NIST 800-171 Controlled Unclassified Information (CUI) Controls   

NIST and NARA carried out specific tailoring actions to identify the controls that are needed to protect CUI. According to NIST 800-171, there were 3 criteria used to identify what security controls or control enhancements from NIST 800-53 rev4 moderate baseline specifically would be considered a "CUI control" for NIST 800-171. If the following criteria was not applicable, then the NIST 800-53 rev4 control or control enhancement became a CUI control:

  1. The control or control enhancement is uniquely federal (i.e., primarily the responsibility of the federal government);

  2. The control or control enhancement is not directly related to protecting the confidentiality of CUI;38 or

  3. The control or control enhancement is expected to be routinely satisfied by nonfederal organizations without specification.

Interestingly, while there are 110 CUI controls listed in Appendix D of NIST 800-171, there are 125 unique CUI controls listed in Appendix E. The reduction of 15 controls appears to be through the mapping that reduced redundancies. These 125 unique CUI controls, as listed below:

SCF Practitioner - ComplianceForge.jpg

© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

This website does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.


ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.