Do I Have to Implement NIST 800-171 Controls in Order? 

Many don't realize they can implement NIST 800-171 controls in any order that makes the most sense to your organization. Discover proven approaches to control order.

Summary 

No, you don’t have to implement NIST 800‑171 controls in their listed order. Organizations can follow one of several organized approaches. Each method supports different workflows, but expert guidance ensures efficiency, accuracy, and cost savings. Summit 7 provides trusted support for tailored, effective CMMC compliance implementation. 

Introduction

National Institute of Standards and Technology (NIST) 800-171 maintains the 110 security controls that must be met to comply with Cybersecurity Maturity Model Certification (CMMC). You may already be familiar with the 14 control families, which NIST 800-171 lists in the following order:  

  1. AC — Access Control  
  1. AT — Awareness & Training  
  1. AU — Audit & Accountability  
  1. CM — Configuration Management  
  1. IA — Identification & Authentication  
  1. IR — Incident Response  
  1. MA — Maintenance  
  1. MP — Media Protection  
  1. PS — Personnel Security  
  1. PE — Physical Protection  
  1. RA — Risk Assessment  
  1. CA — Security Assessment  
  1. SC — System & Communications Protection  
  1. SI — System & Information Integrity 

Many don’t realize that this order is only alphabetical and does not necessarily represent the importance or required implementation order of the families or individual controls. Here’s our compliance team’s insight on NIST 800-171 implementation order.  

Do I have to implement NIST 800-171 controls in the order they are listed?  

No, you may implement your NIST 800-171 controls in any order that makes the most sense to your organization. In the same vein, your Certified Third-Party Assessor Organization (C3PAO) may assess them in any order they wish. That said, there are a few methodologies to consider before deciding to implement them in a random order.  

Common Approaches to Implementation Order 

Alphabetically 

Though not required, many choose to implement controls in the order listed above. In doing so, you’ll already have gathered the evidence you need for the SC and SI families by the time you reach them. 

By Engineering Relationship  

There is an argument to be made for implementing NIST 800-171 controls by engineering relationship. For example, one might: 

  • Start with AC and AU at the same time as identity, access, and usage visibility are a natural starting point 
  • Move on to SC, SI, and CM work ties in architecture and security engineering  
  • End with security monitoring and auditing work based on the foundation you’ve built so far 

Ordering by engineering relationship allows you to focus on developing your architecture by function.  

The RMF Approach 

Rather than using a step-by-step implementation structure, you can tailor it to your scope and organization needs by following NIST’s Risk Management Framework (RMF).  

RMF steps: 

  • Prepare 
  • Categorize 
  • Select  
  • Implement 
  • Assess 
  • Authorize 
  • Monitor 

To translate these steps into NIST 800-171 implementation, you could: 

  • Start with AU to understand your organization’s Controlled Unclassified Information (CUI) flow and scope 
  • Perform a gap assessment  
  • Build the System Security Plan (SSP) as a planning document, not just final documentation  
  • Follow your SSP to determine implementation order 

This approach allows you to customize implementation order to best suit your business needs.  

By Group 

Another implementation strategy breaks the families into four groups, following an assessment methodology adopted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Each group shares people and technology being assessed.  

Group 1: Access, Identity, and Auditing 

Families: AC, AU, IA 

Staff Involved: 

  • Account Managers  
  • Domain Administrators  
  • HR  
  • Manager/CISO  
  • Marketing/Communications  
  • Network Administrators  
  • System Administrators 

Group 2: Governance, Risk, and Physical Security 

Families: AT, CA, PE, PS, RA  

Staff Involved: 

  • Domain Administrators  
  • Facilities  
  • HR  
  • Manager/CISO  
  • Marketing/Communications  
  • Network Administrators  
  • SOC  
  • System Administrators 

Group 3: Operational Configuration and Asset Protection 

Families: CM, MA, MP  

Staff Involved: 

  • Facilities  
  • Manager/CISO  
  • Network Administrators  
  • System Administrators 

Group 4: Security Operations and Defensive Architecture 

Families: IR, SC, SI 

Staff Involved: 

  • Architects  
  • Domain Administrators  
  • Manager/CISO  
  • Network Administrators  
  • SOC  
  • System Administrators 

Note: If a physical facility is within your scope, PE should be saved for last. You would do an on-site audit on your last day of assessment.  

Implementing in this order helps focus people and technology on all areas of the respective groups.  Considering each area as a whole minimizes the risk that pieces will be missed.  

Start with expertise. 

Regardless of exact implementation order, consulting with an expert is always the best starting point. Summit 7 has 100+ CMMC Level 2 certified clients and the highest number of Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) in the industry.  

Using trusted Managed Service Provider (MSP), Managed Security Service Provider (MSSP), and/or Governance, Risk Management, and Compliance (GRC) services offered by Summit 7 can save you time, headaches, and 56-70% of the cost compared to implementing CMMC in house.  

Reach out to a Summit 7 expert to begin your CMMC compliance journey.  

Scroll to Top