NIST 800-171 Compliance Checklist: All 110 Controls Organized by Priority

Why a Prioritized NIST 800-171 Checklist Matters for Defense Contractors

If your organization handles Controlled Unclassified Information (CUI) under a Department of Defense contract, NIST 800-171 compliance is not optional. It is a contractual obligation embedded in DFARS clause 252.204-7012, and DoD auditors are actively verifying it. The challenge most compliance managers face is not finding the list of controls — it is knowing where to start and what to tackle first when resources are limited and timelines are tight.

This checklist organizes all 110 controls across NIST SP 800-171's 14 control families by implementation priority: high, medium, and foundational. Use it as a working document alongside your System Security Plan (SSP) and Plan of Action and Milestones (POA&M). For a deeper orientation on the standard itself, see The Ultimate Beginner's Guide to NIST SP 800-171 Compliance.

Understanding the 14 Control Families

NIST SP 800-171 groups its 110 security requirements into 14 families. Each family addresses a distinct area of CUI protection. Before diving into priorities, compliance teams should understand what each family governs:

  • Access Control (AC) — 22 controls governing who can reach CUI systems and data
  • Awareness and Training (AT) — 3 controls ensuring personnel understand security responsibilities
  • Audit and Accountability (AU) — 9 controls requiring logging, monitoring, and review of system activity
  • Configuration Management (CM) — 9 controls covering baseline configurations and change control
  • Identification and Authentication (IA) — 11 controls for verifying user and device identities
  • Incident Response (IR) — 3 controls for detecting, reporting, and recovering from security incidents
  • Maintenance (MA) — 6 controls for controlled system maintenance activities
  • Media Protection (MP) — 9 controls for protecting and sanitizing CUI-bearing media
  • Personnel Security (PS) — 2 controls governing personnel screening and termination
  • Physical Protection (PE) — 6 controls limiting physical access to CUI systems
  • Risk Assessment (RA) — 3 controls requiring periodic risk evaluations
  • Security Assessment (CA) — 4 controls for evaluating and monitoring security controls
  • System and Communications Protection (SC) — 16 controls for network boundaries and data in transit
  • System and Information Integrity (SI) — 7 controls for malware protection, patching, and alerting

For a comparison between this framework and the broader NIST SP 800-53, see our post on Essential Differences: NIST SP 800-171 and NIST SP 800-53 Explained.

Tier 1: High-Priority Controls to Implement First

These controls carry the greatest audit weight and address the most exploited attack vectors. If your organization is starting from scratch or preparing for a DIBCAC audit, address these before anything else.

Access Control (High Priority)

  • Limit system access to authorized users, processes, and devices (3.1.1)
  • Limit system access to the types of transactions authorized users are permitted to execute (3.1.2)
  • Control the flow of CUI in accordance with approved authorizations (3.1.3)
  • Separate duties of individuals to reduce risk of malevolent activity (3.1.4)
  • Employ the principle of least privilege, including for specific security functions and privileged accounts (3.1.5)
  • Use non-privileged accounts or roles when accessing non-security functions (3.1.6)
  • Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs (3.1.7)
  • Limit unsuccessful logon attempts (3.1.8)
  • Review the remaining AC requirements for applicability: privacy and security notices (3.1.9), session lock and termination (3.1.10, 3.1.11), remote access (3.1.12 through 3.1.15), wireless access (3.1.16, 3.1.17), mobile devices (3.1.18, 3.1.19), external systems (3.1.20, 3.1.21), and CUI posted on publicly accessible systems (3.1.22)

Identification and Authentication (High Priority)

  • Identify system users, processes, and devices (3.5.1)
  • Authenticate all users, processes, and devices before allowing access (3.5.2)
  • Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (3.5.3)
  • Employ replay-resistant authentication mechanisms (3.5.4)
  • Enforce minimum password complexity and prohibit password reuse for a specified number of generations (3.5.7, 3.5.8)
  • Store and transmit only cryptographically protected passwords (3.5.10)

System and Communications Protection (High Priority)

  • Monitor, control, and protect communications at external boundaries and key internal boundaries (3.13.1)
  • Employ architectural designs, software development techniques, and systems engineering principles that promote effective security (3.13.2), and separate user functionality from system management functionality (3.13.3)
  • Implement subnetworks for publicly accessible system components (3.13.5)
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission (3.13.8)
  • Terminate network connections after defined periods of inactivity (3.13.9)
  • Establish and manage cryptographic keys (3.13.10)
  • Employ FIPS-validated cryptography when cryptography is used to protect the confidentiality of CUI (3.13.11)

System and Information Integrity (High Priority)

  • Identify, report, and correct system flaws in a timely manner (3.14.1)
  • Provide protection from malicious code at appropriate locations (3.14.2)
  • Monitor system security alerts and take appropriate action (3.14.3)
  • Update malicious code protection mechanisms (3.14.4)
  • Perform periodic scans and real-time scans of files from external sources (3.14.5)

Tier 2: Medium-Priority Controls

These controls are frequently assessed and must be in place before a formal review. They build on your Tier 1 foundation and address process, documentation, and operational discipline.

Audit and Accountability

  • Create and retain system audit logs and records, and ensure the actions of individual users can be uniquely traced to them (3.3.1, 3.3.2)
  • Review and update logged events (3.3.3)
  • Alert in the event of audit logging process failure (3.3.4)
  • Correlate audit review, analysis, and reporting for investigation (3.3.5)
  • Provide audit record reduction and report generation to support on-demand analysis and reporting (3.3.6)
  • Compare and synchronize internal system clocks with an authoritative source to generate time stamps for audit records (3.3.7)
  • Protect audit information and audit logging tools from unauthorized access, modification, and deletion, and limit management of audit logging functionality to a subset of privileged users (3.3.8, 3.3.9)

Configuration Management

  • Establish and maintain baseline configurations for information technology (3.4.1)
  • Establish and enforce security configuration settings (3.4.2)
  • Track, review, approve or disapprove, and log changes to systems, and analyze the security impact of changes prior to implementation (3.3.3 is not involved here; these are 3.4.3, 3.4.4)
  • Define, document, approve, and enforce physical and logical access restrictions (3.4.5)
  • Employ the principle of least functionality: restrict nonessential programs, functions, ports, protocols, and services (3.4.6, 3.4.7); apply deny-by-exception (blacklisting) or, preferably, permit-by-exception (whitelisting) policies to software execution (3.4.8); and control and monitor user-installed software (3.4.9)

Incident Response

  • Establish an operational incident-handling capability (3.6.1)
  • Track, document, and report incidents (3.6.2)
  • Test the incident response capability (3.6.3)

Risk Assessment

  • Periodically assess risk to operations, assets, and individuals (3.11.1)
  • Scan for vulnerabilities in organizational systems periodically and remediate identified vulnerabilities (3.11.2, 3.11.3)

Security Assessment

  • Periodically assess security controls to determine effectiveness (3.12.1)
  • Develop and implement plans of action to correct deficiencies (3.12.2)
  • Monitor security controls on an ongoing basis (3.12.3)
  • Develop, document, and periodically update system security plans (3.12.4)

Your SSP and POA&M are foundational documents that auditors will review first. If you need guidance on building these correctly, read our post on SSP and POA&M: Critical Components of a Strong Security Program.

Tier 3: Foundational Controls Supporting the Full Program

These controls round out your compliance posture. While they may carry less individual audit weight, gaps here can surface during assessments and signal broader programmatic weaknesses.

Awareness and Training

  • Ensure personnel are aware of security risks associated with their activities (3.2.1)
  • Ensure personnel are trained to carry out assigned security responsibilities (3.2.2)
  • Provide security awareness training on recognizing and reporting potential indicators of insider threat (3.2.3)

Maintenance

  • Perform maintenance on organizational systems (3.7.1)
  • Control the tools, techniques, mechanisms, and personnel used to conduct system maintenance (3.7.2)
  • Sanitize equipment removed for off-site maintenance, and check maintenance media for malicious code before it is used (3.7.3, 3.7.4)
  • Require multifactor authentication for nonlocal maintenance sessions and supervise maintenance personnel who lack the required access authorization (3.7.5, 3.7.6)

Media Protection

  • Protect and limit access to system media containing CUI, both paper and digital, and sanitize or destroy it before disposal or release for reuse (3.8.1, 3.8.2, 3.8.3)
  • Mark media with necessary CUI markings and distribution limitations (3.8.4)
  • Control access to and accountability for media during transport outside controlled areas, and encrypt CUI on digital media in transit unless it is otherwise physically protected (3.8.5, 3.8.6)
  • Control the use of removable media and prohibit portable storage devices that have no identifiable owner (3.8.7, 3.8.8)
  • Protect the confidentiality of backup CUI at storage locations (3.8.9)

Personnel Security

  • Screen individuals prior to authorizing access to systems containing CUI (3.9.1)
  • Ensure CUI is protected during and after personnel actions such as terminations and transfers (3.9.2)

Physical Protection

  • Limit physical access to systems, equipment, and their operating environments to authorized individuals (3.10.1)
  • Protect and monitor the physical facility and support infrastructure (3.10.2)
  • Escort and monitor visitors, maintain audit logs of physical access, and control and manage physical access devices such as keys and badges (3.10.3, 3.10.4, 3.10.5)
  • Enforce safeguarding measures for CUI at alternate work sites (3.10.6)

What Has Changed in Revision 3

NIST published the final Revision 3 of SP 800-171 in May 2024 (an initial public draft circulated in 2023). It reorganizes the requirements into 17 families, consolidates the count to 97, introduces organization-defined parameters, and aligns tightly with NIST SP 800-53 Rev. 5. Note, however, that DoD issued a class deviation in 2024 so that DFARS clause 252.204-7012 continues to reference Revision 2; the 110-control checklist above therefore remains the assessed baseline until DoD updates the clause. If you are planning a migration from your Rev. 2 baseline, your gap analysis needs to account for these changes. Our detailed breakdown of NIST SP 800-171 Revision 3 covers what changed and what you need to update.

Connecting NIST 800-171 to CMMC 2.0

CMMC Level 2 certification is built directly on the 110 requirements in NIST SP 800-171 Revision 2. If your organization is pursuing CMMC certification, full NIST 800-171 implementation is the prerequisite. Our CMMC, CUI & DFARS Compliance services are specifically designed to guide defense contractors through both frameworks simultaneously, avoiding duplicated effort and ensuring audit readiness.

For manufacturers in the defense supply chain managing CUI on production floors, physical controls and media protection deserve special attention. See our guidance on Protecting and Managing CUI on Shop Floors.

Using This Checklist Effectively

A checklist is only as useful as the process behind it. Here is how compliance managers should operationalize these 110 controls:

  1. Define your CUI scope. Identify every system, location, and workflow that touches CUI before assessing any control.
  2. Conduct a gap assessment. Map your current state against each control and document deficiencies in your POA&M.
  3. Prioritize remediation by tier. Work through Tier 1 controls first, then Tier 2, before addressing Tier 3 gaps.
  4. Document everything. Your SSP must describe how each control is implemented, not merely assert that it is.
  5. Score yourself in SPRS. Compute your score with the NIST SP 800-171 DoD Assessment Methodology (start at 110 and subtract 5, 3, or 1 points for each requirement not implemented, with partial credit only for 3.5.3 and 3.13.11), submit it to the Supplier Performance Risk System accurately, and update it as remediation progresses.
  6. Plan for continuous monitoring. NIST 800-171 compliance is not a one-time event. Controls must be monitored, tested, and maintained.
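To make step 5 concrete, the following is an added example (not tooling from the original post or from Cleared Systems) that turns a gap-assessment status map into a score the way the DoD Assessment Methodology does: start at 110, deduct each unimplemented requirement's point value, apply the partial-credit rule for 3.5.3 and 3.13.11, and refuse to score at all if 3.12.4 (the SSP) is missing. The point values in WEIGHTS cover only the sample controls and are assumptions to verify against the current methodology before any real SPRS submission; the sample status map is constructed data.

```python
"""Illustrative SPRS-style score calculator for a NIST SP 800-171 gap assessment.

Added example, not the page's own tooling. The DoD Assessment Methodology
starts at 110 and subtracts 5, 3 or 1 points per requirement that is not
implemented; 3.5.3 and 3.13.11 carry a partial-credit rule, and 3.12.4 (the
SSP) is unscored because without an SSP no assessment can be performed.
"""
from typing import Literal

MAX_SCORE = 110
Status = Literal["implemented", "partial", "not_implemented"]

# Assumed point values for the sample controls; verify each against the DoD
# Assessment Methodology before relying on it. Unlisted controls default to 1.
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.3.1": 5,
    "3.5.3": 5, "3.12.2": 3, "3.13.11": 5, "3.14.1": 5,
}

# Requirements that may be scored as partially implemented: the deduction
# drops from 5 to 3 when the partial condition is met.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA covers remote and privileged users but not all users
    "3.13.11": 3,  # CUI is encrypted, but not with FIPS-validated modules
}

UNSCORED = {"3.12.4"}  # SSP: its absence means the assessment cannot be done


def _control_key(item: tuple[str, str]) -> tuple[int, ...]:
    # "3.13.11" must sort after "3.5.3" numerically, not lexically
    return tuple(int(part) for part in item[0].split("."))


def sprs_score(statuses: dict[str, Status]) -> tuple[int, list[tuple[str, int]]]:
    """Return (score, deductions) for a control -> status map.

    Raises ValueError if the SSP is reported missing, if 'partial' is used
    on a control that has no partial-credit rule, or on an unknown status.
    """
    if statuses.get("3.12.4") == "not_implemented":
        raise ValueError("3.12.4 (SSP) missing: assessment cannot be scored")
    deductions: list[tuple[str, int]] = []
    for control, status in sorted(statuses.items(), key=_control_key):
        if control in UNSCORED or status == "implemented":
            continue
        if status == "partial":
            if control not in PARTIAL_CREDIT:
                raise ValueError(f"{control} has no partial-credit rule")
            points = PARTIAL_CREDIT[control]
        elif status == "not_implemented":
            points = WEIGHTS.get(control, 1)
        else:
            raise ValueError(f"{control}: unknown status {status!r}")
        deductions.append((control, points))
    return MAX_SCORE - sum(p for _, p in deductions), deductions


# Constructed sample gap-assessment results (not real data).
SAMPLE_STATUS: dict[str, Status] = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",   # -1
    "3.1.5": "not_implemented",   # -3
    "3.3.1": "implemented",
    "3.5.3": "partial",           # -3 instead of -5
    "3.12.2": "implemented",
    "3.12.4": "implemented",
    "3.13.11": "partial",         # -3 instead of -5
    "3.14.1": "not_implemented",  # -5
}

if __name__ == "__main__":
    score, deductions = sprs_score(SAMPLE_STATUS)
    for control, points in deductions:
        print(f"{control:<8} -{points}")
    print(f"score: {score} / {MAX_SCORE}")
```

Running the sample yields 95: the five open items deduct 1 + 3 + 3 + 3 + 5 points. Keeping the deduction list alongside the score is deliberate, since each entry maps directly to a POA&M line and lets you show assessors how the number was derived.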

Ready to Close Your NIST 800-171 Gaps?

Working through 110 controls while managing day-to-day operations is a significant undertaking. Cleared Systems helps defense contractors, federal agencies, and regulated organizations build compliance programs that hold up under scrutiny. Whether you need a full gap assessment, SSP development, or ongoing vCISO oversight, our team is ready to help. Request a quote today or explore our Federal and SLED Risk Assessment services to get started with a structured evaluation of your current compliance posture.
