NIST SP 800-171 Revision 2 defines 110 security requirements, grouped into 14 families, that nonfederal organizations must implement when they process, store, or transmit Controlled Unclassified Information (CUI). For defense contractors the obligation is imposed contractually through DFARS clause 252.204-7012 and is the basis of Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2. This checklist breaks down all 110 requirements by family so you can assess your organization's current posture, identify gaps, and build a clear path to compliance, which is essential for winning and keeping Department of Defense (DoD) contracts.
What Is NIST SP 800-171 and Why Does It Matter?
NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," establishes security requirements for nonfederal organizations that handle CUI on behalf of the US federal government. Revision 2 contains the 110 requirements this checklist covers; Revision 3 (2024) restructured them into 97, but DoD continues to assess against Revision 2 through DFARS 252.204-7012 and the CMMC program rule, so Revision 2 remains the working baseline for contractors. Any DoD contractor or subcontractor whose contract carries the 252.204-7012 clause and that handles CUI must implement all 110, and full implementation is the basis of CMMC 2.0 Level 2 (the "Advanced" tier; Level 1 covers the 17 basic safeguarding requirements of FAR 52.204-21). DoD enforces the requirements through contract clauses. Failure to comply can mean loss of the contract and ineligibility for awards that require a CMMC level, and because contractors affirm their assessment results to the government, misrepresenting compliance carries False Claims Act exposure.
For US-based defense contractors, understanding and implementing every one of the 110 controls is not optional — it is a contractual obligation that directly affects revenue and market access. The controls are divided into 14 families covering everything from access control and awareness training to system and information integrity. This checklist walks you through each family with specific, auditable actions.
Key Takeaways
- NIST SP 800-171 mandates 110 security controls across 14 families for organizations handling CUI.
- Compliance is required for DoD contracts and is foundational for CMMC 2.0 Level 2 certification.
- The checklist below provides auditable action items for every control — use it to conduct a self-assessment and identify remediation priorities.
- CyberSilo’s Compliance Standards Automation platform maps controls to evidence automatically, reducing manual effort by up to 70%.
Complete 110 Control Checklist by Family
Below is the full NIST SP 800-171 control set organized by family. Each family includes the control number, the requirement, and the specific action your organization must take to achieve compliance. Use this as your primary checklist during gap analysis and remediation planning.
Access Control (AC) — 22 Controls
Access control is the largest family and addresses who can access CUI and under what conditions. The DoD expects organizations to limit access to authorized users, processes, and devices while enforcing the principle of least privilege.
- 3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Maintain an authorized-user list and device inventory and provision accounts only against them.
- 3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- 3.1.3: Control the flow of CUI in accordance with approved authorizations (segmentation, DLP rules, and restrictions on where CUI may be stored or sent).
- 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- 3.1.5: Employ the principle of least privilege, including for specific security functions and privileged accounts.
- 3.1.6: Use non-privileged accounts or roles when accessing nonsecurity functions.
- 3.1.7: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- 3.1.8: Limit unsuccessful logon attempts. Define the threshold and the lockout or delay action in policy and enforce it technically.
- 3.1.9: Provide privacy and security notices consistent with applicable CUI rules (logon banners).
- 3.1.10: Use session lock with pattern-hiding displays to prevent access to and viewing of data after a period of inactivity.
- 3.1.11: Terminate (automatically) a user session after a defined condition.
- 3.1.12: Monitor and control remote access sessions.
- 3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 3.1.14: Route remote access via managed access control points.
- 3.1.15: Authorize remote execution of privileged commands and remote access to security-relevant information.
- 3.1.16: Authorize wireless access prior to allowing such connections.
- 3.1.17: Protect wireless access using authentication and encryption.
- 3.1.18: Control connection of mobile devices.
- 3.1.19: Encrypt CUI on mobile devices and mobile computing platforms.
- 3.1.20: Verify and control/limit connections to and use of external systems.
- 3.1.21: Limit use of portable storage devices on external systems.
- 3.1.22: Control CUI posted or processed on publicly accessible systems.
Awareness and Training (AT) — 3 Controls
Personnel must understand their security responsibilities. The DoD requires documented training programs and role-based awareness.
- 3.2.1: Ensure that managers, system administrators, and users are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures.
- 3.2.2: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities (role-based training).
- 3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
NIST leaves training frequency to the organization; document it in policy and keep completion records, because the records are the evidence an assessor will ask for.
Audit and Accountability (AU) — 9 Controls
Audit logging provides the evidence trail required for compliance verification and incident investigation.
- 3.3.1: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- 3.3.2: Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable.
- 3.3.3: Review and update logged events (the set of event types you log, not only the logs themselves).
- 3.3.4: Alert in the event of an audit logging process failure.
- 3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
- 3.3.6: Provide audit record reduction and report generation to support on-demand analysis and reporting.
- 3.3.7: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
- 3.3.8: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- 3.3.9: Limit management of audit logging functionality to a subset of privileged users.
NIST does not set a retention period or review frequency; define both in policy. Separately, DFARS 252.204-7012 requires preserving images of affected systems and all relevant monitoring and packet capture data for at least 90 days after a cyber incident report, so retention must at least support that.
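The two checks below are an added example, not code from the original checklist or from any vendor product. The first verifies that each audit record carries the fields needed to trace an action to a user, a time, an outcome, and a source (3.3.1, 3.3.2); the second performs one concrete review step (3.3.3 and 3.3.5) by flagging accounts whose failed logons reach a threshold inside a sliding time window, the condition that 3.1.8 asks you to limit. The key=value log format, the required-field set, and the sample lines are all constructed for this example; adapt parse_log() to your own sources.

```python
"""Audit-record completeness and failed-logon review (added example)."""
import re
from datetime import datetime, timedelta

# Fields an audit record must carry before it is useful as evidence.
# Assumed minimum set; extend with whatever your audit policy names.
REQUIRED_FIELDS = ("ts", "event", "user", "outcome", "src")

# Constructed sample log. The record for carol omits "src" on purpose.
SAMPLE_LOG = """\
ts=2024-03-04T08:01:12Z event=logon user=alice outcome=success src=10.1.4.22
ts=2024-03-04T08:02:40Z event=logon user=bob outcome=failure src=203.0.113.9
ts=2024-03-04T08:02:45Z event=logon user=bob outcome=failure src=203.0.113.9
ts=2024-03-04T08:02:51Z event=logon user=bob outcome=failure src=203.0.113.9
ts=2024-03-04T08:03:02Z event=logon user=bob outcome=failure src=203.0.113.9
ts=2024-03-04T08:03:10Z event=logon user=bob outcome=failure src=203.0.113.9
ts=2024-03-04T08:10:00Z event=priv_exec user=carol outcome=success
ts=2024-03-04T08:11:30Z event=logon user=dave outcome=success src=10.1.4.31
ts=2024-03-04T09:30:00Z event=logon user=dave outcome=failure src=10.1.4.31
"""

PAIR_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse key=value lines into dicts; blank lines are skipped."""
    return [dict(PAIR_RE.findall(line)) for line in text.splitlines() if line.strip()]


def incomplete_records(records: list[dict[str, str]]) -> list[tuple[int, list[str]]]:
    """Return (record_index, missing_fields) for records that cannot be traced
    to a user, time, outcome or source. These are evidence gaps, not parsing
    noise: fix the logging source that produced them."""
    gaps = []
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            gaps.append((i, missing))
    return gaps


def _ts(value: str) -> datetime:
    # Accept the trailing "Z" form on Python versions older than 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_logons_over_threshold(records, threshold=5, window_minutes=15) -> dict[str, int]:
    """Return {user: peak_failures} for users whose failed logon attempts reach
    `threshold` within any `window_minutes` span (sliding window per user)."""
    failures: dict[str, list[datetime]] = {}
    for rec in records:
        if (rec.get("event") == "logon" and rec.get("outcome") == "failure"
                and "user" in rec and "ts" in rec):
            failures.setdefault(rec["user"], []).append(_ts(rec["ts"]))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("incomplete:", incomplete_records(recs))                     # [(6, ['src'])]
    print("lockout candidates:", failed_logons_over_threshold(recs))   # {'bob': 5}
```

The completeness check is the part most often skipped: a log that cannot name the user or the source host satisfies neither 3.3.1 nor 3.3.2, no matter how long it is retained. The threshold and window are organization-defined values; use the ones written in your 3.1.8 policy so the review report matches what the assessor reads in the SSP.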
Configuration Management (CM) — 9 Controls
Baseline configurations, change control, and security configuration settings are essential for maintaining a secure posture.
- 3.4.1: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- 3.4.2: Establish and enforce security configuration settings for information technology products employed in organizational systems.
- 3.4.3: Track, review, approve or disapprove, and log changes to organizational systems.
- 3.4.4: Analyze the security impact of changes prior to implementation.
- 3.4.5: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- 3.4.6: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- 3.4.7: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- 3.4.8: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
- 3.4.9: Control and monitor user-installed software.
Identification and Authentication (IA) — 11 Controls
Strong identity verification is the gatekeeper for all CUI access. This family covers identification, authentication, multifactor authentication, and credential handling. NIST does not prescribe password lengths, rotation intervals, or inactivity periods; those values are organization-defined, documented in the SSP, and should follow NIST SP 800-63B, which favors length and screening against known-breached passwords over forced periodic rotation.
- 3.5.1: Identify system users, processes acting on behalf of users, and devices.
- 3.5.2: Authenticate (or verify) the identities of users, processes, or devices as a prerequisite to allowing access to organizational systems.
- 3.5.3: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- 3.5.4: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
- 3.5.5: Prevent reuse of identifiers for a defined period.
- 3.5.6: Disable identifiers after a defined period of inactivity.
- 3.5.7: Enforce a minimum password complexity and change of characters when new passwords are created.
- 3.5.8: Prohibit password reuse for a specified number of generations.
- 3.5.9: Allow temporary password use for system logons with an immediate change to a permanent password.
- 3.5.10: Store and transmit only cryptographically-protected passwords (salted, slow hashes at rest; TLS or equivalent in transit).
- 3.5.11: Obscure feedback of authentication information (no echoing of passwords on screen).
Incident Response (IR) — 3 Controls
The DoD requires a formal incident response capability with defined roles, testing, and reporting procedures.
- 3.6.1: Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
- 3.6.2: Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization. For DoD contractors, DFARS 252.204-7012 separately requires reporting cyber incidents affecting covered defense information to DoD through the DIBNet portal within 72 hours of discovery, which requires a DoD-approved medium assurance certificate obtained in advance.
- 3.6.3: Test the organizational incident response capability (tabletop exercises or simulations; set the frequency in policy and keep the after-action records).
Maintenance (MA) — 6 Controls
System maintenance activities must not introduce vulnerabilities or expose CUI, whether performed on site, remotely, or by third-party technicians.
- 3.7.1: Perform maintenance on organizational systems.
- 3.7.2: Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
- 3.7.3: Ensure equipment removed for off-site maintenance is sanitized of any CUI.
- 3.7.4: Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
- 3.7.5: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
- 3.7.6: Supervise the maintenance activities of maintenance personnel without required access authorization.
Media Protection (MP) — 9 Controls
Physical and digital media containing CUI must be controlled throughout their lifecycle, including transport, removable media, and backups.
- 3.8.1: Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- 3.8.2: Limit access to CUI on system media to authorized users.
- 3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.
- 3.8.4: Mark media with necessary CUI markings and distribution limitations.
- 3.8.5: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
- 3.8.6: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
- 3.8.7: Control the use of removable media on system components.
- 3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.
- 3.8.9: Protect the confidentiality of backup CUI at storage locations.
Compliance Warning: Media protection findings are common in assessments because the evidence is often missing even when the practice exists. Ensure your organization has a documented media sanitization policy that references NIST SP 800-88 Rev. 1, "Guidelines for Media Sanitization," and keeps records of each sanitization or destruction (device serial, method, date, certificate of destruction). Under CMMC 2.0 Level 2 each requirement is scored MET or NOT MET; media that left the organization without documented sanitization is a NOT MET on 3.8.3.
Physical Protection (PE) — 6 Controls
Physical access to facilities and systems containing CUI must be controlled, logged, and monitored, including at home offices and other alternate work sites. NIST abbreviates this family PE.
- 3.10.1: Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
- 3.10.2: Protect and monitor the physical facility and support infrastructure for organizational systems.
- 3.10.3: Escort visitors and monitor visitor activity.
- 3.10.4: Maintain audit logs of physical access.
- 3.10.5: Control and manage physical access devices (keys, badges, lock combinations).
- 3.10.6: Enforce safeguarding measures for CUI at alternate work sites.
Personnel Security (PS) — 2 Controls
Personnel screening and termination procedures protect CUI from insider threats.
- 3.9.1: Screen individuals prior to authorizing access to organizational systems containing CUI, to the extent required by the contract and applicable law.
- 3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers (disable accounts, recover devices and media, revoke badges, and revisit access on transfer).
Risk Assessment (RA) — 3 Controls
Organizations must periodically assess risk to CUI and implement appropriate mitigations.
- 3.11.1: Periodically assess the risk to organizational operations, assets, and individuals resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
- 3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- 3.11.3: Remediate vulnerabilities in accordance with risk assessments.
NIST leaves the scan frequency and remediation timelines to the organization; write them into policy, because assessors check that you do what your own policy says.
Security Assessment (CA) — 4 Controls
Periodic assessments validate that requirements are implemented correctly and effectively. This family also owns the System Security Plan and the POA&M that every assessment is conducted against. NIST abbreviates it CA.
- 3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
- 3.12.2: Develop and implement plans of action (POA&M) designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
- 3.12.3: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- 3.12.4: Develop, document, and periodically update system security plans (SSP) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
System and Communications Protection (SC) — 16 Controls
This is the second-largest family and covers encryption, network segmentation, and boundary protection.
- 3.13.1: Monitor, control, and protect communications (information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- 3.13.2: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
- 3.13.3: Separate user functionality from system management functionality.
- 3.13.4: Prevent unauthorized and unintended information transfer via shared system resources.
- 3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- 3.13.6: Deny network communications traffic by default and allow network communications traffic by exception (deny all, permit by exception).
- 3.13.7: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (no split tunneling).
- 3.13.8: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
- 3.13.9: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
- 3.13.10: Establish and manage cryptographic keys for cryptography employed in organizational systems.
- 3.13.11: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Verify the module's CMVP certificate; an approved algorithm in a non-validated module does not satisfy this requirement.
- 3.13.12: Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
- 3.13.13: Control and monitor the use of mobile code.
- 3.13.14: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
- 3.13.15: Protect the authenticity of communications sessions.
- 3.13.16: Protect the confidentiality of CUI at rest.
System and Information Integrity (SI) — 7 Controls
This family addresses malware protection, system monitoring, and flaw remediation.
- 3.14.1: Identify, report, and correct system flaws in a timely manner (define the patch timelines in policy).
- 3.14.2: Provide protection from malicious code at designated locations within organizational systems.
- 3.14.3: Monitor system security alerts and advisories and take action in response.
- 3.14.4: Update malicious code protection mechanisms when new releases are available.
- 3.14.5: Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
- 3.14.6: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
- 3.14.7: Identify unauthorized use of organizational systems.
Simplify NIST 800-171 Compliance with Automation
Manually tracking 110 controls across your environment is time-consuming and error-prone. CyberSilo’s Compliance Standards Automation platform maps every control to your existing systems, collects evidence automatically, and generates ready-to-submit POA&Ms. Reduce your compliance effort by up to 70% and gain real-time visibility into your posture.
How to Use This Checklist Effectively
Working through 110 controls can feel overwhelming, but a structured approach makes it manageable. Follow this process to maximize the value of the checklist.
Conduct a Baseline Gap Assessment
Start by mapping each of the 110 requirements against your current security policies, technical configurations, and organizational practices, scoring each as implemented, partially implemented, or not implemented. Access Control and System and Communications Protection together account for 38 of the 110 and usually surface the most technical gaps, but order the work by the DoD Assessment Methodology weight of each requirement rather than by family size: one unimplemented 5-point requirement costs more than several 1-point ones. The output of the gap assessment feeds the System Security Plan (SSP) required by 3.12.4 and DFARS 252.204-7012, which is the document an assessor uses to understand your system boundary and how each requirement is met.
Prioritize Remediation by Risk and CMMC Level
Not all requirements carry equal weight. CMMC 2.0 Level 2 requires all 110 to be implemented, but prioritize remediation by risk to CUI and by assessment weight. High-impact requirements such as boundary protection (3.13.1), FIPS-validated cryptography for CUI confidentiality (3.13.11), multifactor authentication (3.5.3), and audit log review and correlation (3.3.3 and 3.3.5) should be remediated first. Track progress with the NIST SP 800-171 DoD Assessment Methodology: the score starts at 110 and each requirement that is not fully implemented subtracts its assigned weight of 5, 3, or 1 points, so the score can go negative; 3.5.3 and 3.13.11 are 5-point items that lose only 3 points when partially implemented as the methodology defines. A score of 110 means every requirement is met. Under DFARS 252.204-7019 a current Basic (self-assessment) score must be posted to the Supplier Performance Risk System (SPRS) before award of a contract carrying the 7012 clause, and CMMC Level 2 assessments use the same scoring.
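The calculator below is an added example, not code from the original page or from any DoD tool. It applies the scoring rule just described (110 minus the weight of each requirement that is not met, with the partial-credit rule for 3.5.3 and 3.13.11) and then checks two of the conditions for a conditional CMMC Level 2 status: a score of at least 80% of the maximum and no 5-point requirement left open. The WEIGHTS table is a small constructed subset for demonstration; only the 3.5.3 and 3.13.11 entries are asserted from the methodology, and the sample self-assessment is invented. Load the full Annex A weight table from the published methodology, and add the further POA&M exclusions named in 32 CFR 170.21, before using this on a real assessment.

```python
"""DoD Assessment Methodology score and conditional-status check (added example)."""
from math import ceil

MAX_SCORE = 110

# Constructed subset of the requirement weight table. The two partial-credit
# requirements (3.5.3, 3.13.11) are 5-point per the methodology; the other
# entries are placeholders for the demonstration, not authoritative values.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.8": 1,
    "3.3.1": 5, "3.3.2": 3, "3.5.3": 5, "3.13.6": 5, "3.13.11": 5, "3.14.1": 5,
}
# Deductions the methodology allows for a partial implementation.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
STATUSES = ("met", "partial", "not_met")

# Constructed self-assessment, the kind of output a gap analysis produces.
SAMPLE_SELF_ASSESSMENT = {
    "3.1.1": "met", "3.1.2": "met", "3.1.3": "not_met", "3.1.5": "partial",
    "3.1.8": "met", "3.3.1": "met", "3.3.2": "met", "3.5.3": "partial",
    "3.13.6": "met", "3.13.11": "partial", "3.14.1": "met",
}


def deduction(req: str, status: str, weights=WEIGHTS) -> int:
    """Points lost for one requirement. A partially implemented requirement
    loses its full weight unless the methodology grants partial credit."""
    if status not in STATUSES:
        raise ValueError(f"{req}: unknown status {status!r}")
    if req not in weights:
        raise KeyError(f"{req}: no weight in table")
    if status == "met":
        return 0
    if status == "partial" and req in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req]
    return weights[req]


def score(assessment: dict[str, str], weights=WEIGHTS) -> int:
    """SPRS-style score: 110 minus all deductions (may be negative)."""
    return MAX_SCORE - sum(deduction(r, s, weights) for r, s in assessment.items())


def open_items(assessment: dict[str, str]) -> list[str]:
    """Requirements that would need a POA&M entry."""
    return [r for r, s in assessment.items() if s != "met"]


def conditional_level2_eligible(assessment: dict[str, str], weights=WEIGHTS) -> bool:
    """Two of the conditional Level 2 conditions: score of at least 80% of the
    maximum, and no 5-point requirement open except 3.13.11 when partially
    implemented. The rule also names specific 1-point requirements that may
    never be on a POA&M; add those from 32 CFR 170.21 before relying on this."""
    if score(assessment, weights) < ceil(0.8 * MAX_SCORE):  # 88
        return False
    for req in open_items(assessment):
        if weights[req] == 5 and not (req == "3.13.11" and assessment[req] == "partial"):
            return False
    return True


if __name__ == "__main__":
    a = SAMPLE_SELF_ASSESSMENT
    print("score:", score(a))                                       # 100
    print("open items:", open_items(a))
    print("conditional Level 2:", conditional_level2_eligible(a))   # False (3.5.3 open)
```

Running it on the sample shows why weight matters more than count: the assessment has only four open items and a score of 100, yet it is not eligible for conditional status because 3.5.3 is among them. Marking 3.5.3 as met raises the score to 103 and makes the remaining POA&M acceptable under the two conditions checked here.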
Develop and Maintain a POA&M
For any requirement scored as not implemented or partially implemented, document a Plan of Action and Milestones (POA&M), which is itself required by 3.12.2. Include the requirement number, current status, planned remediation steps, responsible party, target completion date, and the evidence that will demonstrate closure. Keep the POA&M current and update your SPRS score as items close. Under the CMMC program rule, a Level 2 conditional status allows a limited POA&M only when the assessment score is at least 80% (88 of 110) and no 5-point requirement is left open, and every open item must be closed and verified within 180 days or the conditional status lapses. Automated tools like CyberSilo's platform can generate and track POA&Ms across all 110 requirements, reducing manual overhead and ensuring nothing falls through the cracks.
Prepare for Third-Party Assessment
Under CMMC 2.0 Level 2, most contracts require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO); a subset allow a Level 2 self-assessment, as stated in the solicitation. The assessor verifies evidence for each of the 110 requirements, using the assessment objectives of NIST SP 800-171A, against your SSP and POA&M. Ensure you have documented proof for every requirement: policies, configuration exports or screenshots, audit logs, training records, and system inventories. CyberSilo's Compliance Standards Automation can centralize all evidence in a single repository with direct mapping to each requirement, simplifying the assessment process.
Common Compliance Challenges and How to Address Them
Even organizations with mature security programs encounter specific hurdles when implementing NIST 800-171. Here are three common challenges and practical ways to address them.
Challenge 1: Evidence Collection for All 110 Controls
Manual evidence collection across multiple systems — Active Directory, firewalls, endpoint protection, cloud platforms — is the single biggest pain point for organizations pursuing compliance. Many controls require screenshots, logs, or configuration exports that must be mapped to specific control numbers. The solution is to implement a compliance automation platform that integrates with your existing tools and automatically maps findings to the NIST 800-171 control framework. CyberSilo’s platform ingests data from your SIEM, EDR, IAM, and cloud environments, reducing evidence collection time from weeks to days.
Challenge 2: Multi-Factor Authentication Rollout
Requirement 3.5.3 requires multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Organizations with legacy systems, operational technology (OT), or remote field personnel often struggle to implement it consistently. It is a 5-point requirement that cannot be left open on a POA&M at a Level 2 certification assessment, so it has to be met before the assessment. Where a specific asset genuinely cannot support MFA, the CMMC rule lets you document specialized assets such as OT and IoT in the SSP and asset inventory and manage them under risk-based policy rather than assessing them against every requirement, but that scoping must be written down and defended, not assumed. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or smart cards) over SMS or voice codes, and cover every interactive privileged account, including vendor and break-glass accounts. Non-interactive service accounts are not user logons, so document how they are constrained (vaulted credentials, restricted logon rights, monitoring) instead of claiming MFA for them.
Challenge 3: Continuous Monitoring and Audit Review
Requirements 3.3.3 and 3.3.5 require that logged events be reviewed and that review, analysis, and reporting be correlated, and 3.14.6 requires ongoing monitoring of system and network traffic to detect attacks. Many organizations generate massive volumes of log data but lack the staffing or tools to analyze it effectively. A SIEM such as CyberSilo's ThreatHawk SIEM can automate log correlation, generate prioritized alerts, and produce audit review reports at the frequency your policy defines. Configure it to collect the event types your audit policy names (logons and logoffs, privileged function execution per 3.1.7, account and configuration changes, and audit logging failures per 3.3.4) and tag each event with the requirement it evidences, so the reports are usable at assessment time.
Get a Comprehensive NIST 800-171 Compliance Assessment
Not sure where your organization stands against the 110 controls? CyberSilo’s compliance experts will conduct a thorough gap assessment, identify missing controls, and deliver a prioritized remediation roadmap with POA&M documentation. Our team has helped over 200 US defense contractors achieve and maintain NIST 800-171 compliance.
Integration with CMMC 2.0 and Other Frameworks
NIST SP 800-171 serves as the technical foundation for CMMC 2.0 Level 2. If your organization is pursuing certification, aim to have all 110 requirements implemented before scheduling a C3PAO assessment. The CMMC program rule (32 CFR Part 170) grants final Level 2 status only when every requirement is scored MET; a conditional status is available with a score of at least 88 of 110 and a POA&M that contains no 5-point requirements, and those open items must be closed within 180 days. This makes the checklist above not just a compliance tool but a direct path to certification.
Additionally, NIST 800-171 requirements overlap significantly with other frameworks your organization may already follow. For example, the 22 Access Control requirements map closely to ISO/IEC 27001:2013 Annex A.9 (access control, spread across the organizational and technological controls in the 2022 edition) and to PCI DSS Requirements 7 and 8. The 9 Audit and Accountability requirements align with SOC 2 monitoring criteria such as CC7.2. Leveraging existing controls from these frameworks can accelerate your implementation, but verify that each NIST assessment objective, as enumerated in NIST SP 800-171A, is fully met, because assessors score against those objectives rather than against the other framework's wording.
For US defense contractors operating in Canada or with Canadian partners, note that the Canadian Centre for Cyber Security's ITSG-33 control catalogue is derived from NIST SP 800-53, so its controls can be mapped to the 800-171 requirements for organizations handling US CUI across the border. The mapping is a convenience for reusing evidence, not a substitute: US CUI is still assessed against 800-171. CyberSilo's Canadian compliance services support dual US-Canada compliance needs.
Our Conclusion & Recommendation
NIST SP 800-171 compliance is a non-negotiable requirement for any US organization that wants to win and retain DoD contracts. This 110-control checklist gives you a complete, auditable framework to assess your current posture and build a remediation plan. The controls are demanding, but they are also achievable with the right tools and methodology. Organizations that treat compliance as a continuous process — not a one-time project — significantly reduce their risk of non-compliance findings and contract loss.
CyberSilo recommends starting with a comprehensive gap assessment using this checklist, then deploying automation to manage evidence collection, control mapping, and POA&M tracking at scale. Our Compliance Standards Automation platform is specifically designed for US defense contractors navigating NIST 800-171 and CMMC 2.0, and our compliance team has deep expertise in DoD assessment methodology. Contact us to learn how we can help you achieve and maintain full compliance.
Ready to Master NIST 800-171 Compliance?
Get a customized compliance assessment and roadmap tailored to your organization’s specific environment and contract requirements.
