Initially published in June 2015, NIST SP 800-171 is essentially a set of standards that define how to safeguard and distribute material deemed sensitive but not classified, otherwise referred to as Controlled Unclassified Information (CUI). Both the CUI designation and the NIST SP 800-171 framework are intended to standardize and replace previously existing designations and frameworks used to protect this type of sensitive information. NIST SP 800-171 consists of 14 security requirement families and further specifies a group of 114 controls that are deemed Basic and Derived.


The 14 Security Requirement Families of NIST SP 800-171 

Access Control 

Awareness and Training 

Audit and Accountability 

Configuration Management 

Identification and Authentication 

Incident Response

Maintenance


Media Protection 

Physical Protection 

Personnel Security 

Risk Assessment 

Security Assessment 

System and Communications Protection 

System and Information Integrity 


NIST SP 800-171 provides federal agencies with regulations for protecting the confidentiality of CUI when:

CUI resides in nonfederal information systems/organizations.

CUI resides in information systems not operated by contractors of federal agencies or organizations on behalf of federal agencies.

There are no specific regulations for the protection and maintenance of CUI confidentiality prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.


The NIST requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.

The following outlines MegaplanIT’s proven NIST SP 800-171 methodology.


NIST SP 800-171 Assessment Approach
