NIST itself is not universally mandatory. However, it becomes mandatory when incorporated into federal contracts, regulatory expectations, or customer cybersecurity requirements. Organizations handling CUI under federal contracts must comply with NIST SP 800-171. Federal agencies and system operators often align to NIST SP 800-53. Many private-sector organizations voluntarily adopt the NIST CSF to demonstrate cybersecurity maturity. Once a requirement has been flowed down through a contract, the obligation is contract-driven, not voluntary.