Fortinetics

NIST 800-171 vs 800-53: two catalogs, two audiences, one common confusion

Two NIST control catalogs that defense and cloud contractors constantly conflate. 800-171 defines requirements for protecting Controlled Unclassified Information in nonfederal systems — it underpins CMMC. 800-53 is the comprehensive control catalog for federal information systems — it underpins FedRAMP and DoD authorizations. They are derived from the same source but serve different worlds.

The short answer

It's not really a choice — it's about who you are. Nonfederal contractor protecting CUI → 800-171 (via CMMC). Federal system or cloud provider serving agencies → 800-53 (via FedRAMP or DoD CC SRG). 800-171 is a focused subset derived from 800-53 Moderate, tailored for the CUI-in-nonfederal-systems problem.

NIST SP 800-171

You are a defense contractor or supplier protecting CUI on your own (nonfederal) systems. NIST 800-171 — 110 controls in Rev 2 — is your standard, and CMMC is how it gets assessed.

NIST SP 800-53

You operate a federal information system or a cloud service consumed by federal agencies. NIST 800-53 is your catalog, applied via FedRAMP baselines (Low/Moderate/High) or DoD Impact Levels.

Side by side

| | NIST SP 800-171 | NIST SP 800-53 |
|---|---|---|
| Full title | Protecting CUI in Nonfederal Systems and Organizations | Security and Privacy Controls for Information Systems |
| Audience | Nonfederal organizations handling CUI (contractors, suppliers) | Federal information systems + cloud services serving agencies |
| Size | 110 controls (Rev 2), 14 families | Full catalog — 1,000+ controls and enhancements across 20 families |
| Assessed via | CMMC (C3PAO or self-assessment) | FedRAMP (3PAO) or DoD CC SRG |
| Relationship | A tailored subset derived from 800-53 Moderate | The source catalog 800-171 draws from |
| Current revision | Rev 2 (Rev 3 published; CMMC still on Rev 2) | Rev 5 |
| Baselines | Single set of 110 (Level 2) | Low / Moderate / High baselines |
| Privacy | Embedded in the 110 | Full PT family (since Rev 5) |

Same DNA, different problems

The confusion is understandable because 800-171 is genuinely derived from 800-53. When NIST built 800-171, it took the 800-53 Moderate baseline and tailored it down to the controls relevant to protecting CUI when it lives on a nonfederal system — a contractor's own infrastructure rather than a federal system.

That tailoring produced 110 focused controls (in Rev 2) instead of 800-53's full catalog of 1,000-plus controls and enhancements. The 110 are the ones that matter when the problem is "a defense contractor is storing CUI on their own systems and we need a defensible baseline." 800-53, by contrast, is the comprehensive catalog applied when the system is federal, or when a cloud service is being authorized for federal consumption.

So they share DNA but solve different problems. 800-171 is the CUI-in-nonfederal-systems standard. 800-53 is the federal-systems-and-cloud standard.

How they map to the frameworks you actually deal with

For a practitioner, the useful translation is which framework sits on which catalog.

NIST 800-171 → CMMC. CMMC Level 2 is the 110 NIST 800-171 Rev 2 controls, with the assessment and certification machinery layered on top. If you are a defense contractor pursuing CMMC, you are implementing 800-171. Our [NIST 800-171 framework page](/frameworks/nist-800-171/) covers this in depth.

NIST 800-53 → FedRAMP and DoD CC SRG. FedRAMP baselines (Low, Moderate, High) are 800-53 control selections with FedRAMP overlays. DoD Impact Levels add further 800-53-derived overlays (and, at IL5+, NSS controls from CNSSI 1253). If you are a cloud service provider seeking federal authorization, you are implementing 800-53.

A CSP that is also a defense supplier can end up touching both — 800-53 via FedRAMP for the cloud service, 800-171 via CMMC for the CUI it handles as a contractor. The controls overlap, but the assessment regimes are separate.

The Rev 3 question

One live wrinkle: NIST published 800-171 Rev 3, but CMMC Level 2 is still assessed against Rev 2. DoD staged the Rev 3 transition by publishing Organization-Defined Parameters ahead of formal rulemaking, and practitioner consensus now expects Rev 3 rulemaking in late 2026 to early 2027.

For now, build to Rev 2 — it is what C3PAOs assess against. But track the Rev 3 delta, because Tier-1 primes are starting to ask subs about Rev 3 readiness in pre-award evaluations even where Rev 2 remains the contractual baseline. Rev 3 adds three control families (Planning, System and Services Acquisition, Supply Chain Risk Management), aligning it more closely with 800-53 Rev 5 and narrowing the gap between the two catalogs. Our [Q2 2026 compliance landscape briefing](/insights/compliance-landscape-q2-2026-briefing/) tracks the rulemaking timeline.

Frequently asked

NIST 800-171 vs 800-53 — common questions.

What is the difference between NIST 800-171 and 800-53?

NIST 800-171 defines 110 controls (Rev 2) for protecting Controlled Unclassified Information on nonfederal systems — it's the basis of CMMC and applies to defense contractors. NIST 800-53 is the comprehensive control catalog (1,000+ controls and enhancements) for federal information systems and cloud services — it's the basis of FedRAMP and DoD authorizations. 800-171 is actually a tailored subset derived from the 800-53 Moderate baseline, focused on the CUI-in-nonfederal-systems problem.

Is NIST 800-171 part of 800-53?

Derived from, not part of. NIST built 800-171 by taking the 800-53 Moderate baseline and tailoring it down to the controls relevant to protecting CUI when it resides on a nonfederal (contractor) system. The result is 110 focused controls instead of 800-53's full catalog. They share underlying control DNA but are published and applied separately for different audiences.

Which one applies to my company — 800-171 or 800-53?

If you're a defense contractor or supplier protecting CUI on your own systems, NIST 800-171 applies, and CMMC is how it's assessed. If you operate a federal information system or a cloud service consumed by federal agencies, NIST 800-53 applies, via FedRAMP baselines or DoD Impact Levels. A company that is both a cloud provider and a defense supplier can touch both — 800-53 for the cloud service, 800-171 for the CUI it handles.

Does CMMC use 800-171 or 800-53?

CMMC Level 2 uses NIST 800-171 — specifically the 110 Rev 2 controls. CMMC is essentially the assessment and certification machinery built on top of 800-171. FedRAMP and DoD Cloud Computing SRG, by contrast, use NIST 800-53. So a defense contractor pursuing CMMC is implementing 800-171; a cloud provider pursuing FedRAMP is implementing 800-53.

Should we implement 800-171 Rev 2 or Rev 3?

For CMMC, build to Rev 2 — it's what C3PAOs assess against through at least the first wave of Phase 2 enforcement. NIST has published Rev 3 and DoD staged the transition by releasing Organization-Defined Parameters, with rulemaking expected late 2026 to early 2027. Track the Rev 3 delta (it adds three control families aligning with 800-53 Rev 5), but don't redesign your environment for it yet — Rev 2 is the current assessable baseline.
Not sure which fits your situation?

Book a scoping call.

Thirty minutes. We'll walk through your target, your current posture, and which path — or which combination — actually fits. If the answer is "neither yet," we'll say so.
