The domains.
Fourteen families, one page each — once you know which one you need.
Level 2’s 110 security requirements sort into 14 families, defined by NIST SP 800-171 Revision 2. Each family gets its own page: what it protects, what the rule actually says, and where it tends to fail in an ordinary shop. This index is a way to find the family you need — it is not itself a framework, checklist, or crosswalk.
01About this grouping
The 14 rows below mirror NIST SP 800-171 Revision 2’s own structure — the same families the rule itself uses, in the same numbering. Grouping them here is a navigation aid, nothing more: it helps a reader with one specific question (“what does the access-control family actually require?”) find the right page without reading the whole desk in order. It is not a Cyber Labs framework, not a maturity model, and not a crosswalk to any other standard. Every family page traces back to the same primary source: the requirement text and assessment objectives, cited inline.
For what a specific level requires overall, see The Levels. For which assets are actually in scope before any of this applies, see Scope & Boundary.
02The fourteen families
Ordered by family code. All fourteen are published. Counts are Level 2 (NIST SP 800-171 Rev. 2) requirement totals and sum to 110. Each family page opens with an at-a-glance box — count, POA&M sensitivity, what evidence tends to look like — for fast comparison.
| Family | Code | 800-171 R2 § | Count | What it covers |
|---|---|---|---|---|
| Access Control | AC | 3.1 | 22 | Who can touch CUI and how that’s enforced, including remote access. The largest family. |
| Awareness & Training | AT | 3.2 | 3 | Security and insider-threat awareness. Small lift, often skipped. |
| Audit & Accountability | AU | 3.3 | 9 | Logs that can answer questions later — retention and review, not collection for its own sake. |
| Security Assessment | CA | 3.12 | 4 | The SSP lives here (3.12.4) — the document the rest of the program hangs on. |
| Configuration Management | CM | 3.4 | 9 | Baselines, change control, and least functionality. |
| Identification & Authentication | IA | 3.5 | 11 | Multifactor authentication (3.5.3) and replay resistance — the desk’s cross-link into Privacy & Identity. |
| Incident Response | IR | 3.6 | 3 | Capability, reporting, and testing — adjacent to, but distinct from, DFARS 7012’s 72-hour reporting clock. |
| Maintenance | MA | 3.7 | 6 | Maintenance tools, sanitization before off-site work, and nonlocal maintenance MFA. |
| Media Protection | MP | 3.8 | 9 | Marking, sanitizing, and transporting media that carries CUI. |
| Physical Protection | PE | 3.10 | 6 | Physical access, visitor logs, and alternate work sites. |
| Personnel Security | PS | 3.9 | 2 | Screening, and revoking access at termination or transfer. |
| Risk Assessment | RA | 3.11 | 3 | Risk assessment, vulnerability scanning, and remediation cadence. |
| System & Communications Protection | SC | 3.13 | 16 | Boundary protection and FIPS-validated cryptography for CUI (3.13.11), with its own POA&M exception. |
| System & Information Integrity | SI | 3.14 | 7 | Flaw remediation, malicious-code protection, and monitoring. |
Family codes, section numbers, and counts: NIST SP 800-171 Rev. 2. 32 CFR 170.4 (“CMMC Level 2 security requirement”) ties these requirements to CMMC Level 2.