Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
Understanding the 110 NIST 800-171 Controls for CMMC Level 2
CMMC Level 2 requires implementing all 110 security controls from NIST Special Publication 800-171 Revision 2. These controls represent a comprehensive security program designed to protect Controlled Unclassified Information. Understanding how the controls are organized, which ones present the greatest challenges, and how to approach implementation systematically is essential for certification success.
CMMC stands for Cybersecurity Maturity Model Certification—the DoD’s mandatory cybersecurity program for defense contractors.
CUI stands for Controlled Unclassified Information—sensitive government data requiring protection but not classified as secret.
This guide provides an advanced look at the 110 controls and strategies for tackling them effectively.
How the 110 Controls Are Organized
The controls are organized into 14 families, each addressing a different aspect of security:
| Family | Code | Controls | Focus Area |
|---|---|---|---|
| Access Control | AC | 22 | Who can access what |
| Awareness and Training | AT | 3 | Security education |
| Audit and Accountability | AU | 9 | Logging and monitoring |
| Configuration Management | CM | 9 | System configuration |
| Identification and Authentication | IA | 11 | Verifying identity |
| Incident Response | IR | 3 | Handling security events |
| Maintenance | MA | 6 | System upkeep |
| Media Protection | MP | 9 | Storage media security |
| Personnel Security | PS | 2 | Human element |
| Physical Protection | PE | 6 | Facility security |
| Risk Assessment | RA | 3 | Identifying risks |
| Security Assessment | CA | 4 | Evaluating controls |
| System and Communications Protection | SC | 16 | Network and data protection |
| System and Information Integrity | SI | 7 | System security |
The families with the most controls—Access Control (22), System and Communications Protection (16), and Identification and Authentication (11)—typically require the most implementation effort.
Control Weighting in SPRS Scoring
Not all controls are weighted equally in SPRS scoring. The DoD Assessment Methodology assigns point values:
SPRS stands for Supplier Performance Risk System—the DoD database where contractors report compliance scores.
5-Point Controls (Most Critical)
These controls address fundamental security capabilities. Missing them significantly impacts your score:
- AC.L2-3.1.1: Limit system access to authorized users
- AC.L2-3.1.2: Limit system access to authorized functions
- AC.L2-3.1.20: Verify and control external system connections
- IA.L2-3.5.1: Identify system users and processes
- IA.L2-3.5.2: Authenticate users and processes
- SC.L2-3.13.1: Monitor and control communications at boundaries
- SC.L2-3.13.2: Employ architectural designs for security
- SI.L2-3.14.1: Identify and correct system flaws
- SI.L2-3.14.2: Provide protection from malicious code
3-Point Controls (Important)
Most controls fall into this category, representing significant but not critical security functions.
1-Point Controls (Supporting)
Some controls are weighted lower, representing supporting functions that enhance but are not critical to security.
Scoring Impact
A perfect score is 110. Failing to implement controls deducts their point value:
- Missing one 5-point control: Score of 105
- Missing three 5-point controls: Score of 95
- Missing ten 3-point controls: Score of 80
For conditional certification, you need a minimum score of 80 (88 or higher recommended). Understanding point values helps prioritize remediation.
The Most Challenging Control Families
Based on assessment data and implementation experience, certain families consistently present greater challenges:
Access Control (AC) – 22 Controls
Access Control has the most controls and touches nearly every system.
Key challenges:
- AC.L2-3.1.5 (Least privilege): Requires reviewing and limiting all user permissions
- AC.L2-3.1.7 (Privileged functions): Preventing non-privileged users from executing privileged functions
- AC.L2-3.1.12 (Remote access monitoring): Monitoring and controlling all remote sessions
- AC.L2-3.1.17 (Wireless access protection): Securing all wireless connections
Implementation strategy:
- Conduct a comprehensive access review across all systems
- Document access authorization for each user
- Implement role-based access control where possible
- Use privileged access management (PAM) tools for administrative accounts
Audit and Accountability (AU) – 9 Controls
Logging requirements demand significant infrastructure.
Key challenges:
- AU.L2-3.3.1 (System auditing): Logging all required event types
- AU.L2-3.3.2 (User accountability): Tracing actions to individual users
- AU.L2-3.3.5 (Audit correlation): Correlating logs across systems
Implementation strategy:
- Deploy a SIEM or a centralized logging solution
- Configure all systems to generate required logs
- Establish log review procedures
- Retain logs for the required period (typically 1+ year)
SIEM stands for Security Information and Event Management—software that collects and analyzes security logs.
System and Communications Protection (SC) – 16 Controls
Network and encryption requirements require technical expertise.
Key challenges:
- SC.L2-3.13.1 (Boundary protection): Monitoring all network boundaries
- SC.L2-3.13.8 (Data-in-transit encryption): Encrypting CUI in transit
- SC.L2-3.13.11 (CUI encryption): Encrypting CUI at rest
- SC.L2-3.13.16 (Data-at-rest confidentiality): Protecting stored CUI
Implementation strategy:
- Deploy properly configured firewalls at all boundaries
- Implement FIPS-validated encryption for CUI
- Segment CUI systems from the general network
- Use encrypted protocols for all CUI transmission
FIPS stands for Federal Information Processing Standard—government standards for cryptographic security.
Identification and Authentication (IA) – 11 Controls
Identity controls require comprehensive implementation across all access points.
Key challenges:
- IA.L2-3.5.3 (Multi-factor authentication): MFA for network and privileged access
- IA.L2-3.5.10 (Cryptographic authentication): Replay-resistant authentication
- IA.L2-3.5.11 (Identifier reuse prevention): Managing identifiers across systems
Implementation strategy:
- Deploy MFA for all CUI system access
- Use authenticator apps or hardware tokens (not SMS)
- Implement consistent identity management across systems
- Document authentication requirements and exceptions
Controls That Require Organizational Change
Some controls cannot be solved with technology alone—they require process and cultural changes:
AT.L2-3.2.1 through 3.2.3 (Awareness and Training)
Training must reach all personnel and be role-specific. This requires:
- Training program development or acquisition
- Time allocation for training completion
- Ongoing awareness reinforcement
- Documentation and tracking
IR.L2-3.6.1 through 3.6.3 (Incident Response)
Incident response requires organizational capability, not just a document:
- Designated response personnel
- Tested procedures
- Communication channels
- Evidence preservation capability
PS.L2-3.9.1 and 3.9.2 (Personnel Security)
Personnel controls require HR process changes:
- Background screening before CUI access
- Timely access termination procedures
- Coordination between HR, IT, and security
CA.L2-3.12.1 through 3.12.4 (Security Assessment)
Self-assessment and continuous monitoring require ongoing commitment:
- Regular control evaluation
- POA&M management
- Remediation tracking
- Continuous improvement
POA&M stands for Plan of Action and Milestones—documenting security gaps and remediation plans.
Implementation Sequencing Strategy
Not all controls should be implemented simultaneously. A strategic sequence improves efficiency:
Phase 1: Foundation (Months 1-3)
Establish core capabilities that other controls depend on:
- Identity and authentication infrastructure
- Basic access control framework
- Logging infrastructure
- Endpoint protection
Phase 2: Protection (Months 3-6)
Implement protective controls:
- Encryption (at rest and in transit)
- Network segmentation and boundary protection
- Configuration management
- Malware protection
Phase 3: Detection and Response (Months 6-9)
Build detection and response capabilities:
- SIEM deployment and configuration
- Log review processes
- Incident response procedures
- Vulnerability management
Phase 4: Management and Governance (Months 9-12)
Formalize management controls:
- Policy and procedure documentation
- Training program implementation
- Risk assessment processes
- Continuous monitoring
Phase 5: Validation (Months 12-15)
Validate implementation and prepare for assessment:
- Internal assessment against all controls
- Evidence collection and organization
- Gap remediation
- Readiness assessment
Common Control Dependencies
Some controls depend on others being implemented first:
Log Review Requires Logging
AU.L2-3.3.3 (Review logged events) cannot be implemented until AU.L2-3.3.1 (Create audit logs) is complete.
Incident Response Requires Detection
IR.L2-3.6.1 (Incident handling) requires logging and monitoring capabilities to detect incidents.
Access Reviews Require Access Control
CA.L2-3.12.1 (Assess security controls) requires controls to exist before they can be assessed.
Training Requires Policies
AT.L2-3.2.1 (Security awareness) should reference policies that must exist first.
Map dependencies before beginning implementation to avoid rework.
Controls Requiring External Resources
Some controls may require resources beyond internal capability:
Vulnerability Scanning (RA.L2-3.11.2)
Requires vulnerability scanning tools or services. Options:
- Commercial scanning tools (Nessus, Qualys, Rapid7)
- Managed vulnerability scanning services
- Open-source alternatives for budget constraints
Penetration Testing (CA.L2-3.12.1)
While not explicitly required, a thorough security assessment may include penetration testing:
- Third-party penetration testing services
- Qualified internal resources (if available)
Forensic Capability (IR.L2-3.6.1)
Evidence collection and analysis may require:
- Forensic tools and training
- Retainer with an incident response firm
- Cyber insurance with IR services
Documentation Requirements Across Controls
Every control requires documentation demonstrating implementation:
Policy Documentation
Each control family should have a policy coverage establishing organizational requirements.
Procedure Documentation
Operational controls need step-by-step procedures.
Configuration Documentation
Technical controls need configuration evidence showing the settings.
Operational Evidence
Ongoing controls need records of activities (log reviews, training completion, assessments).
Plan documentation effort as part of implementation—it typically represents 30-40% of total effort.
Key Takeaways
The 110 NIST SP 800-171 controls represent a comprehensive security program organized into 14 families. Controls are weighted differently for SPRS scoring, with 5-point controls being most critical for achieving passing scores.
Access Control, Audit and Accountability, System and Communications Protection, and Identification and Authentication typically present the greatest implementation challenges. Some controls require organizational change, not just technology.
Sequence implementation strategically, address dependencies, and plan for significant documentation effort. Understanding the full scope of Level 2 helps you plan realistically and implement effectively.
Related Articles:
- CMMC Level 2 C3PAO Assessment: What to Expect
- How to Calculate Your SPRS Score
- How Much Does CMMC Certification Cost?
- SIEM Solutions for CMMC Compliance
- NIST SP 800-171 Rev 2
- NIST SP 800-171A – Assessment Procedures
- DoD Assessment Methodology
Official Sources: This article is based on NIST SP 800-171 Revision 2, NIST SP 800-171A, and the DoD CMMC Assessment Methodology.
Level 2 is complex, but you do not have to figure it out alone. Contact Greypike for expert guidance through all 110 controls. If you are starting your compliance journey, begin with Level 1—Obolix covers all 15 Level 1 requirements and gets you compliant in a week or less, building your foundation for Level 2.