

Top 10 CMMC Controls Most Companies Fail

Some NIST SP 800-171 requirements are straightforward. Others are deceptively complex, requiring technical capabilities, process maturity, and documentation that many small and mid-size contractors simply do not have. Based on industry data and assessment experience, here are the ten controls that most commonly produce gaps.

1. AU.L2-3.3.1 — System Auditing

This requirement demands that you create and retain audit logs and records sufficient to enable monitoring, analysis, investigation, and reporting of unauthorized activity: what happened, when, on which system, and by whom. Many contractors have basic logging enabled on individual systems but no centralized collection, no defined retention period, and no way to correlate events across systems. Centralized log aggregation, whether a full SIEM or a simpler collector, is effectively required, and the retention period must be written down and actually met.

2. AU.L2-3.3.2 — Unique User Accountability

Audit records must make it possible to trace every action to the individual who took it. Shared accounts, generic administrator credentials, and service accounts used interactively by people are all failures. Service accounts are acceptable when they run unattended processes, have a named owner, and are never used for interactive login; a person logging in as root, admin, or a svc_ account breaks the chain of accountability that the logs from 3.3.1 are supposed to provide.
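The two requirements above come down to the same question an assessor asks of your logs: for each event, can you say when, where, what, and which person? The script below is an added example, not part of the original post and not CMMCDocs tooling. It parses a small constructed set of syslog-style authentication lines as they would arrive at a central collector, flags logins that cannot be tied to one person, and correlates events across hosts by source address, which is the kind of cross-system view that per-host logging cannot give you. The host names, users, and addresses are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: syslog-style auth events from two hosts forwarded to a
# central collector. Hosts, users, and addresses are invented for this example.
SAMPLE_LOGS = """\
2024-03-04T13:01:02Z fileserver01 sshd[2201]: Accepted publickey for jsmith from 10.0.5.21 port 50122
2024-03-04T13:01:09Z fileserver01 sudo: jsmith : TTY=pts/0 ; PWD=/srv/cui ; USER=root ; COMMAND=/bin/cp quote.pdf /tmp/
2024-03-04T13:04:40Z db01 sshd[981]: Accepted password for admin from 10.0.5.40 port 41002
2024-03-04T13:05:13Z db01 sshd[990]: Accepted publickey for svc_backup from 10.0.9.9 port 39910
2024-03-04T13:06:00Z fileserver01 sshd[2299]: Accepted password for root from 10.0.5.40 port 41100
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Accounts that by construction cannot be tied to one person.
SHARED_ACCOUNTS = {"root", "admin", "administrator", "guest"}

def parse_events(text):
    """Normalize each line into when / where / who / what (+ source address)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        msg = m["msg"]
        if (lm := LOGIN_RE.search(msg)):
            events.append({"when": ts, "host": m["host"], "who": lm["user"],
                           "what": f"login:{lm['method']}", "src": lm["src"]})
        elif m["proc"] == "sudo" and (sm := SUDO_RE.match(msg)):
            # sudo keeps the invoking user, so privileged actions stay attributable.
            events.append({"when": ts, "host": m["host"], "who": sm["user"],
                           "what": f"sudo:{sm['cmd']}", "src": None})
    return events

def attribution_findings(events):
    """Events whose actor is not an individual person.

    Shared accounts fail outright. A login by a svc_ account is reported for
    review: the log line alone cannot show whether a process or a person used it.
    """
    findings = []
    for e in events:
        user = e["who"]
        if user in SHARED_ACCOUNTS:
            findings.append(("shared_account", e["when"].isoformat(), e["host"], user, e["what"]))
        elif user.startswith("svc_") and e["what"].startswith("login:"):
            findings.append(("service_login", e["when"].isoformat(), e["host"], user, e["what"]))
    return findings

def timeline_by_source(events):
    """Cross-host correlation: which source address touched which hosts as which users."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["when"]):
        if e["src"]:
            by_src[e["src"]].append((e["host"], e["who"]))
    return dict(by_src)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for f in attribution_findings(evs):
        print("FINDING", *f)
    for src, trail in timeline_by_source(evs).items():
        print(src, "->", trail)
```

On the constructed input the correlation step is what makes the case: the workstation at 10.0.5.40 logged in as admin on one host and as root on another within two minutes, and without centralized collection nothing ties those two shared-account sessions to the same seat.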

3. SC.L2-3.13.11 — CUI Encryption

As written in NIST SP 800-171, 3.13.11 requires that any cryptography used to protect the confidentiality of CUI be FIPS-validated: the module must hold a CMVP validation certificate, not merely implement a FIPS-approved algorithm. The in-transit requirement most people have in mind is its companion, SC.L2-3.13.8 (Data in Transit), and the two are usually assessed together. In practice that means TLS 1.2 or higher for web traffic, encrypted email (or an approved secure transfer portal) for CUI sent by email, and a VPN or equivalent for remote access, all terminating in validated modules. Companies that still allow unencrypted FTP, HTTP, or plaintext email for CUI fail 3.13.8; companies that encrypt everything but cannot point to the validation certificate for the module doing it fail 3.13.11.

4. IA.L2-3.5.3 — Multi-Factor Authentication

MFA is required for local and network access to privileged accounts and for network access to non-privileged accounts. In practice that covers every remote or VPN login and every administrative login, including console and RDP sessions, on systems in the CUI environment. SMS and voice one-time codes are commonly accepted as a second factor, but NIST SP 800-63B classes them as restricted authenticators; phishing-resistant methods (FIDO2 security keys, PIV/CAC smart cards) are the better choice. The typical gap is partial coverage: MFA on cloud email but not on the VPN, the domain administrators, or local logons to CUI servers.

5. AC.L2-3.1.3 — CUI Flow Control

You must control the flow of CUI in accordance with approved authorizations. This means documenting where CUI is allowed to go (which enclaves, which partner systems, which channels), implementing technical controls that block transfers outside that list (DLP rules, egress filtering, blocked removable media, restricted cloud storage), and monitoring for violations. Network segmentation alone is not sufficient, because the common leakage paths, email, personal cloud storage, and USB media, run straight through a segmented network.

6. SC.L2-3.13.1 — Boundary Protection

Communications at external system boundaries and key internal boundaries must be monitored, controlled, and protected. This requires firewalls with deny-by-default rules in both directions, intrusion detection or prevention, and monitoring of boundary traffic. Default-allow policies, and especially unrestricted outbound access, are a common finding; so is a single catch-all allow rule that silently makes every rule after it irrelevant.
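A deny-by-default check is easy to automate against an exported ruleset, and doing so catches the mistakes that a visual review misses. The script below is an added example, not from the original post or any firewall vendor: it audits a constructed iptables-save style ruleset for non-DROP chain policies, accept rules with no match criteria at all, interface-only accepts (which are just catch-alls scoped to a link), and rules shadowed by an earlier catch-all. The ruleset is invented to contain exactly those mistakes.

```python
import shlex

# Constructed iptables-save style ruleset for a boundary host. Not from any
# real system; written to contain the classic default-allow mistakes.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j DROP
COMMIT
"""

# Options that actually narrow what a rule matches. Interface selectors
# (-i/-o) are deliberately excluded: "anything from eth1 to eth0" is not a
# controlled flow, it is a default-allow between two zones.
MATCH_OPTIONS = {"-p", "-s", "-d", "--dport", "--sport", "-m"}

def parse_ruleset(text):
    """Return ({chain: policy}, [(tokens, original_line), ...]) for the filter table."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append((shlex.split(line), line))
    return policies, rules

def audit_ruleset(text):
    """List of (finding_kind, detail) tuples; empty list means the checks pass."""
    policies, rules = parse_ruleset(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(("default_policy",
                             f"{chain} policy is {policies.get(chain)}, expected DROP"))
    chains_with_catch_all = set()
    for tokens, line in rules:
        chain = tokens[1]
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if chain in chains_with_catch_all:
            # Anything after an unconditional ACCEPT is never evaluated.
            findings.append(("unreachable", line))
            continue
        if target != "ACCEPT":
            continue
        if not MATCH_OPTIONS & set(tokens):
            # "-A CHAIN -j ACCEPT" is four tokens: a pure catch-all.
            kind = "catch_all" if len(tokens) == 4 else "no_match_criteria"
            findings.append((kind, line))
            if kind == "catch_all":
                chains_with_catch_all.add(chain)
    return findings

if __name__ == "__main__":
    for kind, detail in audit_ruleset(SAMPLE_RULESET):
        print(f"{kind:18} {detail}")
```

The RDP block at the end of the sample is the instructive case: it looks like a deliberate restriction, but the `-A INPUT -j ACCEPT` above it means the rule never fires, so the host is accepting 3389 from anywhere while the ruleset reads as if it were not.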

7. IR.L2-3.6.2 — Incident Tracking and Reporting

You must track, document, and report incidents to designated officials and authorities, both internal and external. For defense contractors the external chain includes the DFARS 252.204-7012 requirement to report cyber incidents affecting covered defense information to DoD within 72 hours of discovery. Many companies have no formal incident response process, no tracking mechanism (even a dedicated ticket queue will do), and no written escalation path naming who reports and to whom. An incident response plan on a shelf does not satisfy this requirement, and the related control IR.L2-3.6.3 separately requires that the response capability be tested.

8. RA.L2-3.11.2 — Vulnerability Scanning

Scanning for vulnerabilities in organizational systems and applications must be performed periodically and whenever new vulnerabilities affecting those systems are identified. "Periodically" is a frequency you define and document; monthly or more often is a common choice, and scans should be authenticated so they see missing patches rather than only exposed services. Many contractors either do not scan at all or scan and never act on the findings; the latter also fails the companion control RA.L2-3.11.3, which requires remediating vulnerabilities in accordance with risk assessments.
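The "scan but never remediate" pattern is visible in the scan data itself, if you compare runs instead of reading each report in isolation. The script below is an added example, not from the original post or any scanner vendor. It takes two constructed scanner exports a month apart, ages each open finding against a severity-based remediation window, and computes what fraction of last month's findings actually closed. The hosts are invented, the finding IDs are placeholders rather than real CVEs, and the remediation windows are this example's assumption; NIST SP 800-171 does not prescribe them, so substitute the ones in your own risk assessment.

```python
from datetime import date

# Example remediation windows in days, by scanner severity. An assumption for
# this example; set these from your own risk assessment and document them.
REMEDIATION_SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scanner exports: one row per (host, finding). Finding IDs are
# placeholders, not real CVE numbers; hosts and dates are invented.
PREVIOUS_SCAN_DATE = date(2024, 5, 1)
PREVIOUS_SCAN = [
    {"host": "fileserver01", "id": "F-1001", "severity": "critical", "first_seen": date(2024, 2, 10)},
    {"host": "fileserver01", "id": "F-1002", "severity": "high", "first_seen": date(2024, 4, 20)},
    {"host": "db01", "id": "F-1003", "severity": "medium", "first_seen": date(2024, 1, 15)},
    {"host": "db01", "id": "F-1004", "severity": "low", "first_seen": date(2024, 4, 28)},
]
CURRENT_SCAN_DATE = date(2024, 6, 1)
CURRENT_SCAN = [
    {"host": "fileserver01", "id": "F-1001", "severity": "critical", "first_seen": date(2024, 2, 10)},
    {"host": "fileserver01", "id": "F-1002", "severity": "high", "first_seen": date(2024, 4, 20)},
    {"host": "db01", "id": "F-1003", "severity": "medium", "first_seen": date(2024, 1, 15)},
    {"host": "db01", "id": "F-1005", "severity": "high", "first_seen": date(2024, 5, 30)},
]

def overdue_findings(findings, as_of):
    """Open findings older than their severity's window, worst first."""
    out = []
    for f in findings:
        limit = REMEDIATION_SLA_DAYS[f["severity"]]
        age = (as_of - f["first_seen"]).days
        if age > limit:
            out.append({**f, "age_days": age, "days_overdue": age - limit})
    return sorted(out, key=lambda f: f["days_overdue"], reverse=True)

def compare_scans(previous, current):
    """Partition findings into new, persisting, and closed by (host, id) key."""
    prev = {(f["host"], f["id"]) for f in previous}
    cur = {(f["host"], f["id"]) for f in current}
    return {"new": sorted(cur - prev), "persisting": sorted(cur & prev), "closed": sorted(prev - cur)}

def remediation_rate(previous, current):
    """Share of last scan's findings that are gone now. Near zero month after
    month is the signature of scanning without remediating."""
    diff = compare_scans(previous, current)
    total = len(diff["persisting"]) + len(diff["closed"])
    return 0.0 if total == 0 else len(diff["closed"]) / total

if __name__ == "__main__":
    for f in overdue_findings(CURRENT_SCAN, CURRENT_SCAN_DATE):
        print(f"{f['host']:14} {f['id']}  {f['severity']:8} {f['age_days']:4}d open, {f['days_overdue']}d overdue")
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN))
    print(f"remediation rate: {remediation_rate(PREVIOUS_SCAN, CURRENT_SCAN):.0%}")
```

Tracking `first_seen` across runs is the part most teams skip; without it every report looks like a fresh snapshot and a critical that has been open since February reads the same as one found yesterday.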

9. CM.L2-3.4.2 — Security Configuration Enforcement

You must establish and enforce security configuration settings for the IT products in your environment. This means documented baselines (CIS Benchmarks, DISA STIGs, or equivalent), a record of any approved deviations, automated enforcement where possible (group policy, configuration management tooling), and regular checks that the running configuration still matches the baseline. Default installations without hardening fail this control, as do hardened builds that drift back over time with nobody checking.
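Enforcement means comparing what the system actually applies against the baseline, not what the config file appears to say. The script below is an added example, not from the original post, CIS, or DISA. It evaluates a constructed sshd_config against a small example baseline using the semantics sshd itself uses: the first value seen for a keyword wins, keywords are case-insensitive, unset keywords take OpenSSH's compiled-in default, and everything after the first Match block is conditional and so not part of the global configuration. The baseline values are in the spirit of a CIS or STIG benchmark but are this example's assumption, not quoted from either.

```python
import re

# Constructed sshd_config showing the "hardening appended at the end" mistake:
# sshd uses the FIRST value for a keyword, so the later lines change nothing.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
MaxAuthTries 6
# --- hardening added later by an admin ---
PermitRootLogin no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# OpenSSH compiled-in defaults for the keywords checked here (OpenSSH 7.0+).
OPENSSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
}

# Example baseline: (human-readable expectation, predicate on the value).
# Values are this example's assumption, not quoted from CIS or DISA.
BASELINE = {
    "permitrootlogin": ("no", lambda v: v.lower() == "no"),
    "passwordauthentication": ("no", lambda v: v.lower() == "no"),
    "x11forwarding": ("no", lambda v: v.lower() == "no"),
    "maxauthtries": ("4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
    "loglevel": ("VERBOSE", lambda v: v.upper() == "VERBOSE"),
}

def effective_settings(text):
    """Global settings as sshd applies them.

    First occurrence of a keyword wins; keywords are case-insensitive; both
    'Keyword value' and 'Keyword=value' forms are accepted; parsing stops at
    the first Match block because everything after it is conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings

def check_baseline(text):
    """Baseline deviations: {keyword: {actual, expected, source}}.
    source is 'set' when the file sets the value, 'default' when sshd's
    compiled-in default is what would be enforced."""
    settings = effective_settings(text)
    findings = {}
    for key, (expected, ok) in BASELINE.items():
        actual = settings.get(key, OPENSSH_DEFAULTS[key])
        source = "set" if key in settings else "default"
        if not ok(actual):
            findings[key] = {"actual": actual, "expected": expected, "source": source}
    return findings

if __name__ == "__main__":
    for key, f in check_baseline(SAMPLE_SSHD_CONFIG).items():
        print(f"{key:24} actual={f['actual']!r:20} expected={f['expected']!r} ({f['source']})")
```

Run the same check from a scheduled job across the fleet and keep the output; "regular compliance checks" in an assessment means being able to show the history, not just today's result.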

10. AT.L2-3.2.3 — Insider Threat Awareness

Security awareness training must include recognizing and reporting potential indicators of insider threat. (This is 3.2.3; 3.2.2 is role-based training for personnel with assigned security duties, a separate requirement that is also frequently missed.) Generic cybersecurity training that covers phishing but ignores insider threats does not satisfy this requirement. Your training program must explicitly cover behavioral indicators and the procedure for reporting them, and you need completion records showing who was trained and when.


Take the next step toward CMMC compliance

CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in with templates, evidence mapping, and a POA&M tracker. Spin up a free demo workspace.
