NIST Special Publication 800-171.

The NIST standard for protecting controlled unclassified information in nonfederal systems and organizations, required by DFARS 252.204-7012 across the defense industrial base.

What it is.

NIST Special Publication 800-171 is published by the National Institute of Standards and Technology under the Federal Information Security Modernization Act and the Executive Order 13556 framework for Controlled Unclassified Information. The publication is the primary security control framework for protecting CUI residing in nonfederal systems and organizations. The current revision, NIST SP 800-171 Revision 3, was published May 14, 2024, superseding the December 2020 Revision 2.

The Revision 3 framework contains 110 security requirements organized into 17 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment and Monitoring, System and Communications Protection, System and Information Integrity, Planning, System and Services Acquisition, and Supply Chain Risk Management. The companion NIST SP 800-171A Revision 3 provides assessment procedures used by contractors for self-assessment, by DOD for medium-confidence and high-confidence assessments, and by C3PAOs for CMMC Level 2 assessment.

The regulatory anchor in defense procurement is DFARS 252.204-7012, which has flowed down NIST SP 800-171 implementation across the defense industrial base since December 2017. DFARS 252.204-7019 requires contractors to perform a current self-assessment using the NIST SP 800-171 DOD Assessment Methodology and post the resulting score in the Supplier Performance Risk System (SPRS). DFARS 252.204-7020 establishes assessment requirements above the basic self-assessment for the medium and high confidence levels. DFARS 252.204-7021 implements the Cybersecurity Maturity Model Certification (CMMC) regime, with CMMC Level 2 substantively aligned to NIST SP 800-171 plus assessment by an accredited third party.

Cross-border implication.

For a foreign-headquartered firm entering the US defense industrial base through a US subsidiary, NIST SP 800-171 is the substantive cybersecurity baseline that contracts will flow down. At a minimum, the implementation covers the US subsidiary; where CUI flows to the foreign parent or other group entities, those entities are also in scope under DFARS 252.204-7012. The SPRS score is posted at the CAGE-code level, so each operating entity that handles CUI maintains its own score. CMMC Level 2 certification under the November 2024 final rule requires third-party assessment by a C3PAO for most CUI-handling contracts.

The cross-border read is procurement-binding. A foreign supplier without a documented NIST SP 800-171 implementation cannot accept CUI under a DFARS-clause-included contract. The implementation timeline for a Mittelstand or international firm typically runs 12 to 24 months including gap assessment, remediation, System Security Plan (SSP) and Plan of Action and Milestones (POAM) documentation, and pre-assessment readiness work.

Where this shows up on the GMA work.

NIST SP 800-171 sits across the defense and federal trajectory work in the Operators entering the US book, on the CMMC- and DFARS-related entries, and on the Answers hub for cyber-readiness questions in DOD-adjacent firms. The presentation work covers how the firm names its NIST SP 800-171 implementation, its SPRS score, its CMMC certification status, and its CUI-handling architecture on US-facing surfaces. The implementation, SSP authoring, and assessment work belongs with the firm's information-security function, US cybersecurity counsel, and, where applicable, a CMMC Registered Practitioner Organization or C3PAO.

Scope note.

Global Marketing Agency does not provide NIST SP 800-171 implementation, SSP authoring, gap assessment, C3PAO assessment, or CMMC certification services. Those activities belong to the firm's information-security function and an authorized assessment partner. GMA works on how the firm's NIST 800-171 posture is presented, sequenced, and read on US-facing surfaces.

If a defense bid is sitting on a NIST SP 800-171 implementation or SPRS-score gap.

Send the current SPRS posture, the contract type under consideration, and the CMMC trajectory. Response within one business day.

Start the conversation

Sources cited on this page: NIST SP 800-171 Revision 3, NIST SP 800-171A Revision 3 Assessment Procedures, DFARS 252.204-7012, DOD CIO CMMC, Supplier Performance Risk System (SPRS), US National Archives, Controlled Unclassified Information.