This mapping helps you translate NIST SP 800-171 control families to the CMMC Level 2 expectations, with suggested artifacts and control owners. Personalize owners and evidence to your environment.
Access Control (AC)
• MFA for all privileged and remote access
• Role-based access; least privilege
• Account lifecycle (provision/change/disable)
• Artifacts: access policy, user lists, MFA logs, access reviews
Audit & Accountability (AU)
• Centralized logging/SIEM
• Time sync; log retention
• Audit review procedures
• Artifacts: SIEM screenshots, log policies, alert runbooks
Configuration Management (CM)
• Baseline configs
• Change control
• Secure images
• Artifacts: baseline docs, change tickets, hardening guides
Identification & Authentication (IA)
• Unique IDs; strong auth
• Device auth
• Password policies
• Artifacts: auth policies, MFA evidence
Incident Response (IR)
• IR plan & tabletop
• Roles and communications
• Post-incident reviews
• Artifacts: IR plan, tabletop reports, training rosters
Maintenance (MA)
• Controlled maintenance
• Remote maintenance rules
• Artifacts: maintenance logs, maintenance approvals
Media Protection (MP)
• Labeling/handling of CUI media
• Sanitization
• Artifacts: disposal logs, encryption evidence
Personnel Security (PS)
• Screening; termination steps
• Non-disclosure
• Artifacts: HR checklists, NDAs
Physical Protection (PE)
• Facility access controls
• Visitor management
• Artifacts: badge logs, camera policy
Risk Assessment (RA)
• Periodic risk assessments
• Vulnerability scans
• Artifacts: risk reports, scan results, POA&M updates
Security Assessment (CA)
• Internal control testing
• External/independent reviews
• Artifacts: self-assessment records, readiness reports
System & Services Acquisition (SA)
• Vendor security requirements
• Secure SDLC
• Artifacts: contracts with security clauses, test plans
System & Communications Protection (SC)
• FIPS-validated encryption
• Network segmentation
• TLS for data in transit
• Artifacts: crypto module evidence, firewall configs
System & Information Integrity (SI)
• Anti-malware/EDR
• Patch management
• Alerts/monitoring
• Artifacts: EDR console reports, patch metrics
Owners & RACI (Template)
Suggested roles: Executive Sponsor, Compliance Lead, IT/SecOps Lead, Contracts, HR, Facilities. Customize per control family and add alternates.
References
– DFARS / CMMC Final Rule & Phased Implementation (effective Nov 10, 2025).
– NIST SP 800-171 control alignment and Level 2 mapping.
– CMMC requirements and subcontractor flow-down expectations.
– State and Local Cybersecurity Grant Program (SLCGP) guidance for Arkansas.