
The 110 NIST SP 800-171 Controls in Plain English

All 14 control families translated out of NIST-speak, with examples a small shop can actually use. Bookmark this — it's the reference behind every SSP we write.

How to use this reference

NIST SP 800-171 lists controls by number (3.1.1, 3.1.2, etc.) within 14 families. The numbering is precise but not always memorable. Below, every family gets a plain-English summary plus five examples of what "compliant" actually looks like in a small-shop environment.

This isn't a substitute for the full document — the assessment objectives in NIST SP 800-171 Rev 3 and the assessment criteria in NIST SP 800-171A Rev 3 are what your C3PAO will measure you against. But for understanding what each family is trying to achieve, this is enough.

3.1 Access Control

22 controls

Who can log in, what they can reach, and how their session is limited.

In a small shop, this looks like:

  • Named accounts (no shared logins).
  • Least-privilege roles (sales doesn't need the CUI file share).
  • Session lock after 15 minutes of inactivity.
  • Remote-access controls — MFA, encrypted channels, no split-tunnel VPN.
  • Separate admin accounts from day-to-day user accounts.

3.2 Awareness & Training

3 controls

Everyone with CUI access knows what they're protecting and what the threats look like.

In a small shop, this looks like:

  • Role-based training (a CAD operator and a buyer need different things).
  • Annual refresher at minimum.
  • Insider-threat awareness — yes, this is a required control.

3.3 Audit & Accountability

9 controls

Every meaningful action in the CUI environment is logged, the logs are protected, and someone actually reviews them.

In a small shop, this looks like:

  • Logs of every login, file access, and admin action.
  • Logs stored where attackers can't delete them.
  • Time-synced clocks so logs from different systems line up.
  • Documented log-review cadence and named reviewer.
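What a documented review pass can look like in practice, as an added example that is not from the original page: it parses a constructed day of file-server events (fictional hosts, accounts and a made-up key=value format) and pulls out the items a named reviewer should sign off on. The business-hours window and failure threshold are assumed values.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one day of events from a CUI file server, in a made-up
# "timestamp host event key=value ..." format. Hosts and users are fictional.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z fileserver01 login user=jsmith src=10.20.1.15 result=success
2024-05-06T08:04:02Z fileserver01 file_access user=jsmith path=/cui/drawings/part-771.dwg
2024-05-06T09:15:30Z fileserver01 login user=shopfloor src=10.20.2.40 result=success
2024-05-06T09:16:01Z fileserver01 login user=shopfloor src=10.20.2.41 result=success
2024-05-06T22:47:19Z fileserver01 login user=admin-jsmith src=10.20.1.15 result=success
2024-05-06T22:48:00Z fileserver01 admin_action user=admin-jsmith detail=group_add:cui-readers
2024-05-06T23:10:05Z fileserver01 login user=rjones src=10.20.1.30 result=failure
2024-05-06T23:10:09Z fileserver01 login user=rjones src=10.20.1.30 result=failure
2024-05-06T23:10:14Z fileserver01 login user=rjones src=10.20.1.30 result=failure
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC, an assumed shop schedule
FAILURE_THRESHOLD = 3          # assumed: this many failures in a day needs a look

def parse(line):
    """Turn one log line into a dict with parsed timestamp, host, event and fields."""
    ts, host, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host=host, event=event)
    return rec

def review(log_text):
    """One review pass: return the items the named reviewer should sign off on."""
    failures, sources, out = Counter(), defaultdict(set), defaultdict(list)
    for rec in map(parse, log_text.splitlines()):
        user = rec["user"]
        if rec["event"] == "login" and rec["result"] == "failure":
            failures[user] += 1
        elif rec["event"] == "login":
            sources[user].add(rec["src"])  # where each account logs in from
            if rec["ts"].hour not in BUSINESS_HOURS:
                out["after_hours_login"].append(user)
        elif rec["event"] == "admin_action":  # every admin action gets eyes on it
            out["admin_actions"].append((user, rec["detail"]))
    out["failed_login_burst"] = sorted(u for u, n in failures.items() if n >= FAILURE_THRESHOLD)
    # One account seen from several addresses in a day is a cue to check for a shared login (3.1).
    out["multi_source_login"] = sorted(u for u, s in sources.items() if len(s) > 1)
    return dict(out)

if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG).items():
        print(category, items)
```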

3.4 Configuration Management

9 controls

Systems are built to a documented baseline and changes go through a process.

In a small shop, this looks like:

  • Hardened build standards for laptops, servers, network gear.
  • Software allow-list (or at minimum, blocklist) so random EXEs can't run.
  • Change tickets for every CUI-environment change.
  • Documented system inventory — every device that touches CUI.

3.5 Identification & Authentication

11 controls

Everyone proves who they are before getting access, and the proof is strong.

In a small shop, this looks like:

  • Multi-factor authentication on every CUI-accessing account.
  • Phishing-resistant MFA (FIDO2 keys or passkeys) for privileged users.
  • Password complexity and rotation rules per NIST guidance.
  • Device authentication for systems that connect machine-to-machine to CUI services.

3.6 Incident Response

3 controls

You have a documented plan, you practise it, and you report to DoD on time.

In a small shop, this looks like:

  • Written IR plan with named roles.
  • Tabletop exercise at least annually.
  • 72-hour incident reporting to DoD under DFARS 252.204-7012.

3.7 Maintenance

6 controls

Maintaining systems doesn't become a back-door for CUI exposure.

In a small shop, this looks like:

  • Sanitise devices before sending them out for repair.
  • Supervise remote-maintenance sessions.
  • Personnel checks on outside maintenance technicians.
  • Approved tools only for maintenance work.

3.8 Media Protection

9 controls

Anything that can carry CUI off the network is controlled, encrypted, or destroyed.

In a small shop, this looks like:

  • Encrypt CUI at rest on drives, USB sticks, backup media.
  • Mark physical media that holds CUI.
  • Sanitise media before disposal (NIST 800-88 erase or physical destruction).
  • Controlled transport when media leaves the facility.

3.9 Personnel Security

2 controls

People are vetted before getting access and access is removed when they leave.

In a small shop, this looks like:

  • Background check appropriate to role before CUI access.
  • Access revoked the day someone leaves — not the week.

3.10 Physical Protection

6 controls

Bad guys can't walk in and take CUI off your shop floor.

In a small shop, this looks like:

  • Locked doors and badge access to CUI areas.
  • Visitor log with escort policy.
  • Monitor and review physical-access logs.
  • Protect CUI from being seen through unattended monitors.

3.11 Risk Assessment

3 controls

You've looked at your risks honestly, written it down, and you keep looking.

In a small shop, this looks like:

  • Annual written risk assessment of the CUI environment.
  • Vulnerability scanning of the CUI environment.
  • Remediation tracking with documented decisions.

3.12 Security Assessment

4 controls

You verify that your controls actually work, and you have an SSP and POAM.

In a small shop, this looks like:

  • Documented System Security Plan (SSP) covering all 14 families.
  • Plan of Action & Milestones (POAM) for residual gaps.
  • Periodic control assessments (internal or external).
  • Continuous monitoring programme.

3.13 System & Communications Protection

16 controls

The CUI environment is bounded, encrypted in transit, and segmented from everything else.

In a small shop, this looks like:

  • Firewall and network segmentation isolating the CUI enclave.
  • Encrypted communications across boundaries (TLS 1.2+).
  • Denial-of-service safeguards on internet-facing services.
  • Separate VLAN/subnet for guest Wi-Fi vs CUI systems.

3.14 System & Information Integrity

7 controls

You patch promptly, run anti-malware, and notice when something goes wrong.

In a small shop, this looks like:

  • Patch management with timelines for high/critical CVEs.
  • Anti-malware on every endpoint, signature-and-behaviour based.
  • Monitor inbound network communications for malicious activity.
  • Detect unauthorised changes to systems and files.
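One way to track the patch timelines above, as an added example that is not from the original page: each scan finding gets a due date from its severity, and the report separates what is on track, overdue, or closed late. The day counts, host names and CVE ids are placeholders, not values the page states.

```python
from datetime import date, timedelta

# Assumed remediation windows in days; the page names no specific numbers.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scan findings on CUI hosts. CVE ids are placeholders, not real entries.
FINDINGS = [
    {"host": "fileserver01", "cve": "CVE-0000-0001", "severity": "critical",
     "found": date(2024, 4, 1), "patched": None},
    {"host": "cad-ws-03", "cve": "CVE-0000-0002", "severity": "high",
     "found": date(2024, 4, 20), "patched": None},
    {"host": "fw-edge", "cve": "CVE-0000-0003", "severity": "high",
     "found": date(2024, 3, 1), "patched": date(2024, 3, 20)},
    {"host": "cad-ws-03", "cve": "CVE-0000-0004", "severity": "critical",
     "found": date(2024, 3, 1), "patched": date(2024, 4, 1)},
    {"host": "fileserver01", "cve": "CVE-0000-0005", "severity": "medium",
     "found": date(2024, 2, 1), "patched": None},
]

def patch_status(findings, today):
    """Classify each finding against its SLA: on_track, overdue, closed or closed_late."""
    report = []
    for f in findings:
        due = f["found"] + timedelta(days=SLA_DAYS[f["severity"]])
        if f["patched"] is not None:
            state = "closed" if f["patched"] <= due else "closed_late"
            late = max(0, (f["patched"] - due).days)
        else:
            state = "overdue" if today > due else "on_track"
            late = max(0, (today - due).days)
        report.append({"host": f["host"], "cve": f["cve"], "severity": f["severity"],
                       "due": due, "state": state, "days_late": late})
    return report

def overdue(findings, today):
    """CVE ids that are past their window and still unpatched, for the POAM."""
    return sorted(r["cve"] for r in patch_status(findings, today) if r["state"] == "overdue")

if __name__ == "__main__":
    for r in patch_status(FINDINGS, date(2024, 5, 6)):
        print(r["host"], r["cve"], r["severity"], r["state"], r["days_late"])
```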

The five families that fail most

Across the C3PAO assessments we've supported, five families account for the majority of findings:

  1. Access Control (3.1) — usually shared logins, no session timeouts, and remote access without MFA.
  2. Identification & Authentication (3.5) — MFA missing on at least one privileged account, or weak password policy on a legacy system.
  3. Audit & Accountability (3.3) — logs exist but nobody reviews them, or log retention is too short.
  4. System & Communications Protection (3.13) — flat networks with no CUI enclave segmentation.
  5. Configuration Management (3.4) — no documented baseline, no change control, undocumented systems holding CUI.

The 800-171 / SSP relationship

Your System Security Plan (SSP) describes how each of these 110 controls is implemented in your environment. Your Plan of Action & Milestones (POAM) documents any control you don't fully meet today and when you'll close the gap. Both are mandatory before a C3PAO assessment.
