The 20 NIST 800-171 Controls That Fail Most Often
Most CMMC assessment failures cluster around the same 20 controls. Knowing which ones trip up small manufacturers gives you a prioritized remediation path.
CMMC Level 2 requires implementing all 110 controls from NIST SP 800-171. But failures are not evenly distributed. Analysis of C3PAO assessment data shows that roughly 20 controls account for over 60% of all findings. If you are a small manufacturer starting your compliance journey, these are the controls to fix first.
Access Control: The Largest Failure Family
AC.L2-3.1.1 (Authorized Access Control): Limit system access to authorized users, processes, and devices. Most manufacturers fail this because they lack a formal access control policy or have shared accounts across production floor systems. The fix: deploy an identity provider (even basic Active Directory), eliminate shared accounts, and document who has access to what.
AC.L2-3.1.5 (Least Privilege): Employ the principle of least privilege. Engineers and floor supervisors often have admin access to systems they only need read access to. Review every account, reduce privileges to the minimum required for each role.
AC.L2-3.1.7 (Privileged Functions): Prevent non-privileged users from executing privileged functions. Closely related to 3.1.5 but specifically about administrative actions. Separate your admin accounts from daily-use accounts.
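The three access control checks above (shared accounts, privilege beyond what a role needs, admin rights on a daily-use account) can be run mechanically against an account export. The script below is an added example, not from the article or any assessment tool; the CSV layout, the role names, the `account_type` column and the role-to-privilege table are constructed assumptions standing in for what you would pull from your own identity provider.

```python
"""Review an account inventory for shared accounts, excess privilege and
admin rights on daily-use accounts (AC.L2-3.1.1, 3.1.5, 3.1.7).

Added example, not from the article. The CSV layout, role names and the
role-to-privilege table are constructed for illustration; a real review
would export the same fields from the identity provider.
"""
import csv
import io

# Constructed inventory. `owners` lists every person who knows the
# credential (semicolon separated); `account_type` is daily, admin or service.
INVENTORY_CSV = """account,owners,account_type,role,privilege
jsmith,Jane Smith,daily,engineer,admin
adm-jsmith,Jane Smith,admin,engineer,admin
rlee,Ron Lee,daily,floor_supervisor,write
mtran,Mia Tran,daily,engineer,admin
shopfloor,Ann Wu;Bob Ortiz;Cy Dean,daily,operator,write
svc-backup,,service,backup,admin
"""

# Constructed: the most privilege each role needs on its daily account.
ROLE_MAX_PRIVILEGE = {
    "engineer": "write",
    "floor_supervisor": "read",
    "operator": "write",
    "backup": "admin",
}

PRIVILEGE_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


def load_inventory(text):
    """Parse the CSV export into a list of dicts with `owners` as a list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["owners"] = [o.strip() for o in row["owners"].split(";") if o.strip()]
        rows.append(row)
    return rows


def find_shared_accounts(rows):
    """3.1.1: human accounts known to more than one person."""
    return sorted(r["account"] for r in rows if len(r["owners"]) > 1)


def find_excess_privilege(rows):
    """3.1.5: daily-use accounts holding more than their role requires."""
    findings = []
    for r in rows:
        if r["account_type"] != "daily":
            continue
        allowed = ROLE_MAX_PRIVILEGE.get(r["role"], "none")
        if PRIVILEGE_RANK[r["privilege"]] > PRIVILEGE_RANK[allowed]:
            findings.append((r["account"], r["privilege"], allowed))
    return findings


def find_admin_on_daily_accounts(rows):
    """3.1.7: admin rights belong on a separate admin account, never on the
    account used for email and everyday work."""
    return sorted(r["account"] for r in rows
                  if r["account_type"] == "daily" and r["privilege"] == "admin")


def people_without_separate_admin_account(rows):
    """People who still need an admin account created before the admin
    rights on their daily account can be removed."""
    have_admin = {o for r in rows if r["account_type"] == "admin" for o in r["owners"]}
    need_admin = {o for r in rows
                  if r["account_type"] == "daily" and r["privilege"] == "admin"
                  for o in r["owners"]}
    return sorted(need_admin - have_admin)


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    print("shared accounts:", find_shared_accounts(inventory))
    print("excess privilege:", find_excess_privilege(inventory))
    print("admin on daily accounts:", find_admin_on_daily_accounts(inventory))
    print("need an admin account first:", people_without_separate_admin_account(inventory))
```

The last function matters for sequencing the fix: you cannot strip admin rights from an engineer's daily account until a separate admin account exists for that person, so it tells you which accounts to create before which privileges to remove.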
Audit and Accountability: The Visibility Gap
AU.L2-3.3.1 (System Auditing): Create and retain system audit logs. The most common finding here is simply that logging is not turned on. Windows event logs exist but are not collected. Linux syslog rotates and is never reviewed. Deploy centralized log collection; even a basic syslog server counts.
AU.L2-3.3.2 (Audit Correlation): Ensure actions can be traced to individual users. If five people share a "shopfloor" login, you cannot trace who did what. Eliminate shared accounts first, then logging becomes meaningful.
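Once logs land on a central collector, two checks follow directly from the two controls above: is every in-scope host actually sending anything, and can each event be pinned to one person? The script below is an added example, not from the article; the host list, the account-to-person mapping and the sample log lines (one RFC 3164 syslog shape and one flattened Windows Security event) are all constructed for illustration.

```python
"""Normalize collected logs, report in-scope hosts that have gone silent
(AU.L2-3.3.1) and flag events that cannot be traced to one person
(AU.L2-3.3.2).

Added example, not from the article. Hosts, accounts and log lines are
constructed; the regexes cover only the two sample formats shown.
"""
import re
from datetime import datetime, timedelta

# Constructed: hosts that must forward logs to the central collector.
IN_SCOPE_HOSTS = ["cnc-01", "cnc-02", "fileserver", "eng-ws-07"]

# Constructed: who knows each credential. More than one name means a shared
# account, so its events cannot be attributed to an individual.
ACCOUNT_OWNERS = {
    "jsmith": ["Jane Smith"],
    "rlee": ["Ron Lee"],
    "shopfloor": ["Ann Wu", "Bob Ortiz", "Cy Dean"],
}

# Constructed sample lines: RFC 3164 syslog and a flattened Windows Security
# event as a forwarder might emit it. cnc-02 sends nothing at all.
SAMPLE_LOGS = """\
Mar 12 08:02:11 cnc-01 sshd[412]: Accepted password for shopfloor from 10.0.5.21 port 51022 ssh2
Mar 12 08:05:43 cnc-01 sudo: shopfloor : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart motion
Mar 12 08:10:09 fileserver smbd[2211]: jsmith opened file /cui/drawings/part-4471.pdf
2024-03-12T08:12:30 eng-ws-07 Security EventID=4624 TargetUserName=rlee LogonType=2
2024-03-12T08:40:02 eng-ws-07 Security EventID=4672 TargetUserName=rlee
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
WINEVT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) Security "
    r"EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+)"
)
# Where the acting user sits inside the syslog message body, per daemon.
SYSLOG_USER_RES = [
    re.compile(r"Accepted \w+ for (?P<user>\S+) from"),  # sshd
    re.compile(r"^(?P<user>\S+) : TTY="),                # sudo
    re.compile(r"^(?P<user>\S+) opened file"),           # smbd (constructed)
]


def parse_line(line, year=2024):
    """Return {ts, host, user, msg} for a known format, else None."""
    m = WINEVT_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "user": m["user"], "msg": f"EventID {m['eid']}"}
    m = SYSLOG_RE.match(line)
    if m:
        # RFC 3164 timestamps carry no year; the collector must supply it.
        ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        user = None
        for pat in SYSLOG_USER_RES:
            um = pat.search(m["msg"])
            if um:
                user = um["user"]
                break
        return {"ts": ts, "host": m["host"], "user": user, "msg": m["msg"]}
    return None


def parse_logs(text, year=2024):
    events = (parse_line(l, year) for l in text.splitlines() if l.strip())
    return [e for e in events if e is not None]


def silent_hosts(events, in_scope, now, window=timedelta(hours=24)):
    """3.3.1: in-scope hosts with no event inside the window, meaning
    logging is off or not being forwarded."""
    seen = {e["host"] for e in events if now - e["ts"] <= window}
    return sorted(h for h in in_scope if h not in seen)


def unattributable_events(events, owners):
    """3.3.2: events under an account known to several people, or to nobody
    in the inventory, cannot be traced to an individual."""
    return [(e["host"], e["user"], e["msg"]) for e in events
            if len(owners.get(e["user"], [])) != 1]


if __name__ == "__main__":
    evts = parse_logs(SAMPLE_LOGS)
    print("silent hosts:", silent_hosts(evts, IN_SCOPE_HOSTS, datetime(2024, 3, 12, 9)))
    for host, user, msg in unattributable_events(evts, ACCOUNT_OWNERS):
        print(f"cannot attribute: {host} {user!r} {msg}")
```

The second check is where the two controls meet: both `shopfloor` events are perfectly well logged, yet an assessor still cannot say which of three people restarted the motion controller, which is why the article says to eliminate shared accounts before expecting the logs to be meaningful.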
Configuration Management: The Baseline Problem
CM.L2-3.4.1 (System Baselines): Establish and maintain baseline configurations. Most shops have no documented baseline for their IT systems. What software should be installed? What services should be running? Without a baseline, you cannot detect unauthorized changes.
CM.L2-3.4.2 (Security Configuration Enforcement): Enforce security configuration settings. Even when baselines exist, they drift. Systems get patched, software gets installed, configurations change. Automated compliance scanning tools can detect drift.
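A baseline only detects drift if something compares the live system against it. The script below is an added example, not from the article or any scanning product; both snapshots are constructed dicts standing in for what an inventory agent would report (installed packages, enabled services, configuration file contents), and the package, service and path names are illustrative.

```python
"""Compare a host's current state to its documented baseline and report
drift (CM.L2-3.4.1 / 3.4.2).

Added example, not from the article. Both snapshots are constructed; a
real baseline would store the SHA-256 of each config file rather than its
text, which is what normalize() reduces them to.
"""
import hashlib

# Constructed baseline for a CNC controller host.
BASELINE = {
    "packages": {"openssh-server": "9.2p1", "rsyslog": "8.2302", "motion-ctl": "4.1.0"},
    "services": {"sshd", "rsyslog", "motion-ctl"},
    "files": {
        "/etc/ssh/sshd_config": "PasswordAuthentication no\nPermitRootLogin no\n",
        "/etc/rsyslog.d/forward.conf": "*.* @@logcollector:6514\n",
    },
}

# Constructed current state: one package upgraded, one installed outside the
# baseline with its service enabled, and sshd_config weakened.
CURRENT = {
    "packages": {"openssh-server": "9.6p1", "rsyslog": "8.2302",
                 "motion-ctl": "4.1.0", "remote-support-agent": "15.49"},
    "services": {"sshd", "rsyslog", "motion-ctl", "remote-support-agent"},
    "files": {
        "/etc/ssh/sshd_config": "PasswordAuthentication yes\nPermitRootLogin no\n",
        "/etc/rsyslog.d/forward.conf": "*.* @@logcollector:6514\n",
    },
}


def fingerprint(contents):
    return hashlib.sha256(contents.encode()).hexdigest()


def normalize(snapshot):
    """Reduce a snapshot to comparable form: versions, a service set and
    file hashes."""
    return {
        "packages": dict(snapshot["packages"]),
        "services": set(snapshot["services"]),
        "files": {p: fingerprint(c) for p, c in snapshot["files"].items()},
    }


def diff_baseline(baseline, current):
    """Return (kind, item, detail) tuples for every deviation from baseline."""
    b, c = normalize(baseline), normalize(current)
    findings = []
    for name in sorted(set(b["packages"]) | set(c["packages"])):
        bv, cv = b["packages"].get(name), c["packages"].get(name)
        if bv is None:
            findings.append(("package_added", name, cv))
        elif cv is None:
            findings.append(("package_removed", name, bv))
        elif bv != cv:
            findings.append(("package_changed", name, f"{bv} -> {cv}"))
    for svc in sorted(c["services"] - b["services"]):
        findings.append(("service_enabled", svc, None))
    for svc in sorted(b["services"] - c["services"]):
        findings.append(("service_disabled", svc, None))
    for path in sorted(set(b["files"]) | set(c["files"])):
        if b["files"].get(path) != c["files"].get(path):
            findings.append(("file_changed", path, c["files"].get(path)))
    return findings


if __name__ == "__main__":
    for kind, item, detail in diff_baseline(BASELINE, CURRENT):
        print(f"{kind:17} {item} {detail or ''}")
```

Each finding is either an approved change that should be folded into the baseline (the `openssh-server` upgrade, if patching is part of your process) or an unauthorized one to be reverted and investigated (the remote support agent and the weakened `sshd_config`). The point of 3.4.1 is that without the baseline on the left side of this comparison, none of the four deviations would be visible at all.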
Identification and Authentication
IA.L2-3.5.3 (Multi-Factor Authentication): Use MFA for local and network access to privileged accounts and for network access to non-privileged accounts. This is one of the most impactful controls and one of the easiest to implement. Deploy MFA on VPN, email, remote desktop, and any web application that handles CUI.
Start Here
These 8 controls represent the highest-failure-rate items. Fix these first, and you have addressed the majority of common assessment findings. The remaining 12 high-failure controls span incident response documentation, media protection, system integrity monitoring, and personnel screening. A structured gap assessment will identify exactly which of the 110 controls apply to your environment and which are already met.
Run a free gap assessment against all 110 controls at compliance.aegisos.ai.