U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

This is an archive
(replace .gov by .rip)

SP 800-171 Rev. 2

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Date Published: February 2020

Supersedes: SP 800-171 Rev. 1 (06/07/2018)


Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)



basic security requirement; contractor systems; Controlled Unclassified Information; CUI Registry; derived security requirement; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; nonfederal systems; security assessment; security control; security requirement; nonfederal organizations
Control Families

Access Control; Audit and Accountability; Awareness and Training; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; System and Communications Protection; System and Information Integrity


None available

Supplemental Material:
None available

Other Parts of this Publication:
SP 800-171A
SP 800-172 (Draft)

Document History:
06/19/19: SP 800-171 Rev. 2 (Draft)
02/21/20: SP 800-171 Rev. 2