Summary
No, you don’t have to implement NIST 800‑171 controls in their listed order. Organizations can follow one of several organized approaches. Each method supports different workflows, but expert guidance ensures efficiency, accuracy, and cost savings. Summit 7 provides trusted support for tailored, effective CMMC compliance implementation.
Introduction
National Institute of Standards and Technology (NIST) 800-171 maintains the 110 security controls that must be met to comply with Cybersecurity Maturity Model Certification (CMMC). You may already be familiar with the 14 control families, which NIST 800-171 lists in the following order:
- AC — Access Control
- AT — Awareness & Training
- AU — Audit & Accountability
- CM — Configuration Management
- IA — Identification & Authentication
- IR — Incident Response
- MA — Maintenance
- MP — Media Protection
- PS — Personnel Security
- PE — Physical Protection
- RA — Risk Assessment
- CA — Security Assessment
- SC — System & Communications Protection
- SI — System & Information Integrity
Many don’t realize that this order is only alphabetical and does not necessarily represent the importance or required implementation order of the families or individual controls. Here’s our compliance team’s insight on NIST 800-171 implementation order.
Do I have to implement NIST 800-171 controls in the order they are listed?
No, you may implement your NIST 800-171 controls in any order that makes the most sense to your organization. In the same vein, your Certified Third-Party Assessor Organization (C3PAO) may assess them in any order they wish. That said, there are a few methodologies to consider before deciding to implement them in a random order.
Common Approaches to Implementation Order
Alphabetically
Though not required, many choose to implement controls in the order listed above. In doing so, you’ll already have gathered the evidence you need for the SC and SI families by the time you reach them.
By Engineering Relationship
There is an argument to be made for implementing NIST 800-171 controls by engineering relationship. For example, one might:
- Start with AC and AU at the same time as identity, access, and usage visibility are a natural starting point
- Move on to SC, SI, and CM work ties in architecture and security engineering
- End with security monitoring and auditing work based on the foundation you’ve built so far
Ordering by engineering relationship allows you to focus on developing your architecture by function.
The RMF Approach
Rather than using a step-by-step implementation structure, you can tailor it to your scope and organization needs by following NIST’s Risk Management Framework (RMF).
RMF steps:
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
To translate these steps into NIST 800-171 implementation, you could:
- Start with AU to understand your organization’s Controlled Unclassified Information (CUI) flow and scope
- Perform a gap assessment
- Build the System Security Plan (SSP) as a planning document, not just final documentation
- Follow your SSP to determine implementation order
This approach allows you to customize implementation order to best suit your business needs.
By Group
Another implementation strategy breaks the families into four groups, following an assessment methodology adopted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Each group shares people and technology being assessed.
Group 1: Access, Identity, and Auditing
Families: AC, AU, IA
Staff Involved:
- Account Managers
- Domain Administrators
- HR
- Manager/CISO
- Marketing/Communications
- Network Administrators
- System Administrators
Group 2: Governance, Risk, and Physical Security
Families: AT, CA, PE, PS, RA
Staff Involved:
- Domain Administrators
- Facilities
- HR
- Manager/CISO
- Marketing/Communications
- Network Administrators
- SOC
- System Administrators
Group 3: Operational Configuration and Asset Protection
Families: CM, MA, MP
Staff Involved:
- Facilities
- Manager/CISO
- Network Administrators
- System Administrators
Group 4: Security Operations and Defensive Architecture
Families: IR, SC, SI
Staff Involved:
- Architects
- Domain Administrators
- Manager/CISO
- Network Administrators
- SOC
- System Administrators
Note: If a physical facility is within your scope, PE should be saved for last. You would do an on-site audit on your last day of assessment.
Implementing in this order helps focus people and technology on all areas of the respective groups. Considering each area as a whole minimizes the risk that pieces will be missed.
Start with expertise.
Regardless of exact implementation order, consulting with an expert is always the best starting point. Summit 7 has 100+ CMMC Level 2 certified clients and the highest number of Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) in the industry.
Using trusted Managed Service Provider (MSP), Managed Security Service Provider (MSSP), and/or Governance, Risk Management, and Compliance (GRC) services offered by Summit 7 can save you time, headaches, and 56-70% of the cost compared to implementing CMMC in house.
Reach out to a Summit 7 expert to begin your CMMC compliance journey.


