NIST SP 800-171 Rev. 3 Implementation Bootcamp

What This Session Covers

This five-day virtual bootcamp moves sequentially through every control family defined in NIST SP 800-171 Rev. 3, giving compliance practitioners the structured, hands-on time they rarely get in a single-day seminar format. Each day pairs instructor-led instruction with applied exercises so participants are building real program artifacts while they learn — not after they get home.

Day-by-Day Curriculum Overview

The bootcamp is organized so that each day addresses two to three control families, balancing depth of coverage with pacing. Across the five days, the curriculum works through all fourteen control families, including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, System and Information Integrity, and the foundational requirements under Program Management.

For each family, Carl B. Johnson — President and CISO of Cleared Systems — walks through the intent of the controls, common implementation gaps seen in real contractor environments, and the specific documentation that auditors and CMMC Level 2 assessors will look for. Instruction consistently maps requirements back to DFARS 252.204-7012 obligations so participants understand how 800-171 compliance connects to the contractual language in their prime and subcontract agreements.

Hands-On Exercises

Each day includes structured exercises covering three core compliance skills:

• Policy drafting: Participants write or revise policy language that directly satisfies specific control requirements, using provided templates as a starting baseline.
• Control implementation guidance: Working through realistic contractor scenarios, participants map technical and administrative controls to the requirements and document implementation decisions in a System Security Plan (SSP) format.
• Evidence collection: Participants learn how to identify, organize, and label the artifacts — screenshots, configuration exports, access logs, training records — that support each control during a self-assessment or third-party review.

Mock Self-Assessment

The bootcamp closes with a mock self-assessment exercise that simulates the scoring methodology used for NIST SP 800-171 assessments. Participants work through a condensed assessment scenario, apply the DoD assessment methodology to assign practice scores, and identify the types of Plan of Action and Milestones (POA&M) entries that would result from partial or non-implemented controls. This exercise is designed to demystify the self-assessment process and give practitioners confidence before they conduct or support a real one.

What You Will Leave With

Every registered participant receives a downloadable template package and leaves the bootcamp with skills and artifacts they can put to work immediately:

• A set of ready-to-customize policy and procedure templates aligned to the NIST SP 800-171 Rev. 3 control families
• An SSP section framework pre-structured for each control family
• An evidence collection checklist mapped to assessment objectives
• A POA&M template formatted for DoD submission requirements
• Practical experience scoring a mock self-assessment using the current methodology
• A working understanding of how CMMC Level 2 certification requirements layer on top of 800-171 implementation
• Direct access to instructor expertise through live Q&A sessions throughout the week

Participants who need deeper post-bootcamp support can explore Cleared Systems' CMMC, CUI & DFARS compliance services to continue the work with hands-on program assistance.

Who Should Attend

This bootcamp is built for the practitioners doing the daily compliance work inside defense and federal contractors: compliance managers, security engineers, system administrators, IT managers, and program managers who are responsible for building, maintaining, or demonstrating compliance with NIST SP 800-171 and CMMC Level 2 requirements. It is equally well-suited to professionals who have recently inherited a compliance program and need to close knowledge gaps quickly, or to experienced practitioners preparing for an upcoming third-party assessment.

For managers evaluating whether this training is the right investment: if your team is responsible for a DFARS 7012 clause in a contract, is building toward a CMMC Level 2 assessment, or is struggling to produce consistent, auditable evidence from their current compliance processes, this bootcamp directly addresses those gaps in a structured, five-day format. The combination of instruction, templates, and hands-on exercises means participants return with usable output, not just notes.

Organizations that are earlier in their compliance journey and want to understand how a full program should be structured may also want to review Cleared Systems' compliance program development services alongside this training.

Ready to Build a Defensible NIST 800-171 Program?

This bootcamp gives your team the knowledge, the tools, and the practice repetitions to implement NIST SP 800-171 Rev. 3 with confidence. Whether you are preparing for an internal self-assessment, a government audit, or a CMMC Level 2 third-party assessment, five focused days with an experienced instructor will accelerate your program in ways that self-study and one-hour webinars simply cannot. View all upcoming training opportunities on the Cleared Systems events page.