Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-171 Rev. 2

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: February 2020 (includes updates as of January 28, 2021)

Supersedes: SP 800-171 Rev. 2 (02/21/2020)

Planning Note (04/13/2022):

The security requirements in SP 800-171 Revision 2 are available in multiple data formats. The PDF of SP 800-171 Revision 2 is the authoritative source of the CUI security requirements. If there are any discrepancies noted in the content between the CSV, XLSX, and the SP 800-171 PDF, please contact and refer to the PDF as the normative source.

CUI SSP template

** There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.


Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)



basic security requirement; contractor systems; Controlled Unclassified Information; CUI Registry; derived security requirement; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal systems; security assessment; security control; security requirement; nonfederal organizations
Control Families

Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Communications Protection; System and Information Integrity