We implement and document the 110 controls in NIST SP 800-171 across the 14 security families, author and maintain your SSP and POA&M, and keep your SPRS score audit-ready — so your South Florida federal contract stays in good standing.
Get Your Free NIST 800-171 Readiness Review

NIST Special Publication 800-171 is the federal standard for protecting Controlled Unclassified Information (CUI) on non-federal systems. The current required revision is Rev 2, with Rev 3 published in 2024 and DoD adoption expected to follow a DFARS rule update.
Compliance isn't a one-time project. It's a continuous program made up of three artifacts your contracting officer expects to see on demand: a current System Security Plan (SSP), an open Plan of Action & Milestones (POA&M), and a submitted score in the DoD Supplier Performance Risk System (SPRS).
DoD contractors will need CMMC certification on top of 800-171 implementation — CMMC is how the DoD verifies the controls are actually in place.
Per NIST SP 800-171 Rev 2. Rev 3 reorganizes these into a slightly different structure; we track both.
If any of these sound familiar, you're where most of our 800-171 clients started.
DFARS 252.204-7012 (and equivalent FAR clauses) appears in your award and suddenly you owe 110 controls, an SSP, a POA&M, and a SPRS score. We translate the requirement into a sequenced implementation plan.
Your System Security Plan was written once and forgotten, or a consultant emailed you a template that nobody owns. We author living documentation and keep it accurate as your environment changes.
A negative score in the Supplier Performance Risk System knocks you out of competitive bids. We work the POA&M down methodically and resubmit your self-assessment as you close gaps.
Without a defined CUI scope, every endpoint becomes in-scope and the cost of compliance balloons. We help you draw a defensible boundary and keep CUI inside it.
Government assessors don't always book in advance. We keep evidence collected, controls documented, and your team rehearsed so an assessment isn't a fire drill.
IT In Motion is a NIST 800-171 readiness and ongoing managed-compliance partner for South Florida federal contractors. We are not a federal auditor or DCMA assessor — and that separation is intentional. Our job is to implement, document, and maintain the 110 controls so when an assessment arrives, the evidence is already there.
We deliberately don't perform third-party assessments for clients we implement for. CMMC C3PAOs and DoD assessors are separate from us. When the formal assessment comes, we hand off a clean evidence package and support you through the engagement — but the verdict is theirs, not ours.
SSP, POA&M, and a current SPRS score — kept living, kept honest, kept ready. That's the contract.
From initial gap assessment through ongoing managed compliance — every artifact a contracting officer expects.
Side-by-side review of your environment against every requirement in NIST SP 800-171 Rev 2 — produces a scored gap list, prioritized remediation roadmap, and effort estimate.
We identify where Controlled Unclassified Information actually lives, draw a defensible authorization boundary, and shrink scope so you're not spending compliance dollars on systems that never touch CUI.
We draft and maintain your System Security Plan covering all 14 security families — and update it whenever your network, vendors, or workforce change. You remain the responsible party; we do the heavy lifting.
Every open gap gets a Plan of Action & Milestones entry with owner, target date, and status. We drive items to closure and keep the document audit-ready.
We calculate your DoD Supplier Performance Risk System score using the official methodology, prepare your self-assessment, and walk you through submission so your score reflects reality.
Logs, configuration baselines, vulnerability scans, training records, and incident reports — collected on a schedule so the evidence binder is always current, not reconstructed the week before an assessment.
EDR, MFA, encryption at rest and in transit, conditional access, and FIPS-validated cryptography aligned to the Access Control, Identification & Authentication, and System & Communications Protection families.
Role-based and CUI-handling training that satisfies the Awareness & Training family, with completion tracking and phishing simulations as ongoing evidence.
Several of these map to broader services we deliver outside the 800-171 program — see cybersecurity, security awareness training, and email security.
Tell us about your federal contract and a senior compliance engineer will reach out within one business hour with a no-obligation gap snapshot.
NIST SP 800-171 is the underlying control framework — 110 security requirements across 14 families that any non-federal organization handling Controlled Unclassified Information (CUI) must implement. CMMC is the Department of Defense's certification program that verifies a contractor actually meets those requirements (CMMC Level 2 essentially equals 800-171). If you have a DoD contract you'll likely need both: implement 800-171, then get CMMC-certified by a C3PAO. Non-DoD federal contractors typically need 800-171 only, evidenced by a SPRS self-assessment.
Often yes. The requirement flows from contract clauses, not from the agency name on the door. If your contract includes DFARS 252.204-7012 (DoD), FAR 52.204-21 (basic safeguarding), or any clause requiring protection of Controlled Unclassified Information, NIST 800-171 applies. NASA, DOE, GSA, and many state agencies handling federal data carry equivalent requirements. Read your contract — if CUI is mentioned, assume 800-171 is in play.
Honest range: 3 to 9 months depending on starting state. A small contractor with mature IT and well-scoped CUI can reach substantial implementation in roughly a quarter. An organization with sprawling data, no MFA, no logging, and no documentation typically needs the full nine months — sometimes longer for the more invasive controls like FIPS-validated encryption rollout or audit log centralization. We sequence the work so you can submit a SPRS score early and improve it as the POA&M closes.
Yes. We draft your SSP from scratch or rebuild an existing one, document each of the 110 controls as implemented in your environment, and maintain it as a living artifact. You remain the responsible party and signatory — the contract is between your company and the federal government, not us — but the documentation work, evidence collection, and ongoing updates sit with our team.
Rev 3 was published by NIST in May 2024 with a restructured control set, new families (Planning, System and Services Acquisition, Supply Chain Risk Management), and tighter parameters. As of now, federal contracts still cite Rev 2 — DoD has signaled Rev 3 adoption is coming but timing depends on a DFARS rule update. We track the adoption schedule, design your SSP and controls so the migration to Rev 3 is incremental rather than a rewrite, and will manage the transition once your contracting officer formally requires it.
No — and that matters. IT In Motion is an implementation and managed-compliance partner, not a DCMA assessor or CMMC C3PAO. We build the controls, write the documentation, and keep your SPRS score current. When a formal third-party assessment is required, we hand off a clean evidence package to your assessor and support you through the engagement. Keeping implementation and assessment separate is a deliberate independence safeguard.
Adjacent programs and industries we support across South Florida.
DoD certification of your 800-171 implementation — Levels 1, 2, and 3.
Vertical IT and compliance support for aerospace and defense subcontractors.
EDR, MFA, monitoring, and the technical controls behind your 800-171 program.
Role-based training that satisfies the Awareness and Training family.
Anti-phishing, encryption, and DLP that protect CUI in transit.
Federal supply chain manufacturers handling CUI on the shop floor.
Field-to-office IT for federal construction primes and subs.
Broader operational review covering security, backup, and compliance.
Get a comprehensive look at your network security, endpoints, and compliance gaps. Free of charge.
Schedule Your Free Assessment Now
No obligation. No sales pressure. Just an honest look at your IT security.