NIST SP 800-171 is the rulebook behind CMMC Level 2: 110 security controls, organized into 14 families, that together define how to protect Controlled Unclassified Information in a non-government system.
What it is
Published by the National Institute of Standards and Technology, Special Publication 800-171 specifies the safeguards a contractor must apply to CUI. CMMC Level 2 assesses you against Revision 2 of the standard — its 110 controls and the 320 assessment objectives detailed in the companion document, NIST SP 800-171A.
The 14 control families
| Family | Controls | Focus |
|---|---|---|
| Access Control | 22 | Who can reach what |
| Awareness & Training | 3 | People know the risks |
| Audit & Accountability | 9 | Logging and traceability |
| Configuration Management | 9 | Hardened, controlled systems |
| Identification & Authentication | 11 | Proving who users are (incl. MFA) |
| Incident Response | 3 | Detect, report, recover |
| Maintenance | 6 | Safe system upkeep |
| Media Protection | 9 | Protecting CUI on media |
| Personnel Security | 2 | Screening and offboarding |
| Physical Protection | 6 | Facility and device access |
| Risk Assessment | 3 | Finding and ranking risk |
| Security Assessment | 4 | Checking your own controls |
| System & Communications Protection | 16 | Network boundaries, encryption |
| System & Information Integrity | 7 | Patching, malware defense, monitoring |
14 families, 110 controls total.
A note on Revision 3
NIST released Revision 3 of 800-171 in 2024, which reorganizes the controls. However, CMMC currently assesses against Revision 2 — DoD will transition to Rev 3 through future rulemaking with advance notice. Build to Rev 2 today, and keep an eye on the transition.
From control list to compliance
Meeting 800-171 isn't just turning on settings — it's implementing each control, documenting how in your System Security Plan, proving it with evidence, and tracking any gaps in a POA&M. We map your environment against all 110, score it, and hand you the roadmap to close the rest.
Mapped against all 110?
Our gap assessment scores every control and shows you exactly which ones to fix first.