NIST SP 800-171


Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

NIST Special Publication 800-171, 'Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations', is the National Institute of Standards and Technology publication that defines the security requirements for nonfederal systems that process, store, or transmit Controlled Unclassified Information (CUI). Revision 2 (published February 2020) contains 110 security requirements organized into 14 requirement families. Revision 3 was published in May 2024, but for defense contractors Revision 2 remains the operative version: DFARS 252.204-7012 (the contract clause requiring CUI safeguarding and cyber incident reporting) and CMMC Level 2 both continue to reference it.

Frequently Asked Questions

What are the 14 control families in NIST 800-171?

In the order they appear in Revision 2 (families 3.1 through 3.14): Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI).

What is the difference between NIST 800-171 r2 and r3?

Revision 2 (February 2020) contains 110 security requirements in 14 families and is the version CMMC 2.0 assesses against. Revision 3 (May 2024) consolidated the requirements to 97, added three families (Planning, System and Services Acquisition, and Supply Chain Risk Management), introduced organization-defined parameters, and aligned the text more closely with NIST SP 800-53 Revision 5. DoD has not transitioned to Revision 3: the CMMC program rule in 32 CFR Part 170 references Revision 2, and a May 2024 DFARS class deviation directs contractors to continue using Revision 2 under 252.204-7012. Contractors should implement and document against Revision 2 until DoD announces a transition.

Who is responsible for implementing NIST 800-171 in cloud environments?

Implementation responsibility follows the cloud shared responsibility model. The cloud service provider (CSP) implements the infrastructure-level requirements covered by its authorization; DFARS 252.204-7012 requires that a cloud service used to store, process, or transmit CUI meet the FedRAMP Moderate baseline or equivalent. The contractor remains responsible for everything the CSP does not cover: identity and access configuration, application-level and data-level controls, logging, and the operation of any customer-managed components. The split must be written down: the CSP's customer responsibility matrix identifies which requirements are inherited, shared, or customer-owned, and the contractor's System Security Plan (SSP) must state how each of the 110 requirements is met, including those inherited from the CSP.

How is NIST 800-171 scored?

The NIST SP 800-171 DoD Assessment Methodology assigns each of the 110 requirements a weight of 1, 3, or 5 points, reflecting the impact of leaving it unimplemented. A contractor starts at 110 and subtracts the weight of every requirement that is not fully implemented, so the lowest possible score is -203. Two requirements allow partial credit: multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11) deduct 3 rather than 5 points when partly implemented (for example, encryption in use but not FIPS-validated). Without a System Security Plan (3.12.4) no score can be produced at all. The score from a Basic (self-) assessment is reported to the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019 and 7020, and DoD Medium and High assessments use the same methodology. The same weights are carried into the CMMC scoring methodology in 32 CFR 170.24, so they apply to C3PAO certification assessments as well: a Level 2 assessment needs at least 88 of 110 points for conditional status, and only 1-point items (plus the two 3-point partial cases) may be deferred to a POA&M.
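The arithmetic above is simple enough to put in code, which is also where the edge cases (partial credit, missing SSP, unassessed requirements) become explicit. The following is an added example, not code from this page or from FileFlo. The `WEIGHTS` table is a constructed subset used only to make the example run; a real score must use the full Annex A table for all 110 requirements. The requirement ids, the `Status` enum, the helper names and the `EXAMPLE_STATUSES` input are all assumptions made for the example.

```python
"""Score calculator for a NIST SP 800-171 Rev 2 assessment.

Added example (not from the page or from FileFlo). Implements the scoring
arithmetic of the DoD Assessment Methodology: start at 110, deduct the weight
(1, 3 or 5) of every requirement that is not fully implemented, and apply the
3-point partial-credit rule for 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto).
"""
from enum import Enum

MAX_SCORE = 110         # one point per requirement before any deduction
MIN_SCORE = 110 - 313   # -203: every Annex A weight deducted

# Constructed subset of Annex A (requirement id -> points deducted when the
# requirement is not implemented). Replace with the full 110-row table.
WEIGHTS = {
    "3.1.1": 5,     # limit system access to authorized users
    "3.1.20": 1,    # verify and control connections to external systems
    "3.3.1": 5,     # create and retain system audit logs
    "3.5.3": 5,     # multifactor authentication
    "3.8.9": 1,     # protect CUI at backup storage locations
    "3.13.11": 5,   # FIPS-validated cryptography for CUI
}

# The only requirements with partial credit: 3 points deducted instead of 5
# (MFA for remote and privileged users only; encryption present but not
# FIPS-validated).
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


class Status(Enum):
    MET = "met"
    PARTIAL = "partial"
    NOT_MET = "not_met"


def deduction(req_id, status, weights=WEIGHTS):
    """Points deducted for a single requirement."""
    if req_id not in weights:
        raise KeyError(f"{req_id} is not in the weight table")
    if status is Status.MET:
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    # Outside 3.5.3 and 3.13.11 there is no partial credit: a partly
    # implemented requirement scores exactly like an unimplemented one.
    return weights[req_id]


def compute_score(statuses, weights=WEIGHTS, has_ssp=True):
    """Return the score, or None when no SSP exists (3.12.4).

    Every requirement in `weights` is scored; one missing from `statuses` is
    treated as NOT_MET, because an unassessed requirement cannot be claimed
    as implemented. Unknown ids in `statuses` raise KeyError.
    """
    if not has_ssp:
        return None  # the methodology produces no score without an SSP
    for req_id in statuses:
        if req_id not in weights:
            raise KeyError(f"{req_id} is not in the weight table")
    lost = sum(deduction(r, statuses.get(r, Status.NOT_MET), weights)
               for r in weights)
    return MAX_SCORE - lost


def gaps(statuses, weights=WEIGHTS):
    """Requirements costing points, highest weight first: a remediation order."""
    items = [(r, deduction(r, statuses.get(r, Status.NOT_MET), weights))
             for r in weights]
    return sorted([(r, d) for r, d in items if d > 0],
                  key=lambda rd: (-rd[1], rd[0]))


# Constructed input: everything met except MFA (partial), FIPS (not met)
# and external-connection control (not met).
EXAMPLE_STATUSES = {r: Status.MET for r in WEIGHTS}
EXAMPLE_STATUSES["3.5.3"] = Status.PARTIAL
EXAMPLE_STATUSES["3.13.11"] = Status.NOT_MET
EXAMPLE_STATUSES["3.1.20"] = Status.NOT_MET

if __name__ == "__main__":
    print("score:", compute_score(EXAMPLE_STATUSES))   # 110 - 3 - 5 - 1
    for req_id, points in gaps(EXAMPLE_STATUSES):
        print(f"  {req_id}: -{points}")
```

Running the script with the constructed input gives a score of 101 and lists 3.13.11, 3.5.3 and 3.1.20 in that order, which is also the order in which fixing them recovers the most points.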
