NIST SP 800-171 SBOM Requirements: Protecting CUI in Software Supply Chains

How NIST SP 800-171 Rev 3 supply chain and component inventory controls relate to SBOM requirements for organizations handling Controlled Unclassified Information.

TL;DR

NIST SP 800-171 protects Controlled Unclassified Information (CUI) in nonfederal systems. DoD contractors must implement it under DFARS 252.204-7012, and CMMC verifies that they have. Its supply chain risk management and component inventory requirements align with SBOM practices for documenting and verifying software components.


Who it affects: Nonfederal organizations (primarily Department of Defense contractors) that process, store, or transmit Controlled Unclassified Information (CUI). Also relevant to organizations pursuing Cybersecurity Maturity Model Certification (CMMC) Level 2 or higher.


Overview

NIST Special Publication 800-171 Revision 3 (“Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”), published in May 2024, defines the security requirements that nonfederal organizations must implement to protect Controlled Unclassified Information (CUI). CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits to be safeguarded or disseminated using controls. Examples include controlled technical information, export-controlled data, and law enforcement sensitive information.

NIST SP 800-171 is most commonly encountered through Department of Defense (DoD) contracts. DFARS clause 252.204-7012 requires DoD contractors to implement NIST SP 800-171 (Rev 2 at the time of writing: DoD class deviation 2024-O0013, issued in May 2024, keeps Rev 2 in force under the clause until DoD adopts Rev 3), and the Cybersecurity Maturity Model Certification (CMMC) program uses 800-171 as the basis for its Level 2 assessment.

While NIST 800-171 does not explicitly use the term “SBOM,” Revision 3 introduced three new control families — including Supply Chain Risk Management — that create strong requirements for the kind of software component transparency that SBOMs provide.

Relationship to NIST SP 800-53

NIST SP 800-171 Rev 3 derives its controls from NIST SP 800-53 Rev 5, making 800-53 the “single authoritative source” for the underlying security requirements. Specifically, 800-171 Rev 3 controls are drawn from the 800-53 moderate control baseline defined in NIST SP 800-53B, tailored for nonfederal environments.

NIST SP 800-53 Rev 5
  Scope: Full security control catalog for federal systems
  Audience: Federal agencies
  Controls: 1,000+ controls and control enhancements across 20 families

NIST SP 800-171 Rev 3
  Scope: Protecting CUI in nonfederal systems
  Audience: DoD contractors and other nonfederal organizations
  Controls: 97 requirements across 17 families

NIST SP 800-172
  Scope: Enhanced requirements for high-value CUI
  Audience: CMMC Level 3 organizations
  Controls: 35 enhanced requirements

Understanding this hierarchy matters because some 800-53 controls highly relevant to SBOMs (such as SR-4, Provenance) were tailored out of 800-171 Rev 3 and so are not assessed under it directly, but may be required through DoD supplemental guidance or CMMC Level 3 (800-172) assessments.

Key Control Families Relevant to SBOMs

NIST 800-171 Rev 3 organizes its 97 requirements into 17 control families. Revision 3 added three new families that are particularly relevant to software supply chain security.

03.17 — Supply Chain Risk Management (New in Rev 3)

This family was added in Rev 3 to address the growing threat to software supply chains. It maps to the SR family in NIST SP 800-53.

03.17.01 — Supply Chain Risk Management Plan (maps to 800-53 SR-2)

Requires organizations to develop, review, and update a plan for managing supply chain risks across the system development life cycle, from acquisition through disposal. SBOMs are a practical implementation tool for the component visibility this plan requires.

03.17.02 — Acquisition Strategies, Tools, and Methods (maps to 800-53 SR-5)

Requires organizations to develop acquisition strategies that identify and mitigate supply chain risks. For software acquisitions, this increasingly means requiring SBOM delivery from vendors.

03.17.03 — Supply Chain Requirements and Processes (maps to 800-53 SR-3)

Requires establishing processes for identifying and addressing weaknesses in supply chain elements. The NIST discussion for this control explicitly mentions maintaining provenance — knowing where each component came from and ensuring it has not been tampered with. SBOMs provide exactly this component-level provenance documentation.

03.04 — Configuration Management

03.04.10 — System Component Inventory (maps to 800-53 CM-8, CM-8(1))

Requires developing and documenting an inventory of system components that accurately reflects the system and is updated as part of installations, removals, and system updates. The NIST discussion lists the information needed for accountability: hardware inventory specifications, software license information, software version numbers, component owners, and, for networked components, machine names and network addresses. At the application level, the software portion of this list (component name, version, supplier, license) is precisely what an SBOM documents.

03.04.08 — Authorized Software — Allow by Exception

Requires identifying the software programs authorized to execute on the system, implementing a deny-all, permit-by-exception policy, and reviewing and updating the authorized list at an organization-defined frequency. Comparing the components listed in an SBOM against that authorized list is a direct way to verify that what is deployed matches what was approved and to catch drift.

03.16 — System and Services Acquisition (New in Rev 3)

03.16.02 — Unsupported System Components

Requires replacing system components when support is no longer available from the developer, vendor, or manufacturer, and providing risk-mitigation options or alternative support for unsupported components that cannot be replaced. SBOMs enriched with lifecycle data (for example via the emerging Common Lifecycle Enumeration, CLE) make it possible to detect end-of-life and end-of-support components automatically rather than discovering them during an assessment.

03.16.03 — External System Services

Requires that providers of external system services comply with the organization’s security requirements. For software services, this can include requiring SBOMs as part of the vendor assessment process.

03.14 — System and Information Integrity

03.14.01 — Flaw Remediation

Requires identifying, reporting, and correcting system flaws, with security-relevant updates applied within defined timeframes. SBOMs enable this by providing the component inventory needed to match against vulnerability databases like the NVD and the CISA KEV catalog.

03.14.03 — Security Alerts, Advisories, and Directives

Requires receiving security alerts and advisories from external organizations on an ongoing basis. SBOMs make it possible to automatically correlate new advisories with your deployed components, rather than relying on manual cross-referencing.

CMMC and NIST 800-171

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s program for verifying that contractors have implemented the security requirements in NIST 800-171. The CMMC program rule (32 CFR Part 170) defines three levels:

  • Level 1 — 15 basic safeguarding requirements from FAR 52.204-21 (annual self-assessment)
  • Level 2 — the 110 requirements of NIST SP 800-171 Rev 2 (self-assessment or C3PAO certification assessment, depending on the contract)
  • Level 3 — Level 2 plus 24 selected NIST SP 800-172 enhanced requirements (government-led assessment by DIBCAC)

CMMC Level 2 assessments currently evaluate the 110 requirements of NIST SP 800-171 Rev 2 against the 320 assessment objectives in SP 800-171A Rev 2, because DoD class deviation 2024-O0013 keeps Rev 2 in force under DFARS 252.204-7012 until DoD adopts Rev 3. Once Rev 3 is adopted, assessments will move to the 422 determination statements in SP 800-171A Rev 3, and DoD-selected values for the Organization-Defined Parameters (ODPs) will fix the customizable fields in those controls. Contractors preparing now should map their evidence to both revisions.

Organizations preparing for CMMC should treat SBOM generation and management as supporting evidence for multiple controls, particularly 03.17.01 (Supply Chain Risk Management Plan), 03.04.10 (System Component Inventory), and 03.14.01 (Flaw Remediation).

Key Changes from Rev 2 to Rev 3

  • Control count: reduced from 110 to 97 requirements (but maps to 156 underlying 800-53 controls)
  • Three new families: Planning (03.15), System and Services Acquisition (03.16), Supply Chain Risk Management (03.17)
  • 33 controls withdrawn: various consolidations and removals
  • ODPs introduced: 88 Organization-Defined Parameters across 49 requirements, replacing vague terms like “periodically”
  • Assessment scope: 422 determination statements in SP 800-171A Rev 3, up from 320 assessment objectives in SP 800-171A Rev 2 (about 32% more)
  • 800-53 alignment: full alignment with 800-53 Rev 5; the “basic/derived” distinction is eliminated

The addition of the Supply Chain Risk Management family (03.17) is the most significant change for SBOM relevance. Rev 2 had no dedicated supply chain controls.

Practical Implications

For DoD Contractors

If you handle CUI as a DoD contractor:

  1. Implement a supply chain risk management plan (03.17.01) that includes SBOM generation and monitoring for your software products
  2. Maintain a software component inventory (03.04.10) using SBOMs as the authoritative source for application-level components
  3. Automate flaw remediation (03.14.01) by matching SBOM component identifiers (package URLs, not bare component names) against vulnerability databases and the CISA KEV catalog, and track fixes against the remediation timeframes your ODPs define
  4. Require SBOMs from your subcontractors as part of your acquisition strategy (03.17.02), ensuring supply chain transparency flows down
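The inventory-and-correlation loop behind steps 2 and 3 above, as an added Python example written for this page (it is not NIST’s, sbomify’s, or any vendor’s code). It parses a constructed CycloneDX JSON SBOM, builds the component inventory 03.04.10 calls for (name, version, identifier, licenses), and correlates each component by package URL against a constructed advisory list and a constructed end-of-support list, which also covers the 03.14.03 advisory correlation and 03.16.02 unsupported-component checks discussed earlier. The single advisory entry records a real, well-known vulnerability (CVE-2021-44228 in log4j-core, listed in the CISA KEV catalog) with a deliberately simplified affected range; the end-of-support entry records Python 2’s end of life on 2020-01-01. The SBOM contents, the feed record shapes, the `from`/`before` range fields, and the numeric version comparator are this example’s own assumptions.

```python
# Correlate a CycloneDX SBOM with an advisory feed and an end-of-support list. Illustrative code
# written for this page (not NIST's, sbomify's or any vendor's). SAMPLE_SBOM, ADVISORIES and EOL
# are constructed sample data so the script runs offline; a real pipeline pulls NVD/OSV and KEV.
import itertools
import json
import re
from datetime import date

# Constructed CycloneDX 1.5 document standing in for a product SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "metadata": {"component": {"type": "application", "name": "cui-portal", "version": "3.2.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "platform", "name": "python", "version": "2.7.18",
         "purl": "pkg:generic/python@2.7.18", "licenses": [{"license": {"id": "Python-2.0"}}]},
    ],
})

# Constructed feed with OSV-style ranges plus a KEV flag. Its one entry is the real Log4Shell
# vulnerability (CVE-2021-44228, in the CISA KEV catalog), simplified to the range [2.0, 2.15.0);
# the real advisory also lists backported fixes (2.12.2, 2.3.1) that production matching must honour.
ADVISORIES = [
    {"id": "CVE-2021-44228", "package": "maven/org.apache.logging.log4j/log4j-core",
     "from": "2.0", "before": "2.15.0", "in_kev": True},
]

# Constructed end-of-support list (03.16.02). Python 2.x reached end of life on 2020-01-01.
EOL = [{"package": "generic/python", "from": "2.0", "before": "3.0", "eol": "2020-01-01"}]


def parse_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath; qualifiers and subpath are dropped.
    'key' is type/namespace/name, which advisories are matched on (never the bare component name)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    rest = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, _, version = rest.rpartition("@") if "@" in rest else (rest, "", "")
    parts = path.strip("/").split("/")
    ns = "/".join(parts[1:-1])
    return {"type": parts[0], "namespace": ns, "name": parts[-1], "version": version,
            "key": "/".join(x for x in (parts[0], ns, parts[-1]) if x)}


def version_key(v: str) -> tuple:
    """Numeric tuple for ordering; pre-release tags such as '-beta9' are ignored. Good enough for
    this sample, but production code must use the ecosystem's own version comparator."""
    matches = (re.match(r"\d+", seg) for seg in v.split("."))
    return tuple(int(m.group()) for m in itertools.takewhile(lambda m: m is not None, matches))


def in_range(version: str, start: str, before: str) -> bool:
    """OSV semantics: start inclusive, before exclusive; tuples zero-padded to equal length."""
    keys = [version_key(version), version_key(start), version_key(before)]
    n = max(len(k) for k in keys)
    v, lo, hi = (k + (0,) * (n - len(k)) for k in keys)
    return lo <= v < hi


def inventory(sbom_json: str) -> list:
    """The 03.04.10 inventory: name, version, identifier and licenses for every component."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    comps = []
    for c in bom.get("components", []):
        parsed = parse_purl(c["purl"]) if c.get("purl") else {}
        licenses = [l.get("expression") or l.get("license", {}).get("id") or l.get("license", {}).get("name")
                    for l in c.get("licenses", [])]
        comps.append({"name": c["name"], "version": c.get("version") or parsed.get("version", ""),
                      "purl": c.get("purl"), "key": parsed.get("key"),
                      "licenses": [x for x in licenses if x]})
    return comps


def assess(sbom_json: str, advisories=ADVISORIES, eol=EOL, today=None) -> dict:
    """Map each component (by purl, else name) to its findings: vuln, eol, or unmatched when the
    SBOM entry has no purl and so cannot be correlated reliably (surfaced, not passed silently)."""
    today = today or date.today()
    findings = {}
    for comp in inventory(sbom_json):
        if comp["key"] is None:
            hits = [{"kind": "unmatched", "detail": "component has no purl"}]
        else:
            hits = [{"kind": "vuln", "id": a["id"], "in_kev": a["in_kev"]} for a in advisories
                    if a["package"] == comp["key"] and in_range(comp["version"], a["from"], a["before"])]
            hits += [{"kind": "eol", "since": e["eol"]} for e in eol
                     if e["package"] == comp["key"] and in_range(comp["version"], e["from"], e["before"])
                     and date.fromisoformat(e["eol"]) <= today]
        if hits:
            findings[comp["purl"] or comp["name"]] = hits
    return findings


if __name__ == "__main__":
    for ident, hits in assess(SAMPLE_SBOM).items():
        for hit in sorted(hits, key=lambda h: not h.get("in_kev", False)):  # KEV entries first
            print(ident, hit)
```

Three design points matter for an assessor’s view of this control set. Matching is done on the package URL’s type, namespace and name, not on the free-text component name, because the same name recurs across ecosystems and forks. Components with no purl are reported as unmatched rather than silently treated as clean, since an inventory entry that cannot be correlated is itself a gap under 03.04.10. The version comparator is the weakest part of any such script: the simplified range here would wrongly flag 2.12.2 and 2.3.1 (which carry backported fixes), so a production pipeline needs the full affected-version data from the advisory source and the ecosystem’s own version ordering, and should record its results in a VEX document or ticket that shows the ODP-defined remediation window being met.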

For Software Vendors to DoD Contractors

If you sell software to organizations that handle CUI:

  1. Be prepared to provide SBOMs in a standard format (CycloneDX or SPDX)
  2. Maintain vulnerability disclosure and response processes
  3. Provide component lifecycle information (end-of-support dates)

sbomify helps organizations meet these requirements by automating SBOM generation, enrichment, and vulnerability monitoring, with built-in distribution capabilities for sharing SBOMs with prime contractors and assessors. See our SBOM generation guides for language-specific instructions.

Frequently Asked Questions

What is NIST 800-171?

NIST Special Publication 800-171 is a set of security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Currently in Revision 3 (published May 2024), it contains 97 requirements across 17 control families. It is most commonly required through DoD contracts and the CMMC certification program.

Does NIST 800-171 require SBOMs?

NIST 800-171 Rev 3 does not explicitly use the term “SBOM.” However, several controls create requirements that SBOMs directly support: 03.04.10 requires a system component inventory including software names, versions, and license information; 03.17.03 requires maintaining provenance in supply chain processes; and 03.14.01 requires timely flaw remediation, which depends on knowing what software components are deployed. SBOMs are the practical tool for satisfying these requirements.

What is the difference between NIST 800-171 and NIST 800-53?

NIST SP 800-53 is the comprehensive security control catalog for federal information systems, containing over 1,000 controls across 20 families. NIST SP 800-171 is a derived subset of 97 requirements tailored for protecting CUI in nonfederal systems. 800-171 Rev 3 controls map directly to 800-53 Rev 5 controls from the moderate baseline.

What is CMMC and how does it relate to NIST 800-171?

CMMC (Cybersecurity Maturity Model Certification) is the DoD’s program for verifying that contractors have implemented NIST 800-171 requirements. CMMC Level 2 currently maps to the 110 requirements of NIST SP 800-171 Rev 2 and will move to Rev 3’s 97 requirements once DoD adopts that revision. Organizations seeking DoD contracts that involve CUI must meet Level 2 through either a self-assessment or a C3PAO certification assessment, as the solicitation specifies.

What changed in NIST 800-171 Rev 3?

The most significant changes include the addition of three new control families (Planning, System and Services Acquisition, and Supply Chain Risk Management), full alignment with NIST SP 800-53 Rev 5, the introduction of 88 Organization-Defined Parameters across 49 requirements, and an increase to 422 assessment determination statements. The new Supply Chain Risk Management family (03.17) is the most relevant addition for SBOM requirements.


Disclaimer: This page represents our interpretation of the referenced frameworks and standards. While we strive for accuracy, we may have made errors or omissions. This content is provided for informational purposes only and does not constitute legal advice. For compliance decisions, consult the official source documents and seek qualified legal counsel.
