CMMC Level 2 has no security controls of its own. It adopts, one for one, the 110 requirements in NIST SP 800-171 Revision 2 — organized into 14 control families. Implement those 110, and you have met the technical bar for Level 2. Here is how they are structured, how they are scored, and how an assessor actually checks them.
What NIST 800-171 is — and why CMMC runs on it
NIST SP 800-171 is the federal standard for protecting Controlled Unclassified Information (CUI) on the systems of non-federal organizations — contractors, in other words. It defines 110 security requirements a company must implement to safeguard that information.
CMMC does not replace the standard; it verifies it. For Level 2, the program rule maps directly to all 110 NIST SP 800-171 Rev 2 requirements — no additions, no subtractions, no modifications. NIST 800-171 is the "what you must do"; CMMC is the "prove you did it." If you have fully implemented NIST 800-171, you have done the substantive work of Level 2, and what remains is the assessment.
So if you've already confirmed your contract puts you at Level 2 rather than Level 1, these 110 controls are your scope. The rest of this guide is the map.
Rev 2, not Rev 3: the version that counts today
A point of frequent confusion: there are two live versions of NIST 800-171, and only one applies to CMMC right now.
NIST published Revision 3 in May 2024. It restructured the standard into 97 requirements across 17 control families and introduced organization-defined parameters. But CMMC has not adopted Rev 3. A DoD class deviation keeps Revision 2 — the 110 requirements across 14 families — as the active standard for Level 2 today, and Rev 3 enforcement is not expected before late 2026 to 2027.
What this means for you: build to Rev 2. Every control count, score, and assessment objective in this guide reflects the version your contract requires now. Treat Rev 3 as a horizon item, not a current obligation.
The 14 control families
The 110 requirements are grouped into 14 families, each covering one domain of security. They are not equal in size — three families account for nearly half the total, while two have only a handful of requirements each.
| Family | Controls | What it covers |
|---|---|---|
| Access Control (AC) | 22 | Who and what can reach CUI — accounts, least privilege, remote access, session control, information flow |
| Awareness & Training (AT) | 3 | Security awareness and role-based training for people who handle CUI |
| Audit & Accountability (AU) | 9 | Logging, log review, and tracing actions back to individuals |
| Configuration Management (CM) | 9 | Secure baselines, change control, and system inventory |
| Identification & Authentication (IA) | 11 | Verifying users and devices — including multi-factor authentication |
| Incident Response (IR) | 3 | Detecting, reporting, and handling security incidents |
| Maintenance (MA) | 6 | Controlled system maintenance, including remote and third-party work |
| Media Protection (MP) | 9 | Protecting, sanitizing, and controlling media that holds CUI |
| Personnel Security (PS) | 2 | Screening before access, and revoking access on departure |
| Physical Protection (PE) | 6 | Controlling physical access to systems and facilities |
| Risk Assessment (RA) | 3 | Assessing organizational risk and scanning for vulnerabilities |
| Security Assessment (CA) | 4 | The System Security Plan, control assessments, and POA&Ms |
| System & Communications Protection (SC) | 16 | Boundary protection, network segmentation, FIPS-validated encryption |
| System & Information Integrity (SI) | 7 | Patching, malware defense, and monitoring for threats |
Two patterns are worth noting. The largest families — Access Control (22) and System and Communications Protection (16) — are where assessors spend the most time, because they cover the highest-risk attack surface. And the smallest families are deceptive: Personnel Security has just two requirements, but firms routinely lose points there by treating access revocation for departing employees as an administrative afterthought.
Not all controls weigh the same: how scoring works
You do not simply count the controls you've met. CMMC uses a weighted scoring methodology (32 CFR § 170.24). You start at the maximum of 110 points, and each requirement you have not met subtracts its assigned value — 1, 3, or 5 points, depending on how critical it is to protecting CUI. Because the heavier deductions stack, the score can fall well below zero: the full range recorded in your SPRS profile runs from −203 to +110.
That weighting is why "meeting most of the controls" is not the same as a high score. Missing a single 5-point requirement costs as much as missing five 1-point requirements combined. The same math drives the conditional-status path and the 180-day clock that comes with it: to carry gaps on a POA&M and stay eligible for award, your score must reach at least 88 — 80% of the 110-point maximum — with only lower-weighted requirements deferred.
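The weighted arithmetic described above, as an added example that is not from the article or any DoD tool: it scores a constructed set of 110 requirements and applies a simplified conditional-status test. The 40/20/50 weight mix and the `W5-01`-style identifiers are invented for illustration (the real per-requirement weights come from the DoD Assessment Methodology), and treating only 1-point gaps as deferrable is an assumption that stands in for the full POA&M eligibility rule.

```python
from dataclasses import dataclass, replace

MAX_SCORE = 110              # one point per NIST SP 800-171 Rev 2 requirement
CONDITIONAL_THRESHOLD = 88   # 80% of the maximum: the conditional-status floor
VALID_WEIGHTS = (1, 3, 5)    # deduction values used by the DoD Assessment Methodology


@dataclass(frozen=True)
class Requirement:
    ident: str   # requirement identifier (constructed below, not real NIST numbers)
    weight: int  # points subtracted when the requirement is NOT MET: 1, 3 or 5
    met: bool


def sprs_score(reqs: list[Requirement]) -> int:
    """Start at 110 and subtract the weight of every requirement scored NOT MET."""
    if len(reqs) != MAX_SCORE:
        raise ValueError(f"expected {MAX_SCORE} requirements, got {len(reqs)}")
    bad = [r.ident for r in reqs if r.weight not in VALID_WEIGHTS]
    if bad:
        raise ValueError(f"invalid weight on {bad}")
    return MAX_SCORE - sum(r.weight for r in reqs if not r.met)


def conditional_eligible(reqs: list[Requirement]) -> bool:
    """Simplified conditional-status check (assumption): score >= 88 and every
    open gap is a 1-point item, so nothing higher-weighted is left on the POA&M."""
    gaps = [r for r in reqs if not r.met]
    return sprs_score(reqs) >= CONDITIONAL_THRESHOLD and all(r.weight == 1 for r in gaps)


def constructed_baseline() -> list[Requirement]:
    """Constructed sample of 110 requirements, all MET. The 40/20/50 weight mix is
    illustrative only; real per-requirement weights come from the DoD methodology."""
    mix = {5: 40, 3: 20, 1: 50}
    return [Requirement(f"W{w}-{i:02d}", w, True) for w, n in mix.items() for i in range(1, n + 1)]


def with_gaps(reqs: list[Requirement], gap_ids: set[str]) -> list[Requirement]:
    """Return a copy of the assessment with the named requirements scored NOT MET."""
    return [replace(r, met=False) if r.ident in gap_ids else r for r in reqs]


if __name__ == "__main__":
    base = constructed_baseline()
    scenarios = [
        ("one 5-pt gap", with_gaps(base, {"W5-01"})),                                 # 105, not eligible
        ("five 1-pt gaps", with_gaps(base, {f"W1-{i:02d}" for i in range(1, 6)})),    # 105, eligible
        ("five 5-pt gaps", with_gaps(base, {f"W5-{i:02d}" for i in range(1, 6)})),    # 85, below 88
    ]
    for label, assessment in scenarios:
        print(f"{label:15} score={sprs_score(assessment):4d} conditional_eligible={conditional_eligible(assessment)}")
```

The first two scenarios land on the same score, which is the point: the weighting decides which gaps can be carried on a POA&M, not just how many points are left.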
110 requirements, 320 assessment objectives
Here is the detail that catches firms off guard at assessment time: the 110 requirements break down into 320 assessment objectives. A requirement is scored MET only when every one of its underlying objectives is satisfied — there is no partial credit within a requirement, apart from one narrow exception for multi-factor authentication.
An assessor — whether that's you in a self-assessment or a C3PAO in a certification assessment — evaluates each objective using three methods drawn from NIST SP 800-171A: examine (review your documentation), interview (talk to your people), and test (verify the control actually works). Many objectives require all three. The practical scope of Level 2, then, is not 110 checkboxes — it is 320 evidence-backed determinations.
Where small firms most often fall short
A few requirements generate findings out of proportion to their place in the standard:
FIPS-validated encryption (SC). Using encryption is not enough — for CUI, it must be FIPS-validated. Many commodity tools are not, and a lot of firms discover this late.
Multi-factor authentication (IA). One of the most heavily scrutinized requirements, and one of the most commonly missed in full.
Flat networks (SC). When CUI systems share a network with general office systems, the boundary-protection requirements are hard to meet without segmentation.
Audit log review (AU). Collecting logs is common; reviewing them and tracing actions to individuals is where firms fall down.
The System Security Plan (CA). An SSP copied from a template, rather than describing your actual environment, fails on contact with an assessor.
How to use the 14 families to plan
The families are also a project plan. Three principles keep that plan efficient:
Scope before you build. Define exactly which systems process, store, or transmit CUI. A tight boundary — often a dedicated enclave — shrinks how many of the 110 apply and how much they cost to implement.
Sequence by dependency. Some families rely on others: you cannot satisfy Audit and Accountability without the identity infrastructure that Identification and Authentication provides.
Prioritize by weight. Close your highest-value (5- and 3-point) gaps first. They move your SPRS score the most, and several of them cannot be deferred on a POA&M at all.
Key Takeaways
CMMC Level 2 is NIST SP 800-171 Rev 2: all 110 requirements across 14 control families, mapped one-to-one with no changes.
Build to Rev 2, not Rev 3. Rev 3 exists (97 requirements, 17 families) but isn't in CMMC yet; the class deviation keeps Rev 2 as the active standard.
Controls are weighted, not counted. You start at 110 and subtract 1, 3, or 5 per gap; the SPRS score runs from −203 to +110.
The real scope is 320 assessment objectives, checked by examine / interview / test — not 110 checkboxes.
The biggest families (AC, SC, IA) carry the most work; the smallest (PS, PE, IR) cause outsized findings. FIPS-validated encryption, MFA, and an accurate SSP are the usual stumbling blocks.
FAQ
How many controls are in NIST 800-171? NIST SP 800-171 Revision 2 has 110 security requirements, organized into 14 control families ranging from 2 to 22 requirements each. CMMC Level 2 maps to all 110 with no additions or modifications.
Is NIST 800-171 the same as CMMC Level 2? Effectively, for the controls — yes. NIST 800-171 is the technical standard (the 110 requirements); CMMC Level 2 is the framework that verifies you've implemented it, and adds the assessment, scoring, and annual affirmation around it. Meeting all 110 is the substantive work of Level 2.
Should I implement Rev 2 or Rev 3? Rev 2, for CMMC. Revision 3 was published in May 2024 and restructured the standard to 97 requirements, but CMMC has not adopted it; a class deviation keeps Rev 2 as the active standard, and Rev 3 enforcement isn't expected before late 2026–2027.
How is my NIST 800-171 score calculated? With a weighted methodology, not a simple count. You start at 110 points and subtract the value of each unmet requirement — 1, 3, or 5 points depending on its importance — so the score recorded in SPRS can range from −203 to +110.
What's the hardest part of NIST 800-171 for small firms? Usually FIPS-validated encryption, multi-factor authentication, and network segmentation, plus a System Security Plan that reflects your real environment. The 320 assessment objectives behind the 110 requirements also surprise firms that expected a shorter checklist.
SOURCES
All primary. Verified as of June 2026.
NIST SP 800-171 Revision 2 (csrc.nist.gov). The 110 security requirements across 14 control families; basic vs derived requirement structure. Note: the publication was withdrawn May 14, 2024 and superseded by Rev 3, but Rev 2 remains the active CMMC standard via DoD class deviation.
NIST SP 800-171A Revision 2 (csrc.nist.gov). The 320 assessment objectives mapped to the 110 requirements; the examine / interview / test assessment methods.
32 CFR Part 170 (eCFR): § 170.14(c)(3) (Level 2 = the 110 NIST SP 800-171 Rev 2 requirements); § 170.24 (CMMC Scoring Methodology — weighted values, negative scores possible). Update trigger: incorporation of NIST SP 800-171 Rev 3.
DoD NIST SP 800-171 Assessment Methodology (DoD CIO / acquisition.gov). The weighted 5/3/1-point deductions and the −203 to +110 SPRS scoring range.
NIST SP 800-171 Revision 3 (csrc.nist.gov, May 14, 2024). 97 requirements, 17 control families, organization-defined parameters — cited only to establish that Rev 3 is not yet the CMMC standard.