By Payam Pourkhomami, President & CEO of OSIbeyond
As cybersecurity threats continue to evolve and target sensitive government information, the protection of controlled unclassified information, or CUI, has become a top priority for the Department of Defense and its contractors.
NIST Special Publication 800-171 plays a key role in DOD’s effort by establishing the security requirements for protecting CUI when it resides in nonfederal systems and organizations, and the importance of achieving compliance with it has recently taken on new urgency with the release of the Cybersecurity Maturity Model Certification 2.0 Program Final Rule on Oct. 11.
The CMMC 2.0 Program Final Rule fundamentally changes how defense contractors must approach cybersecurity by, among other things, establishing NIST 800-171 compliance as a mandatory prerequisite for CMMC certification. Starting in 2025, contractors without demonstrable NIST 800-171 compliance will be unable to bid on new DOD contracts.
As a managed service provider—or MSP—and registered practitioner organization—or RPO—committed to supporting our government contractor clients, OSIbeyond has achieved NIST 800-171 compliance in August 2024 and is on track to obtain CMMC Level 2 certification by Q2 2025.
To help other organizations navigate their own compliance journeys, I asked Michael Soepnel, OSIbeyond’s chief information security officer and partner, who is also a Certified CMMC Lead Assessor, a.k.a. CCA, questions about his first-hand experience with NIST 800-171 compliance. I have distilled the interview into this Q&A article.
Payam Pourkhomami: What key factors drove your organization to pursue NIST 800-171 compliance?
Michael Soepnel: As a managed service provider serving government contractors who handle CUI, OSIbeyond’s pursuit of NIST 800-171 compliance was driven by both strategic business needs and evolving regulatory requirements.
From a business perspective, we recognized that our government contractor clients increasingly need assurance that their technology partners can protect sensitive information and support their compliance obligations. Many of our clients must demonstrate NIST 800-171 compliance to maintain their defense contracts, and they need confidence that their MSP won’t become a weak link in their security posture.
Before the publication of the CMMC 2.0 Program Final Rule, external service providers, or ESPs, were expected to become certified at the same level as the organizations seeking certification, dubbed OSCs. While the DOD has streamlined the assessment process by allowing ESPs to be included in their clients’ system security plans, or SSPs, rather than requiring independent certification, OSIbeyond chose to pursue NIST 800-171 compliance regardless to proactively position ourselves ahead of any future regulatory requirements.
Pourkhomami: Can you walk us through your approach to NIST 800-171 compliance?
Soepnel: We began with conducting an in-depth gap assessment of our organization’s current security practices, starting with the creation of a comprehensive controls matrix that listed all the NIST 800-171 assessment objectives. This matrix allowed us to methodically evaluate each control point and determine how our existing measures aligned with the requirements.
Then, we defined where CUI resided within our organization. By narrowing the scope to only those areas that would store or process CUI, we avoided the overwhelming task of evaluating our entire company against all 110 controls, which would have made the process unnecessarily complex and resource intensive. Here, it’s worth noting that, as an MSP, our interaction with CUI is different from that of a typical defense contractor, but we still needed to determine where we would store CUI and how to do that in a compliant way.
The result of all this initial work was a comprehensive to-do list that outlined the specific actions we needed to take to close the gaps between our existing security practices and the NIST 800-171 requirements in order to achieve compliance.
Pourkhomami: What were the main challenges you faced when implementing the NIST 800-171 requirements?
Soepnel: One of the main challenges we faced when implementing the NIST 800-171 requirements was adapting our long-established systems to meet the compliance standards. Our infrastructure had been in place for nearly 20 years, and reconfiguring these legacy systems was both complex and time-consuming.
This undertaking required close collaboration among our core team members, including myself, our compliance manager and our chief technology officer, who handled the technical changes as our internal sysadmin. If we were a startup, we could have designed our systems from the ground up with compliance in mind and made the implementation of NIST 800-171 requirements much more straightforward.
Another major challenge was time. Balancing our ongoing operational responsibilities with the extensive work required for compliance proved difficult and increased the amount of time it took us to become compliant.
Pourkhomami: How long does it realistically take to achieve NIST 800-171 compliance?
Soepnel: In our case, the entire journey took approximately 18 months, though our approach changed significantly over this period. Initially, we worked on the compliance efforts inconsistently, dedicating only an hour or two each week. However, as regulatory deadlines approached—especially with the publication of the draft 32 CFR Rule—we recognized the need to accelerate our efforts.
Even after completing our initial compliance work, the assessment process itself, which we never felt completely “ready” for (we would need unlimited time and money for that), took about 2.5 months—from the start of our C3PAO assessment at the end of May until receiving our verification letter on August 30th.
The length of the assessment process is one of the main reasons why organizations that optimistically believe they can achieve compliance in 30 to 60 days are unrealistic. Another reason is that NIST 800-171 compliance isn’t just about implementing technical controls. It also requires significant documentation, process changes and staff training. That’s why we consider six to 12 months to be a much more realistic timeframe.
Pourkhomami: How did achieving NIST 800-171 compliance change your organization’s operations?
Soepnel: Achieving NIST 800-171 compliance made us more formal and deliberate with our change management and internal systems. Specifically, we created comprehensive documentation detailing how we configure our systems and which software versions are in use across our infrastructure. This evidence-based approach helped prove compliance.
While we have always conducted cybersecurity training during onboarding and annually, achieving compliance required us to expand these programs significantly. We introduced baseline training for all employees that included an overview of CUI, how to recognize it and fundamental principles for handling it securely.
For team members with direct access to CUI, we implemented more specialized training and provided DOD compliance training and detailed internal training on handling data. We also developed role-specific training for positions critical to maintaining compliance, namely system administrators and cybersecurity personnel.
To maintain NIST 800-171 compliance going forward, we have established a clear schedule of recurring activities so that our compliance measures remain effective and up to date, including regular policy reviews and configuration updates. We spend over 10 hours every month on these activities.
Pourkhomami: How does NIST 800-171 compliance relate to CMMC Level 2 certification, and what additional steps are involved?
Soepnel: Achieving NIST 800-171 compliance is a foundational step toward obtaining CMMC Level 2 certification, as the latter essentially builds upon the former. The biggest difference between the two is that CMMC Level 2 requires a formal assessment by a Certified Third-Party Assessment Organization, or C3PAO, whereas NIST 800-171 allows for self-attestation. Despite this we chose to have a C3PAO conduct a NIST 800-171 assessment, in order to provide third party validation for our DOD clients.
To prepare for the CMMC third-party assessment, organizations can follow the 32 CFR Part 170 CMMC rule, which outlines the requirements for defense contractors and subcontractors.
In theory, if an organization has thoroughly implemented all NIST 800-171 controls, the time required to move from NIST 800-171 compliance to CMMC Level 2 certification might be minimal. However, most organizations will benefit from conducting a comprehensive review of all CMMC-specific requirements, which can take a while.
Pourkhomami: Looking back, is there anything else you would like to share with our readers?
Soepnel: One lesson we learned during our compliance journey was the importance of choosing the right C3PAO and establishing a productive relationship with them from the start.
When choosing a C3PAO, start by reaching out to reputable providers and obtaining rough cost and availability estimates, but don’t make your final selection solely based on these factors. Good C3PAOs will conduct a comprehensive vetting process upfront, reviewing your documentation to determine your readiness for assessment (C3PAOs are not allowed to provide consultation services, they can review your documentation for assessment feasibility determination). A C3PAO that doesn’t do this should be avoided. Although consistency is always a goal, CMMC requirements are not interpreted in the same way across all C3PAOs. It is in your interest to be up-front and transparent with the C3PAO during initial scoping discussions to ensure your interpretations are aligned as much as possible.
If a C3PAO does perform an upfront assessment but expresses concerns about your readiness, then it’s far better to spend a few additional months preparing than to proceed with an assessment prematurely and risk failure. After all, a C3PAO’s goal is to help you succeed and establish a long-term relationship for future reassessments rather than see you fail.
