NIST SP 800-171 is a special publication created by the National Institute of Standards and Technology (NIST) that outlines the security controls for protecting controlled unclassified information (CUI) or covered defense information (CDI) in Non-Federal Information Systems. The due date for either the implementation of all of the listed security controls OR the identification and documentation of the controls which your organization has yet to implement is December 31st, 2017.
This framework is designed to provide guidance to contractors and sub-contractors that possess CUI, to aid in protecting data and in reducing or eliminating security incidents. The NIST 800-171 framework was developed from the NIST SP 800-53 publications, which outline the security requirements for Federal information systems.
CUI/CDI is information provided to the contractor by or on behalf of the DoD in connection with the performance of the contract; or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. CUI/CDI also falls in any of the following categories:
Protecting Controlled Unclassified Information on Non-federal Information Systems and Organizations NIST Special Publication 800-171r1
Assessing Security and Privacy Controls in Federal Information Systems and Organizations NIST Special Publication 800-53r4
Guide for Developing Security Plans for Federal Information Systems, NIST Special Publication 800-18
Final CUI Rule Requires Contractors to Adopt Uniform Treatment of Confidential Information
Understanding NIST SP 800-171: Details About DFARS Compliance