NIST 800-53 vs. NIST 800-171: What's the Difference and Which One Applies to You?
Federal control catalog vs. CUI protection for contractors — how they differ, how they connect, and which one you actually need.
One is the federal control catalog; the other is what your contractors follow to protect CUI. They're related but not interchangeable — here's how to tell them apart and pick the right one.
Why this matters
Compliance officers mix these two up constantly, and it's an expensive mistake. NIST 800-53 and 800-171 share DNA, but they answer different questions: who you are, what data you hold, and which rules a contract or a law puts on you. Pick the wrong one and you either over-build a program you don't need or fail an assessment you thought you'd pass.
The short version
NIST 800-53 is the full security and privacy control catalog for federal information systems. It's the source.
NIST 800-171 is a tailored subset of 800-53 aimed at protecting Controlled Unclassified Information (CUI) on nonfederal systems — contractors, universities, and other organizations that handle federal data without being federal agencies.
Put plainly: federal agencies build to 800-53; the contractors who hold their sensitive data build to 800-171.
Where each one applies
800-53 governs federal agencies and their systems under FISMA. It's also adopted voluntarily across industry and serves as the foundation for FedRAMP (cloud) and other federal programs.
800-171 applies to nonfederal organizations that store, process, or transmit CUI — most prominently defense contractors under DFARS clause 252.204-7012, but also any contractor or institution handling CUI on a federal agency's behalf.
How they relate
800-171 isn't a separate invention. NIST built it by taking the moderate baseline from 800-53 (now maintained in 800-53B) and tailoring it down to the controls that protect the confidentiality of CUI. Every 800-171 requirement traces back to an 800-53 control. If you already run 800-53 at moderate, you've done most of 800-171 — the reverse is not true.
Scope and structure
800-53 (Rev 5): 20 control families, roughly 1,196 controls and enhancements, with Low, Moderate, and High baselines maintained in 800-53B. It covers security and privacy. The latest update, Release 5.2.0 (August 2025), added controls for software-update integrity and cyber resiliency.
800-171 (Rev 3, May 2024): 17 families and 97 requirements — down from 110 in Rev 2 — focused on CUI confidentiality. Rev 3 added three families (Planning; System and Services Acquisition; Supply Chain Risk Management) to track the 800-53B moderate baseline, introduced Organization-Defined Parameters (values like password length and session timeout that the agency or organization sets), and dropped both the old "basic versus derived" requirement split and the vague word "periodically."
The CMMC piece (if you're a defense contractor)
This is where 800-171 grows teeth. The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) program is built on 800-171. CMMC Level 2 maps to the 800-171 control set; Level 3 layers on the enhanced requirements from NIST 800-172. Under CMMC, many contractors move from self-attestation to a third-party assessment by a certified assessor (C3PAO) before they can win or keep contracts that involve CUI.
One current wrinkle worth knowing: even though Rev 3 has been final since May 2024, the DoD issued a class deviation keeping Rev 2 as the standard of reference, and assessors are not yet authorized to evaluate against Rev 3. CMMC is aligned to Rev 2 today. If you're pursuing CMMC, build to Rev 2 now and plan a Rev 3 migration for when the DoD formally makes the switch.
How compliance gets checked
800-53: assessed through the Risk Management Framework using 800-53A procedures, ending in an Authority to Operate (ATO) granted by an authorizing official.
800-171: historically a self-assessment scored against 800-171A, with the result posted to the DoD's Supplier Performance Risk System (SPRS). Under CMMC, that self-score is increasingly backed by a formal C3PAO assessment. The move from "trust me" to "prove it" is the whole point of CMMC.
Side by side
| Dimension | NIST 800-53 | NIST 800-171 |
|---|---|---|
| Purpose | Full security and privacy control catalog | Protect the confidentiality of CUI |
| Applies to | Federal agencies and systems | Nonfederal orgs handling CUI (e.g., contractors) |
| Origin | The original catalog | Tailored subset of 800-53 moderate |
| Latest version | Rev 5 / Release 5.2.0 (2025) | Rev 3 (2024); CMMC still references Rev 2 |
| Scope | 20 families, ~1,196 controls | 17 families, 97 requirements (Rev 3) |
| Mandate | FISMA | DFARS 7012; CMMC for DoD work |
| Assessment | RMF + 800-53A, ending in an ATO | 800-171A self-assessment and SPRS; C3PAO under CMMC |
| Privacy | Yes (PT family) | No — confidentiality focus |
Which one do you need?
- A federal agency? 800-53. It's the law for your systems, and everything else descends from it.
- A defense contractor handling CUI? 800-171, and you're almost certainly headed into CMMC — build to Rev 2 today.
- A non-defense contractor or institution handling CUI? 800-171, under whatever clause your sponsoring agency flows down.
- Running cloud services for the government? That's FedRAMP, which is 800-53 with added parameters — a separate topic.
- Handling federal tax information? That's IRS Pub 1075, another 800-53 overlay.
The rule of thumb: if your data includes CUI and you're not a federal agency, 800-171 is your floor. If you're federal, 800-53 is the whole house.
Key takeaways
- 800-53 is the federal control catalog; 800-171 is a tailored subset of it for protecting CUI on nonfederal systems.
- Federal agencies follow 800-53; their contractors follow 800-171.
- 800-171 Rev 3 (2024) trimmed the count to 97 requirements and added three families — but CMMC still references Rev 2 for now.
- For defense contractors, 800-171 compliance increasingly means a C3PAO assessment under CMMC, not just a self-score.
- Run 800-53 at moderate and you've covered most of 800-171; the reverse doesn't hold.