn\">System Security Plan<\/div><div class=\"sd\">Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and relationships with other systems.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ssp')\">SSP &amp; POA&amp;M<\/span><span class=\"rl\" onclick=\"nav('sprs')\">SPRS scoring<\/span><span class=\"rl\" onclick=\"nav('cmmc')\">CMMC alignment<\/span><span class=\"rl\" onclick=\"nav('ra')\">Risk assessment<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 SC \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-sc\">\n  <div class=\"p-eye\">Family 3.13 \u00b7 16 Requirements<\/div>\n  <div class=\"p-title\">System &amp; Comms <span>Protection<\/span><\/div>\n  <div 
class=\"p-sub\">Network architecture, boundary protection, and cryptographic safeguards for CUI in transit and at rest<\/div>\n  <div class=\"prose\">The second-largest family addresses the <strong>technical architecture<\/strong> that protects CUI during processing, storage, and transmission. It covers boundary protection, network segmentation, FIPS-validated encryption, session authenticity, DNS protection, and architectural isolation of security functions.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tid\">3.13.1<\/span><div class=\"si\"><div class=\"sn\">Monitor and protect communications at boundaries<\/div><div class=\"sd\">Monitor, control, and protect communications at the external and key internal boundaries of organizational systems. Firewalls, proxies, IDS\/IPS, and WAFs are typical implementations.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.13.2<\/span><div class=\"si\"><div class=\"sn\">Architectural security designs<\/div><div class=\"sd\">Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security. Defense in depth. Separation of concerns. Least privilege in code.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.13.8<\/span><div class=\"si\"><div class=\"sn\">CUI encryption in transit<\/div><div class=\"sd\">Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. TLS 1.2+ minimum. FIPS 140-2 validated modules.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.13.11<\/span><div class=\"si\"><div class=\"sn\">FIPS-validated cryptography<\/div><div class=\"sd\">Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. 
Non-FIPS crypto does not meet the standard regardless of algorithm strength.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tid\">3.13.16<\/span><div class=\"si\"><div class=\"sn\">CUI encryption at rest<\/div><div class=\"sd\">Protect the confidentiality of CUI at rest. Full-disk encryption (BitLocker, FileVault) with FIPS-validated modules, or application-layer encryption for sensitive data stores.<\/div><\/div><\/div>\n\n  <div class=\"ib\"><div class=\"ibt\">FIPS 140-2 validation is a hard gate<\/div><div class=\"ibb\">Requirements 3.13.8 and 3.13.11 together mean that CUI must be protected by <strong>FIPS 140-2 (or 140-3) validated cryptographic modules<\/strong> \u2014 both in transit and at rest. Using AES-256 is not sufficient if the implementation isn&#8217;t FIPS-validated. This catches many organizations that rely on default TLS libraries without checking their FIPS validation status.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ac')\">Access control<\/span><span class=\"rl\" onclick=\"nav('mp')\">Media protection<\/span><span class=\"rl\" onclick=\"nav('cm')\">Configuration management<\/span><span class=\"rl\" onclick=\"nav('ia')\">Identification &amp; auth<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 SI \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-si\">\n  <div class=\"p-eye\">Family 3.14 \u00b7 7 Requirements<\/div>\n  <div class=\"p-title\">System &amp; Info <span>Integrity<\/span><\/div>\n  <div class=\"p-sub\">Identifying flaws, monitoring for malicious activity, and responding to security alerts<\/div>\n  <div class=\"prose\">System and Information Integrity ensures that CUI systems <strong>detect and respond to flaws, malicious code, and 
unauthorized changes<\/strong>. It covers vulnerability identification, malicious code protection, security alert monitoring, and system integrity verification. This is the operational detection family \u2014 the always-on sensor layer.<\/div>\n\n  <h3>Key requirements<\/h3>\n  <div class=\"sr\"><span class=\"st tnet\">3.14.1<\/span><div class=\"si\"><div class=\"sn\">Identify and remediate flaws<\/div><div class=\"sd\">Identify, report, and correct information and system flaws in a timely manner. Patch management, vulnerability scanning, and remediation tracking.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">3.14.2<\/span><div class=\"si\"><div class=\"sn\">Malicious code protection<\/div><div class=\"sd\">Provide protection from malicious code at designated locations within organizational systems. Endpoint detection and response (EDR), antivirus, and application control.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">3.14.3<\/span><div class=\"si\"><div class=\"sn\">Monitor security alerts<\/div><div class=\"sd\">Monitor system security alerts and advisories and take action in response. Subscribe to vendor alerts, CISA advisories, and CVE feeds. Actionable response, not just collection.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnet\">3.14.6<\/span><div class=\"si\"><div class=\"sn\">Monitor inbound and outbound traffic<\/div><div class=\"sd\">Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. 
Network-level detection \u2014 IDS\/IPS, NDR, or SIEM correlation.<\/div><\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('cm')\">Configuration management<\/span><span class=\"rl\" onclick=\"nav('ra')\">Risk assessment<\/span><span class=\"rl\" onclick=\"nav('ir')\">Incident response<\/span><span class=\"rl\" onclick=\"nav('au')\">Audit &amp; accountability<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 PLANNING (Rev 3 New) \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-pl\">\n  <div class=\"p-eye\">Rev 3 New Family \u00b7 3.15<\/div>\n  <div class=\"p-title\"><span>Planning<\/span><\/div>\n  <div class=\"p-sub\">New in Revision 3 \u2014 formalizes security planning and rules of behavior<\/div>\n  <div class=\"prose\">The Planning family was elevated to its own control family in Rev 3 to align with SP 800-53. In Rev 2, planning requirements were embedded in Security Assessment (3.12.3, 3.12.4). Rev 3 formalizes system security planning, rules of behavior, and security architecture documentation as <strong>standalone, assessable requirements<\/strong>.<\/div>\n\n  <h3>What it adds<\/h3>\n  <div class=\"sr\"><span class=\"st tnew\">PL<\/span><div class=\"si\"><div class=\"sn\">System security plan formalization<\/div><div class=\"sd\">Elevates the SSP requirement to its own family. Requires explicit documentation of system boundaries, operational environments, security implementation details, and interconnections. 
Not new work for Rev 2-compliant organizations \u2014 but now independently assessed.
Rev 3 breaks it out into its own family to address <strong>end-of-life system components and external system services<\/strong> that process CUI.<\/div>\n\n  <h3>Key additions<\/h3>\n  <div class=\"sr\"><span class=\"st tnew\">SA<\/span><div class=\"si\"><div class=\"sn\">Unsupported system components<\/div><div class=\"sd\">Replace or provide compensating controls for system components that are no longer supported by the developer, vendor, or manufacturer. Windows 10 end-of-life, for example, triggers this requirement.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnew\">SA<\/span><div class=\"si\"><div class=\"sn\">External system services<\/div><div class=\"sd\">Require providers of external system services to comply with applicable security requirements. Cloud services, managed security providers, and SaaS platforms processing CUI must meet the same standard \u2014 or be contractually bound to it.<\/div><\/div><\/div>\n\n  <div class=\"ib a\"><div class=\"ibt\">Cloud and SaaS providers are now explicitly in scope<\/div><div class=\"ibb\">Rev 3&#8217;s SA family formalizes what was always implied: if a third-party service processes CUI on your behalf, <strong>that service must meet 800-171 requirements<\/strong>. FedRAMP Moderate authorization satisfies this for cloud services. 
For non-FedRAMP services, contractual obligations and security assessments are required.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('sr')\">Supply chain risk<\/span><span class=\"rl\" onclick=\"nav('sc')\">System &amp; comms protection<\/span><span class=\"rl\" onclick=\"nav('cm')\">Configuration management<\/span><span class=\"rl\" onclick=\"nav('revisions')\">Rev 2 vs Rev 3<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 SR (Rev 3 New) \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-sr\">\n  <div class=\"p-eye\">Rev 3 New Family \u00b7 3.17<\/div>\n  <div class=\"p-title\">Supply Chain <span>Risk Management<\/span><\/div>\n  <div class=\"p-sub\">New in Revision 3 \u2014 the only truly new family, responding to supply chain attacks<\/div>\n  <div class=\"prose\">Supply Chain Risk Management is the only genuinely new control family in Rev 3 \u2014 not reorganized from existing requirements, but <strong>created in response to supply chain attacks<\/strong> like SolarWinds, Kaseya, and Log4Shell. It requires organizations to develop SCRM plans, implement acquisition strategies that account for supply chain risk, and establish processes to identify and manage supply chain threats.<\/div>\n\n  <h3>Key additions<\/h3>\n  <div class=\"sr\"><span class=\"st tnew\">SR<\/span><div class=\"si\"><div class=\"sn\">Supply chain risk management plan<\/div><div class=\"sd\">Develop a plan for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, components, and services. 
Must address risk identification, assessment, mitigation, and monitoring.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnew\">SR<\/span><div class=\"si\"><div class=\"sn\">Acquisition strategies and tools<\/div><div class=\"sd\">Develop and implement acquisition strategies, contract tools, and procurement methods to protect against supply chain risks. Vendor assessments, contractual security requirements, and provenance tracking.<\/div><\/div><\/div>\n  <div class=\"sr\"><span class=\"st tnew\">SR<\/span><div class=\"si\"><div class=\"sn\">Supply chain requirements and processes<\/div><div class=\"sd\">Establish processes to identify, assess, and manage supply chain threats throughout the system lifecycle. Software bill of materials (SBOM), vendor risk assessments, and continuous supplier monitoring.<\/div><\/div><\/div>\n\n  <div class=\"ib r\"><div class=\"ibt\">SolarWinds made this family inevitable<\/div><div class=\"ibb\">The SolarWinds compromise demonstrated that <strong>a trusted vendor&#8217;s build pipeline can become the attack vector<\/strong>. Rev 2 had no explicit supply chain controls \u2014 organizations were expected to address this through risk assessment and configuration management. 
Rev 3&#8217;s SR family makes SCRM a first-class compliance requirement with its own assessment objectives.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('sa')\">System &amp; services acquisition<\/span><span class=\"rl\" onclick=\"nav('ra')\">Risk assessment<\/span><span class=\"rl\" onclick=\"nav('cm')\">Configuration management<\/span><span class=\"rl\" onclick=\"nav('revisions')\">Rev 2 vs Rev 3<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 CMMC \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-cmmc\">\n  <div class=\"p-eye\">CMMC 2.0 \u00b7 Level 2<\/div>\n  <div class=\"p-title\">CMMC <span>Alignment<\/span><\/div>\n  <div class=\"p-sub\">How CMMC maps to SP 800-171 and what contractors need to know<\/div>\n  <div class=\"prose\">The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD&#8217;s verification mechanism for SP 800-171 compliance. <strong>CMMC Level 2 maps one-to-one with SP 800-171 Rev 2&#8217;s 110 requirements.<\/strong> The critical difference is that CMMC adds third-party assessment \u2014 you&#8217;re no longer just self-attesting compliance, you&#8217;re being verified by a Certified Third-Party Assessment Organization (C3PAO).<\/div>\n\n  <h3>CMMC 2.0 levels<\/h3>\n  <div class=\"cg cg3\" style=\"margin-top:14px\">\n    <div class=\"dc\"><div class=\"di\">\ud83d\udd12<\/div><div class=\"dt\">Level 1 \u2014 Foundational<\/div><div class=\"ds\">Self-assessment \u00b7 17 practices<\/div><div class=\"dxt\">Basic safeguarding of Federal Contract Information (FCI). 17 practices from FAR 52.204-21. Annual self-assessment submitted to SPRS. 
No CUI handling permitted at Level 1.<\/div><\/div>\n    <div class=\"dc\"><div class=\"di\">\ud83d\udee1\ufe0f<\/div><div class=\"dt\">Level 2 \u2014 Advanced<\/div><div class=\"ds\">C3PAO assessment \u00b7 110 practices<\/div><div class=\"dxt\">Full SP 800-171 Rev 2 implementation. All 110 requirements across 14 control families. Third-party assessment by C3PAO every 3 years. Required for contracts involving CUI. This is where most defense contractors must operate.<\/div><\/div>\n    <div class=\"dc\"><div class=\"di\">\u2694\ufe0f<\/div><div class=\"dt\">Level 3 \u2014 Expert<\/div><div class=\"ds\">Government-led \u00b7 800-172<\/div><div class=\"dxt\">SP 800-171 plus selected SP 800-172 enhanced requirements. Government-led assessment (DIBCAC). Reserved for the most sensitive CUI \u2014 APT-level threat protection.<\/div><\/div>\n  <\/div>\n\n  <h3>Assessment requirements<\/h3>\n  <div class=\"or grant\"><div class=\"od g\"><\/div><div><div class=\"ol\">All 110 controls must be assessed<\/div><div class=\"oc\">The C3PAO evaluates every requirement against SP 800-171A&#8217;s 320 assessment objectives. Each objective receives a Met, Not Met, or Not Applicable determination.<\/div><\/div><\/div>\n  <div class=\"or step\"><div class=\"od s\"><\/div><div><div class=\"ol\">POA&amp;Ms permitted with limits<\/div><div class=\"oc\">Some unmet requirements can be documented in a POA&amp;M with a 180-day remediation window. However, certain requirements are POA&amp;M-ineligible \u2014 they must be fully implemented at time of assessment.<\/div><\/div><\/div>\n  <div class=\"or deny\"><div class=\"od d\"><\/div><div><div class=\"ol\">No certification without minimum threshold<\/div><div class=\"oc\">If the number or severity of unmet requirements exceeds the threshold, the assessment fails. 
Conditional certification is available only if all remaining gaps are POA&amp;M-eligible.<\/div><\/div><\/div>\n\n  <div class=\"ib\"><div class=\"ibt\">CMMC uses Rev 2 until further notice<\/div><div class=\"ibb\">Despite Rev 3&#8217;s release in May 2024, DoD Class Deviation 2024-O0013 mandates that <strong>CMMC Level 2 continues to reference Rev 2<\/strong>. Do not shift resources to Rev 3 compliance at the expense of Rev 2. Understand Rev 3 changes for future planning, but assess against Rev 2 today.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('sprs')\">SPRS scoring<\/span><span class=\"rl\" onclick=\"nav('ssp')\">SSP &amp; POA&amp;M<\/span><span class=\"rl\" onclick=\"nav('revisions')\">Rev 2 vs Rev 3<\/span><span class=\"rl\" onclick=\"nav('scope')\">Scope &amp; applicability<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 SPRS \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-sprs\">\n  <div class=\"p-eye\">DFARS 252.204-7019 \u00b7 SPRS<\/div>\n  <div class=\"p-title\">SPRS <span>Scoring<\/span><\/div>\n  <div class=\"p-sub\">The Supplier Performance Risk System score \u2014 quantified compliance from \u2212203 to 110<\/div>\n  <div class=\"prose\">The SPRS score is a <strong>numerical representation of an organization&#8217;s SP 800-171 compliance posture<\/strong>. It ranges from \u2212203 (no controls implemented) to 110 (full implementation). The score must be submitted to the SPRS portal and is visible to DoD contracting officers. 
It directly affects contract award decisions.<\/div>\n\n  <h3>How the score works<\/h3>\n  <div class=\"tbl-wrap\">\n  <table>\n    <tr><th>Score<\/th><th>Meaning<\/th><th>Implication<\/th><\/tr>\n    <tr><td>110<\/td><td>All 110 controls implemented<\/td><td>Full compliance. No POA&amp;M required.<\/td><\/tr>\n    <tr><td>80\u2013109<\/td><td>Most controls met, minor gaps<\/td><td>Generally competitive. POA&amp;M documents gaps with remediation timeline.<\/td><\/tr>\n    <tr><td>50\u201379<\/td><td>Significant gaps remain<\/td><td>At risk for contract award. Aggressive POA&amp;M remediation required.<\/td><\/tr>\n    <tr><td>Below 50<\/td><td>Major compliance deficiencies<\/td><td>Unlikely to win CUI-handling contracts. Fundamental security program gaps.<\/td><\/tr>\n    <tr><td>\u2212203<\/td><td>No controls implemented<\/td><td>Theoretical floor. All 110 requirements scored as Not Met.<\/td><\/tr>\n  <\/table>\n  <\/div>\n\n  <div class=\"prose\" style=\"margin-top:14px\">Each unmet requirement is assigned a <strong>weighted point value<\/strong> (1, 3, or 5 points) based on its security impact. The total points for unmet requirements are subtracted from 110. Critical controls like MFA (3.5.3), encryption (3.13.11), and audit logging (3.3.1) carry higher weight \u2014 failing these drops the score faster.<\/div>\n\n  <div class=\"ib r\"><div class=\"ibt\">Your SPRS score is visible to contracting officers<\/div><div class=\"ibb\">The score is not confidential. Contracting officers <strong>can and do check SPRS scores<\/strong> before awarding contracts. A low score can disqualify an otherwise competitive bid. 
More critically, submitting an inflated score constitutes a <strong>False Claims Act violation<\/strong> \u2014 the DoJ has already pursued enforcement actions against contractors who misrepresented their compliance posture.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('ssp')\">SSP &amp; POA&amp;M<\/span><span class=\"rl\" onclick=\"nav('cmmc')\">CMMC alignment<\/span><span class=\"rl\" onclick=\"nav('ca')\">Security assessment<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 SSP & POA&M \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-ssp\">\n  <div class=\"p-eye\">Requirements 3.12.2 \u00b7 3.12.4<\/div>\n  <div class=\"p-title\">SSP &amp; <span>POA&amp;M<\/span><\/div>\n  <div class=\"p-sub\">The two foundational compliance documents every CUI-handling organization must maintain<\/div>\n  <div class=\"prose\">The System Security Plan (SSP) and Plan of Action &amp; Milestones (POA&amp;M) are the <strong>two documents that define and track your compliance posture<\/strong>. The SSP describes how each requirement is implemented. The POA&amp;M documents gaps and the remediation timeline. 
Together, they produce the SPRS score and serve as the primary evidence artifacts for CMMC assessment.<\/div>\n\n  <div class=\"pg\" style=\"margin-top:18px\">\n    <div class=\"pb\">\n      <div class=\"pbg c\">System Security Plan<\/div>\n      <div class=\"pbn\">How you implement each control<\/div>\n      <div class=\"pi\"><strong>System boundary definition<\/strong> \u2014 what&#8217;s in scope and what&#8217;s out<\/div>\n      <div class=\"pi\"><strong>Environment of operation<\/strong> \u2014 physical, logical, and organizational context<\/div>\n      <div class=\"pi\"><strong>Control implementation<\/strong> \u2014 how each of the 110 requirements is satisfied<\/div>\n      <div class=\"pi\"><strong>System interconnections<\/strong> \u2014 data flows to\/from other systems<\/div>\n      <div class=\"pi\"><strong>Living document<\/strong> \u2014 updated when systems, controls, or scope change<\/div>\n    <\/div>\n    <div class=\"pb\">\n      <div class=\"pbg r\">Plan of Action &amp; Milestones<\/div>\n      <div class=\"pbn\">What&#8217;s not yet implemented<\/div>\n      <div class=\"pi\"><strong>Unmet requirements<\/strong> \u2014 each gap documented with root cause<\/div>\n      <div class=\"pi\"><strong>Remediation plan<\/strong> \u2014 specific actions, resources, and timeline<\/div>\n      <div class=\"pi\"><strong>Milestone tracking<\/strong> \u2014 progress checkpoints with responsible parties<\/div>\n      <div class=\"pi\"><strong>Risk acceptance<\/strong> \u2014 interim risk documented for each open item<\/div>\n      <div class=\"pi\"><strong>CMMC constraint<\/strong> \u2014 180-day maximum for POA&amp;M closure<\/div>\n    <\/div>\n  <\/div>\n\n  <div class=\"ib\"><div class=\"ibt\">The SSP is your compliance evidence \u2014 not the policies binder<\/div><div class=\"ibb\">A common mistake is treating the SSP as a copy-paste of policies and standards. 
The SSP must describe <strong>how each control is actually implemented in your specific environment<\/strong> \u2014 not what the policy says should happen, but what happens in practice. Assessors verify the SSP against operational reality. Discrepancies between the SSP and the implemented environment are assessment findings.<\/div><\/div>\n\n  <div class=\"related\"><div class=\"rlab\">Related<\/div><div class=\"rls\"><span class=\"rl\" onclick=\"nav('sprs')\">SPRS scoring<\/span><span class=\"rl\" onclick=\"nav('ca')\">Security assessment<\/span><span class=\"rl\" onclick=\"nav('cmmc')\">CMMC alignment<\/span><span class=\"rl\" onclick=\"nav('scope')\">Scope &amp; applicability<\/span><\/div><\/div>\n<\/div>\n\n<!-- \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 NIST PDF \u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550 -->\n<div class=\"panel\" id=\"panel-nist\">\n  <div class=\"p-eye\">Source document<\/div>\n  <div class=\"p-title\">NIST SP <span>800-171<\/span><\/div>\n  <div class=\"p-sub\">Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations<\/div>\n  <div class=\"ib\" style=\"margin-top:8px\">\n    <div class=\"ibt\">About this document<\/div>\n    <div class=\"ibb\">NIST Special Publication 800-171 provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations. Rev 2 (January 2021) contains 110 requirements across 14 control families and remains the current standard for CMMC Level 2. 
Rev 3 (May 2024) restructures to 97 requirements across 17 families with increased assessment specificity.<\/div>\n  <\/div>\n  <div style=\"margin-top:28px;display:flex;flex-direction:column;gap:12px;\">\n    <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-171r2.pdf\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--cyan);color:#000;font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\n      \u2197 &nbsp;SP 800-171 Rev 2 PDF (current for CMMC)\n    <\/a>\n    <a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-171r3\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--surf);border:1px solid var(--border2);color:var(--cyan);font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\n      \u2197 &nbsp;SP 800-171 Rev 3 PDF (future state)\n    <\/a>\n    <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/171\/r3\/final\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--surf);border:1px solid var(--border2);color:var(--cyan);font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\n      \u2197 &nbsp;NIST CSRC publication page\n    <\/a>\n    <a href=\"https:\/\/csrc.nist.gov\/files\/projects\/protecting-controlled-unclassified-information\/documents\/FAQ\/FAQ-SP800-171R3-171AR3.pdf\" target=\"_blank\" style=\"display:inline-flex;align-items:center;gap:10px;background:var(--surf);border:1px solid var(--border2);color:var(--cyan);font-family:var(--mono);font-size:12px;font-weight:700;padding:12px 20px;text-decoration:none;border-radius:2px;width:fit-content;letter-spacing:.06em;\">\n      \u2197 &nbsp;NIST FAQ: Rev 3 Changes\n  
  <\/a>\n  <\/div>\n  <div class=\"divider\"><\/div>\n  <div class=\"prose\"><strong>Rev 2 citation:<\/strong> Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., &amp; Guissanie, G. (2020). <em>Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations<\/em> (NIST Special Publication 800-171 Revision 2). National Institute of Standards and Technology. https:\/\/doi.org\/10.6028\/NIST.SP.800-171r2<\/div>\n  <div class=\"prose\" style=\"margin-top:10px\"><strong>Rev 3 citation:<\/strong> Ross, R., Pillitteri, V., &amp; Dempsey, K. (2024). <em>Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations<\/em> (NIST Special Publication 800-171 Revision 3). National Institute of Standards and Technology. https:\/\/doi.org\/10.6028\/NIST.SP.800-171r3<\/div>\n<\/div>\n\n<\/main>\n<\/div>\n\n<script>\nfunction toggleMenu() {\n  var sb = document.getElementById('sidebar');\n  var btn = document.getElementById('menuBtn');\n  var ov = document.getElementById('sbOverlay');\n  var open = sb.classList.toggle('open');\n  btn.classList.toggle('open', open);\n  ov.classList.toggle('open', open);\n  document.body.style.overflow = open ? 'hidden' : '';\n}\nfunction closeMenu() {\n  var sb = document.getElementById('sidebar');\n  if (sb.classList.contains('open')) toggleMenu();\n}\nfunction openNIST() {\n  nav('nist');\n}\nfunction toggleTheme() {\n  var isLight = document.body.classList.toggle('light');\n  document.getElementById('themeBtn').textContent = isLight ? 
'\u263e Dark' : '\u2600 Light';\n}\nvar fontScale = 100;\nvar fontSteps = [80, 90, 100, 110, 120, 135, 150, 170];\nfunction adjFont(dir) {\n  if (dir === 0) { fontScale = 100; }\n  else {\n    var idx = fontSteps.indexOf(fontScale);\n    if (idx === -1) idx = 2;\n    idx = Math.max(0, Math.min(fontSteps.length - 1, idx + dir));\n    fontScale = fontSteps[idx];\n  }\n  document.querySelector('.main').style.zoom = (fontScale \/ 100);\n  if (window.innerWidth > 900) {\n    document.querySelector('.sidebar').style.zoom = (fontScale \/ 100);\n  }\n}\nfunction nav(id) {\n  document.querySelectorAll('.panel').forEach(p => p.classList.remove('active'));\n  document.querySelectorAll('.ni').forEach(n => n.classList.remove('active'));\n  var panel = document.getElementById('panel-' + id);\n  if (panel) { panel.classList.add('active'); panel.closest('.main').scrollTop = 0; }\n  document.querySelectorAll('.ni').forEach(function(n) {\n    var oc = n.getAttribute('onclick') || '';\n    if (oc.indexOf(\"'\" + id + \"'\") !== -1) n.classList.add('active');\n  });\n  closeMenu();\n}\n<\/script>\n<\/body>\n<\/html>\n\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>NIST SP 800-171 \u2014 Protecting CUI in Nonfederal Systems NIST SP 800-171 ProtectingCUI Interactive reference \u00b7 Rev 2 &amp; Rev 3 Size A\u2212 A A+ \u263e Dark Overview What is 800-171 Scope &amp; Applicability Controlled Unclassified Info Rev 2 vs Rev 3 Control Families Access Control Awareness &amp; Training Audit &amp; Accountability Configuration Management Identification&hellip; <br \/> <a class=\"read-more\" href=\"https:\/\/www-geek.com\/index.php\/800-171\/\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"pro\/page-templates\/page-with-small-header.php","meta":{"footnotes":""},"class_list":["post-68","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/68","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/comments?post=68"}],"version-history":[{"count":3,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/68\/revisions"}],"predecessor-version":[{"id":72,"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/pages\/68\/revisions\/72"}],"wp:attachment":[{"href":"https:\/\/www-geek.com\/index.php\/wp-json\/wp\/v2\/media?parent=68"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}