How a Contractor Aced the NIST SP 800-171 DIBCAC Audit

A federal contractor handling CUI faced an impending NIST SP 800-171 DIBCAC audit. The contractor knew the importance and challenges of complying with the NIST SP 800-171 standard. They understood that the standard aimed at protecting the confidentiality and integrity of CUI in non-federal systems and organizations. The contractor knew that failing to comply with the standard could result in losing their DoD contracts, damaging their reputation, and exposing their sensitive data to cyber threats. They also knew that the DIBCAC audit was not a trivial task. It involved a rigorous and comprehensive evaluation of their cybersecurity practices and documentation by a team of experts from the DCMA. The contractor needed a reliable and experienced partner to help them fully implement the NIST SP 800-171 controls and prepare for the DIBCAC audit.

That’s why they contacted Cleared Systems, a cybersecurity consulting firm specializing in helping federal contractors with NIST SP 800-171 and other DoD regulations.

Objectives

  • To provide the federal contractor with a clear and actionable plan to achieve and maintain compliance with NIST SP 800-171 and other DoD regulations.
  • To identify and close the gaps between the contractor’s current cybersecurity posture and the NIST SP 800-171 requirements.
  • To implement and configure the necessary security controls to protect the confidentiality and integrity of CUI in the contractor’s systems and networks.
  • To create and update the required documentation to demonstrate compliance with NIST SP 800-171 and support the NIST SP 800-171 DIBCAC audit process.
  • To conduct a mock audit to test the contractor’s readiness and identify any potential issues or weaknesses before the actual DIBCAC audit.

Challenges

Complex IT Environment and CUI Classification

Their IT environment was complex, with multiple systems and networks that handled CUI. The scope and boundaries of those systems and networks had to be mapped out, and the types and sources of CUI in the contractor's environment had to be identified and classified. This required a thorough and accurate inventory of the contractor's IT assets and data flows, and collecting and analyzing that information took considerable time and effort.

Limited Resources and Expertise

The federal contractor had limited resources and expertise to implement and document the required security controls. Their staff had to be guided and trained to effectively apply the NIST SP 800-171 requirements. Allocating and managing the resources necessary for the project meant introducing significant changes to the contractor’s cybersecurity culture and practices.

Balancing Security with Operational Needs

Implementing the security requirements had to be balanced against the operational needs of the business and its customers. The controls had to be deployed so that they did not interfere with productivity and performance, and their effect on customer satisfaction and compliance with service-level agreements had to be considered. This required a careful trade-off between security and usability: the controls had to be designed and implemented in a way that minimized disruption and inconvenience for the contractor and their customers.

Tight Timeframes for Compliance

The federal contractor was under tight timeframes to achieve and demonstrate compliance with NIST SP 800-171 before the DIBCAC audit. This meant that the remediation plan had to be prioritized and executed in a timely and efficient manner. The federal contractor also had to coordinate and communicate with the DIBCAC auditor throughout the project. This imposed high pressure and urgency on the project, which required careful management of the project schedule and scope. Ensuring that no critical tasks or issues were missed or delayed was of the essence.

Preparing for Audit Uncertainties

The uncertainty and complexity of the NIST SP 800-171 DIBCAC audit process meant the federal contractor had to prepare thoroughly for a range of scenarios and contingencies. This was a challenge because it involved many unknowns and variables that could affect the outcome of the audit. We had to anticipate any potential issues or weaknesses that could arise during the audit and prepare a well-supported response to each, so that the contractor could respond effectively and confidently during the audit.

Solutions

Gap Analysis

We conducted a comprehensive gap analysis to identify the current state of the contractor’s cybersecurity posture and areas that needed improvement. This involved assessing how the contractor had implemented each of the 110 security controls in NIST SP 800-171 using a standardized questionnaire and scoring method. The outcome was a detailed report that showed the compliance status, gaps, and recommendations for each control.

Remediation Plan

Cleared Systems developed a robust remediation plan to address identified gaps. We prioritized actions based on risk and impact, ensuring that critical issues were addressed first. Our team meticulously documented the remediation plan and tracked progress using a spreadsheet and a dashboard, providing real-time visibility into the status of each action.

Implementation of Security Controls

Our team implemented and configured the necessary security controls, including encryption, multifactor authentication, access control, audit logging, and incident response, following the practices described in NIST SP 800-171 and other relevant sources. We verified and tested the effectiveness of each control using vulnerability scanning, penetration testing, log analysis, and similar techniques.

Documentation

We created and updated the required documentation, including the system security plan (SSP), plan of action and milestones (POA&M), policies, and procedures, using templates and examples provided by NIST SP 800-171 and other relevant sources. We also checked and validated the quality and completeness of the documentation through document review, analysis, and comparison.

Mock Audit

Cleared Systems conducted a mock audit to test the contractor’s readiness for the NIST SP 800-171 DIBCAC audit. We simulated the audit process using a realistic scenario and a set of questions and criteria. The mock audit report showed findings, observations, and recommendations, providing valuable insights into potential issues or weaknesses that needed to be addressed before the actual audit.

Outcomes

  • The contractor successfully passed the NIST SP 800-171 DIBCAC audit with no major findings or recommendations. They demonstrated the implementation and configuration of all required security controls. The contractor had documented their system security plan, policies, and procedures and addressed any gaps or issues effectively and in a timely manner. The DIBCAC auditor praised the contractor for their high level of compliance and maturity with NIST SP 800-171.
  • The federal contractor implemented all the NIST SP 800-171 controls without compromising their business operations or customer satisfaction. They balanced the security requirements with the operational needs of their business and customers, designing and implementing the controls in a way that minimized disruption and inconvenience for their staff and customers. By reducing the risk of data breaches, cyberattacks, and contract losses, the federal contractor improved their performance and productivity.
  • By demonstrating their commitment to cybersecurity and data protection, the contractor gained a competitive advantage in the federal market. They enhanced their reputation and credibility among current and potential customers, and increased their opportunities and revenue by bidding for more DoD contracts that require NIST SP 800-171 compliance.
