NIST 800-171 for a 30-Person Contractor: What Actually Matters
If you're a small defense contractor or sub looking at NIST 800-171 and CMMC for the first time, here's the realistic ground-level view.
If you’re a small defense contractor or a sub working in the Robins ecosystem (or anywhere else where the DoD pushes work), you’ve probably been hearing about NIST 800-171 and CMMC 2.0 for a few years. The compliance industry has done a thorough job of making it sound impossibly complicated. It is complicated, but it’s not impossible, and the practical actions a 30-person contractor needs to take aren’t mysterious.
Here’s the realistic ground-level view.
What NIST 800-171 actually is.
NIST Special Publication 800-171 is a federal cybersecurity framework that defines 110 controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. Defense contractors that handle CUI are required to implement these controls under DFARS clause 252.204-7012, which has been in DoD contracts since 2017.
CMMC 2.0 is the DoD’s mechanism for verifying compliance. Level 1 is basic and covers FCI (a less sensitive data category). Level 2 is the one most contractors handling CUI need, and it maps to the 110 NIST 800-171 controls plus a few additional requirements. Level 3 is for the most sensitive contracts and is rare in the small-business space.
The DoD is rolling CMMC 2.0 into contract clauses in phases. Most contractors won’t see the certification requirement land in their contracts until 2026 or 2027, but the underlying NIST 800-171 requirement is already there. The certification is what’s new. The controls aren’t.
What this means for a 30-person shop.
Practically, you need to do four things, in roughly this order.
- Figure out what’s in scope. Specifically, identify which of your systems handle CUI. Most small contractors discover that CUI lives in fewer places than they thought, but in more sensitive places than they expected. CUI scoping is the most important early step. Done right, it limits the surface you have to harden. Done wrong, you end up trying to apply NIST controls to your entire environment, which is unnecessary and expensive.
- Build the System Security Plan (SSP). This is a written document describing your environment and how you implement each of the 110 controls. The SSP is the artifact assessors will look at first. It also forces you to actually think through each control instead of hand-waving.
- Identify the gaps and build a Plan of Action and Milestones (POA&M). For controls you don’t currently meet, the POA&M lists them, the planned remediation, and the target date. Having a credible POA&M with active progress is much better than pretending everything is already in place.
- Calculate and submit your SPRS score. Your SPRS (Supplier Performance Risk System) score is a self-assessment based on the SSP and POA&M. The score ranges from -203 to +110. Most small contractors starting from a typical SMB IT setup land somewhere between -50 and +50 on their first honest pass. The DoD doesn’t require a +110 to win contracts; it requires an honest score that’s getting better.
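As an added worked example (not a tool from this article or its authors), here is the arithmetic behind the SPRS self-assessment described above. It assumes the scoring scheme of the DoD’s NIST SP 800-171 Assessment Methodology: start at 110 and subtract a weight of 5, 3 or 1 for each control that is not fully implemented, with reduced deductions only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) when they are partly in place. The control inventory and statuses below are a constructed subset, and the per-control weights are the example author’s reading of the methodology’s Annex A, to be checked against the published table before you rely on them. A control that sits on the POA&M but is not yet implemented earns no credit, which is why an honest first pass usually lands well below 110.

```python
"""SPRS self-assessment score calculator (added example, not the article's tool).

Assumed scoring rules (DoD NIST SP 800-171 Assessment Methodology):
  score = 110 - sum(weight of each control not fully implemented)
  weights are 5, 3 or 1 per control; the floor is -203 (all 110 unmet, 313 total)
  3.5.3 and 3.13.11 deduct 3 instead of 5 when partially implemented
  a control on the POA&M but not yet in place is scored as not implemented
"""
from dataclasses import dataclass
from enum import Enum

MAX_SCORE = 110
MIN_SCORE = -203  # 110 minus the 313 points available across all 110 controls


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # reduced deduction only for 3.5.3 / 3.13.11
    NOT_IMPLEMENTED = "not_implemented"
    POAM = "poam"                        # planned on the POA&M, not yet in place


# Controls for which the methodology allows a smaller deduction when partly done.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Control:
    ident: str        # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int       # assumed Annex A weight: 5, 3 or 1
    description: str


def deduction(control: Control, status: Status) -> int:
    """Points subtracted for one control given its implementation status."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and control.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[control.ident]
    # NOT_IMPLEMENTED, POAM, or PARTIAL on a control with no partial-credit rule
    return control.weight


def sprs_score(controls, statuses) -> int:
    """110 minus all deductions, clamped to the methodology's floor.

    A control missing from `statuses` is treated as not implemented. For a
    real submission pass all 110 controls; a subset only scores that subset.
    """
    total = sum(deduction(c, statuses.get(c.ident, Status.NOT_IMPLEMENTED))
                for c in controls)
    return max(MIN_SCORE, MAX_SCORE - total)


def gap_report(controls, statuses):
    """POA&M-style list of (ident, points lost, description), worst first."""
    rows = []
    for c in controls:
        lost = deduction(c, statuses.get(c.ident, Status.NOT_IMPLEMENTED))
        if lost:
            rows.append((c.ident, lost, c.description))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed subset of the 110 controls, chosen to mirror the article's list.
# Weights are the example author's reading of Annex A; verify before use.
SAMPLE_CONTROLS = [
    Control("3.5.3", 5, "Multi-factor authentication for local and network access"),
    Control("3.13.11", 5, "FIPS-validated cryptography to protect CUI"),
    Control("3.3.1", 5, "Audit records: who did what, when"),
    Control("3.14.2", 5, "Malicious code protection (EDR)"),
    Control("3.6.1", 5, "Operational incident-handling capability"),
    Control("3.13.16", 1, "Confidentiality of CUI at rest"),
    Control("3.8.9", 1, "Protect confidentiality of backup CUI"),
    Control("3.4.3", 1, "Track, review, approve changes (change control)"),
]

# Constructed status snapshot for a hypothetical 30-person shop mid-remediation.
SAMPLE_STATUS = {
    "3.5.3": Status.PARTIAL,           # MFA on admins and remote access, not all users
    "3.13.11": Status.PARTIAL,         # encrypted, but not with FIPS-validated modules
    "3.3.1": Status.POAM,              # central logging planned, not deployed
    "3.14.2": Status.IMPLEMENTED,
    "3.6.1": Status.IMPLEMENTED,
    "3.13.16": Status.IMPLEMENTED,
    "3.8.9": Status.IMPLEMENTED,
    "3.4.3": Status.NOT_IMPLEMENTED,
}


def main() -> None:
    print("SPRS score (sample subset):", sprs_score(SAMPLE_CONTROLS, SAMPLE_STATUS))
    for ident, lost, desc in gap_report(SAMPLE_CONTROLS, SAMPLE_STATUS):
        print(f"  {ident:<8} -{lost}  {desc}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the sample score and the gap list; to score your own environment, replace the sample inventory with all 110 controls and your real statuses. Notice that the two PARTIAL entries cost 3 points each instead of 5, while the POA&M entry costs the full 5: being on the plan is the right thing to do, but it does not raise the number until the control is actually in place.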
The 110 controls in plain language.
The 110 controls fall into 14 “families,” each covering an area of cybersecurity. Without going family by family, the controls collectively require things like:
- Multi-factor authentication on every system that touches CUI.
- Endpoint detection and response (EDR) on every device that handles CUI.
- Network segmentation between CUI-handling systems and the rest of your environment.
- Audit logging that captures who did what, when, on systems that touch CUI, with the logs retained for a defined period.
- Encryption of CUI at rest and in transit.
- Documented incident response procedures, including reporting requirements to the DoD.
- Background checks and access agreements for staff who handle CUI.
- Documented configuration management, including change control.
- Documented backup and recovery procedures, with verified restore tests.
- Security awareness training for staff who handle CUI, on a defined schedule.
None of this is unreasonable for a business with sensitive contractual obligations. Most of it overlaps with what cyber insurance underwriters now require independently.
Where small contractors actually get stuck.
Three patterns we see.
Trying to apply NIST 800-171 to the whole environment. Without proper scoping, you end up trying to harden every system, which is expensive and slow. Spend the time on scoping first. Most CUI lives in a small set of systems.
Hiring an IT provider that doesn’t understand compliance. General SMB MSPs are great at running standard business IT. Most are not fluent in the NIST 800-171 control families and the documentation those controls require. The result is a competent IT environment that won’t pass an honest assessment because the documentation isn’t there.
Hiring a CMMC consultancy that doesn’t run IT. The other failure mode. The compliance consultancy produces beautiful documentation, but the underlying environment doesn’t actually implement the controls because the IT provider isn’t part of the conversation. The assessment fails because reality doesn’t match the SSP.
The right answer is a CMMC consultancy that handles the certification path and an IT provider that’s compliance-aware and runs the environment. They have to coordinate. If they don’t, the work doesn’t add up.
What a small contractor’s path actually looks like.
For a 30-person contractor with typical SMB IT (M365, a few servers, mixed workstation environment, mostly local file storage), the realistic path is:
Months 1-2: CUI scoping, SSP outline, baseline gap assessment.
Months 3-6: Remediation of the highest-impact gaps. MFA everywhere, EDR everywhere, audit logging deployed, encryption verified, backup testing documented.
Months 6-9: Documentation cleanup. The SSP gets to a real, defensible state, the POA&M gets honest about what’s still in progress, and the SPRS score gets calculated and submitted.
Months 9-12+: Steady state. The environment is operating to NIST 800-171 standards, documentation is current, and POA&M items are getting closed on schedule. CMMC certification (when contracts require it) becomes a structured engagement rather than a panic.
Not fast, not cheap, but achievable.
Ready to talk?
If you’re staring at a federal contract clause you don’t fully understand, or your prime just sent you a cybersecurity questionnaire, the next step is a conversation. We work alongside CMMC consultancies and run the IT side of compliance for small contractors in the Robins ecosystem and across Middle Georgia.