Quick Answer: NIST SP 800-171 has 110 requirements organized across 14 control families. These requirements apply to any organization that handles Controlled Unclassified Information (CUI) on non-federal systems. Meeting all 110 controls is mandatory for most DoD contractors and is the foundation of CMMC Level 2 certification.
NIST SP 800-171 has 110 requirements that span 14 security control families, from access control to system and communications protection. Whether you're working toward CMMC Level 2 or fulfilling a DoD contract obligation, these requirements represent a serious technical and operational commitment. Most organizations underestimate the scope until they're already behind.
This page breaks down exactly what the 110 requirements cover, where companies typically struggle, and what it realistically takes to get compliant and stay that way.
NIST SP 800-171 was published by the National Institute of Standards and Technology to protect CUI stored or processed on non-federal information systems. The current widely-enforced version is Revision 2, and NIST SP 800-171 Rev. 2 has 110 requirements organized into 14 control families. These are the same 110 requirements that form the backbone of CMMC Level 2.
NIST SP 800-171 Revision 3 was finalized in May 2024 and restructured the requirement count, but most DoD contracts and CMMC assessments still reference Rev. 2 as of 2025. Understanding which revision applies to your contract is the first step before you begin any remediation work.
Here is a breakdown of the 14 control families and their requirement counts under NIST SP 800-171 Rev. 2:
| Control Family | Abbreviation | Number of Requirements |
| --- | --- | --- |
| Access Control | AC | 22 |
| Awareness and Training | AT | 3 |
| Audit and Accountability | AU | 9 |
| Configuration Management | CM | 9 |
| Identification and Authentication | IA | 11 |
| Incident Response | IR | 3 |
| Maintenance | MA | 6 |
| Media Protection | MP | 9 |
| Personnel Security | PS | 2 |
| Physical Protection | PE | 6 |
| Risk Assessment | RA | 3 |
| Security Assessment | CA | 4 |
| System and Communications Protection | SC | 16 |
| System and Information Integrity | SI | 7 |
| Total | | 110 |
Each requirement maps directly to a security practice. Some are policy-based, like documenting your incident response procedures. Others are purely technical, like enforcing multi-factor authentication or encrypting CUI in transit and at rest. The 110 Rev. 2 requirements span both categories, which is why compliance touches your IT team, your security team, and your operations staff simultaneously.
You can verify the full NIST SP 800-171 Rev. 2 requirements directly from NIST's official publication at nvlpubs.nist.gov.
Most organizations that start a NIST 800-171 compliance program underestimate what they're signing up for. The 110 requirements look manageable on paper until you start mapping them to your actual environment.
Here are the most common pain points:
Getting from your current security posture to full compliance with all 110 requirements involves work across several distinct areas. None of them are optional, and they don't happen in a linear sequence. You'll often be working on documentation, technical controls, and training at the same time.
NIST SP 800-171 requires a System Security Plan (SSP) that documents how each of the 110 requirements is implemented in your environment. You'll also need a Plan of Action and Milestones (POA&M) for any requirements you haven't yet met. These aren't lightweight documents. A complete SSP for a mid-size organization can run dozens of pages and must be kept current as your environment changes.
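The SSP and POA&M bookkeeping described above, as an added example (this is not BEMO's tooling or anything published by NIST): a Python script that derives the 110 Rev. 2 requirement identifiers (3.1.1 through 3.14.7, following the family order and counts in the table above) from the family counts, validates an SSP inventory against them, flags any control claimed as implemented with no evidence behind it, and emits the open rows a POA&M has to carry. The inventory, evidence paths, gap descriptions, assessment date and 90-day milestone are constructed placeholders.

```python
"""Track NIST SP 800-171 Rev. 2 implementation status and derive the POA&M.

Added example, not BEMO's tooling. It builds the 110 requirement IDs from the
14 family counts, checks an SSP inventory (constructed here) against them, and
lists every open item a POA&M has to carry.
"""
from collections import Counter
from datetime import date, timedelta

# Family order, abbreviation and count as in NIST SP 800-171 Rev. 2. Position n
# in this list is the requirement prefix 3.n (AC is 3.1, AT is 3.2, ... SI is 3.14).
FAMILIES = [
    ("AC", "Access Control", 22),
    ("AT", "Awareness and Training", 3),
    ("AU", "Audit and Accountability", 9),
    ("CM", "Configuration Management", 9),
    ("IA", "Identification and Authentication", 11),
    ("IR", "Incident Response", 3),
    ("MA", "Maintenance", 6),
    ("MP", "Media Protection", 9),
    ("PS", "Personnel Security", 2),
    ("PE", "Physical Protection", 6),
    ("RA", "Risk Assessment", 3),
    ("CA", "Security Assessment", 4),
    ("SC", "System and Communications Protection", 16),
    ("SI", "System and Information Integrity", 7),
]
STATUSES = {"Implemented", "Partially Implemented", "Not Implemented", "Not Applicable"}
ASSESSMENT_DATE = date(2025, 1, 1)  # constructed


def sort_key(req_id):
    """Sort '3.1.2' before '3.1.10' (numeric, not lexical)."""
    return tuple(int(part) for part in req_id.split("."))


def all_requirement_ids():
    """The 110 identifiers, '3.1.1' through '3.14.7'."""
    ids = []
    for family_index, (_, _, count) in enumerate(FAMILIES, start=1):
        ids.extend(f"3.{family_index}.{n}" for n in range(1, count + 1))
    return ids


def family_of(req_id):
    """Map '3.5.3' to its family abbreviation, 'IA'."""
    return FAMILIES[int(req_id.split(".")[1]) - 1][0]


def validate_inventory(inventory):
    """Return a list of problems (empty means the SSP inventory is complete):
    every requirement present exactly once, a known status, and evidence
    behind anything claimed as Implemented."""
    problems = []
    expected, seen = set(all_requirement_ids()), set(inventory)
    problems += [f"{r}: no SSP entry" for r in sorted(expected - seen, key=sort_key)]
    problems += [f"{r}: not a Rev. 2 requirement ID" for r in sorted(seen - expected)]
    for req_id in sorted(expected & seen, key=sort_key):
        entry = inventory[req_id]
        if entry["status"] not in STATUSES:
            problems.append(f"{req_id}: unknown status {entry['status']!r}")
        elif entry["status"] == "Implemented" and not entry.get("evidence"):
            problems.append(f"{req_id}: marked Implemented but no evidence recorded")
    return problems


def family_summary(inventory):
    """Status counts per family, e.g. summary['IA']['Partially Implemented']."""
    summary = {abbr: Counter() for abbr, _, _ in FAMILIES}
    for req_id, entry in inventory.items():
        summary[family_of(req_id)][entry["status"]] += 1
    return summary


def build_poam(inventory, today):
    """One POA&M row per requirement that is neither Implemented nor N/A."""
    rows = []
    for req_id in sorted(inventory, key=sort_key):
        entry = inventory[req_id]
        if entry["status"] in ("Implemented", "Not Applicable"):
            continue
        rows.append({
            "requirement": req_id,
            "family": family_of(req_id),
            "status": entry["status"],
            "weakness": entry.get("gap", "gap not yet described"),
            "milestone": (today + timedelta(days=90)).isoformat(),  # placeholder target
        })
    return rows


def sample_inventory():
    """Constructed SSP inventory: everything implemented except three deliberate flaws."""
    inv = {r: {"status": "Implemented", "evidence": f"evidence/{r}.pdf"} for r in all_requirement_ids()}
    inv["3.5.3"] = {"status": "Partially Implemented", "gap": "MFA not yet enforced for every privileged logon"}
    inv["3.3.1"] = {"status": "Not Implemented", "gap": "audit logs not centrally retained"}
    inv["3.1.22"] = {"status": "Implemented"}  # claimed, but no evidence on file
    return inv


if __name__ == "__main__":
    inv = sample_inventory()
    print("total requirements:", len(all_requirement_ids()))
    print("inventory problems:", validate_inventory(inv))
    for row in build_poam(inv, ASSESSMENT_DATE):
        print(row)
```

The validation step is the part worth keeping in a real program: an SSP that lists 110 controls as implemented is only as good as the evidence filed against each one, so the script refuses to treat an entry as closed unless something is recorded for it, and the POA&M is generated from the inventory rather than maintained by hand so the two documents cannot drift apart.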
A significant portion of the 110 NIST SP 800-171 requirements are technical in nature. You'll need multi-factor authentication, encrypted communications, endpoint protection, audit logging, and access control enforcement at minimum. Selecting and configuring the right tools, and proving they're working, requires dedicated engineering time.
NIST 800-171 compliance is not static. You need continuous monitoring of your systems, regular vulnerability assessments, and a process for responding to security events within defined timeframes. Many organizations achieve initial compliance and then fall out of it within a year because they don't have the resources to maintain it.
The Awareness and Training control family requires that all users understand their security responsibilities and that privileged users receive role-based training. Security awareness training must be documented and tracked. If you can't show that your employees completed training, you can't demonstrate compliance with that family of requirements.
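What "documented and tracked" looks like in practice, as an added example (not BEMO's tooling): a Python check that runs over training completion records and reports every user who cannot be shown compliant. The rules it applies are assumptions for the example, namely that every user needs awareness training within the last 365 days and that privileged users additionally need role-based training in the same window; the roster, course names, records and assessment date are constructed.

```python
"""Check security-awareness training evidence for NIST SP 800-171's AT family.

Added example, not BEMO's tooling. Assumed rules: every user completes
awareness training within the last 365 days; privileged users also complete
role-based training in that window. Roster, records and dates are constructed.
"""
from datetime import date, timedelta

AWARENESS = "security-awareness"
ROLE_BASED = "privileged-role-based"
MAX_AGE = timedelta(days=365)   # assumed annual refresh window
AS_OF = date(2025, 9, 1)        # constructed assessment date

# Constructed roster: user -> holds a privileged role?
USERS = {"alice": True, "bob": False, "carol": True, "dave": False}

# Constructed export from the training system: (user, course, completion date)
RECORDS = [
    ("alice", AWARENESS, date(2025, 3, 2)),
    ("alice", ROLE_BASED, date(2024, 1, 15)),   # older than a year
    ("bob", AWARENESS, date(2025, 6, 20)),
    ("carol", AWARENESS, date(2025, 5, 5)),
    ("carol", ROLE_BASED, date(2025, 5, 6)),
    # dave has no record at all
]


def required_courses(privileged):
    """Privileged users owe both courses; everyone else owes awareness only."""
    return [AWARENESS, ROLE_BASED] if privileged else [AWARENESS]


def latest_completion(records, user, course):
    """Most recent completion date for a user/course pair, or None."""
    dates = [d for u, c, d in records if u == user and c == course]
    return max(dates) if dates else None


def training_findings(users, records, as_of, max_age=MAX_AGE):
    """user -> list of failed rules. An empty dict means the evidence is clean."""
    findings = {}
    for user, privileged in users.items():
        for course in required_courses(privileged):
            last = latest_completion(records, user, course)
            if last is None:
                findings.setdefault(user, []).append(f"{course}: no completion record")
            elif as_of - last > max_age:
                findings.setdefault(user, []).append(
                    f"{course}: last completed {last.isoformat()}, older than {max_age.days} days"
                )
    return findings


def evidence_rows(users, records, as_of, max_age=MAX_AGE):
    """Flat table an assessor can review: one row per user and required course."""
    rows = []
    for user, privileged in sorted(users.items()):
        for course in required_courses(privileged):
            last = latest_completion(records, user, course)
            current = last is not None and as_of - last <= max_age
            rows.append((user, course, last.isoformat() if last else "none",
                         "current" if current else "overdue"))
    return rows


def compliance_rate(users, records, as_of, max_age=MAX_AGE):
    """Fraction of required (user, course) pairs that are current."""
    rows = evidence_rows(users, records, as_of, max_age)
    return sum(r[3] == "current" for r in rows) / len(rows)


if __name__ == "__main__":
    for row in evidence_rows(USERS, RECORDS, AS_OF):
        print(row)
    print(f"compliance rate: {compliance_rate(USERS, RECORDS, AS_OF):.0%}")
    print("findings:", training_findings(USERS, RECORDS, AS_OF))
```

Note that the check is keyed to the roster, not to the training export: a user with no record at all (dave here) is the case a report generated from the training system alone will silently miss, and a privileged user whose awareness training is current but whose role-based training has lapsed (alice) still fails.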
Whether you're pursuing a formal CMMC assessment or a self-assessment against NIST SP 800-171 Rev. 2, you'll need to produce evidence for each implemented control. Gathering that evidence, organizing it for reviewers, and responding to findings is a time-intensive process that most internal teams haven't done before. Working with experienced compliance services providers can significantly reduce the back-and-forth.
There are three realistic paths to NIST 800-171 compliance. Each has different cost structures, timelines, and resource requirements. The right choice depends on your team's existing capabilities and how quickly you need to reach compliance.
| | DIY / In-House | GRC Platform Only (Drata, Vanta) | Managed Compliance Partner |
| --- | --- | --- | --- |
| Implementation | Your team builds it | Platform guides you, you do the work | Partner builds it for you |
| Ongoing maintenance | Your team | Your team + automation | Partner's team + automation |
| Auditor coordination | You manage it | Limited support | Managed end-to-end |
| Tech stack | You select and configure | Integrations only | Full security stack deployed |
| Dedicated team | Your hires ($84K-$132K+ per person) | None | Multi-role team assigned to your account |
| Typical timeline | 12-18+ months | 6-12 months | ~8 months initial implementation |
| Starting cost | $84K-$132K+/year (one hire) | $10K-$30K/year (platform only) | ~$4,800/month (full service) |
The in-house path gives you full control but requires hiring, onboarding, and retaining staff with the right expertise. A GRC platform alone gives you automation and visibility but leaves the actual implementation work to your team.
A managed compliance partner takes on both the technical work and the ongoing management, which is why it's a practical option for organizations without a dedicated compliance function. If you're weighing your options, this article on how to choose a compliance provider is a useful starting point.
If you're new to NIST 800-171 or haven't formally assessed your posture against all 110 requirements, here's how to approach it:
The challenges covered above, CUI scoping, technical control implementation, documentation, and ongoing maintenance, are exactly where most organizations run into trouble on their own. BEMO is built to handle all of it.
Here's what you get when you work with BEMO on NIST 800-171 compliance:
BEMO owns the outcome. You get a dedicated team, a proven process, and a clear path to meeting all 110 NIST SP 800-171 requirements without building an internal compliance department from scratch.
Book a meeting with BEMO to get started with a GAP assessment.
NIST SP 800-171 has 110 requirements organized across 14 control families. This applies to both Revision 1 and Revision 2, which are the versions most commonly referenced in DoD contracts. NIST SP 800-171 Revision 3 was finalized in 2024 and restructured the requirements, but Rev. 2 remains the standard for most active compliance assessments.
Both NIST SP 800-171 Rev. 1 and Rev. 2 include 110 requirements across the same 14 control families. Revision 2, published in February 2020, added clarifications to several requirements and introduced a new requirement focused on supply chain risk management. For most DoD contractors, Rev. 2 is the version you need to meet.
Yes. NIST SP 800-171 Revision 3 restructures the requirement count and introduces organization-defined parameters, which changes how requirements are counted and applied. As of 2025, most CMMC assessments and DoD contracts still reference Rev. 2 with its 110 requirements. You should confirm with your contracting officer which revision applies to your specific contract.
A realistic timeline is 8 to 12 months for initial implementation, depending on your starting security posture and the size of your environment. Organizations with significant gaps in technical controls or documentation should plan for the longer end of that range. Working with a managed compliance partner can compress the timeline compared to building everything in-house.
A GAP assessment maps your current security controls against all 110 NIST SP 800-171 requirements and identifies which ones you've implemented, which are partially in place, and which are missing entirely. It typically includes a review of your IT environment, existing policies, access controls, and documentation practices. The output is a prioritized list of gaps and a remediation roadmap.
NIST SP 800-171 compliance spans IT, security, HR, and legal, and requires continuous maintenance after initial implementation. A managed compliance partner provides the multi-disciplinary team, tooling, and ongoing management that most organizations can't staff internally. For companies without a dedicated compliance function, it's often faster and more cost-effective than hiring.
BEMO assigns a dedicated team to every client that includes a Customer Success Manager, Project Manager, Delivery Engineer, Security Engineer, SOC Analyst, IT Manager, Support Engineer, and virtual CISO. This team handles implementation, ongoing monitoring, policy management, and auditor coordination throughout your compliance program.