NIST 800-171 Controls Explained: A Plain-Language Breakdown of All 110 Requirements

Introduction to NIST SP 800-171

NIST Special Publication 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” is the cornerstone document for CMMC Level 2 compliance. Published by the National Institute of Standards and Technology, this document contains 110 security requirements organized across 14 control families that defense contractors must implement to protect Controlled Unclassified Information. Understanding these requirements in plain language is essential for every organization pursuing CMMC certification.

Many defense contractors find the technical language of NIST SP 800-171 intimidating and difficult to translate into practical actions. This guide breaks down each of the 14 control families, explains what the requirements mean in everyday terms, and provides practical guidance on implementation. Whether you are a business owner, an IT administrator, or a compliance officer, this plain-language breakdown will help you understand exactly what is expected of your organization.

1. Access Control (AC) — 22 Requirements

Access Control is the largest control family with 22 requirements, and it focuses on ensuring that only authorized individuals can access your systems and the CUI stored within them. At its core, access control is about answering three questions: who is allowed in, what are they allowed to do once in, and how do we enforce those rules consistently?

The requirements in this family cover several key areas. First, you must limit system access to authorized users, processes acting on behalf of authorized users, and devices. This means maintaining a list of who is allowed to access each system and ensuring that unauthorized individuals cannot gain entry. You must implement account management procedures including creating, enabling, modifying, disabling, and removing accounts in a timely manner.

Second, you must limit access to the types of transactions and functions that authorized users are permitted to execute. This is the principle of least privilege — giving each user only the minimum level of access needed to perform their job duties. An engineer who needs to read technical drawings should not automatically have the ability to modify financial records or delete system configurations.

Third, you must control the flow of CUI in accordance with approved authorizations. This means understanding how CUI moves through your systems and implementing controls at each point where information could potentially flow to unauthorized locations. This includes controlling remote access, wireless access, and mobile device connections, as well as monitoring and controlling communications at system boundaries like firewalls and network perimeters.

Practical implementation of access control typically involves deploying Active Directory or similar identity management systems, implementing role-based access control policies, configuring firewalls and network segmentation, establishing remote access procedures with VPN and multi-factor authentication, and maintaining detailed access control lists for all systems containing CUI.

2. Awareness and Training (AT) — 3 Requirements

The Awareness and Training family contains only three requirements, but their importance cannot be overstated. Human error remains the leading cause of security incidents, and a well-trained workforce is your most effective defense against many common threats. These requirements mandate that your organization ensures all users of your systems are aware of the security risks associated with their activities and are trained to carry out their security-related duties and responsibilities.

Specifically, you must ensure that managers, system administrators, and users are made aware of the security policies and procedures pertinent to their roles. You must also ensure that personnel are adequately trained to carry out their assigned security responsibilities, including recognizing and reporting potential indicators of insider threats. All training must be documented, and records must be maintained to demonstrate compliance.

Implementing this family effectively means developing a comprehensive security awareness training program that covers phishing recognition, password management, CUI handling procedures, incident reporting, physical security practices, and social engineering awareness. Training should be conducted when new employees are onboarded, when significant system changes occur, and at least annually for all personnel.

3. Audit and Accountability (AU) — 9 Requirements

Audit and Accountability requirements ensure that your organization can track what happens in your systems, who did it, and when it occurred. This family requires you to create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

You must ensure that the actions of individual system users can be uniquely traced back to those users, so they can be held accountable for their actions. This means implementing unique user accounts rather than shared accounts, logging authentication attempts both successful and failed, and recording access to CUI including who accessed it, when, and what actions they performed.

The requirements also address protecting audit information from unauthorized access, modification, and deletion. Audit logs are only valuable if they can be trusted. If an attacker can modify or delete logs to cover their tracks, your entire accountability framework is compromised. You must also review and analyze audit logs regularly, establish an alert mechanism for audit processing failures, and correlate audit review, analysis, and reporting processes to support organizational objectives.

Common implementations include configuring Windows Event Logging and Syslog on all systems, deploying a centralized log management or SIEM solution, establishing log retention policies of at least one year, setting up automated alerts for suspicious activities, and conducting weekly or monthly log reviews focused on anomalous behavior patterns.
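The review practice described above, as an added example that is not part of the original article: a small log review over constructed Windows-style security events that flags failed-logon bursts (and whether a successful logon followed them), plus events that undermine the audit trail itself. The line layout, hosts, users and thresholds are assumptions; the event IDs follow the Windows Security log (4624 logon success, 4625 logon failure, 1102 audit log cleared, 1104 security log full).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a syslog-like layout: "<timestamp> <host> <event_id> <user> <detail>".
SAMPLE_LOG = """\
2024-03-04T08:00:01 ws01 4624 jdoe logon_success
2024-03-04T08:02:11 ws01 4625 jdoe logon_failed
2024-03-04T08:02:15 ws01 4625 jdoe logon_failed
2024-03-04T08:02:19 ws01 4625 jdoe logon_failed
2024-03-04T08:02:22 ws01 4625 jdoe logon_failed
2024-03-04T08:02:25 ws01 4625 jdoe logon_failed
2024-03-04T08:02:40 ws01 4624 jdoe logon_success
2024-03-04T08:05:00 ws02 4625 asmith logon_failed
2024-03-04T08:10:00 srv01 1102 admin audit_log_cleared
2024-03-04T08:15:00 srv02 1104 SYSTEM security_log_full
"""

def parse_events(text):
    """Turn log lines into dicts; malformed lines are skipped but counted."""
    events, bad = [], 0
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            bad += 1
            continue
        ts, host, event_id, user, detail = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "id": event_id, "user": user, "detail": detail})
        except ValueError:
            bad += 1
    return events, bad

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Users with >= threshold failures (4625) inside one window, and whether a
    successful logon (4624) followed the burst within the same window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] in ("4624", "4625"):
            by_user[e["user"]].append((e["ts"], e["id"]))
    flagged = {}
    for user, seq in by_user.items():
        fails = [t for t, i in seq if i == "4625"]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]
                then_ok = any(i == "4624" and last_fail < t <= last_fail + window for t, i in seq)
                flagged[user] = {"failures": end - start + 1, "then_success": then_ok}
    return flagged

# Events that weaken the audit trail itself: clearing of the log, or a full log that stops recording.
TAMPER_IDS = {"1102": "audit log cleared", "1104": "security log full (audit processing failure)"}

def audit_integrity_alerts(events):
    """(host, user, description) for every audit-integrity event, in log order."""
    return [(e["host"], e["user"], TAMPER_IDS[e["id"]]) for e in events if e["id"] in TAMPER_IDS]

if __name__ == "__main__":
    evs, unparsed = parse_events(SAMPLE_LOG)
    print("bursts:", failed_login_bursts(evs), "| integrity:", audit_integrity_alerts(evs))
```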

4. Configuration Management (CM) — 9 Requirements

Configuration Management ensures that your systems are set up securely and that changes to those configurations are managed in a controlled manner. This family requires you to establish and maintain baseline configurations and inventories of organizational systems throughout their life cycles. In plain terms, you need to know exactly what hardware and software you have, how it is configured, and track every change made to that configuration.

You must establish and enforce security configuration settings for information technology products employed in your systems. This means applying security hardening standards such as CIS Benchmarks or DISA STIGs to your servers, workstations, and network devices. Default configurations from manufacturers are almost never secure enough and must be customized to meet security requirements.

Change management is another critical component. You must track, review, approve or disapprove, and log changes to your systems. Unauthorized or uncontrolled changes can introduce vulnerabilities or disrupt security controls. Additionally, you must analyze the security impact of changes before they are implemented to ensure that modifications do not compromise your security posture.

This family also requires restricting, disabling, or preventing the use of nonessential programs, functions, ports, protocols, and services. Every unnecessary service running on a system represents a potential attack surface. By minimizing the functionality of your systems to only what is required for operations, you significantly reduce the opportunities for attackers to exploit vulnerabilities.

5. Identification and Authentication (IA) — 11 Requirements

Identification and Authentication is about verifying that users, processes, and devices are who or what they claim to be before granting access to your systems. This family contains 11 requirements that address how your organization manages identities and authenticates access requests.

The most significant requirement in this family for most organizations is the implementation of multi-factor authentication for both local and network access to privileged accounts and for network access to non-privileged accounts. Multi-factor authentication requires users to present at least two different types of evidence to prove their identity, typically something they know like a password combined with something they have like a hardware token or smartphone app.

Other requirements address the use of unique identifiers for all users, devices, and processes; the management of authenticators, including passwords, tokens, and certificates; the use of cryptographic mechanisms to protect authenticators during transmission and storage; and obscuring the feedback of authentication information during the authentication process.

Replay-resistant authentication mechanisms are required for network access to privileged and non-privileged accounts, which means your authentication systems must be able to detect and reject attempts to reuse previously captured authentication information. This is typically addressed through modern authentication protocols and the use of time-based one-time passwords or challenge-response mechanisms.

6. Incident Response (IR) — 3 Requirements

Despite being one of the smallest control families with only three requirements, Incident Response is critically important. These requirements mandate that your organization establishes an operational incident-handling capability for your systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

You must track, document, and report incidents to designated officials and appropriate external authorities. For defense contractors handling CUI, this includes the requirement under DFARS 252.204-7012 to report cyber incidents to the Department of Defense within 72 hours of discovery. Having clear procedures for incident classification, escalation, and reporting is essential.

You must also test the organizational incident response capability periodically to ensure it is effective. This can include tabletop exercises where your team walks through hypothetical scenarios, functional exercises that test specific response procedures, or full-scale exercises that simulate real incidents. Regular testing helps identify gaps in your procedures and ensures your team is prepared to respond effectively when a real incident occurs.

7. Maintenance (MA) — 6 Requirements

The Maintenance family addresses how your organization performs maintenance on its systems while protecting the information contained within them. You must perform maintenance on your systems in a timely manner, using approved tools and following documented procedures. This includes both physical maintenance of hardware and logical maintenance of software such as patching and updates.

When maintenance requires equipment to be removed from your facility for servicing, you must ensure that all CUI is removed from the equipment before it leaves your control. If CUI cannot be removed, the equipment must be protected during transport and while at the maintenance facility. Similarly, when maintenance personnel who are not regular members of your workforce perform work on your systems, their activities must be supervised or controlled.

Remote maintenance activities require additional safeguards including the use of approved remote access methods, session termination when maintenance is complete, and logging of all remote maintenance activities for audit purposes.

8. Media Protection (MP) — 9 Requirements

Media Protection requirements govern how your organization handles storage media that contains CUI, including hard drives, USB drives, optical discs, paper documents, and any other media capable of storing information. You must protect both digital and non-digital media containing CUI during transport, storage, and disposal.

You must limit access to CUI on system media to authorized users and sanitize or destroy system media before disposal or release for reuse. Sanitization methods must be appropriate for the sensitivity of the information — simple file deletion is not sufficient for media that has contained CUI. NIST SP 800-88 provides guidelines for media sanitization that meet these requirements.

Portable storage devices represent a particular risk. You must control the use of removable media on your systems and prohibit the use of portable storage devices when such devices have no identifiable owner. Many organizations implement policies that restrict or prohibit USB drives entirely, using alternative methods for file transfer that can be better controlled and monitored.

Media marking is also required — you must mark media containing CUI with appropriate distribution limitations and handling caveats. This ensures that anyone who encounters the media understands the sensitivity of its contents and the restrictions on its use.

9. Personnel Security (PS) — 2 Requirements

Personnel Security is the smallest control family with only two requirements. These requirements focus on screening individuals before granting them access to systems containing CUI and ensuring that CUI and systems are protected during and after personnel actions such as terminations and transfers.

Before granting access to CUI, you must screen individuals to determine their trustworthiness. This typically involves background checks appropriate to the level of access required. When personnel leave your organization or transfer to positions that no longer require CUI access, you must promptly disable their system access and retrieve all CUI, credentials, and organizational assets in their possession.

10. Physical Protection (PE) — 6 Requirements

Physical Protection requirements address the physical security of your facilities and equipment. You must limit physical access to your systems and equipment, and to the facilities in which they are housed, to authorized individuals. This means implementing physical access controls such as locked doors, badge readers, visitor sign-in procedures, and escort requirements.

You must also protect and monitor the physical facility and support infrastructure for your systems, maintain audit logs of physical access, and control physical access to output devices such as printers and displays that may present CUI. The physical environment must also be managed to protect against environmental hazards such as flooding, fire, and power failures.

11. Risk Assessment (RA) — 3 Requirements

Risk Assessment requires your organization to periodically assess the risk to your operations, assets, and individuals resulting from the operation of your systems and the processing, storage, and transmission of CUI. You must also scan for vulnerabilities in your systems periodically and when new vulnerabilities are identified.

Additionally, you must remediate vulnerabilities identified through scanning and assessments in accordance with a risk-based approach. Not every vulnerability requires immediate remediation — your risk assessment should help you prioritize your remediation efforts based on the potential impact and likelihood of exploitation.

12. Security Assessment (CA) — 4 Requirements

Security Assessment requirements mandate that your organization periodically assesses the security controls in your systems to determine if they are effective in their application. You must also develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in your systems.

This family also requires monitoring your security controls on an ongoing basis to ensure continued effectiveness and establishing connections to external systems only through the use of controlled interfaces and connections. Your System Security Plan is a key document for this family, as it describes your security controls and how they are implemented.

13. System and Communications Protection (SC) — 16 Requirements

System and Communications Protection is the second largest family with 16 requirements addressing how your systems communicate and how those communications are protected. You must monitor, control, and protect communications at the external boundaries and key internal boundaries of your systems. This typically means implementing properly configured firewalls, intrusion detection systems, and network segmentation.

A critical requirement in this family is the implementation of cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission and at rest. FIPS-validated encryption is required, which means using encryption algorithms and implementations that have been validated through the Cryptographic Module Validation Program. Common implementations include TLS for data in transit and AES-256 or BitLocker for data at rest.

Other key requirements include implementing subnetworks for publicly accessible system components that are physically or logically separated from internal networks, implementing Domain Name System filtering services, and employing architectural designs, software development techniques, and systems engineering principles that promote effective information security.

Network segmentation is particularly important in this family. By separating your CUI processing environment from your general business network, you can reduce your CMMC assessment scope and improve the overall security of your most sensitive information. This approach, often called an enclave strategy, is one of the most cost-effective methods for achieving compliance.

14. System and Information Integrity (SI) — 7 Requirements

The final control family, System and Information Integrity, focuses on keeping your systems and information free from compromise. You must identify, report, and correct information and system flaws in a timely manner. This means implementing a robust patch management program that keeps your operating systems, applications, and firmware up to date with the latest security patches.

You must also provide protection from malicious code at appropriate locations within your systems, which requires deploying and maintaining antivirus and anti-malware solutions on all endpoints and keeping their signature databases current. Monitoring system security alerts and advisories and taking appropriate actions in response is also required.

Email and web protections round out this family. You must monitor your systems to detect attacks and indicators of potential attacks, and you must identify unauthorized use of your systems. This typically involves implementing email filtering solutions to block phishing attempts and malicious attachments, web content filtering to prevent access to known malicious sites, and network monitoring tools to detect anomalous behavior patterns.

Bringing It All Together

The 110 security requirements across these 14 control families may seem overwhelming at first glance, but they represent a comprehensive and logical approach to protecting sensitive information. Each family addresses a specific aspect of security, and together they create a defense-in-depth strategy that protects CUI from a wide range of threats.

The key to successful implementation is approaching these requirements systematically rather than trying to address them all simultaneously. Start with the foundational families like Access Control and Identification and Authentication, which underpin many of the other requirements. Then move to the technical families like System and Communications Protection and System and Information Integrity. Finally, ensure your operational families like Incident Response and Audit and Accountability are in place to maintain ongoing security.

At Easy Compliances, our CMMC training courses walk you through each of these 110 requirements with practical, real-world implementation guidance. Our compliance toolkit includes templates and checklists mapped to each control family, making it easier to track your progress and demonstrate compliance during your C3PAO assessment. Visit our Courses and Toolkit pages to learn more about how we can help you navigate the path to CMMC certification.
