Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

SP 800-171 Rev. 1

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: December 2016 (updated 06/07/2018)

Planning Note (2/21/2020):

Note 1: SP 800-171 Rev. 1 has been superseded by SP 800-171 Rev. 2, and will be withdrawn in one year, on February 21, 2021. 

Note 2: Documentation > Supplemental Material > CUI SSP template:

** There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.

Superseded By: SP 800-171 Rev. 2 (02/21/2020)
Supersedes: SP 800-171 Rev. 1 (02/20/2018)


Ron Ross (NIST), Kelley Dempsey (NIST), Patrick Viscuso (NARA), Mark Riddle (NARA), Gary Guissanie (IDA)



contractor systems; Controlled Unclassified Information; CUI Registry; derived security requirement; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal systems; security assessment; security control; security requirement
Control Families

Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; System and Communications Protection; System and Information Integrity


SP 800-171 Rev. 1 (DOI)
Local Download

Supplemental Material:
CUI Plan of Action template (word)
CUI SSP template **[see Planning Note] (word)
Mapping: Cybersecurity Framework v.1.0 to SP 800-171 Rev. 1 (xls)

Other Parts of this Publication:
SP 800-171A

Related NIST Publications:
ITL Bulletin

Document History:
06/07/18: SP 800-171 Rev. 1 (Final)