NIST SP 800-171 r2 defines 110 security requirements that any non-federal system handling Controlled Unclassified Information (CUI) must meet. The 110 requirements are grouped into 14 control families, from Access Control to System and Information Integrity. CMMC Level 2 assesses you against all 110, scored on a 110-point scale where each failed control deducts 1, 3, or 5 points. You need 88+ to pass with a conditional certificate, and 110 for a clean one.
Why 800-171 matters
Since December 31, 2017, DFARS 252.204-7012 has required every DoD contractor handling CUI to implement NIST 800-171 and self-attest. CMMC Level 2 simply adds an independent C3PAO assessment of that same standard. So 800-171 is not new — what's new is that someone is finally going to check.
How scoring works
Use the DoD Assessment Methodology (DoDAM). You start at 110. Each not-yet-implemented control deducts:
- 5 points for high-impact basic hygiene (MFA, encryption of CUI at rest, FIPS-validated crypto).
- 3 points for medium-impact controls (audit logging, vulnerability scanning).
- 1 point for lower-impact items.
Your SPRS score can go as low as −203. A negative score on a contract that requires CMMC is a non-starter.
The 14 control families
1. Access Control (AC) — 22 controls
Least privilege, separation of duties, session lock, remote access. The biggest family by count.
2. Awareness and Training (AT) — 3 controls
Annual security awareness, role-based training, insider-threat awareness.
3. Audit and Accountability (AU) — 9 controls
Generate, protect, review, and correlate audit logs. SIEM-shaped.
4. Configuration Management (CM) — 9 controls
Baseline configs, change control, least functionality, software allow-listing.
5. Identification and Authentication (IA) — 11 controls
Unique IDs, MFA for privileged and remote access, password complexity, FIPS crypto for authenticators.
6. Incident Response (IR) — 3 controls
IR plan, training and testing, and reporting (ties into DFARS 7012's 72-hour rule).
7. Maintenance (MA) — 6 controls
Controlled maintenance, MFA for non-local maintenance, sanitize equipment before off-site service.
8. Media Protection (MP) — 9 controls
Protect, mark, sanitize, and control CUI media — including USB drives and printouts.
9. Personnel Security (PS) — 2 controls
Screen personnel before granting CUI access; revoke access on termination/transfer.
10. Physical Protection (PE) — 6 controls
Limit physical access, escort visitors, protect alternate work sites (work-from-home counts).
11. Risk Assessment (RA) — 3 controls
Periodic risk assessments and vulnerability scanning with remediation.
12. Security Assessment (CA) — 4 controls
Maintain an SSP and POA&M, perform periodic assessments, monitor controls continuously.
13. System and Communications Protection (SC) — 16 controls
Boundary protection, encryption in transit, deny-by-default networking, FIPS crypto.
14. System and Information Integrity (SI) — 7 controls
Flaw remediation, malicious-code protection, monitoring, alerts and advisories.
The 5 controls that fail people
- 3.5.3 — MFA for privileged and network access. Microsoft Authenticator counts only if your tenant is set up correctly.
- 3.13.11 — Employ FIPS-validated cryptography. Self-signed OpenSSL doesn't count; you need a FIPS 140-2/3 validation certificate.
- 3.1.20 — Verify connections to external systems. In practice this means every SaaS you send CUI to must itself be FedRAMP Moderate (or equivalent).
- 3.3.5 — Correlate audit log review. SIEM, not just "we keep logs in CloudTrail".
- 3.13.8 — Cryptographic mechanisms to prevent unauthorized disclosure of CUI in transit. Email with CUI must be encrypted end-to-end or use a compliant portal.
Scoping: the real cost driver
The cheapest path to Level 2 is to put CUI in a small, walled-off enclave — a dedicated VDI, a GovCloud tenant, a single managed laptop fleet — rather than letting it spread across your whole company. Every machine that "could" touch CUI is in scope, and every in-scope machine adds cost to assessment, monitoring, and remediation. Scope discipline is worth more than any tool you buy.
Frequently asked questions
- What's the difference between NIST 800-171 and 800-172?
- 800-171 covers protecting CUI from standard threats and is what CMMC Level 2 audits. 800-172 adds 35 enhanced requirements for protecting CUI against advanced persistent threats (APT) and is the basis for CMMC Level 3 — required only for a small subset of contracts handling the most sensitive CUI.
- Can I have a POA&M and still pass CMMC Level 2?
- Yes, for a limited set of controls. Under the CMMC 2.0 final rule, you can pass with a conditional certificate if your score is at least 88/110, no 5-point controls are open, and POA&M items are closed within 180 days. After that window you must close them or you lose the certificate.
- Do I need FIPS-validated encryption for all data, or just CUI?
- Just for CUI. You need FIPS 140-2 or 140-3 validated cryptographic modules wherever CUI is encrypted at rest or in transit and wherever you authenticate users with access to CUI. The validation must be current — products with expired validations don't count.
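As an added example (not part of this page, and not the DoD's or any C3PAO's tooling), the Python below applies the DoDAM scoring described under "How scoring works" together with the conditional-certificate rules from the POA&M question above: start at 110, subtract 5/3/1 per open control, floor at −203, and grant a conditional certificate only at 88+ with no open 5-point control and every gap on a POA&M that closes within 180 days. The control IDs are the ones named on this page, but the weights attached to them, the statuses and the dates are constructed sample data (the real per-control weights come from the DoDAM annex); controls not listed are assumed implemented.

```python
"""DoDAM-style SPRS score and CMMC Level 2 outcome calculator (added example).
Weights, statuses and dates below are constructed for illustration only."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_SCORE = 110        # one point per NIST SP 800-171 r2 requirement
MIN_SCORE = -203       # lowest score the DoDAM can produce
CONDITIONAL_MIN = 88   # minimum score for a conditional Level 2 certificate
POAM_WINDOW_DAYS = 180 # POA&M items must be closed within this window


@dataclass(frozen=True)
class Control:
    control_id: str               # e.g. "3.5.3"
    weight: int                   # 5, 3 or 1 per DoDAM (illustrative values here)
    implemented: bool
    poam_opened: Optional[date] = None  # date the gap was placed on the POA&M, if open


def validate(controls: List[Control]) -> None:
    """Reject duplicate control IDs and weights outside the 1/3/5 scheme."""
    ids = [c.control_id for c in controls]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate control ids in assessment input")
    for c in controls:
        if c.weight not in (1, 3, 5):
            raise ValueError(f"{c.control_id}: weight must be 1, 3 or 5")


def sprs_score(controls: List[Control]) -> int:
    """Start at 110, subtract the weight of each unimplemented control, floor at -203."""
    deductions = sum(c.weight for c in controls if not c.implemented)
    return max(MIN_SCORE, MAX_SCORE - deductions)


def remediation_priority(controls: List[Control]) -> List[str]:
    """Open controls ordered by points recovered per fix, highest weight first."""
    open_controls = [c for c in controls if not c.implemented]
    return [c.control_id for c in sorted(open_controls, key=lambda c: (-c.weight, c.control_id))]


def level2_outcome(controls: List[Control], assessment_date: date) -> str:
    """'final' at 110, 'conditional' at 88+ with only POA&M'd 1- or 3-point gaps, else 'fail'."""
    validate(controls)
    open_controls = [c for c in controls if not c.implemented]
    if not open_controls:
        return "final"
    if sprs_score(controls) < CONDITIONAL_MIN:
        return "fail"
    if any(c.weight == 5 for c in open_controls):   # no 5-point control may be open
        return "fail"
    if any(c.poam_opened is None for c in open_controls):  # every gap needs a POA&M entry
        return "fail"
    return "conditional"


def poam_deadline(assessment_date: date) -> date:
    """Last day on which POA&M items from a conditional certificate may still be open."""
    return assessment_date + timedelta(days=POAM_WINDOW_DAYS)


def conditional_still_valid(controls_now: List[Control], assessment_date: date, today: date) -> bool:
    """A conditional certificate survives only if all POA&M items are closed by the deadline."""
    still_open = [c for c in controls_now if not c.implemented]
    return not still_open or today <= poam_deadline(assessment_date)


# Constructed sample: six of the controls this page names, two of them open and on a POA&M.
ASSESSMENT_DATE = date(2026, 3, 1)
SAMPLE_CONTROLS = [
    Control("3.5.3", 5, True),                          # MFA (page: 5-point hygiene)
    Control("3.13.11", 5, True),                        # FIPS-validated crypto
    Control("3.13.8", 5, True),                         # CUI encrypted in transit (illustrative weight)
    Control("3.11.2", 3, False, date(2026, 2, 15)),     # vulnerability scanning, open, on POA&M
    Control("3.3.5", 3, True),                          # audit log correlation
    Control("3.1.20", 1, False, date(2026, 2, 15)),     # external connections, open, on POA&M
]

if __name__ == "__main__":
    print("SPRS score:", sprs_score(SAMPLE_CONTROLS))
    print("Outcome:", level2_outcome(SAMPLE_CONTROLS, ASSESSMENT_DATE))
    print("Fix first:", remediation_priority(SAMPLE_CONTROLS))
    print("POA&M deadline:", poam_deadline(ASSESSMENT_DATE))
```

With the sample data the score is 106 and the outcome is conditional; flipping 3.5.3 to unimplemented drops the score to 101 and the outcome to fail, because a 5-point control is open even though the score is still above 88. Swap in your own SSP's control statuses and the weights from the DoDAM annex to get a real number.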