NIST SP 800-171 Compliance Guide

Everything you need to know about the 110 security controls that form the foundation of CMMC Level 2. Automate your compliance with AI.

What is NIST SP 800-171?

NIST Special Publication 800-171 ("Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations") defines 110 security requirements across 14 families. Published by the National Institute of Standards and Technology, it's the backbone of CMMC Level 2 certification.

If your organization handles CUI (Controlled Unclassified Information) for the Department of Defense, you must implement all 110 controls and demonstrate compliance through a C3PAO assessment.

The 14 NIST 800-171 Control Families

1. Access Control (AC)

22 requirements covering system access, remote access, and access enforcement. Includes multi-factor authentication, least privilege, and session controls.

2. Awareness & Training (AT)

3 requirements ensuring all users understand security risks and their responsibilities for protecting CUI.

3. Audit & Accountability (AU)

9 requirements for logging, monitoring, and retaining audit records of system activity.

4. Configuration Management (CM)

9 requirements for establishing and maintaining secure configurations across all systems.

5. Identification & Authentication (IA)

11 requirements for identifying users, devices, and processes, including MFA requirements.

6. Incident Response (IR)

3 requirements for preparing, detecting, analyzing, and recovering from security incidents.

7. Maintenance (MA)

6 requirements for performing timely and secure maintenance on organizational systems.

8. Media Protection (MP)

9 requirements for protecting, sanitizing, and disposing of media containing CUI.

9. Personnel Security (PS)

2 requirements for screening individuals and protecting CUI during personnel changes.

10. Physical Protection (PE)

6 requirements for controlling physical access to facilities, equipment, and systems.

11. Risk Assessment (RA)

3 requirements for assessing and managing risk to operations and assets.

12. Security Assessment (CA)

4 requirements for assessing, monitoring, and improving security controls.

13. System & Communications Protection (SC)

16 requirements for protecting communications and data at system boundaries.

14. System & Information Integrity (SI)

7 requirements for identifying flaws, monitoring events, and ensuring system integrity.

NIST 800-171 vs CMMC: What's the Difference?

| Aspect | NIST 800-171 | CMMC Level 2 |
|---|---|---|
| Controls | 110 security requirements | Same 110 requirements |
| Verification | Self-attestation (SPRS) | C3PAO third-party assessment |
| Documentation | SSP + POA&M required | SSP + POA&M + evidence packages |
| Enforcement | Contract clause | Certification required to bid |
| Scoring | SPRS score (-203 to 110) | Pass/fail per practice |
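The SPRS score range in the table comes from the DoD NIST SP 800-171 Assessment Methodology: an assessment starts at 110 and subtracts each unimplemented requirement's weight (5, 3 or 1 point), so the floor is -203 when nothing is implemented, and a requirement that is still open on a POA&M counts as not implemented for scoring. The calculator below is an added example, not code from the original page or from Hatty AI. The requirement identifiers follow the SP 800-171 "3.family.requirement" numbering, but the weight table is a constructed sample; the official weights must be taken from the methodology itself. The partial-credit rule for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) is the one the methodology defines.

```python
"""SPRS-style score calculator for a NIST SP 800-171 self-assessment.

Added example; assumes the DoD Assessment Methodology model:
start at 110, subtract each unimplemented requirement's weight, floor at -203.
SAMPLE_WEIGHTS is a CONSTRUCTED sample, not the official weight table.
"""
from collections import defaultdict

MAX_SCORE = 110
MIN_SCORE = -203

# Requirements that may be scored as partially implemented (3 points deducted
# instead of the full 5): 3.5.3 MFA and 3.13.11 FIPS-validated cryptography.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Family index in the "3.<family>.<n>" identifier -> family abbreviation.
FAMILIES = {1: "AC", 2: "AT", 3: "AU", 4: "CM", 5: "IA", 6: "IR", 7: "MA",
            8: "MP", 9: "PS", 10: "PE", 11: "RA", 12: "CA", 13: "SC", 14: "SI"}

# Constructed sample weights (hypothetical values for illustration only).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.3.1": 5, "3.3.2": 3,
    "3.4.7": 5, "3.5.3": 5, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}

# Constructed sample assessment result. Anything not listed is treated as
# not implemented, which is the conservative reading for a gap analysis.
SAMPLE_STATUS = {
    "3.1.1": "implemented", "3.1.2": "implemented", "3.1.20": "poam",
    "3.3.1": "implemented", "3.3.2": "not_implemented", "3.4.7": "implemented",
    "3.5.3": "partial", "3.13.11": "not_implemented",
    "3.14.1": "implemented", "3.14.2": "implemented",
}

VALID_STATES = {"implemented", "not_implemented", "poam", "partial"}


def family_of(req_id):
    """Map '3.13.11' -> 'SC' using the family index in the identifier."""
    return FAMILIES[int(req_id.split(".")[1])]


def sprs_score(weights, status):
    """Return (score, deductions_by_family).

    weights: {requirement_id: points (5, 3 or 1)}
    status:  {requirement_id: implemented | not_implemented | poam | partial}
    """
    unknown = set(status) - set(weights)
    if unknown:
        raise KeyError(f"status given for unknown requirements: {sorted(unknown)}")

    score = MAX_SCORE
    deductions = defaultdict(int)
    for req, weight in weights.items():
        state = status.get(req, "not_implemented")
        if state not in VALID_STATES:
            raise ValueError(f"{req}: invalid state {state!r}")
        if state == "implemented":
            continue
        if state == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(f"{req}: partial credit is not allowed")
            points = PARTIAL_CREDIT[req]
        else:  # not_implemented or still open on the POA&M
            points = weight
        score -= points
        deductions[family_of(req)] += points

    return max(score, MIN_SCORE), dict(deductions)


def worst_families(deductions):
    """Families ranked by points lost, for remediation prioritisation."""
    return sorted(deductions.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    score, lost = sprs_score(SAMPLE_WEIGHTS, SAMPLE_STATUS)
    print(f"SPRS score: {score}")
    for fam, pts in worst_families(lost):
        print(f"  {fam}: -{pts}")
```

Running the sample gives 98 (3 for partial MFA, 5 for non-FIPS cryptography, 1 for the open POA&M item, 3 for the unmet audit requirement), and the per-family breakdown shows where the largest point recovery lies. The same structure works unchanged once the dictionary is replaced with the official 110-entry weight table.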

Automate NIST 800-171 Compliance with Hatty AI

Hatty AI maps your existing security controls against all 110 NIST 800-171 requirements automatically. Our platform:

Check Your NIST 800-171 Score

Free assessment against all 110 controls. Results in 15 minutes.