NIST SP 800-171
External service providers that process, store or transmit Controlled Unclassified Information (CUI) or Covered Defense Information belonging to the U.S. federal government must safeguard that CUI. These nonfederal service providers include contractors, subcontractors and service providers. Additionally, CUI is often provided to, or shared with, state and local governments, colleges and universities, and independent research organizations. NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, defines the type of security requirements service providers are likely to be contractually obligated to meet to safeguard CUI confidentiality.