All 110 NIST 800-171 r2 controls. 14 families. Weekly evidence refresh.
NIST Special Publication 800-171 Revision 2 defines 110 security controls across 14 control families. CMMC Level 2 requires all 110. FileFlo for Defense provides audit-ready coverage for every family, with evidence collected automatically, refreshed weekly, and ready for your C3PAO assessment.
3 minutes. No signup required. See exactly which of the 110 controls you're missing.
15-minute call. No sales pressure. Bring your specific situation.
Founder-led
Built by Chad Griffith, a decade in aviation / defense / real estate ops
Anthropic ZDR
Zero data retention with our AI provider. Your CUI never trains a model.
Full Rev 2 coverage: 14 control families, weekly evidence refresh.
G2 verified
2 reviews · Neil C., Marlon U.
14 control families · 110 controls
The full NIST SP 800-171 Revision 2 control list, grouped by family. FileFlo for Defense provides coverage for every one.
| Family | Name | Controls | Example control | Covered |
|---|---|---|---|---|
| AC | Access Control | 22 | AC.L2-3.1.1: limit system access to authorized users | |
| AT | Awareness and Training | 3 | AT.L2-3.2.1: security awareness training for personnel | |
| AU | Audit and Accountability | 9 | AU.L2-3.3.1: create and retain audit records | |
| CM | Configuration Management | 9 | CM.L2-3.4.1: establish baseline configurations | |
| IA | Identification and Authentication | 11 | IA.L2-3.5.3: multi-factor authentication for privileged + remote access | |
| IR | Incident Response | 3 | IR.L2-3.6.1: incident handling capability | |
| MA | Maintenance | 6 | MA.L2-3.7.1: perform maintenance on organizational systems | |
| MP | Media Protection | 9 | MP.L2-3.8.3: sanitize or destroy media containing CUI | |
| PS | Personnel Security | 2 | PS.L2-3.9.1: screen individuals prior to authorizing access | |
| PE | Physical Protection | 6 | PE.L2-3.10.1: limit physical access to organizational systems | |
| RA | Risk Assessment | 3 | RA.L2-3.11.1: periodically assess risk | |
| CA | Security Assessment | 4 | CA.L2-3.12.1: periodically assess security controls | |
| SC | System and Communications Protection | 16 | SC.L2-3.13.1: monitor and control communications at boundaries | |
| SI | System and Information Integrity | 7 | SI.L2-3.14.1: identify, report, and correct system flaws |
Frequently Asked Questions
What is NIST SP 800-171?
NIST Special Publication 800-171 Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." It defines 110 security controls across 14 families that contractors handling CUI must implement.
How does NIST 800-171 relate to CMMC?
CMMC Level 2 requires implementation of all 110 NIST 800-171 r2 controls and verification through assessment (C3PAO or self-assessment). CMMC is the assessment framework; NIST 800-171 is the underlying control set.
How are NIST 800-171 controls scored?
Each control has a point value (1, 3, or 5). Maximum score is 110. Missing or partially-implemented controls lose points. Conditional CMMC Status requires score ≥ 88/110 with remaining gaps in POAM-eligible controls.
What if a control is technically infeasible in our environment?
NIST 800-171 allows alternative compensating measures with documented justification. The compensating measure must achieve the security objective of the original control. C3PAO assessors evaluate compensating measures case-by-case.
Does FileFlo cover the NIST 800-172 enhanced controls for Level 3?
Level 3 (800-172 enhanced controls layered on top of 800-171 r2) is in private beta on the Autopilot tier. ~1,500 contractors nationwide need Level 3, so we ship it with manual provisioning + Chad-led onboarding while the playbook stabilizes. General availability planned Q4 2026. Level 1 (17 practices) and Level 2 (110 controls) are GA today.
How often is evidence refreshed in the coverage matrix?
Weekly by default; configurable per control family. Some controls require near-real-time monitoring (incident response, audit logging). Felix pulls those continuously. Static evidence (policies, plans, training records) refreshes monthly or on change-trigger.
What is the SPRS and how does FileFlo help with it?
Supplier Performance Risk System, the DoD database where you submit your NIST 800-171 self-assessment score. FileFlo computes your score from the coverage matrix using the official weighted methodology, generates the submission artifact, and tracks score history. The actual submission still happens through your SPRS account login.