The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, also known as NIST 800-171, is a set of standards that define how to safeguard and distribute material deemed sensitive but not classified by federal agencies in the United States. These standards apply to all components of nonfederal information systems and organizations that process, store, or transmit Controlled Unclassified Information (CUI) or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
NIST 800-171 is divided into 14 families of security requirements: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.