
NIST 800-171 compliance

Disclaimer: Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program.

Last updated: November 2025

NIST SP 800-171 Revision 2 specifies 110 security requirements across 14 control families for protecting Controlled Unclassified Information (CUI) in non-federal systems. Defense and other government contractors that handle CUI must keep that CUI within systems that implement these 110 security requirements and remain under contractor control.

warning

NIST 800-171 applies only to systems that store, process, or transmit CUI. Not all code is CUI. You must assess each repository to determine whether it contains CUI. Commercial software, internal tools, and projects unrelated to government contracts typically do not contain CUI.

Contractor-controlled systems defined: Under NIST 800-171, contractor-controlled systems are information systems that are owned, operated, and maintained by the contractor (not the government), where the contractor implements all required security controls and maintains full administrative access. This includes on-premises infrastructure in contractor facilities and contractor-managed cloud infrastructure where the contractor implements the 110 NIST 800-171 security requirements. Standard commercial cloud services (GitHub.com, GitLab.com, Azure DevOps Services) where the service provider controls security configurations generally do not meet the definition of contractor-controlled for CUI.

When Semgrep scans your source code, it analyzes code for security vulnerabilities and policy violations. If your code does not contain CUI, NIST 800-171 requirements do not apply to code scanning.

For repositories that do not contain CUI, Semgrep may help with your overall security posture:

  • 3.14.1 (flaw remediation): SAST scanning detects security weaknesses in code. Audit logs document vulnerability detection and remediation timelines.

  • 3.5.10 (authenticator management): Secrets detection helps keep hardcoded credentials, which would grant unauthorized access to anyone who reads the code, from reaching production.

  • 3.3.1 (audit record creation): Audit logs document security scanning activity and findings with timestamps and user attribution.

  • 3.4.7 (least functionality): Policy enforcement can help block vulnerable code at the pull request level. When properly configured with your CI/CD system, Semgrep can enforce security policies on every code change. For details on configuration, contact the Semgrep team.

Deployment requirements for CUI

If your code contains CUI, your Semgrep deployment must keep CUI within contractor-controlled systems that implement all 110 NIST 800-171 security requirements. Currently the only Semgrep deployment that supports this is the Semgrep CLI. The CLI runs entirely on local systems when you invoke semgrep scan with locally stored rules and without logging in to Semgrep AppSec Platform; semgrep ci, or any CLI run that is logged in, uploads findings to Semgrep's hosted platform, which is not contractor-controlled, so do not use it on CUI repositories. If the local systems running the CLI are contractor-controlled and implement all 110 NIST 800-171 requirements, CLI deployment keeps CUI within compliant systems.
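As an added example, not code from the Semgrep documentation or from Semgrep's own tooling, the following POSIX shell wrapper refuses to start a scan unless the rule source is a local path and no Semgrep AppSec Platform credentials are present, then runs the CLI with the flags that stop it from contacting Semgrep. Because it exits non-zero when findings exist, a self-hosted CI job can use it to block a merge request, which is the enforcement point the 3.4.7 item above describes. The ./rules and results.json paths, the LOCAL_SCAN_DRY_RUN switch and the function names are illustrative assumptions; --config, --metrics=off, --disable-version-check, --error, --json and --output are real semgrep CLI options, and SEMGREP_APP_TOKEN and ~/.semgrep/settings.yml are where the CLI reads platform credentials.

```shell
#!/bin/sh
# Added example (not from the Semgrep docs or Semgrep's own tooling): run the
# Semgrep CLI so that a scan of a CUI repository stays on the local host.
# Assumptions for illustration: rules live in a local directory such as
# ./rules, results go to a local JSON file, and LOCAL_SCAN_DRY_RUN=1 prints
# the command instead of executing it.
set -eu

# Accept only a rule source that is a local file or directory. Registry
# shorthands (p/..., r/..., auto) and URLs are fetched over the network.
config_is_local() {
  case "$1" in
    http://*|https://*|p/*|r/*|auto) return 1 ;;
    *) [ -e "$1" ] ;;
  esac
}

# Refuse to run if the CLI could upload findings to Semgrep AppSec Platform:
# either SEMGREP_APP_TOKEN is set, or `semgrep login` has saved an api_token
# in the default settings file.
no_platform_credentials() {
  [ -z "${SEMGREP_APP_TOKEN:-}" ] || return 1
  ! grep -qs 'api_token' "${HOME}/.semgrep/settings.yml"
}

# Run the scan with the flags that keep the CLI from calling home:
#   --metrics=off            do not send usage metrics to Semgrep
#   --disable-version-check  do not contact Semgrep to look for a newer CLI
#   --error                  exit 1 when findings exist, so a self-hosted CI
#                            job can block the merge request
# Returns 2 for a non-local rule source and 3 if platform credentials exist.
run_local_scan() {
  rules=$1; out=$2; target=${3:-.}
  config_is_local "$rules" || {
    echo "refusing non-local rule source: $rules" >&2; return 2; }
  no_platform_credentials || {
    echo "refusing to scan: Semgrep AppSec Platform credentials present" >&2
    return 3; }
  set -- scan --config "$rules" --metrics=off --disable-version-check \
    --error --json --output "$out" "$target"
  if [ "${LOCAL_SCAN_DRY_RUN:-0}" = 1 ]; then
    echo "semgrep $*"
  else
    semgrep "$@"
  fi
}

# Usage: ./local_scan.sh ./rules results.json .
[ $# -eq 0 ] || run_local_scan "$@"
```

Rules fetched from the Semgrep Registry with --config p/... download only the rules, not your code, but an air-gapped CUI host cannot reach the registry at all, so the wrapper insists on a local copy of the rules as the only network-free option.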

Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.
