
The 110 NIST 800-171 Controls: Where to Start (Priority List)

Mike Torres
Manufacturing Security Advisor
2025-12-15
15 min read

Advised global manufacturers and machine shops across Asia and US for 7 years. Now helping small shops navigate CMMC compliance without the BS.

The 110 NIST 800-171 Controls: Where to Start (Priority List for Machine Shops)

110 security controls.

Across 14 families.

From NIST Special Publication 800-171 Revision 2.

If you're looking at this list for the first time, it's overwhelming. Most machine shops don't have a cybersecurity team. You've got a guy who "knows computers" and maybe an MSP.

How do you implement 110 controls?

Answer: You don't. Not all at once. You prioritize.

The 80/20 Rule for CMMC

20% of the controls will take 80% of your effort.

Conversely, 80% of the controls are relatively straightforward.

The trick is knowing which is which.

This guide breaks down the 110 controls into three tiers:

  1. Quick wins (do these first — low effort, high impact)
  2. Medium difficulty (most of the work — requires planning but doable)
  3. Hard mode (save these for last — expensive or technically complex)

Quick Wins (Do These First)

These controls can be implemented in days to weeks with minimal cost. Start here.

1. Access Control (AC.3.001 - AC.3.017)

AC.3.001: Limit system access to authorized users

Translation: Don't share passwords. Everyone gets their own account.

How to do it:

  • Create individual user accounts on all systems
  • Disable generic "Administrator" or "Shop" accounts
  • Use Active Directory or similar (even Google Workspace counts)

Cost: Free (if you already have AD/Google)

Time: 1-2 days


AC.3.002: Limit system access to authorized processes

Translation: Don't run everything as admin.

How to do it:

  • Users run as standard users, not administrators
  • Only elevate privileges when installing software

Cost: Free

Time: 1 day (policy change + training)


AC.3.003: Control CUI flow

Translation: Don't let CUI leak everywhere.

How to do it:

  • Identify where CUI is stored (which folders, which systems)
  • Restrict access to those folders/systems
  • Don't email CUI to personal accounts

Cost: Free

Time: 1 week (audit + implement)

2. Identification & Authentication (IA.3.077 - IA.3.083)

IA.3.077: Use unique IDs

Translation: No shared accounts. (Yes, we're saying this twice. It's that important.)

How to do it:

  • Same as AC.3.001

Cost: Free

Time: 1 day


IA.3.078: Enforce minimum password complexity

Translation: No "password123".

How to do it:

  • Group Policy (Windows) or equivalent
  • Require: 14+ characters, mix of upper/lower/numbers/symbols
  • Or use a password manager and generate strong passwords

Cost: Free (OS feature)

Time: 1 hour


IA.3.081: Use multifactor authentication (MFA)

Translation: Password + phone/token to log in.

How to do it:

  • Enable MFA on Microsoft 365, Google Workspace, VPN
  • Use Duo, Okta, or built-in MFA
  • Everyone uses authenticator app or hardware token

Cost: $3-10/user/month

Time: 1 week (rollout + training)

3. Media Protection (MP.3.138 - MP.3.148)

MP.3.138: Sanitize media before disposal

Translation: Don't throw away hard drives with data on them.

How to do it:

  • Use DBAN or similar to wipe drives
  • Or physically destroy (drill, degausser, shredder)
  • Document disposal (date, method, who did it)

Cost: $200-500 for shredder or degausser (one-time)

Time: Ongoing (per disposal event)


MP.3.140: Control access to media containing CUI

Translation: Lock up backups and external drives.

How to do it:

  • Store backup drives in locked cabinet or safe
  • Don't leave USB drives lying around
  • Encrypt external media

Cost: $100-500 for locking cabinet

Time: 1 day

4. Physical Protection (PE.3.131 - PE.3.137)

PE.3.131: Limit physical access

Translation: Lock the server room.

How to do it:

  • Server/network equipment in locked room or cage
  • Only authorized personnel have keys/codes
  • Log who accessed (badge system or sign-in sheet)

Cost: $200-2000 (depends on existing setup)

Time: 1 day to 1 week

5. System & Communications Protection (SC.3.177 - SC.3.191)

SC.3.177: Employ FIPS-validated crypto

Translation: Use built-in Windows/Mac encryption.

How to do it:

  • BitLocker (Windows Pro)
  • FileVault (Mac)
  • VeraCrypt (if you need cross-platform)

Cost: Free (built into OS)

Time: 1-2 days (enable on all systems)


SC.3.185: Use encrypted sessions for remote access

Translation: Use VPN or RDP over SSH.

How to do it:

  • Deploy VPN (SonicWall, Fortinet, pfSense)
  • Disable direct RDP from internet
  • Use RDP gateway or VPN only

Cost: $500-2000 for VPN appliance

Time: 1 week (setup + testing)


SC.3.191: Protect confidentiality of CUI at rest

Translation: Encrypt CUI files and folders.

How to do it:

  • Use full-disk encryption (BitLocker/FileVault)
  • For network shares: Windows EFS or third-party encryption

Cost: Free to $1000 (depends on tools)

Time: 1-2 weeks

Medium Difficulty (The Bulk of Your Work)

These controls require planning, documentation, and ongoing effort. Budget 3-6 months.

6. Audit & Accountability (AU.3.045 - AU.3.058)

AU.3.045: Create audit records

Translation: Log everything users do.

How to do it:

  • Enable audit logging in Windows Event Log
  • Configure systems to log: logins, file access, config changes
  • Store logs centrally (SIEM or log aggregator)

Cost: $500-2000/month for SIEM (SolarWinds, Splunk, etc.)

Time: 2-4 weeks (setup)


AU.3.049: Protect audit information

Translation: Don't let users delete logs.

How to do it:

  • Restrict log file permissions (admin-only)
  • Forward logs to separate system (can't delete local copy)
  • SIEM with access controls

Cost: Included in SIEM

Time: 1 week


AU.3.051: Review/analyze audit logs

Translation: Actually look at the logs.

How to do it:

  • Automated alerts for suspicious activity (failed logins, privilege escalation)
  • Weekly manual review of logs
  • Document review in log or checklist

Cost: Time (2-4 hours/week)

Time: Ongoing
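The weekly review in AU.3.051 is easier to keep up (and to prove to an assessor) if the two checks the post names are scripted rather than eyeballed. The following is an added example, not code from the original post. It reads Windows Security events from a simple CSV export (the sample rows and the column layout are constructed; a real export comes from your SIEM or log collector), flags bursts of failed logons (event ID 4625) from one source against one account, and flags privileged logons (event ID 4672) by accounts not on the shop's list of expected administrators. The admin list and the burst threshold are assumptions you would set for your own environment.

```python
"""Weekly audit-log review helper for the AU.3.051 step above.

Added example, not code from the original post. It reads Windows Security
events in a simple CSV export (constructed sample below; the format is an
assumption, real exports come from a SIEM or log collector) and flags the two
things the post says to alert on: bursts of failed logins (event ID 4625) from
one source against one account, and privileged logons (event ID 4672) by
accounts that are not on the shop's list of expected administrators.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one week's worth, trimmed to the interesting rows.
SAMPLE_EXPORT = """\
time,event_id,account,source
2025-12-01T08:00:05,4624,jsmith,CNC-PC-01
2025-12-01T08:01:10,4625,admin,203.0.113.7
2025-12-01T08:01:12,4625,admin,203.0.113.7
2025-12-01T08:01:15,4625,admin,203.0.113.7
2025-12-01T08:01:19,4625,admin,203.0.113.7
2025-12-01T08:01:22,4625,admin,203.0.113.7
2025-12-01T08:30:00,4625,mlopez,SHOP-PC-03
2025-12-01T09:15:00,4672,itadmin,FILESRV
2025-12-01T09:16:00,4672,jsmith,CNC-PC-01
"""

FAILED_LOGON = "4625"          # Windows Security: an account failed to log on
PRIVILEGED_LOGON = "4672"      # Windows Security: special privileges assigned to new logon
EXPECTED_ADMINS = {"itadmin"}  # assumption: the shop's known admin accounts
BURST_THRESHOLD = 5            # assumption: 5 failures inside the window is worth a look
BURST_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse the CSV export into dicts with real timestamps, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def failed_login_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (source, account, count) for every source/account pair that hit
    `threshold` failed logons inside a sliding window of `window`."""
    times_by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            times_by_key[(e["source"], e["account"])].append(e["time"])
    bursts = []
    for (source, account), times in times_by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((source, account, end - start + 1))
                break  # one finding per pair is enough for the review
    return bursts


def unexpected_privileged_logons(events, expected=EXPECTED_ADMINS):
    """Accounts that received admin-level privileges but are not expected to."""
    return [(e["account"], e["source"]) for e in events
            if e["event_id"] == PRIVILEGED_LOGON and e["account"] not in expected]


def weekly_review(text):
    """The record to file as evidence that the review happened."""
    events = parse_events(text)
    return {
        "events_reviewed": len(events),
        "failed_login_bursts": failed_login_bursts(events),
        "unexpected_privileged_logons": unexpected_privileged_logons(events),
    }


if __name__ == "__main__":
    for key, value in weekly_review(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run it against last week's export, paste the output into your review checklist, and you have both the "actually look at the logs" step and the documentation of it. On the sample data it reports one burst (five failures against `admin` from 203.0.113.7 in twelve seconds) and one privileged logon by a non-admin account; the single failed logon from `mlopez` stays below the threshold.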

7. Configuration Management (CM.3.068 - CM.3.070)

CM.3.068: Apply least functionality

Translation: Disable features you don't use.

How to do it:

  • Disable Telnet, FTP, unnecessary services
  • Uninstall bloatware
  • Use baseline configurations (CIS Benchmarks)

Cost: Free

Time: 2-4 weeks (audit + implement)


CM.3.069: Establish/maintain baseline configurations

Translation: Document your "gold image" setup.

How to do it:

  • Document standard workstation/server config
  • Use Group Policy or MDM to enforce
  • Track deviations in change log

Cost: Free

Time: 1-2 weeks (initial), ongoing maintenance


CM.3.070: Track/document changes

Translation: Keep a change log.

How to do it:

  • Use ticketing system (ServiceNow, Jira, or simple spreadsheet)
  • Log: date, who, what changed, why

Cost: Free to $10/user/month

Time: Ongoing (5-10 min per change)

8. Incident Response (IR.3.098 - IR.3.105)

IR.3.098: Establish incident handling capability

Translation: Have a plan for when shit hits the fan.

How to do it:

  • Write incident response plan (who to call, what to do)
  • Test annually (tabletop exercise)
  • Document in procedures manual

Cost: Free (DIY) or $5K-15K (consultant to write plan)

Time: 1-2 weeks (initial), annual updates


IR.3.100: Track/document incidents

Translation: Write down what happened.

How to do it:

  • Incident log (date, description, response, resolution)
  • Store in secure location

Cost: Free

Time: Per incident (30 min - 2 hours)


IR.3.105: Report to DoD within 72 hours

Translation: If you get breached, tell the government ASAP.

How to do it:

  • Report via DoD Cyber Crime Center (DC3)
  • Include: date, what happened, what data affected
  • Follow contract-specific reporting requirements

Cost: Free

Time: Per incident (2-4 hours)

9. Maintenance (MA.3.115 - MA.3.118)

MA.3.115: Perform maintenance with authorized personnel

Translation: Don't let random people work on your systems.

How to do it:

  • Vet IT contractors (background check or clearance)
  • Supervise external technicians
  • Use remote viewing tools (don't give admin passwords)

Cost: $50-200 per background check

Time: Ongoing

10. Personnel Security (PS.3.141 - PS.3.142)

PS.3.141: Screen individuals before authorizing access

Translation: Background checks for employees with CUI access.

How to do it:

  • Use commercial background check service
  • Or require security clearance if government provides

Cost: $50-200/person

Time: 1-2 weeks per person


PS.3.142: Ensure CUI protections when personnel actions occur

Translation: Revoke access when people leave.

How to do it:

  • Terminate accounts same day employee leaves
  • Retrieve company equipment
  • Disable VPN, email, network access

Cost: Free

Time: 1 hour per termination

11. Risk Assessment (RA.3.161 - RA.3.163)

RA.3.161: Perform vulnerability scans

Translation: Scan your network for security holes.

How to do it:

  • Use Nessus, OpenVAS, or Qualys
  • Scan monthly or quarterly
  • Fix critical/high vulnerabilities within 30 days

Cost: $2000-5000/year for scanner

Time: 2-4 hours/month
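Scanning monthly is the easy half of RA.3.161; the half assessors ask about is whether critical and high findings actually got fixed inside 30 days. The following is an added example, not code from the original post and not tied to any scanner's export format. It reads a constructed CSV with the fields most scanners can export (host, finding, severity, first-seen date), applies the post's 30-day rule, and reports what is overdue and what is due in the coming week as of a review date. The one-week warning window and the sample findings are assumptions.

```python
"""30-day remediation tracker for the RA.3.161 step above.

Added example, not code from the original post and not tied to any scanner's
export format. It reads a constructed CSV with the fields most scanners can
export (host, finding, severity, first-seen date), applies the post's rule
that critical and high findings are fixed within 30 days, and reports what is
overdue and what is due within the coming week as of a review date.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample findings; the names are illustrative, not real scanner output.
SAMPLE_FINDINGS = """\
host,finding,severity,first_seen
FILESRV,SMBv1 enabled,High,2025-10-20
CNC-PC-01,Outdated CAD viewer,Critical,2025-11-20
SHOP-PC-03,Missing OS patches,High,2025-12-05
FILESRV,Self-signed certificate,Medium,2025-09-01
"""

TRACKED_SEVERITIES = {"Critical", "High"}
SLA_DAYS = 30        # the post's "fix critical/high within 30 days"
DUE_SOON_DAYS = 7    # assumption: warn a week ahead of the deadline


def parse_findings(text):
    """Parse the CSV export and attach the SLA due date to every row."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["due"] = row["first_seen"] + timedelta(days=SLA_DAYS)
        findings.append(row)
    return findings


def sla_report(text, as_of):
    """Classify the tracked (critical/high) findings relative to the review date."""
    tracked = [f for f in parse_findings(text) if f["severity"] in TRACKED_SEVERITIES]

    def brief(f):
        # third field: days until due; negative means days overdue
        return (f["host"], f["finding"], (f["due"] - as_of).days)

    soon_cutoff = as_of + timedelta(days=DUE_SOON_DAYS)
    overdue = [brief(f) for f in tracked if f["due"] < as_of]
    due_soon = [brief(f) for f in tracked if as_of <= f["due"] <= soon_cutoff]
    on_track = [brief(f) for f in tracked if f["due"] > soon_cutoff]
    return {"as_of": as_of.isoformat(), "tracked": len(tracked),
            "overdue": overdue, "due_soon": due_soon, "on_track": on_track}


if __name__ == "__main__":
    for key, value in sla_report(SAMPLE_FINDINGS, date(2025, 12, 15)).items():
        print(f"{key}: {value}")
```

Reviewed on 2025-12-15, the sample shows the SMBv1 finding 26 days past its deadline, the CAD viewer due in 5 days, the missing patches still on track, and the medium finding not tracked against the 30-day rule at all. Anything in the overdue list belongs on your POA&M.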


RA.3.162: Perform risk assessments

Translation: What could go wrong? How bad would it be?

How to do it:

  • Identify threats (ransomware, insider threat, etc.)
  • Assess likelihood and impact
  • Document in risk register
  • Update annually or after major changes

Cost: Free (DIY) or $10K-30K (consultant)

Time: 1-2 weeks (initial), annual updates

12. Security Assessment (CA.3.161 - CA.3.167)

CA.3.161: Develop/implement security assessment plan

Translation: Test your controls annually.

How to do it:

  • Document testing plan (what to test, how often)
  • Annual penetration test or vulnerability assessment
  • Internal testing quarterly

Cost: $5K-20K for annual pen test

Time: 1-2 weeks/year


CA.3.165: Develop/maintain System Security Plan (SSP)

Translation: Write down your entire security program.

How to do it:

  • Use NIST 800-171A template
  • Document all 110 controls (implemented, not implemented, compensating controls)
  • Update annually or after major changes

Cost: $10K-30K (consultant) or free (DIY with template)

Time: 2-4 weeks (initial), 1 week annual updates


CA.3.166: Create/maintain Plan of Action & Milestones (POA&M)

Translation: List what you haven't fixed yet and when you'll fix it.

How to do it:

  • For each non-implemented control: describe gap, planned fix, target date
  • Update monthly
  • Track in spreadsheet or tool

Cost: Free

Time: 2-4 hours/month
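The SSP (CA.3.165) and the POA&M (CA.3.166) are really one data set looked at two ways: the SSP records the status of every control, and the POA&M is whatever is not implemented yet. The following is an added example, not code from the original post, showing how to derive the POA&M from a control inventory so the two never drift apart. It refuses unknown status values, reports entries that are missing a gap, planned fix or target date, flags overdue items, and totals progress per tier. The tier map is a subset of the post's own quick-win / medium / hard grouping; the inventory entries are constructed sample data.

```python
"""SSP status inventory to POA&M, for the CA.3.165 and CA.3.166 steps above.

Added example, not code from the original post. The SSP records every control
as implemented, not implemented, or compensating; the POA&M is derived from
the not-implemented ones and must carry a gap, planned fix and target date.
The tier map below is a subset of the post's own quick-win / medium / hard
grouping; the inventory entries are constructed sample data.
"""
from datetime import date

TIER = {  # subset of the post's sections
    "AC.3.001": "quick_win", "IA.3.081": "quick_win", "SC.3.177": "quick_win",
    "AU.3.045": "medium", "CA.3.165": "medium",
    "SC.3.183": "hard", "AC.3.019": "hard",
}
TIER_ORDER = {"quick_win": 0, "medium": 1, "hard": 2}
STATUSES = {"implemented", "not_implemented", "compensating"}

INVENTORY = [  # constructed sample
    {"control": "AC.3.001", "status": "implemented"},
    {"control": "IA.3.081", "status": "implemented"},
    {"control": "SC.3.177", "status": "compensating"},
    {"control": "CA.3.165", "status": "implemented"},
    {"control": "AU.3.045", "status": "not_implemented",
     "gap": "No central log collection",
     "planned_fix": "Deploy SIEM and forward Windows event logs",
     "target": date(2026, 1, 31)},
    {"control": "SC.3.183", "status": "not_implemented",
     "gap": "Flat network, CUI shares reachable from shop floor",
     "planned_fix": "Create CUI VLAN and firewall rules",
     "target": date(2025, 11, 30)},
    {"control": "AC.3.019", "status": "not_implemented",
     "gap": "Shared WPA2 passphrase on all devices",
     "planned_fix": "Move to WPA2 Enterprise with RADIUS"},  # target date missing
]


def build_poam(inventory, as_of):
    """Derive the POA&M and per-tier progress counts from the SSP inventory."""
    poam, needs_info = [], []
    completion = {tier: {status: 0 for status in STATUSES} for tier in TIER_ORDER}
    for entry in inventory:
        status = entry["status"]
        if status not in STATUSES:
            raise ValueError(f"{entry['control']}: unknown status {status!r}")
        tier = TIER[entry["control"]]  # KeyError here means the control is unmapped
        completion[tier][status] += 1
        if status != "not_implemented":
            continue
        missing = [f for f in ("gap", "planned_fix", "target") if not entry.get(f)]
        if missing:
            needs_info.append((entry["control"], missing))
            continue
        poam.append({
            "control": entry["control"], "tier": tier,
            "gap": entry["gap"], "planned_fix": entry["planned_fix"],
            "target": entry["target"].isoformat(),
            "overdue_days": max(0, (as_of - entry["target"]).days),
        })
    # quick wins first, then by target date, matching the post's priority order
    poam.sort(key=lambda p: (TIER_ORDER[p["tier"]], p["target"]))
    return {"poam": poam, "needs_info": needs_info, "completion": completion}


if __name__ == "__main__":
    result = build_poam(INVENTORY, date(2025, 12, 15))
    for item in result["poam"]:
        print(item)
    print("needs info:", result["needs_info"])
    print("completion:", result["completion"])
```

Run it on the first of each month (the post's "update monthly") and the `needs_info` list tells you which POA&M entries an assessor would reject as incomplete, while `overdue_days` tells you which target dates need to be renegotiated rather than quietly slipped.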

13. System & Information Integrity (SI.3.212 - SI.3.218)

SI.3.212: Identify/report/correct flaws

Translation: Patch your systems.

How to do it:

  • Enable auto-updates (Windows Update, Mac)
  • For servers: monthly patch cycle
  • Test patches in dev before production

Cost: Free

Time: 4-8 hours/month


SI.3.213: Provide protection from malicious code

Translation: Antivirus/EDR.

How to do it:

  • Deploy endpoint protection on all systems (CrowdStrike, SentinelOne, Defender ATP)
  • Update signatures daily
  • Monitor alerts

Cost: $10-25/user/month

Time: 1 week (deployment), ongoing monitoring


SI.3.214: Monitor system security alerts

Translation: Pay attention to security warnings.

How to do it:

  • Configure SIEM to alert on critical events
  • Assign someone to review daily
  • Respond within 24 hours

Cost: Included in SIEM

Time: 30 min - 1 hour/day

Hard Mode (Save for Last)

These controls are expensive, technically complex, or require specialized expertise.

14. Network Segmentation (AC.3.018, SC.3.183)

AC.3.018: Separate CUI processing

SC.3.183: Employ network segmentation

Translation: Isolate CUI systems from rest of network.

How to do it:

  • VLANs for CUI network
  • Firewall rules restricting cross-VLAN traffic
  • Separate wireless networks (guest vs. employee vs. CUI)

Why it's hard:

  • Requires network redesign
  • May need new switches/routers
  • Careful planning to avoid breaking workflows

Cost: $5K-20K (equipment + labor)

Time: 2-4 weeks
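Creating the CUI VLAN is the visible part; what usually undoes segmentation is a single over-broad firewall rule added later to "make RDP work". The following is an added example, not code from the original post or from any firewall vendor. It writes rules in a vendor-neutral form (source zone, destination zone, ports, action), evaluates them first-match the way most firewalls do (an assumption about your product), and checks two things: whether the guest or internet zone can still reach the CUI VLAN on common ports, and whether any allow rule into the CUI zone has "any" as its source. The rule sets are constructed, one with the mistake and one with it corrected.

```python
"""Cross-VLAN firewall rule check for the network segmentation step above.

Added example, not code from the original post or any firewall vendor. Rules
are written in a vendor-neutral form (source zone, destination zone, ports,
action), evaluated first-match like most firewalls (an assumption), and
checked for the two mistakes that quietly undo segmentation: an untrusted
zone that can still reach the CUI VLAN, and an "any"-source allow rule aimed
at the CUI VLAN.
"""

ANY = "any"


def rule(src, dst, action, ports=ANY):
    return {"src": src, "dst": dst, "action": action, "ports": ports}


# Constructed rule set with a deliberate mistake: the RDP rule is open to any source.
WEAK_RULES = [
    rule("guest", "cui", "deny"),
    rule("employee", "cui", "allow", {445}),   # file share access from the office VLAN
    rule(ANY, "cui", "allow", {3389}),         # RDP into CUI systems: far too broad
    rule("cui", "internet", "allow", {443}),
    rule(ANY, ANY, "deny"),                    # explicit default deny
]

# Same policy with the RDP rule limited to the employee VLAN.
FIXED_RULES = [
    rule("guest", "cui", "deny"),
    rule("employee", "cui", "allow", {445}),
    rule("employee", "cui", "allow", {3389}),
    rule("cui", "internet", "allow", {443}),
    rule(ANY, ANY, "deny"),
]

PROBE_PORTS = (22, 80, 443, 445, 3389)  # assumption: the ports worth asking about


def _matches(r, src, dst, port):
    return (r["src"] in (ANY, src) and r["dst"] in (ANY, dst)
            and (r["ports"] == ANY or port in r["ports"]))


def first_match(rules, src, dst, port):
    """Index of the first rule matching the flow, or None if nothing matches."""
    for i, r in enumerate(rules):
        if _matches(r, src, dst, port):
            return i
    return None


def check_segmentation(rules, cui_zone="cui", untrusted=("guest", "internet")):
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    for zone in untrusted:
        for port in PROBE_PORTS:
            idx = first_match(rules, zone, cui_zone, port)
            if idx is None:
                findings.append(f"{zone} -> {cui_zone}:{port} has no matching rule")
            elif rules[idx]["action"] == "allow":
                findings.append(f"{zone} -> {cui_zone}:{port} allowed by rule {idx}")
    for i, r in enumerate(rules):
        if r["src"] == ANY and r["dst"] == cui_zone and r["action"] == "allow":
            findings.append(f"rule {i} allows any source into {cui_zone}")
    last = rules[-1]
    if not (last["src"] == ANY and last["dst"] == ANY and last["action"] == "deny"):
        findings.append("no explicit default-deny rule at the end of the policy")
    return findings


if __name__ == "__main__":
    print("weak policy:", check_segmentation(WEAK_RULES))
    print("fixed policy:", check_segmentation(FIXED_RULES))
```

Export your firewall's rule table into this form and re-run the check whenever a rule changes (that fits naturally into the CM.3.070 change log). On the sample, the weak policy is caught twice for the same rule; the fixed policy comes back clean.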

15. SIEM & Continuous Monitoring (AU.3.046, SI.3.215)

AU.3.046: Alert on security events

SI.3.215: Monitor communications at external boundaries

Translation: Real-time security monitoring.

How to do it:

  • Deploy SIEM (SolarWinds, Splunk, AlienVault)
  • Configure alerts for: failed logins, privilege escalation, data exfiltration
  • Monitor network traffic at firewall/IDS

Why it's hard:

  • SIEM tuning takes expertise
  • High false positive rate initially
  • Requires someone to watch alerts 24/7 (or managed SOC service)

Cost: $1K-3K/month (SIEM + SOC)

Time: 4-8 weeks (setup), ongoing monitoring

16. Advanced Threat Protection (SI.3.216)

SI.3.216: Monitor for unauthorized connections

Translation: Detect command-and-control traffic, data exfiltration.

How to do it:

  • Deploy IDS/IPS (Snort, Suricata, or appliance-based)
  • Monitor for: unusual outbound connections, DNS tunneling, large data uploads

Why it's hard:

  • Requires deep packet inspection
  • High skill level to configure and interpret
  • Can impact network performance if not sized correctly

Cost: $5K-15K (appliance) + $1K/month (monitoring)

Time: 2-4 weeks

17. Wireless Security (AC.3.019)

AC.3.019: Protect wireless access

Translation: Secure your Wi-Fi properly.

How to do it:

  • WPA3 encryption (or WPA2 Enterprise if WPA3 not available)
  • Separate guest network (no CUI access)
  • Hidden SSID (defense in depth, not required)
  • Regular password rotation or 802.1X authentication

Why it's hard:

  • WPA2 Enterprise requires RADIUS server
  • 802.1X requires certificates
  • May need to upgrade older access points

Cost: $2K-10K (new APs + RADIUS setup)

Time: 1-2 weeks

DIY vs Hire Help

You Can DIY If:

  • You have an IT person with time and willingness to learn
  • Your environment is simple (single site, fewer than 20 users)
  • You're okay with 6-12 month timeline
  • Budget is tight

Hire Help If:

  • No internal IT expertise
  • Multiple sites or complex infrastructure
  • Need to accelerate timeline (consultants work faster)
  • Budget allows ($30K-$100K for full implementation)

Hybrid Approach (Recommended for Most Shops):

  • Hire consultant for gap analysis and roadmap (1-2 weeks, $5K-$15K)
  • Implement quick wins yourself (saves money)
  • Hire consultant for hard stuff (SIEM, network segmentation)
  • Use consultant for documentation (SSP, POA&M) if you hate paperwork

Realistic Implementation Timeline

Month 1: Quick Wins

  • User accounts, MFA, password policy
  • Antivirus/EDR
  • Full-disk encryption
  • Media sanitization process

Month 2-3: Medium Difficulty (Part 1)

  • Audit logging
  • SIEM deployment
  • Vulnerability scanning
  • Incident response plan

Month 4-5: Medium Difficulty (Part 2)

  • Network segmentation planning
  • Configuration baselines
  • SSP documentation
  • POA&M creation

Month 6-8: Hard Mode

  • Network segmentation implementation
  • Advanced monitoring
  • Wireless security upgrades
  • Final testing

Month 9: Assessment Prep

  • Internal self-assessment
  • Gap remediation
  • Documentation finalization

Month 10-12: C3PAO Assessment

  • Schedule and complete assessment
  • Remediate any findings
  • Achieve certification

The Prioritization Shortcut

If you only have time to read one section, here's your priority list:

Do first (this week):

  1. MFA on email and VPN
  2. Endpoint protection (antivirus/EDR)
  3. Full-disk encryption
  4. Unique user accounts (no sharing passwords)

Do next (this month):

  5. Audit logging + SIEM
  6. Vulnerability scanning
  7. Incident response plan
  8. Patch management process

Do soon (next 3 months):

  9. Network segmentation
  10. SSP and POA&M documentation

Do eventually (before C3PAO):

  11. All 110 controls fully implemented and documented

Start at the top. Work down. Don't skip steps.

The Bottom Line

110 controls is a lot. But it's not impossible.

Focus on quick wins first. They're easy, cheap, and get you 40% of the way there.

Then tackle the medium difficulty controls. This is where you'll spend most of your time and budget.

Save the hard stuff for last. By then you'll have momentum and most of your environment will already be secure.

And if you get stuck, hire help. It's cheaper than failing a C3PAO assessment or losing a contract.


Next Steps:

Ready to get started? Download our free CMMC checklist to track your progress.

Need to know your current compliance level? Take our 2-minute quiz.

Not sure if you should DIY or hire help? Read our CMMC tools guide.