Every CMMC Level 2 contractor has 110 controls to implement and limited time to do it. The DoD's scoring methodology gives you a built-in priority list: a small subset of controls are worth 5 points each, while the rest are worth 1 or 3. If you're behind on the Nov 10, 2026 deadline, the 5-point controls are where every hour of remediation pays back the most. This guide walks through which controls those are, why they're weighted so heavily, and how to close them.
Why some controls are worth 5 points
The DoD Assessment Methodology assigns one of three weights to every NIST 800-171 control: 1, 3, or 5 points. Heavier weights are reserved for controls where a failure would create the most realistic risk to Controlled Unclassified Information (CUI). The 5-point controls tend to share a few characteristics:
- They prevent unauthorized access outright (authentication, encryption, boundary protection).
- They detect bad behavior early enough to do something about it (logging, monitoring, malware protection).
- They limit blast radius when something goes wrong (least functionality, segmentation, FIPS cryptography).
In practice this means roughly one quarter of the 110 controls account for more than half of all the possible point deductions. Closing them moves your SPRS score the fastest.
The math behind the priority
Consider a simple comparison. Suppose you've assessed yourself and have 30 open gaps. If they're all 1-point controls, closing all 30 adds +30 to your score. If those 30 are split evenly across 1-, 3-, and 5-point controls (10 each), closing them adds +90. If they're all 5-point controls, closing them adds +150 (the score is capped at 110, but the point holds: you'd move from a score of -40 to 110).
That's a 5x difference in score gained for roughly comparable amounts of work. The contractor who attacks 5-point gaps first reaches the conditional-eligibility threshold (a score of 88) weeks earlier than the contractor who works through the list from top to bottom.
The 5-point controls, by family
Here are the NIST 800-171 controls weighted at 5 points each in the DoD Assessment Methodology, organized by family. Each is followed by what the control requires and the practical first step to closing it.
3.1 — Access Control
- 3.1.1 Limit system access to authorized users. The starting point. Disable shared accounts, document who has access, remove dormant accounts. First step: pull a list of every account in every system handling CUI and audit it.
- 3.1.2 Limit access to authorized transactions and functions. Least-privilege role design. Most small shops over-permission by default. First step: review every admin/privileged account and demote where possible.
- 3.1.12 Monitor and control remote access sessions. Remote access has to go through a managed channel (VPN, ZTNA, RDP gateway). First step: inventory every remote-access path and consolidate.
- 3.1.13 Cryptographic mechanisms to protect remote access. The VPN or remote tool must use strong encryption. First step: confirm your VPN uses TLS 1.2+ and modern ciphers.
- 3.1.16 Authorize wireless access prior to connection. No open Wi-Fi. First step: require WPA3 (or WPA2-Enterprise at minimum) and an explicit approval process for new devices.
- 3.1.17 Protect wireless access using authentication and encryption. Companion to 3.1.16. First step: WPA2-Enterprise or WPA3 with certificate-based or MFA-backed auth.
- 3.1.18 Control connection of mobile devices. If phones or tablets connect to CUI systems, they need to be managed. First step: deploy MDM (Intune, Jamf, Kandji) on any device touching CUI.
- 3.1.20 Verify and control connections to external systems. Cloud services, vendor systems, partner systems — all need approval. First step: list every external system that touches CUI and verify each has a signed agreement.
3.2 — Awareness & Training
- 3.2.1 Ensure managers and users are aware of security risks. Annual security awareness training. First step: pick a platform (KnowBe4, Hoxhunt, free DoD training) and assign it to every employee.
- 3.2.2 Ensure personnel are trained on their security responsibilities. Role-based training for anyone with elevated responsibilities. First step: define the roles, define the training, log completion.
3.3 — Audit & Accountability
- 3.3.1 Create and retain system audit logs. Logs must exist and be retained. First step: enable logging on every CUI system and set retention to at least 12 months.
- 3.3.5 Correlate audit record review, analysis, and reporting. Logs without review are worthless. First step: pick a small SIEM or log aggregator (Microsoft Sentinel, Wazuh, Huntress) and define what triggers a review.
3.4 — Configuration Management
- 3.4.1 Establish and maintain baseline configurations. Standard images for endpoints and servers. First step: document the standard build for laptops, workstations, and servers.
- 3.4.2 Enforce security configuration settings. Hardening baselines (CIS, DISA STIG-lite). First step: apply a hardening baseline via group policy or MDM.
- 3.4.6 Employ the principle of least functionality. Disable unused services, ports, software. First step: audit running services on a sample endpoint and disable what doesn't belong.
- 3.4.7 Restrict or disable nonessential programs, ports, services. Companion to 3.4.6. First step: block consumer file-sharing, gaming, and unsanctioned remote-access tools.
- 3.4.8 Apply deny-by-exception software policy. Application allowlisting where possible. First step: turn on Windows AppLocker or Microsoft Defender Application Control for high-risk systems.
3.5 — Identification & Authentication
- 3.5.1 Identify system users, processes, and devices. Unique user IDs. First step: eliminate shared accounts (the “office@” or “shop@” logins).
- 3.5.2 Authenticate identities. Passwords must meet a minimum bar. First step: enforce minimum length and complexity via group policy or your IdP.
- 3.5.3 Use multifactor authentication for privileged and network access. The single most important 5-point control. First step: deploy MFA (Duo, Microsoft Authenticator, YubiKey) for all admin accounts and all remote access.
- 3.5.10 Store and transmit only cryptographically-protected passwords. No plaintext passwords anywhere. First step: audit any place credentials might be stored or transmitted (config files, scripts, password managers).
3.6 — Incident Response
- 3.6.1 Establish an operational incident-handling capability. A documented incident response plan and a designated owner. First step: write a one-page incident response procedure (detection, containment, eradication, recovery, lessons learned) and name the responsible person.
- 3.6.2 Track, document, and report incidents to designated officials. Reportable incidents (especially those involving CUI) go to the DoD Cyber Crime Center (DC3) within 72 hours. First step: bookmark the DC3 reporting portal and write the procedure.
3.7 — Maintenance
- 3.7.2 Provide controls on maintenance tools and personnel. Maintenance access is privileged access. First step: log every remote maintenance session by a vendor.
- 3.7.5 Require MFA for nonlocal maintenance sessions. Any remote troubleshooting tool must require MFA. First step: review vendor remote-access procedures and require MFA.
3.8 — Media Protection
- 3.8.3 Sanitize or destroy media before disposal or reuse. Disk wipes or physical destruction. First step: document a media disposal procedure and either implement it in-house or contract a vendor (any IT asset disposal vendor will provide certificates).
- 3.8.7 Control the use of removable media. USB drives are a common CUI loss vector. First step: disable USB mass-storage by default, allow by exception.
3.10 — Physical Protection
- 3.10.1 Limit physical access to systems and environments. Doors, locks, badge access. First step: identify which rooms host CUI systems and ensure access is controlled and logged.
3.11 — Risk Assessment
- 3.11.2 Scan for vulnerabilities periodically. Vulnerability scanning of CUI systems on a regular cadence. First step: pick a scanner (Nessus, Qualys, Tenable, Rapid7) and schedule monthly scans.
3.12 — Security Assessment
- 3.12.1 Periodically assess security controls. Self-assessment must happen on a regular cadence. First step: schedule a quarterly review (or use the 144 app to maintain a live one).
- 3.12.3 Monitor security controls on an ongoing basis. Continuous monitoring of high-impact controls. First step: build a small dashboard (or use a SIEM) showing the health of MFA, logging, EDR.
3.13 — System & Communications Protection
- 3.13.1 Monitor and protect communications at system boundaries. Firewalls, IDS/IPS at the network edge. First step: review your firewall ruleset and confirm CUI flows are documented.
- 3.13.2 Employ secure architectural and engineering principles. CUI systems segregated where possible. First step: document the network architecture and identify the CUI segment.
- 3.13.5 Implement subnetworks for publicly accessible components. Public-facing systems in a DMZ, not on the same VLAN as CUI. First step: review where any public-facing service sits in your network.
- 3.13.6 Deny network traffic by default, allow by exception. Firewall posture is deny-all, then allow specific traffic. First step: audit firewall rules and remove any catch-all allows.
- 3.13.8 Use cryptography to protect CUI in transmission. TLS or equivalent on every channel carrying CUI. First step: enable HTTPS everywhere and disable SMB1/legacy protocols.
- 3.13.11 Employ FIPS-validated cryptography to protect CUI. The crypto must be FIPS-140-validated, not just “strong.” First step: verify your VPN, file encryption, and email encryption use FIPS-validated modules.
- 3.13.15 Protect the authenticity of communications sessions. Anti-replay, session integrity. First step: ensure TLS is properly configured and certificate validation isn't disabled anywhere.
- 3.13.16 Protect the confidentiality of CUI at rest. Disk encryption everywhere CUI lives. First step: turn on BitLocker / FileVault on every laptop and server holding CUI.
3.14 — System & Information Integrity
- 3.14.1 Identify, report, and correct system flaws. Patch management on a defined schedule. First step: define a patching SLA (e.g., critical within 14 days) and pick a patching tool.
- 3.14.2 Provide protection from malicious code. EDR/AV on every endpoint. First step: deploy a real EDR (CrowdStrike, SentinelOne, Defender for Endpoint, Huntress) on every device.
- 3.14.3 Monitor security alerts and advisories. Subscribe and act on vulnerability advisories. First step: subscribe to CISA alerts and assign someone to triage them weekly.
- 3.14.4 Update malicious code protection mechanisms. EDR signatures must stay current. First step: confirm automatic updates are enabled on your EDR.
- 3.14.6 Monitor the system to detect attacks. Network and host-level monitoring. First step: enable Windows Event Forwarding to a central log (your SIEM or aggregator from 3.3.5).
How to use this list
Pull your current SPRS score. Identify which of these 5-point controls you have marked Not Met or Partial. Sort by “easiest to close given my environment” first — for most small shops that means MFA (3.5.3), at-rest encryption (3.13.16), and EDR (3.14.2), which can usually be implemented in days, not months. Each of those is +5 to your score.
The 144 Roadmap view sorts your open gaps automatically by gain-per-day of effort, which lands on roughly this same priority order. If you'd rather not maintain a spreadsheet of your own, the app does it.
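As an added example (not the article's or the 144 app's code), here is the scoring arithmetic from the comparison above and the gain-per-day ordering described for the Roadmap view, worked in Python over a constructed self-assessment. The placeholder lower-weight control names, the effort-day estimates and the tie-break rule are my assumptions, not DoD or article data.

```python
"""Added example (not the article's code): score open NIST SP 800-171 gaps as
the article describes and order remediation by points gained per day of effort.
Assumptions (mine): an open gap deducts its full DoD weight; the effort-day
figures and the placeholder 1- and 3-point control names are constructed."""
from dataclasses import dataclass
MAX_SCORE = 110             # every one of the 110 controls met
CONDITIONAL_THRESHOLD = 88  # conditional-eligibility score cited in the article

@dataclass(frozen=True)
class Gap:
    control: str      # NIST SP 800-171 identifier, e.g. "3.5.3"
    weight: int       # DoD Assessment Methodology weight: 1, 3 or 5
    effort_days: int  # constructed estimate of days needed to close it

def sprs_score(open_gaps):
    """110 minus the weight of every open gap; the result can go negative."""
    return MAX_SCORE - sum(g.weight for g in open_gaps)

def score_after_closing(open_gaps, closed_controls):
    """Score once the named controls are remediated (never above 110)."""
    remaining = [g for g in open_gaps if g.control not in closed_controls]
    return min(MAX_SCORE, sprs_score(remaining))

def prioritize(open_gaps):
    """Order gaps by points gained per day of effort; heavier weight wins ties."""
    return sorted(open_gaps,
                  key=lambda g: (-g.weight / g.effort_days, -g.weight, g.control))

def days_to_threshold(open_gaps, threshold=CONDITIONAL_THRESHOLD):
    """Days of work, in priority order, until the score reaches `threshold`."""
    score, days = sprs_score(open_gaps), 0
    for g in prioritize(open_gaps):
        if score >= threshold:
            break
        days += g.effort_days
        score += g.weight
    return days if score >= threshold else None
# Constructed self-assessment: five 5-point gaps from the article's list plus
# three placeholder lower-weight gaps (names, weights and days are illustrative).
SAMPLE_GAPS = [
    Gap("3.5.3", 5, 2), Gap("3.13.16", 5, 3), Gap("3.14.2", 5, 4),
    Gap("3.1.1", 5, 10), Gap("3.3.5", 5, 15), Gap("placeholder-3pt", 3, 2),
    Gap("placeholder-1pt-a", 1, 1), Gap("placeholder-1pt-b", 1, 4),
]

if __name__ == "__main__":
    print("current score:", sprs_score(SAMPLE_GAPS))            # 80
    for g in prioritize(SAMPLE_GAPS):
        print(f"{g.control:18} +{g.weight} pts, {g.effort_days} days")
    print("days to reach 88:", days_to_threshold(SAMPLE_GAPS))  # 5
```

With the constructed figures, MFA and at-rest encryption alone lift the sample from 80 to 90 in five working days, which is the ordering the article recommends for most small shops.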
See which 5-point gaps you have right now
Run the free SPRS calculator, mark your controls, and the 5-point gaps will be highlighted automatically.
Point weights follow the published DoD Assessment Methodology for NIST SP 800-171. Always validate against the current official methodology before submission — the DoD has revised weighting in past updates. 144 is a readiness tool and not a substitute for official CMMC certification.