
What Do the 110 NIST 800-171 Controls Really Mean?

May 02, 2025 · 4 min read

Struggling to make sense of the 110 NIST 800-171 controls required for CMMC Level 2 compliance? You’re not alone. Most defense contractors and manufacturers feel overwhelmed when trying to interpret technical government language and apply it to their real-world environments.

In this article, we break it all down in plain English—so you can stop spinning your wheels and start getting compliant with confidence.


What Is NIST 800-171 and Why Does It Matter?

NIST SP 800-171 (Rev. 2) is the foundation for CMMC Level 2 compliance. It outlines 110 cybersecurity controls across 14 families that contractors must implement to protect Controlled Unclassified Information (CUI).

If you’re a DoD contractor or subcontractor handling CUI—or even might handle it—you’re contractually obligated under DFARS clause 252.204-7012 to implement NIST 800-171.

Your SPRS score is based on how many of these 110 controls you’ve properly implemented. And yes—the Department of Defense expects that you’ve already done the work and absorbed the cost.


Control Family Highlights (Explained in Plain English)

Here’s a breakdown of key control families that trip up most contractors—and how to tackle them without losing your mind.


Access Control

Main idea: Only the right people should have access to the right information—and nothing more.

  • Use individual user accounts (no shared logins)

  • Implement role-based permissions

  • Enforce least privilege access

  • Lock down access to CUI by person, device, and job function

Shared shop-floor accounts are one of the top reasons manufacturers fail their CMMC assessments.
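As an added illustration of how a shared login shows up in the evidence an assessor will ask for (example code, not from the original article): the check below walks a constructed set of logon events and flags any account seen on several different machines within a short window. The log format, account names and hostnames are all invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of interactive logon events as "timestamp user host";
# the format, account names and hostnames are invented for this example.
SAMPLE_LOGONS = """\
2025-05-02T07:58:10 shopfloor CNC-01
2025-05-02T08:01:44 shopfloor CNC-02
2025-05-02T08:03:09 shopfloor CNC-03
2025-05-02T08:05:00 jsmith ENG-WS-07
2025-05-02T12:30:00 jsmith ENG-WS-07
2025-05-02T15:45:12 mlee QA-WS-02
2025-05-03T09:10:00 mlee QA-WS-05
"""

def parse_logons(text):
    """Yield (timestamp, user, host) for each non-empty line of the sample."""
    for line in text.splitlines():
        if line.strip():
            ts, user, host = line.split()
            yield datetime.fromisoformat(ts), user, host

def find_shared_accounts(text, window=timedelta(minutes=30), min_hosts=2):
    """Return {user: sorted hosts} for every account that logged on from at
    least min_hosts distinct machines inside any window-long span.
    One person moving between two desks over a day is not flagged; one name
    appearing on three CNC stations within minutes is."""
    by_user = defaultdict(list)
    for ts, user, host in parse_logons(text):
        by_user[user].append((ts, host))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged
```

Run against a real export of logon events, the flagged list is the set of accounts you either need to retire or explain in the SSP.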


Awareness & Training

Main idea: Everyone on your team must be trained on cybersecurity and CUI risks specific to their role.

  • Deliver role-based training

  • Document completion (e.g., save PDFs from DoD’s CUI training site)

  • Maintain audit logs showing who took what training and when


Audit & Accountability

Main idea: Log everything—and make sure no one can erase those logs.

  • Enable logging on servers, firewalls, switches, and endpoints

  • Use a SIEM system to aggregate and protect logs

  • Retain logs for at least 90 days (preferably 1 year)

Without proper logging, you can’t prove what happened—or didn’t happen—after an incident.
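One way to make "no one can erase those logs" something you can actually check, as an added example rather than anything from the article: each audit record carries the hash of the record before it, so an edited or deleted record breaks the chain, and comparing the final hash against a copy held elsewhere (such as on the SIEM) also catches a silently truncated tail. Event fields and values are constructed.

```python
import copy
import hashlib
import json
GENESIS = "0" * 64  # link value carried by the first record

def _link(prev, entry):
    body = json.dumps(entry, sort_keys=True)  # canonical form of the event
    return hashlib.sha256((prev + body).encode()).hexdigest()

def chain_entries(entries):
    """Wrap each event with the hash of the record before it, so editing,
    reordering or deleting an interior record breaks verification."""
    chained, prev = [], GENESIS
    for e in entries:
        digest = _link(prev, e)
        chained.append({"prev": prev, "entry": e, "hash": digest})
        prev = digest
    return chained

def verify_chain(chained, expected_head=None):
    """(True, n) if all n links verify, else (False, i) at the first bad record.
    expected_head: final hash kept off-box (e.g. on the SIEM); without it a cut tail passes."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        if rec["prev"] != prev or rec["hash"] != _link(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chained)
    return True, len(chained)

SAMPLE_EVENTS = [  # constructed sample audit events; fields and values are invented
    {"ts": "2025-05-02T08:00:00", "user": "jsmith", "action": "open", "object": "CUI/drawing-118.pdf"},
    {"ts": "2025-05-02T08:02:31", "user": "jsmith", "action": "copy", "object": "CUI/drawing-118.pdf"},
    {"ts": "2025-05-02T08:05:09", "user": "admin", "action": "clear_log", "object": "Security"},
]

def tamper_results():
    """Chain the sample, apply three tampering attempts, report what verifies."""
    log = chain_entries(SAMPLE_EVENTS)
    head = log[-1]["hash"]                 # the copy that would live on the SIEM
    edited = copy.deepcopy(log)
    edited[1]["entry"]["action"] = "view"  # record altered in place
    return {
        "intact": verify_chain(log, head),
        "deleted": verify_chain([log[0], log[2]], head),  # interior record removed
        "edited": verify_chain(edited, head),
        "truncated_no_head": verify_chain(log[:2]),       # tail cut; chain alone passes
        "truncated_with_head": verify_chain(log[:2], head),
    }
```

The "truncated_no_head" case is the reason the article pairs logging with a SIEM: the chain proves integrity of what is present, and only an off-box copy of the latest hash proves nothing was lopped off the end.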


Configuration Management

Main idea: Know what your “approved” systems look like—and detect any changes.

  • Define and document baseline configurations for systems

  • Avoid vendor default settings

  • Track changes and verify system compliance regularly


Identification & Authentication

Main idea: Know who is logging in and make sure it’s really them.

  • Use strong passwords

  • Enforce multi-factor authentication (MFA) for CUI access, admin activity, and remote work

  • Avoid exceptions, even for local file servers or internal tools


Incident Response

Main idea: Be ready to detect, contain, and report cybersecurity incidents—fast.

  • Write and test your Incident Response Plan

  • Report incidents within 72 hours via the DoD’s cyber reporting portal

  • Secure a Medium Assurance Certificate before you need it

Treat even potential threats (like compromised email accounts) as incidents—because the DoD might.


Maintenance & Media Protection

Maintenance: Track patches, updates, and repairs.
Media Protection: Encrypt and secure CUI wherever it lives.

  • Patch all systems regularly—including switches, firewalls, and mobile devices

  • Use FIPS 140-2 validated encryption for CUI at rest and in transit

  • Physically secure printed documents, USB drives, and shared tools


Personnel Security & Physical Protection

Main idea: Screen your people and protect your buildings.

  • Perform background checks and define screening standards

  • Secure CUI storage areas with locks, access logs, and visitor logs

  • Track keys, proximity cards, and other access devices


Risk Assessment vs. Security Assessment

Risk Assessment: Identify vulnerabilities before attackers do.
Security Assessment: Confirm that your controls are still working.

  • Run monthly or quarterly vulnerability scans

  • Regularly review your System Security Plan (SSP) and associated policies

  • Update security settings when systems or users change


The Number One Reason Companies Fail CMMC Assessments

It’s not technical—it’s documentation.

You could implement every control perfectly, but if you don’t document it, you’ll fail. Assessors need to see:

  • Lists of authorized users and devices

  • Proof of enforcement (such as screenshots or system exports)

  • Policies, procedures, and audit trails that match your SSP

"You can do everything right, but if you haven’t documented it—no soup for you."
That Seinfeld reference says it all.


Do It Right, Sleep Better

Yes, 110 controls can feel overwhelming—but taken one step at a time, they’re manageable.

Implement them with intention, document everything, and revisit often. Not only will you pass your CMMC assessment—you’ll actually be protected against the kinds of threats that keep DoD leadership up at night.
