A practitioner-built playbook that translates 110 technical controls into actionable steps — focused on audit-readiness, organized around our IT Resilience Framework™.
The Operating Model
We sequence NIST 800-171 work across three phases. Each phase produces tangible artifacts an assessor (or your prime contractor) can verify.
Scope CUI, inventory assets, score every control, baseline your SPRS number, and produce the first SSP draft.
Remediate technical gaps with enclave architecture, identity hardening, encryption, logging, and incident-response plumbing — then document everything.
Move from project to program: continuous monitoring, annual control testing, vendor oversight, and an executive cadence that keeps you audit-ready year-round.
The 14 Families, Simplified
Every NIST 800-171 control rolls up to one of 14 families. Below: each family in plain English, the operational owner most manufacturers assign, and the highest-leverage moves.
| Family | In plain English | Owner | Highest-leverage moves |
|---|---|---|---|
| 3.1 Access Control | Who can touch what. | IT + HR | Role-based access · MFA · privileged account vault |
| 3.2 Awareness & Training | Train the humans. | HR + IT | Annual CUI training · phishing drills · role modules |
| 3.3 Audit & Accountability | Log it. Review it. | IT / SOC | Centralized logging · 90-day retention · weekly review |
| 3.4 Configuration Mgmt | Known-good baselines. | IT | Hardened images · change control · allowlisting |
| 3.5 Identification & Auth | Prove who you are. | IT | Unique IDs · FIPS-validated MFA · password policy |
| 3.6 Incident Response | Plan, practice, report. | IT + Ops | IR plan · 72-hr DoD reporting · annual tabletop |
| 3.7 Maintenance | Safe servicing of systems. | IT + Facilities | Sanitize media · escort vendors · log maintenance |
| 3.8 Media Protection | Drives, prints, USBs. | IT + Ops | Encrypt removable media · marking · sanitize at EOL |
| 3.9 Personnel Security | Vet the people. | HR | Background checks · access termination on exit |
| 3.10 Physical Protection | Locks, badges, cameras. | Facilities | Badged entry · visitor logs · alternate work-site rules |
| 3.11 Risk Assessment | Know your exposure. | vCISO / IT | Annual risk assessment · vuln scanning · supplier risk |
| 3.12 Security Assessment | Test the controls. | vCISO / IT | Annual SSP review · POA&M · independent assessment |
| 3.13 System Protection | Encrypt + segment. | IT | TLS 1.2+ · enclave segmentation · DNS filtering |
| 3.14 System Integrity | Patch + monitor. | IT | Patch SLAs · EDR · email filtering · IOC monitoring |
The 90-Day Roadmap
A pragmatic sequence we run with manufacturers entering the DoD supply chain. Adjust durations to your team's bandwidth — but don't skip the order.
Audit-Readiness Checklist
If you can produce these ten artifacts on demand, you're functionally audit-ready. Missing more than three is a near-certain finding.
Any non-federal organization that processes, stores, or transmits Controlled Unclassified Information (CUI) — including manufacturers anywhere in the DoD supply chain — must comply under DFARS 252.204-7012.
CMMC Level 2 maps directly to the 110 NIST 800-171 controls and adds a third-party assessment by a C3PAO. Achieving NIST 800-171 compliance puts you on the runway for CMMC certification.
Your SPRS (Supplier Performance Risk System) score reflects implementation of the 110 controls, ranging from -203 (none) to 110 (all implemented). Primes increasingly require a positive score, and many require 110.
Not always. GCC High is one path, but a properly segmented on-prem enclave or another FedRAMP-aligned environment can also meet the requirements. The right answer depends on your CUI volume, workflows, and budget.
We'll walk through your CUI scope, your current SPRS score, and the three controls most likely to cause a finding in your next assessment. No slides, no pitch — just a working session with a senior engineer.