NIST SP 800-171 is the backbone of CMMC Level 2. It defines 110 security practices organized into 14 control families that protect Controlled Unclassified Information (CUI). This checklist breaks down all 14 families, shows what's required, explains the difference between Rev 2 and Rev 3, and provides practical guidance for implementation and documentation.
What Is NIST SP 800-171?
NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) is a U.S. government standard that defines security requirements for protecting CUI handled by defense contractors, federal agencies, and other nonfederal organizations and systems.
CMMC Level 2 requires implementation of all 110 NIST 800-171 controls. Level 3 adds 61 additional controls from NIST SP 800-172. Understanding these control families is essential for CMMC compliance.
NIST 800-171 Rev 2 vs Rev 3: What Changed?
NIST released Revision 3 in December 2022 to align with emerging threats and cloud computing paradigms. Key differences:
Rev 2 (2015)
Original version with 110 controls focused on traditional on-premises infrastructure. Still widely used.
Rev 3 (2022)
Updated to address cloud services, supply chain risks, multi-factor authentication requirements, and zero-trust principles. CMMC assessors now use Rev 3.
Compatibility
Rev 3 is backward compatible with Rev 2. Organizations can meet Rev 3 requirements without major overhauls if Rev 2 controls are well-implemented.
14 Control Families: Complete Breakdown
1. Access Control (AC) — 22 Controls
Purpose: Limit system access to authorized individuals and processes.
Key Controls: User identification, authentication, least privilege, role-based access control (RBAC), separation of duties, access to CUI repositories.
Commonly Failed: AC-2 (account management), AC-5 (separation of duties).
2. Awareness and Training (AT) — 3 Controls
Purpose: Ensure personnel understand security responsibilities.
Key Controls: Security awareness training (annual minimum), role-based training, training documentation.
Commonly Failed: AT-1 (no documentation of annual training).
3. Audit and Accountability (AU) — 9 Controls
Purpose: Monitor, log, and investigate security events.
Key Controls: System audit logging, user activity monitoring, audit log protection, incident response procedures.
Commonly Failed: AU-2 (insufficient audit logging), AU-12 (logs not protected or retained).
4. Configuration Management (CM) — 9 Controls
Purpose: Maintain secure system configurations.
Key Controls: Baseline configurations, change management, configuration reviews, firmware security.
Commonly Failed: CM-3 (lack of formal change control process), CM-7 (ports and services not minimized).
5. Identification and Authentication (IA) — 11 Controls
Purpose: Verify user identity before granting access.
Key Controls: Multi-factor authentication (MFA), password policies, credential management, device authentication.
Commonly Failed: IA-5 (weak password policies), IA-2 (MFA not enforced for all users).
6. Incident Response (IR) — 3 Controls
Purpose: Detect, respond to, and recover from security incidents.
Key Controls: Incident detection procedures, incident handling, incident reporting to DoD.
Commonly Failed: IR-1 (no formal incident response plan).
7. Maintenance (MA) — 6 Controls
Purpose: Secure maintenance of systems and equipment.
Key Controls: Maintenance procedures, equipment removal, maintenance logs, tools security.
Commonly Failed: MA-4 (remote access not properly controlled), MA-7 (lack of maintenance tracking).
8. Media Protection (MP) — 9 Controls
Purpose: Secure physical and digital media containing CUI.
Key Controls: Media handling, secure disposal, encryption, transportation security.
Commonly Failed: MP-7 (CUI not encrypted on portable media), MP-6 (insecure media disposal).
9. Personnel Security (PS) — 2 Controls
Purpose: Manage employee security risks.
Key Controls: Role-based access training, access removal upon termination.
Commonly Failed: PS-4 (delayed access removal for terminated employees).
10. Physical and Environmental Protection (PE) — 6 Controls
Purpose: Protect facilities, equipment, and physical access to systems.
Key Controls: Facility access, visitor management, workstation use policies, equipment placement.
Commonly Failed: PE-3 (inadequate physical access controls), PE-4 (visitors not monitored).
11. Risk Assessment (RA) — 3 Controls
Purpose: Identify, analyze, and prioritize security risks.
Key Controls: Risk assessment processes, vulnerability scanning, risk remediation.
Commonly Failed: RA-5 (vulnerability assessments not documented or outdated).
12. Security Assessment and Authorization (CA) — 4 Controls
Purpose: Assess and authorize systems handling CUI.
Key Controls: Security assessment procedures, assessment documentation, remediation tracking.
Commonly Failed: CA-7 (continuous monitoring plan not implemented).
13. System and Communications Protection (SC) — 16 Controls
Purpose: Protect system communications and data in transit.
Key Controls: Encryption and other cryptographic protections, boundary protection, boundary traversal mechanisms, wireless security.
Commonly Failed: SC-7 (no firewall or boundary controls), SC-28 (CUI not encrypted at rest).
14. System and Information Integrity (SI) — 7 Controls
Purpose: Protect systems and information integrity.
Key Controls: Malware protection, security updates/patching, flaw remediation, information system monitoring.
Commonly Failed: SI-2 (patch management not documented or delayed), SI-3 (antivirus not enabled).
Control Family Summary Table
| Control Family | Abbreviation | Number of Controls | Primary Focus |
|---|---|---|---|
| Access Control | AC | 22 | User access, authorization, least privilege |
| Awareness & Training | AT | 3 | Employee security awareness |
| Audit & Accountability | AU | 9 | Event logging, monitoring |
| Configuration Management | CM | 9 | System baselines, change control |
| Identification & Authentication | IA | 11 | User identity verification, MFA |
| Incident Response | IR | 3 | Incident handling, reporting |
| Maintenance | MA | 6 | System maintenance, remote access |
| Media Protection | MP | 9 | Data encryption, secure disposal |
| Personnel Security | PS | 2 | Employee access management |
| Physical & Environmental Protection | PE | 6 | Facility access, physical security |
| Risk Assessment | RA | 3 | Risk identification, scanning |
| Security Assessment & Authorization | CA | 4 | Security assessments, authorization |
| System & Communications Protection | SC | 16 | Encryption, firewalls, boundaries |
| System & Information Integrity | SI | 7 | Malware protection, patching |
| TOTAL | | 110 | |
Top 10 Most Commonly Failed NIST 800-171 Controls
Highest Priority Controls
These controls are frequently failed during CMMC assessments. Focus remediation here first for maximum impact.
- SC-28: Protection of Information at Rest (Encryption) — CUI must be encrypted on all storage media. Most organizations lack comprehensive encryption coverage.
- IA-5: Authentication Mechanisms (Password/MFA) — Weak passwords and lack of multi-factor authentication remain the #1 vulnerability.
- CM-3: Configuration Change Control — Many organizations lack formal change management procedures.
- AU-2: Audit Logging — Systems aren't logging sufficient events for detection and investigation.
- AC-5: Separation of Duties — Critical accounts have excessive privileges without proper authorization controls.
- SI-2: Flaw Remediation (Patching) — Systems aren't patched promptly or lack patch management procedures.
- MA-4: Remote Maintenance Access — Remote access isn't properly logged, authenticated, or controlled.
- CA-7: Continuous Monitoring — No formal security monitoring or metrics collection in place.
- MP-7: Media Encryption — Portable devices and removable media lack encryption.
- PS-4: Personnel Security (Access Removal) — Terminated employees' access isn't promptly removed.
Control Implementation Evidence Requirements
For each NIST 800-171 control, you must provide evidence of implementation. Common evidence types include:
Policy and Procedure Documentation
Written policies defining the control requirement, responsibilities, and implementation procedures.
Configuration Evidence
Screenshots of system settings, firewall rules, access control lists (ACLs), or configuration management tools showing the control is enforced.
Logs and Monitoring Data
System logs, security event logs, audit trails, or monitoring dashboards demonstrating ongoing control effectiveness.
Training and Awareness Records
Training sign-off sheets, course completion certificates, or learning management system (LMS) records proving staff training.
Change Management Records
Change requests, approval workflows, and implementation logs showing controlled changes.
How to Use This Checklist for Self-Assessment
Follow this 6-step process:
- Review each control family — Understand the control objectives and requirements.
- Assess current state — For each control, determine if it's implemented, partially implemented, or missing.
- Identify gaps — Document controls that need work or new implementations.
- Prioritize remediation — Focus on high-impact controls first (see "Top 10 Commonly Failed" above).
- Document evidence — Collect and organize evidence for each implemented control.
- Prepare for assessment — Organize evidence into a CMMC-assessor-friendly format with clear references to each control.
Frequently Asked Questions
How long does it take to implement all 110 NIST 800-171 controls?
Typically 3–12 months depending on organizational maturity, budget, and existing security infrastructure. Organizations with strong security foundations can accelerate implementation.
Can I implement controls in a specific order?
Yes. Prioritize high-impact controls: access control, authentication, encryption, and logging. These address the most common vulnerabilities and provide maximum security benefit.
What's the cost of implementing all 110 controls?
Ranges from $50K (small organization with good security baseline) to $500K+ (large organization starting from scratch). Factor in tools, consulting, training, and staff time.
Can a single tool satisfy multiple NIST controls?
Absolutely. A unified security platform can address multiple controls simultaneously. For example, a modern identity management system can satisfy IA-2, IA-5, AC-2, and AU-12 controls.
Is NIST 800-171 compliance the same as CMMC Level 2?
CMMC Level 2 requires NIST 800-171 implementation, but adds maturity level assessment. You can be NIST 800-171 compliant without achieving CMMC Level 2 certification if practices lack maturity or documentation.
How often do controls need to be reviewed?
Annually at minimum. NIST recommends continuous monitoring for controls related to system access, logging, and vulnerability management. CMMC reassessment occurs every 3 years.