Which framework serves as the baseline for protecting CDI where applicable?

Protecting CDI in applicable DoD contexts relies on a concrete set of security controls designed for nonfederal environments. NIST SP 800-171 provides that baseline: it specifies 110 security requirements organized into 14 families (covering areas like access control, incident response, configuration management, and risk assessment) to safeguard controlled unclassified information when it resides outside federal systems. This framework was established for DoD contracting and aligns with relevant DFARS clauses, making it the go-to baseline for protecting CDI where applicable. The other frameworks are broader or targeted to different domains—ISO/IEC 27001 focuses on management systems, COBIT on governance, and PCI-DSS on payment card data—so they don’t serve as the DoD baseline for CDI protection.