NIST Special Publication 800-171 (aka SP 800-171 or NIST 171) provides recommendations and requirements that organizations must follow to ensure the confidentiality of controlled unclassified information (CUI) that they obtain when working as supply chain contractors on Federal contracts. NIST 171 is related to the broader Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
DFARS stipulates that defense contractors must use the recommended procedures in NIST SP 800-171 to show that they can secure the defense CUI that they hold under their contracts. All businesses and organizations working as part of a DoD, GSA, NASA, or other Federal agency supply chain must implement SP 800-171 (and possibly the enhanced SP 800-172, depending on the project or contract they are working on).
The current Cybersecurity Maturity Model Certification (CMMC) 2.0 specification adopts the requirements outlined in NIST SP 800-171. The new CMMC 2.0 Level 2 certification maps to the 110 practices in NIST SP 800-171.