top of page
Image by AbsolutVision

NIST SP 800-171/CMMC Compliance

The National Institute of Standards and Technology guidelines for ensuring the safety and confidentiality of sensitive government data.

What is NIST SP 800-171?

In 2003 the Federal Management Information Security Act (FISMA) was passed and brought NIST SP 800-171 into fruition. The result was the emergence of several new security standards and guidelines, developed with the intention of improving cybersecurity. NIST SP 800-171 is a set of rules that suppliers/contractors to the federal government and their accompanying computer systems must follow to store, process and transmit Controlled Unclassified Information (CUI). The guidelines for CUI management have evolved throughout the years, although as of recently these guidelines have become more specific and demanding with the US Department of Defense’s recent release of final guidance for evaluating contract compliance with NIST SP 800-171 during the contact reward process.

The Importance of NIST SP 800-171 Compliance

NIST SP 800-171 requirements provide comprehensive guidance against keeping critical DoD information safe and secure from malicious observance and threats. Although, up to this point, implementation of NIST SP 800-171 guidelines have been an act of self validation. Due to the increase over time of inter-connectedness between business interactions and flow of information, as well as notable breaches of critical government information, the DoD has began to roll out a more intensive method of validation, hence the emergence of Cybersecurity Maturity Model Certification (CMMC). CMMC is a new certification scheme built to ensure compliance of the prescribed security controls for your business. CMMC certification will be an absolute requirement to bid on DoD RFPs and/or have a contract awarded. Compliance to NIST SP 800-171 is now more important than ever as it is heavily correlated with CMMC compliance.

NIST SP 800-171 vs CMMC

NIST SP 800-171 covers 110 of the 130 controls required for CMMC Level 3 certification. A CMMC Level 3 audit will cover 100% of the NIST 800-171 CUI controls and an additional 21 controls from various sources. The additional controls are as follows:

  • AM-C005-P1035. Identify, categorize, and label all CUI data.

  • AM-C005-P1036. Define procedures for the handling of CUI data.

  • AA-C008-P1048. Collect audit logs into a central repository.

  • AA-C010-P1044. Review audit logs.

  • IR-C017-P1093. Detect and report events.

  • IR-C017-P1094. Analyze and triage events to support event resolution and incident declaration.

  • IR-C018-P1096. Develop and implement responses to declared incidents according to pre-defined procedures.

  • IR-C019-P1097. Perform root cause analysis on incidents to determine underlying causes.

  • RE-C029-P1137. Regularly perform and test data back-ups.

  • RE-C029-P1139. Regularly perform complete and comprehensive data back-ups and store them off-site and offline.

  • RM-C031-P1144. Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

  • RM-C032-P1146. Develop and implement risk mitigation plans.

  • RM-C032-P1147. Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

  • SAS-C036-P1162. Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements.

  • SA-C037-P1169. Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.

  • SCP-C039-P1179. Use encrypted sessions for the management of network devices.

  • SCP-C040-P1192. Implement Domain Name System (DNS) filtering services.

  • SCP-C040-P1193. Implement a policy restricting the publication of CUI on publicly accessible websites (e.g., Forums, LinkedIn, Facebook, Twitter, etc.).

  • SII-C043-P1218. Employ spam protection mechanisms at information system access entry and exit points.

  • SII-C044-P1219. Implement DNS or asymmetric cryptography email protections.

  • SII-C044-P1220. Utilize email sandboxing to detect or block potentially malicious email attachments.

Going Over Data

Why is a consultant important?

Through the process of implementation, a company may encounter several road blocks such as: time, money and know-how. With the help of a consultant, you can expect to save time and money. Relying on their expertise guides you through the process in the most efficient way.

Services Overview

Encompass Consultants preliminarily recommend our Gap Analysis service to all clients. By starting here your company can save time and money by minimizing unnecessary work on controls that have already been met. After the gap analysis we are here to support your company in the pursuit of reaching compliance for the remaining controls. 

Encompass Consultants Remediation Process



We perform effective training sessions with key individuals in your organization to distill the necessary practices for compliance to NIST SP 800-171/CMMC.


Final Analysis

We validate your entire system and provide additional coaching. The output is an internal audit report, in addition to future action items.



Gap Analysis

We will work with your company and IT team to perform a comprehensive analysis of your company's cybersecurity framework against the NIST SP 800-171/CMMC (Up to level 3) controls. Output is Gap Report and POA&M.



We create and distribute all procedures and policies specific to your company and necessary for compliance to NIST SP 800-171/CMMC compliance.

NIST Gap Analysis Icon
Gap Analysis

We will work with your company and IT team to perform a comprehensive analysis of your company's cybersecurity framework against the NIST SP 800-171/CMMC (Up to level 3) controls. Output is Gap Report and POA&M.

NIST Documentation Icon
Documentation Service

We will provide your company with a curated and extensive documentation package to meet your company's needs and the requirements of NIST SP 800-171/CMMC controls.

NIST Remediation Icon
Remediation Service

Comprehensive NIST SP 800-171/ CMMC (Up to level 3) package. Includes gap analysis, implementation, employee training and final analysis. 

Curated to your organization

Encompass Consultants spends the time and energy to work closely with your team to learn more about your business and its operations. We then provide precisely the services that you need, no more or no less. Ranging from full NIST/CMMC implementation to customized documentation support. We strive to provide services curated specifically to your organization's needs.

Low Market Pricing

Encompass Consultants is family owned and operated, thus have no excessive overhead. As a result, we direct all of these cost savings to you, our customer. We are local to California and charge no extra for travel expenses throughout California. Despite our low pricing we continue to deliver high quality consulting services to any and all businesses in need.

Rely On Our Expertise

Expertise is an important aspect in performing a clean, cost-efficient and timely implementation. At Encompass Consultants, our years of accumulated knowledge result in a comprehensive complaince process.

Who will you be working with?

Michael Schrader


For seven years, with Encompass Consultants, Mike has served many companies in their pursuits towards more robust security systems and improved customer satisfaction. He has worked with small and large companies on ISO 27001:2013 implementation and auditing projects. In addition to, NIST 800-53 and NIST 800-171 auditing and implementation guidance projects.

Working with Cisco Systems in his earlier years, Mike built the backbone of his knowledge through 22 years working in Network Security and Quality positions.

Some of his notable certifications include:

  • ASQ - Certified Quality Auditor

  • PECB – ISMS Master, Risk Manager, Cybersecurity Manager, Lead Senior Auditor ISO 27001, Lead Implementor ISO 27001

  • Cisco Systems Inc. - Hardware and Software Security Ninja Blackbelt

  • Schneider Electric - (DCCA) Data Center Certified Associate

Apart from Mike's 1000+ of hours of network security design, auditing, managing IT system networks and decades of experience. What sets him apart from the rest is his deep passion for helping companies thrive in the increasingly complex and interconnected world we live in today.

Untitled design-5 copy 8.png

Certified Lead Implementer and Auditor for ISO 27001:2013

ISO 27001 Audit

Cisco Systems Security Ninja Black Belt #98

Educational Icon

Learn More

Contact (NIST/CMMC)


For a free quote from a NIST specialist, contact: 

Encompass Head Offices:

San Jose


San Bernardino

Extended Locations:



Los Angeles


San Diego


San Francisco

Northern California

Southern California

Tele: (408) 657-8269


bottom of page