Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

Understanding the 110 NIST 800-171 Controls for CMMC Level 2

CMMC Level 2 requires implementing all 110 security controls from NIST Special Publication 800-171 Revision 2. These controls represent a comprehensive security program designed to protect Controlled Unclassified Information. Understanding how the controls are organized, which ones present the greatest challenges, and how to approach implementation systematically is essential for certification success.

CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s mandatory cybersecurity program for defense contractors.

CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.

This guide provides an advanced look at the 110 controls and strategies for tackling them effectively.

How the 110 Controls Are Organized

The controls are organized into 14 families, each addressing a different aspect of security:

FamilyCodeControlsFocus Area
Access ControlAC22Who can access what
Awareness and TrainingAT3Security education
Audit and AccountabilityAU9Logging and monitoring
Configuration ManagementCM9System configuration
Identification and AuthenticationIA11Verifying identity
Incident ResponseIR3Handling security events
MaintenanceMA6System upkeep
Media ProtectionMP9Storage media security
Personnel SecurityPS2Human element
Physical ProtectionPE6Facility security
Risk AssessmentRA3Identifying risks
Security AssessmentCA4Evaluating controls
System and Communications ProtectionSC16Network and data protection
System and Information IntegritySI7System security

The families with the most controls—Access Control (22), System and Communications Protection (16), and Identification and Authentication (11)—typically require the most implementation effort.

Control Weighting in SPRS Scoring

Not all controls are weighted equally in SPRS scoring. The DoD Assessment Methodology assigns point values:

SPRS stands for Supplier Performance Risk System—the DoD database where contractors report compliance scores.

5-Point Controls (Most Critical)

These controls address fundamental security capabilities. Missing them significantly impacts your score:

  • AC.L2-3.1.1: Limit system access to authorized users
  • AC.L2-3.1.2: Limit system access to authorized functions
  • AC.L2-3.1.20: Verify and control external system connections
  • IA.L2-3.5.1: Identify system users and processes
  • IA.L2-3.5.2: Authenticate users and processes
  • SC.L2-3.13.1: Monitor and control communications at boundaries
  • SC.L2-3.13.2: Employ architectural designs for security
  • SI.L2-3.14.1: Identify and correct system flaws
  • SI.L2-3.14.2: Provide protection from malicious code

3-Point Controls (Important)

Most controls fall into this category, representing significant but not critical security functions.

1-Point Controls (Supporting)

Some controls are weighted lower, representing supporting functions that enhance but are not critical to security.

Scoring Impact

A perfect score is 110. Failing to implement controls deducts their point value:

  • Missing one 5-point control: Score of 105
  • Missing three 5-point controls: Score of 95
  • Missing ten 3-point controls: Score of 80

For conditional certification, you need a minimum score of 80 (88 or higher recommended). Understanding point values helps prioritize remediation.

The Most Challenging Control Families

Based on assessment data and implementation experience, certain families consistently present greater challenges:

Access Control (AC) – 22 Controls

Access Control has the most controls and touches nearly every system.

Key challenges:

  • AC.L2-3.1.5 (Least privilege): Requires reviewing and limiting all user permissions
  • AC.L2-3.1.7 (Privileged functions): Preventing non-privileged users from executing privileged functions
  • AC.L2-3.1.12 (Remote access monitoring): Monitoring and controlling all remote sessions
  • AC.L2-3.1.17 (Wireless access protection): Securing all wireless connections

Implementation strategy:

  • Conduct a comprehensive access review across all systems
  • Document access authorization for each user
  • Implement role-based access control where possible
  • Use privileged access management (PAM) tools for administrative accounts

Audit and Accountability (AU) – 9 Controls

Logging requirements demand significant infrastructure.

Key challenges:

  • AU.L2-3.3.1 (System auditing): Logging all required event types
  • AU.L2-3.3.2 (User accountability): Tracing actions to individual users
  • AU.L2-3.3.5 (Audit correlation): Correlating logs across systems

Implementation strategy:

  • Deploy a SIEM or a centralized logging solution
  • Configure all systems to generate required logs
  • Establish log review procedures
  • Retain logs for the required period (typically 1+ year)

SIEM stands for Security Information and Event Management—software that collects and analyzes security logs.

System and Communications Protection (SC) – 16 Controls

Network and encryption requirements require technical expertise.

Key challenges:

  • SC.L2-3.13.1 (Boundary protection): Monitoring all network boundaries
  • SC.L2-3.13.8 (Data-in-transit encryption): Encrypting CUI in transit
  • SC.L2-3.13.11 (CUI encryption): Encrypting CUI at rest
  • SC.L2-3.13.16 (Data-at-rest confidentiality): Protecting stored CUI

Implementation strategy:

  • Deploy properly configured firewalls at all boundaries
  • Implement FIPS-validated encryption for CUI
  • Segment CUI systems from the general network
  • Use encrypted protocols for all CUI transmission

FIPS stands for Federal Information Processing Standard—government standards for cryptographic security.

Identification and Authentication (IA) – 11 Controls

Identity controls require comprehensive implementation across all access points.

Key challenges:

  • IA.L2-3.5.3 (Multi-factor authentication): MFA for network and privileged access
  • IA.L2-3.5.10 (Cryptographic authentication): Replay-resistant authentication
  • IA.L2-3.5.11 (Identifier reuse prevention): Managing identifiers across systems

Implementation strategy:

  • Deploy MFA for all CUI system access
  • Use authenticator apps or hardware tokens (not SMS)
  • Implement consistent identity management across systems
  • Document authentication requirements and exceptions

Controls That Require Organizational Change

Some controls cannot be solved with technology alone—they require process and cultural changes:

AT.L2-3.2.1 through 3.2.3 (Awareness and Training)

Training must reach all personnel and be role-specific. This requires:

  • Training program development or acquisition
  • Time allocation for training completion
  • Ongoing awareness reinforcement
  • Documentation and tracking

IR.L2-3.6.1 through 3.6.3 (Incident Response)

Incident response requires organizational capability, not just a document:

  • Designated response personnel
  • Tested procedures
  • Communication channels
  • Evidence preservation capability

PS.L2-3.9.1 and 3.9.2 (Personnel Security)

Personnel controls require HR process changes:

  • Background screening before CUI access
  • Timely access termination procedures
  • Coordination between HR, IT, and security

CA.L2-3.12.1 through 3.12.4 (Security Assessment)

Self-assessment and continuous monitoring require ongoing commitment:

  • Regular control evaluation
  • POA&M management
  • Remediation tracking
  • Continuous improvement

POA&M stands for Plan of Action and Milestones—documenting security gaps and remediation plans.

Implementation Sequencing Strategy

Not all controls should be implemented simultaneously. A strategic sequence improves efficiency:

Phase 1: Foundation (Months 1-3)

Establish core capabilities that other controls depend on:

  • Identity and authentication infrastructure
  • Basic access control framework
  • Logging infrastructure
  • Endpoint protection

Phase 2: Protection (Months 3-6)

Implement protective controls:

  • Encryption (at rest and in transit)
  • Network segmentation and boundary protection
  • Configuration management
  • Malware protection

Phase 3: Detection and Response (Months 6-9)

Build detection and response capabilities:

  • SIEM deployment and configuration
  • Log review processes
  • Incident response procedures
  • Vulnerability management

Phase 4: Management and Governance (Months 9-12)

Formalize management controls:

  • Policy and procedure documentation
  • Training program implementation
  • Risk assessment processes
  • Continuous monitoring

Phase 5: Validation (Months 12-15)

Validate implementation and prepare for assessment:

  • Internal assessment against all controls
  • Evidence collection and organization
  • Gap remediation
  • Readiness assessment

Common Control Dependencies

Some controls depend on others being implemented first:

Log Review Requires Logging

AU.L2-3.3.3 (Review logged events) cannot be implemented until AU.L2-3.3.1 (Create audit logs) is complete.

Incident Response Requires Detection

IR.L2-3.6.1 (Incident handling) requires logging and monitoring capabilities to detect incidents.

Access Reviews Require Access Control

CA.L2-3.12.1 (Assess security controls) requires controls to exist before they can be assessed.

Training Requires Policies

AT.L2-3.2.1 (Security awareness) should reference policies that must exist first.

Map dependencies before beginning implementation to avoid rework.

Controls Requiring External Resources

Some controls may require resources beyond internal capability:

Vulnerability Scanning (RA.L2-3.11.2)

Requires vulnerability scanning tools or services. Options:

  • Commercial scanning tools (Nessus, Qualys, Rapid7)
  • Managed vulnerability scanning services
  • Open-source alternatives for budget constraints

Penetration Testing (CA.L2-3.12.1)

While not explicitly required, a thorough security assessment may include penetration testing:

  • Third-party penetration testing services
  • Qualified internal resources (if available)

Forensic Capability (IR.L2-3.6.1)

Evidence collection and analysis may require:

  • Forensic tools and training
  • Retainer with an incident response firm
  • Cyber insurance with IR services

Documentation Requirements Across Controls

Every control requires documentation demonstrating implementation:

Policy Documentation

Each control family should have a policy coverage establishing organizational requirements.

Procedure Documentation

Operational controls need step-by-step procedures.

Configuration Documentation

Technical controls need configuration evidence showing the settings.

Operational Evidence

Ongoing controls need records of activities (log reviews, training completion, assessments).

Plan documentation effort as part of implementation—it typically represents 30-40% of total effort.

Key Takeaways

The 110 NIST SP 800-171 controls represent a comprehensive security program organized into 14 families. Controls are weighted differently for SPRS scoring, with 5-point controls being most critical for achieving passing scores.

Access Control, Audit and Accountability, System and Communications Protection, and Identification and Authentication typically present the greatest implementation challenges. Some controls require organizational change, not just technology.

Sequence implementation strategically, address dependencies, and plan for significant documentation effort. Understanding the full scope of Level 2 helps you plan realistically and implement effectively.

Related Articles:

Official Sources: This article is based on NIST SP 800-171 Revision 2, NIST SP 800-171A, and the DoD CMMC Assessment Methodology.

Level 2 is complex, but you do not have to figure it out alone. Contact Greypike for expert guidance through all 110 controls. If you are starting your compliance journey, begin with Level 1—Obolix covers all 15 Level 1 requirements and gets you compliant in a week or less, building your foundation for Level 2.

Table of Contents