Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-171 Rev. 1

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Date Published: December 2016

Supersedes: SP 800-171 (01/21/2016)


Ron Ross (NIST), Patrick Viscuso (NARA), Gary Guissanie (IDA), Kelley Dempsey (NIST), Mark Riddle (NARA)



Contractor Information Systems; Controlled Unclassified Information; CUI Registry; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; Nonfederal Information Systems; Security Control; Security Requirement; Derived Security Requirement; Security Assessment
Control Families

Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Communications Protection; System and Information Integrity


SP 800-171 Rev. 1 (12/20/2016) (pdf)

Supplemental Material:
Specific Changes to the Security Requirements in SP 800-171 (pdf)

Related NIST Publications:
SP 800-171A (Draft)

Document History:
12/20/16: SP 800-171 Rev. 1 (Final)