
NIST SP 800-171: All 14 Control Families Explained

NIST SP 800-171 contains 110 security requirements organized across 14 control families. If your facility handles Controlled Unclassified Information for a nuclear or defense customer, all 14 families apply. Here is what each one covers in plain language.


NIST SP 800-171 was published by the National Institute of Standards and Technology to protect Controlled Unclassified Information (CUI) in non-federal systems. It is the compliance foundation for both DOE nuclear supplier cybersecurity programs and CMMC Level 2 certification for DOD defense suppliers. The standard is organized into 14 control families covering 110 individual requirements.

The 14 Control Families

Each family groups related requirements. The number of requirements per family ranges from two to twenty-two. Manufacturers are assessed against all of them.

Access Control

22 requirements · 3.1

Controls who can access your systems, networks, and CUI — including user account management, role-based permissions, remote access restrictions, and controls on mobile devices and external systems. This is the largest family in the standard and covers both physical and logical access.

Awareness and Training

3 requirements · 3.2

Requires that employees who handle CUI understand their cybersecurity responsibilities and the risks associated with their activities. Training must be role-specific — someone with elevated system access has different training requirements than a general user.

Audit and Accountability

9 requirements · 3.3

Requires that your systems log user activity — logins, file access, configuration changes — and that those logs are retained, reviewed, and protected from tampering. Auditors will ask to see your logging configuration and review cycle. Many manufacturers have logging gaps on shop floor equipment and network appliances.

Configuration Management

9 requirements · 3.4

Requires that systems are configured securely from the start and that those configurations are documented, maintained, and changed only through a controlled process. Covers baseline configurations, software inventory, least-functionality settings, and restrictions on unauthorized software. CNC equipment and PLCs often have undocumented default configurations that fail here.

Identification and Authentication

11 requirements · 3.5

Requires that every user and device be uniquely identified and authenticated before accessing systems that process CUI. Covers password complexity, multi-factor authentication for privileged accounts and remote access, and controls on shared or group accounts. Shared logins on shop floor terminals are a common finding.

Incident Response

3 requirements · 3.6

Requires a documented incident response capability — a written plan covering how your organization detects, contains, reports, and recovers from a cybersecurity incident. The plan must be tested. Most small manufacturers have no documented IR plan at all, making this a near-universal gap at the start of an engagement.

Maintenance

6 requirements · 3.7

Covers how maintenance is performed on systems that store or process CUI — including controls on remote maintenance sessions, requirements to sanitize equipment before off-site servicing, and oversight of outside maintenance personnel. Remote vendor access to CNC or inspection equipment is a frequent gap area.

Media Protection

9 requirements · 3.8

Controls how CUI is stored and transported on physical media — USB drives, external hard drives, printed documents, optical discs. Covers labeling, access restrictions, transport controls, and sanitization or destruction before disposal. Uncontrolled USB use on shop floor equipment is one of the most common findings in manufacturing environments.

Personnel Security

2 requirements · 3.9

The smallest family — two requirements covering screening of individuals before granting access to CUI systems, and a defined termination or transfer process to revoke access when someone leaves a role. Simple in concept but often informal in practice, particularly access revocation for departing employees or contractors.

Physical Protection

6 requirements · 3.10

Requires that physical access to systems and facilities where CUI is processed or stored is controlled and monitored. Covers visitor logs, escort requirements, physical access devices, and output controls — ensuring that printed CUI is not left unattended. Most manufacturers have basic physical security but lack the documentation auditors expect.

Risk Assessment

3 requirements · 3.11

Requires periodic assessment of organizational risk — identifying vulnerabilities, evaluating likelihood and impact, and scanning systems for known weaknesses. Vulnerability scanning is a specific requirement that many manufacturers have never performed on their network or shop floor equipment. Risk assessment results must be documented.

Security Assessment

4 requirements · 3.12

Requires a documented System Security Plan (SSP) describing the security controls in place, periodic assessment of those controls to confirm they are working as intended, a Plan of Action and Milestones (POA&M) for any deficiencies found, and ongoing monitoring. The SSP is one of the primary documents a nuclear auditor or CMMC assessor will review.

System and Communications Protection

16 requirements · 3.13

One of the more technically demanding families. Covers network segmentation, encryption of CUI in transit and at rest, boundary protection between internal and external networks, denial of service protections, and controls on mobile code and VoIP. Manufacturers with flat networks — where shop floor equipment sits on the same network as office systems — typically have significant gaps here.

System and Information Integrity

7 requirements · 3.14

Covers keeping systems current and protected — patch management, malware protection, security alert monitoring, and controls to detect unauthorized changes to systems and data. Patch management on legacy manufacturing equipment running older operating systems is a consistent challenge for manufacturers in nuclear and defense supply chains.

Where Manufacturers Typically Start

Most manufacturers with solid basic IT security are compliant with 40 to 60 percent of the 110 requirements before any formal work begins.

The remaining gaps are typically concentrated in a predictable set of areas: audit logging on shop floor equipment, incident response documentation, network segmentation, CUI identification, and System Security Plan development. A gap assessment tells you exactly where your facility stands across all 110 requirements before you commit to any remediation work.

NIST 800-171 Questions, Answered

Do all 110 requirements apply to us, or only some?

All 110 apply if your facility handles CUI — but the scope of implementation varies based on your IT environment. A small manufacturer with a simple network and a handful of systems has fewer touchpoints to address than a larger operation with complex infrastructure. The standard does not allow you to exclude families, but it does allow you to document where a requirement is not applicable to your environment, with justification. A gap assessment maps your actual environment to the requirements and identifies what is truly in scope.

Is NIST 800-171 the same as CMMC?

Not exactly — CMMC Level 2 certification requires that a manufacturer implement all 110 NIST SP 800-171 requirements and have that implementation verified by a third-party assessor. NIST 800-171 is the technical standard; CMMC is the verification and certification framework built on top of it. A manufacturer that achieves NIST 800-171 compliance has completed the substantive work required for CMMC Level 2 — what remains is the formal third-party assessment process.

What is a System Security Plan and do we need one?

Yes — a System Security Plan is required by the Security Assessment family (3.12) and is one of the primary documents both nuclear auditors and CMMC assessors will review. It describes your system boundary, the CUI you handle, and the security controls you have in place across all 14 families. It does not need to be lengthy, but it does need to be accurate and current. Most manufacturers do not have one at the start of an engagement.

Where do we start if we have never assessed against NIST 800-171?

A gap assessment is the right first step. It maps your current environment against all 110 requirements, identifies where you are compliant, where you have partial controls in place, and where you have no controls at all. You receive a written gap report and a prioritized remediation list with a realistic timeline. Tennessee MEP can coordinate that assessment and manage the engagement from gap assessment through audit readiness.
