Skip to main content

All 110 NIST 800-171 r2 controls. 14 families. Weekly evidence refresh.

NIST Special Publication 800-171 Revision 2 defines 110 security controls across 14 control families. CMMC Level 2 requires all 110. FileFlo for Defense provides audit-ready coverage for every family, with evidence collected automatically, refreshed weekly, and ready for your C3PAO assessment.

Get your free CMMC readiness score

3 minutes. No signup required. See exactly which of the 110 controls you're missing.

15-minute call. No sales pressure. Bring your specific situation.

  • Founder-led

    Built by Chad Griffith, a decade in aviation / defense / real estate ops

  • Anthropic ZDR

    Zero data retention with our AI provider. Your CUI never trains a model.

  • 110 NIST 800-171 controls

    Full Rev 2 coverage: 14 control families, weekly evidence refresh.

  • G2 verified

    2 reviews · Neil C., Marlon U.

14 control families · 110 controls

The full NIST SP 800-171 Revision 2 control list, grouped by family. FileFlo for Defense provides coverage for every one.

110 controls across 14 NIST 800-171 r2 control families. All covered by FileFlo for Defense.
FamilyNameControlsExample controlCovered
ACAccess Control22AC.L2-3.1.1: limit system access to authorized users
ATAwareness and Training3AT.L2-3.2.1: security awareness training for personnel
AUAudit and Accountability9AU.L2-3.3.1: create and retain audit records
CMConfiguration Management9CM.L2-3.4.1: establish baseline configurations
IAIdentification and Authentication11IA.L2-3.5.3: multi-factor authentication for privileged + remote access
IRIncident Response3IR.L2-3.6.1: incident handling capability
MAMaintenance6MA.L2-3.7.1: perform maintenance on organizational systems
MPMedia Protection9MP.L2-3.8.3: sanitize or destroy media containing CUI
PSPersonnel Security2PS.L2-3.9.1: screen individuals prior to authorizing access
PEPhysical Protection6PE.L2-3.10.1: limit physical access to organizational systems
RARisk Assessment3RA.L2-3.11.1: periodically assess risk
CASecurity Assessment4CA.L2-3.12.1: periodically assess security controls
SCSystem and Communications Protection16SC.L2-3.13.1: monitor and control communications at boundaries
SISystem and Information Integrity7SI.L2-3.14.1: identify, report, and correct system flaws

Frequently Asked Questions

What is NIST SP 800-171?

NIST Special Publication 800-171 Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." It defines 110 security controls across 14 families that contractors handling CUI must implement.

How does NIST 800-171 relate to CMMC?

CMMC Level 2 requires implementation of all 110 NIST 800-171 r2 controls and verification through assessment (C3PAO or self-assessment). CMMC is the assessment framework; NIST 800-171 is the underlying control set.

How are NIST 800-171 controls scored?

Each control has a point value (1, 3, or 5). Maximum score is 110. Missing or partially-implemented controls lose points. Conditional CMMC Status requires score ≥ 88/110 with remaining gaps in POAM-eligible controls.

What if a control is technically infeasible in our environment?

NIST 800-171 allows alternative compensating measures with documented justification. The compensating measure must achieve the security objective of the original control. C3PAO assessors evaluate compensating measures case-by-case.

Does FileFlo cover the NIST 800-172 enhanced controls for Level 3?

Level 3 (800-172 enhanced controls layered on top of 800-171 r2) is in private beta on the Autopilot tier. ~1,500 contractors nationwide need Level 3, so we ship it with manual provisioning + Chad-led onboarding while the playbook stabilizes. General availability planned Q4 2026. Level 1 (17 practices) and Level 2 (110 controls) are GA today.

How often is evidence refreshed in the coverage matrix?

Weekly by default; configurable per control family. Some controls require near-real-time monitoring (incident response, audit logging). Felix pulls those continuously. Static evidence (policies, plans, training records) refreshes monthly or on change-trigger.

What is the SPRS and how does FileFlo help with it?

Supplier Performance Risk System, the DoD database where you submit your NIST 800-171 self-assessment score. FileFlo computes your score from the coverage matrix using the official weighted methodology, generates the submission artifact, and tracks score history. The actual submission still happens through your SPRS account login.