Understanding the Role of NIST SP 800-171 in CMMCNIST Special Publication (SP)800-171is the definitive standard for protectingControlled Unclassified Information (CUI)innonfederal systems and organizations. It provides security requirements that organizations handling CUImust implementto protect sensitive government information.
This document isthe foundationofCMMC 2.0 Level 2compliance, which aligns directly withNIST SP 800-171 Rev. 2requirements.
Breakdown of Answer ChoicesNIST SP
Title
Relevance to CMMC
NIST SP 800-37
Risk Management Framework (RMF)
Focuses on risk assessment for federal agencies, not directly applicable to CUI in nonfederal systems.
NIST SP 800-53
Security and Privacy Controls for Federal Systems
Provides security controls forfederalinformation systems, not specifically tailored tononfederalorganizations handling CUI.
NIST SP 800-88
Guidelines for Media Sanitization
Covers secure data destruction and disposal, not overall CUI protection.
NIST SP 800-171
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
✅Correct Answer – Directly addresses CUI protection in contractor systems.
Key Requirements from NIST SP 800-171The document outlines110 security controlsgrouped into14 families, including:
Access Control (AC)– Restrict access to authorized users.
Audit and Accountability (AU)– Maintain system logs and monitor activity.
Incident Response (IR)– Establish an incident response plan.
System and Communications Protection (SC)– Encrypt CUI in transit and at rest.
These controls serve as thebaseline requirementsfor organizations seekingCMMC Level 2 certificationto work withCUI.
CMMC 2.0 Level 2alignsdirectlywith NIST SP800-171 Rev. 2.
DoD contractors that handle CUImustcomply withall 110 controlsfrom NIST SP800-171.
Official Reference from CMMC 2.0 DocumentationFinal Verification and ConclusionThe correct answer isD. NIST SP 800-171, as this documentexplicitly definesthe cybersecurity requirements for protectingCUI in nonfederal systems and organizations.
Submit