San Antonio, TX · Military City, USA UEI L58JZMKRCLM5  ·  CAGE 203C1  ·  NAICS 541511  ·  SAM.gov Active

We Put Our Own Systems Through NIST 800-171 Before We Did It for Anyone Else

Most firms that sell CMMC help have never been through it themselves. We took the opposite route: before BrandShyp offered NIST 800-171 readiness to anyone, we ran the full self-assessment on our own systems, built a hardened enclave for the controls our daily machines could not meet, and affirmed a CMMC Level 2 (Self-Assessment) posture in SPRS. Here is what that actually takes, and where small firms get stuck.

The score is the easy part. Picking a number out of a worksheet takes an afternoon. The work that survives an assessment is everything underneath it: the evidence, the System Security Plan, and the boundary you draw around your Controlled Unclassified Information. That is where a two-person firm either gets serious or gets caught.

Why We Did It to Ourselves First

BrandShyp bids federal and state IT work. The moment you touch Controlled Unclassified Information (CUI) on a DoD contract, DFARS 252.204-7012 turns NIST SP 800-171 from a recommendation into a contractual obligation, and your implementation gets scored and posted in SPRS. We were not going to advise other contractors on something we had only read about. So we put our own house through the standard, end to end, exactly the way a real assessment would.

The point was not a certificate to hang on the wall. It was to learn precisely where the process hurts for a small firm with no security department, because that is the firm we now help. We found out. The pain is not the 110 requirements in the abstract. It is two specific places nobody warns you about.

The Part Nobody Warns You About: the CUI Boundary

NIST 800-171 Rev 2 is 110 security requirements across 14 control families. Most of them are policy, configuration, and discipline, achievable on the systems you already run if you are willing to do the work. But a handful of controls are different. They demand a level of system lockdown that quietly breaks a daily-driver laptop.




The four controls that forced us to build an enclave

Least functionality, restricted ports and services, application allow-listing, and FIPS-validated cryptography are reasonable on a locked-down, single-purpose machine. They are miserable on the laptop you also use to write proposals, run a browser with thirty tabs, and ship code. Trying to enforce them on your everyday device tends to break the tools you work in, which is exactly why people fudge it and mark the control “met” when it is not.

Our answer was the honest one: stop pretending the daily laptop is in scope. We stood up a separate, hardened CUI enclave, a minimal Linux virtual machine on a hypervisor, with full-disk encryption, the firewall in deny-by-default, application allow-listing, audit logging, and FIPS mode enabled. CUI lives there and only there. The daily machine stays out of the boundary. That single architectural decision is what makes the difference between a defensible posture and a worksheet full of optimistic checkboxes.

What a Real Self-Assessment Actually Produces

An assessment is not a score. It is a stack of documents that a prime contractor, a contracting officer, or eventually a third-party assessor can pick up and verify. Doing our own forced us to generate every one of them:

  • System Security Plan (SSP) — a control-by-control description of how each of the 110 requirements is met, scoped to a defined boundary. This is the document DFARS requires and the one assessors read first.
  • Plan of Action & Milestones (POA&M) — every open gap, ranked by its point value, with an owner and a target date. Honesty about what is not yet done is part of compliance, not a failure of it.
  • An evidence trail — for every control marked met, a link to the artifact that proves it. “Trust me” is not evidence.
  • A policy and procedure set — the written rules that make the controls repeatable instead of a one-time scramble.

The Shortcut That Fails, and the Work That Holds

The shortcut that fails

Run the worksheet, pick an optimistic number, post it in SPRS, and move on. No SSP that matches reality, no evidence behind the “met” controls, and CUI sitting on the same laptop that can’t meet the lockdown requirements. It looks done. It collapses the moment anyone asks for proof.

The work that holds

A defined CUI boundary, all 110 controls assessed against real evidence, an SSP and POA&M that match what is actually deployed, and a hardened enclave for the controls your daily systems can’t meet. The number is whatever the evidence says it is, and you can stand behind it.

What a real NIST 800-171 self-assessment requires

The checklist we wish someone had handed us before we started.

Scope your CUI boundary first
Decide exactly where CUI lives before you assess anything. The boundary determines everything downstream.

Assess all 110 controls against evidence
Every “met” needs an artifact behind it. Every “not met” goes on the POA&M.

Stand up an enclave for the hard controls
Least functionality, port restriction, app allow-listing, and FIPS rarely survive on a daily-driver machine. Separate them.

Write the SSP and POA&M to match reality
Documents that describe an environment you don’t actually run are worse than no documents.

Only affirm a score you can defend
Your SPRS number is a representation to the government. Treat it like one.

The Score Is a Measurement, Not a Trophy

This is the part that matters most, and the part the honest version of this story has to include. The SPRS number is not a grade you are trying to maximize for marketing. It is a representation to the government about the security of the systems that hold its data. Affirming a number you cannot back with evidence is not an optimization, it is a False Claims Act exposure with your name on the affirmation.

That is also why we do not splash our own score across this website. We are proud of the work, the assessment, the enclave, the documentation, the discipline, but a posted number is sensitive, and a perfect-score billboard is the wrong thing to wave at the world. The work is the proof. The number stays where it belongs.

The Bottom Line

We know where small contractors get stuck on NIST 800-171 because we got stuck in the same places, and then worked through them on our own systems. The CUI boundary, the enclave, the evidence, the documents that have to match reality. None of it is exotic. All of it is more work than the worksheet makes it look.

That experience is exactly why we built a readiness service instead of just another opinion. We have the tooling and the playbook because we ran them on ourselves first, and we would rather hand a small firm the map than watch it post a number it cannot defend.

Get assessment-ready without the six-figure bill

We prepare small IT and defense contractors for NIST 800-171 and CMMC, the same standard we hold our own systems to. Start with a free self-check or book a readiness call.

See CMMC Readiness Packages

NIST 800-171
CMMC
SPRS
CUI Enclave
Small Business