// Level 2 · Families

NIST SP 800-171 Rev 3

Protecting Controlled Unclassified Information (CUI) in non-federal systems. 14 control families with 110+ requirements.

22 controls

Access Control

Limit system access to authorized users and processes.

Browse controls

3 controls

Awareness and Training

Ensure personnel are trained on CUI handling and security risks.

Browse controls

9 controls

Audit and Accountability

Create, protect, and review audit records.

Browse controls

9 controls

Configuration Management

Establish and maintain baseline configurations.

Browse controls

11 controls

Identification and Authentication

Identify users and authenticate identities.

Browse controls

3 controls

Incident Response

Establish operational incident-handling capability.

Browse controls

6 controls

Maintenance

Perform maintenance on organizational systems.

Browse controls

9 controls

Media Protection

Protect CUI on system media, both digital and paper.

Browse controls

2 controls

Personnel Security

Screen individuals before granting access to CUI.

Browse controls

6 controls

Physical Protection

Limit physical access to systems handling CUI.

Browse controls

3 controls

Risk Assessment

Periodically assess risks to CUI.

Browse controls

4 controls

Security Assessment

Periodically assess security controls.

Browse controls

16 controls

System and Communications Protection

Monitor and protect communications and system boundaries.

Browse controls

7 controls

System and Information Integrity

Identify and remediate flaws in a timely manner.

Browse controls