Learn how to choose the right NIST 800-171 compliance consultant for your organization's needs.


Choosing a NIST 800-171 Consultant: The Evaluation Checklist

The NIST 800-171 consulting market spans a wide range of quality. Some consultants have spent years supporting defense contractors through self-assessments, DIBCAC reviews, and C3PAO assessments, and they understand exactly what an assessor will verify for each of the 110 controls. Others have read the standard, built a service offering, and are learning on your engagement.

The credential system doesn't fully resolve this. A Registered Practitioner credential (the Cyber AB's entry-level certification) requires passing an online exam. It doesn't require demonstrated experience with actual NIST 800-171 implementations. A lot of capable consultants hold RP credentials. So do a lot of people who shouldn't be billing at $250 an hour.

This article gives you a concrete evaluation checklist — questions to ask, answers to look for, and signals that tell you whether the consultant in front of you has actually done this work.

What NIST 800-171 Consulting Actually Involves

Before running the checklist, it helps to understand what you're actually buying. A NIST 800-171 engagement covers some combination of these activities:

Gap assessment — evaluating your current environment against all 110 controls, producing a written report with current-state documentation for each control, and calculating your preliminary SPRS score. A real gap assessment involves reviewing system configurations, interviewing technical staff, examining logs, and testing whether controls actually work — not just asking stakeholders "do you have MFA?"

Remediation planning — prioritizing the gaps by risk and effort, and building a realistic plan to close them. A good consultant distinguishes between controls that require significant technical work (network segmentation, FIPS-validated encryption) and controls that are mostly documentation (system use notifications, audit record retention policies).

SSP development — writing or guiding the System Security Plan, which documents how your organization implements each of the 110 controls. The SSP is the document your assessor will scrutinize. Its quality directly affects assessment outcomes.

Policy and procedure writing — the documented policies that back up your technical controls. Access control policy, incident response policy, media protection policy, and so on. These need to be specific to your environment, not generic templates with your logo slapped on them.

Pre-assessment mock assessment — a structured review using NIST 800-171A assessment objectives that simulates what your C3PAO or DIBCAC assessor will do. This is the most valuable service in the portfolio and the most revealing test of consultant quality.

Not every engagement covers all of this. A gap assessment and SPRS score is a reasonable Phase 1. But understand what each phase should produce so you can hold the consultant accountable.

The Evaluation Checklist

1. Ask them to calculate your SPRS score in the proposal conversation

The DoD SPRS (Supplier Performance Risk System) score uses the methodology from the DoD Basic Assessment Methodology — each of the 110 controls carries a point value totaling 110 at full compliance, with the floor at −203 (every control failed, with full-weight findings). A consultant who can't walk you through this methodology — how controls are weighted, how partial credit works, why the floor is −203 — hasn't actually produced an SPRS score for a client.

This isn't a trick question. It's a baseline. If they're fuzzy on the scoring, the gap assessment they produce will be fuzzy too. You'll need to submit your SPRS score to the DoD SPRS portal when you self-assess — that's a real legal attestation. Get a consultant who takes it seriously.

What a good answer looks like: "We score each control as fully implemented, partially implemented, or not implemented. Partial credit applies to some controls under the methodology. We document our score, the rationale for each control determination, and attach the gap assessment report as supporting evidence. The score goes into SPRS and the supporting documentation stays in your files in case DoD questions it."
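To make the scoring walkthrough concrete, here is an added Python illustration (not a DoD tool and not code from this article) of the methodology as the article describes it: start at 110, deduct each control's point value when it is not implemented, allow partial credit only for the controls the methodology permits, and clamp at the −203 floor. The weight table is a constructed subset of the 110 controls, and the specific point values and partial-credit deductions are assumptions, not quoted from DoD.

```python
# SPRS score calculator in the style of the DoD Basic Assessment Methodology.
# Added illustration only; weights below are an ASSUMED, constructed subset of
# the real 110-control table.
FULL_MARKS = 110   # every control fully implemented
FLOOR = -203       # every control failed at full weight

# Assumed point values (each control is worth 1, 3 or 5 points).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.5.3": 5,
    "3.13.8": 3, "3.13.11": 5, "3.13.16": 1,
}
# Assumed partial-credit rule: MFA rolled out to some but not all users, or
# encryption in place but not FIPS-validated, loses 3 points instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

def control_deduction(control, state, weights=WEIGHTS):
    """Points lost for one control given its assessed state."""
    if state == "implemented":
        return 0
    if state == "partial":
        if control not in PARTIAL_DEDUCTION:
            raise ValueError(f"{control} does not allow partial credit")
        return PARTIAL_DEDUCTION[control]
    if state == "not_implemented":
        return weights[control]
    raise ValueError(f"unknown state {state!r} for {control}")

def score_assessment(status, weights=WEIGHTS):
    """Return (score, rationale) for a map of control id -> state.
    A control missing from `status` was never assessed and is scored as
    not implemented, matching how an assessor treats missing evidence."""
    rationale = {}
    score = FULL_MARKS
    for control in weights:
        state = status.get(control, "not_implemented")
        lost = control_deduction(control, state, weights)
        rationale[control] = (state, -lost)   # per-control determination
        score -= lost
    return max(score, FLOOR), rationale

if __name__ == "__main__":
    # Constructed findings: MFA partly deployed, crypto not FIPS-validated,
    # CUI-at-rest control (3.13.16) never assessed, everything else in place.
    findings = {"3.1.1": "implemented", "3.1.2": "implemented",
                "3.3.1": "implemented", "3.5.3": "partial",
                "3.13.8": "implemented", "3.13.11": "not_implemented"}
    score, why = score_assessment(findings)
    print(score)  # 101 on this constructed subset
    for control, (state, delta) in why.items():
        print(f"{control:8} {state:16} {delta:+d}")
```

The rationale map is the per-control determination record the article says should stay in your files alongside the submitted score.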

2. Ask them to describe what they verify for a specific control

Pick any control and ask how they'd assess it. Try AC.L2-3.1.1 (limit system access to authorized users) or IA.L2-3.5.3 (multi-factor authentication for remote access).

A consultant with real assessment experience will describe a multi-method approach: reviewing Active Directory or Azure AD configuration, interviewing IT staff about account provisioning and deprovisioning processes, checking for service accounts and shared accounts, and possibly testing — attempting to access a CUI system without MFA to confirm it's actually enforced, not just configured.

A consultant without that experience will describe a documentation review: "we'd review your access control policy and verify you have MFA enabled." That's not an assessment. That's reading your paperwork and taking your word for it. Your actual assessor won't do that.

NIST 800-171A breaks each control into discrete assessment objectives — roughly 320 total for the 110 controls. Each objective specifies whether it requires examination, interview, testing, or some combination. A consultant should be fluent with this structure. If they're not, they're not working from the right source material.

3. Ask what CSET produces and when to use it

The NIST Cybersecurity Evaluation Tool (CSET) is a free DoD-provided tool that walks organizations through a structured self-assessment and produces a scored gap report. Consultants who have worked in this space know it. Consultants who are newer to NIST 800-171 work may not.

This isn't about whether CSET is the best tool — it's a useful starting point for organizations doing their first self-assessment but has limitations (it's self-reported, not evidence-verified). A good consultant will describe when CSET is useful (a rough first pass, a way to organize your control review) and where it falls short (it doesn't verify your controls are actually implemented, and its outputs won't satisfy a C3PAO assessor). That judgment is what you're paying for.

4. Ask them what's in an SSP that satisfies an assessor vs. one that doesn't

The most common failure mode in CMMC assessments isn't missing controls — it's SSPs that don't hold up to scrutiny. Assessors interview your technical staff and compare their answers to what the SSP says. When they don't match, you get findings.

A good consultant will describe the difference clearly: a weak SSP says "the organization uses MFA for remote access." A strong SSP says "all remote access to CUI systems routes through the Cisco AnyConnect VPN client, which enforces certificate-based MFA via Duo Security before establishing the tunnel. MFA is configured at the identity provider level in Azure AD and applies to all user and administrator accounts. Exceptions require written approval from the ISSO and are documented in the access control exception log."

The first version is defensible only until the assessor asks your sysadmin to describe the MFA setup. If your sysadmin says "we use Duo," but the SSP says nothing about Duo, the assessor notes an inconsistency. That's a finding.

Ask the consultant for a sanitized SSP section from a past client. If they've been doing this work, they have one. If they can't produce an example, either they've never written one that they're proud of or they've never written one at all.

5. Ask whether they work with your specific technology stack

NIST 800-171 controls are technology-agnostic — the framework doesn't care whether you use Azure or AWS, Windows or Linux, Cisco or Palo Alto. But the implementation guidance is deeply technology-specific. Encryption at rest on Windows means BitLocker with FIPS mode confirmed via Group Policy. On Linux it means LUKS with a FIPS-validated kernel module. Logging requirements under AU.L2-3.3.1 look different in Splunk versus Microsoft Sentinel versus a syslog server.

A consultant who has only worked with Microsoft environments will struggle to help you if you're running Linux servers or AWS GovCloud. Ask specifically: "Most of our CUI systems run on [your platform]. Have you implemented NIST 800-171 controls in that environment? Can you describe how you'd handle encryption at rest and centralized logging?"

The answer tells you whether their experience is relevant to your environment or whether you'd be paying for their on-the-job training.

Common Mistakes in NIST 800-171 Consulting

Treating 800-171 as a documentation exercise. The most common consultant mistake is building a paper compliance program — policies, SSPs, and procedures that describe the right controls — without verifying those controls are technically implemented and working. The documentation is necessary. It's not sufficient.

Your C3PAO assessor will test your controls. They'll attempt to access systems to verify access restrictions work. They'll examine your logs to verify the events you claim to capture are actually being captured. They'll interview your personnel to verify the SSP matches reality. A consulting engagement that produces excellent documentation sitting on top of misimplemented technical controls is setting you up to fail the assessment.

The signal to watch for: if your consultant never asks to review actual system configurations, never talks to your sysadmin, and never tests anything — they're doing documentation consulting, not compliance consulting.

Confusing 800-171 with 800-53. NIST SP 800-53 is the full federal information systems control catalog, running to hundreds of controls. NIST SP 800-171 derives from 800-53 but is scoped specifically for non-federal systems protecting CUI — 110 controls, not hundreds. Consultants with a federal IT background sometimes bring 800-53 methodology to an 800-171 engagement. That's not wrong in principle, but it can produce over-engineered recommendations that are harder to implement than the actual requirement and confuse clients about what's actually required for CMMC.

Scope misidentification. A consultant who skips proper scoping — identifying which systems actually store, process, or transmit CUI and which don't — will either over-scope your assessment (driving up your implementation cost) or under-scope it (leaving CUI systems unaccounted for, which your assessor will find). Before any control evaluation begins, your consultant should be able to describe exactly which systems are in scope and produce a draft asset inventory and data flow diagram.

What Your Assessor Expects

Whether your assessment is a DoD DIBCAC review, a C3PAO assessment, or your own internal self-assessment for SPRS submission, the evaluator works from NIST 800-171A — the companion assessment guide that describes what to examine, who to interview, and what to test for each control.

Your consultant should be using that same framework. The SSP should reference specific system names, tool names, and configuration details. Policies should be signed and dated, with version numbers and review dates. Evidence for each control should be organized and available — configuration exports, log samples, training records, access control lists.

The assessor will spend the most time on Access Control, Audit and Accountability, and System and Communications Protection — together covering more than 40 of the 110 Level 2 controls. SC.L2-3.13.8 (FIPS-validated encryption at rest) alone generates more assessment findings than almost any other control, because organizations implement encryption but can't demonstrate it's FIPS 140-3 validated. A good consultant knows this and validates your encryption implementation against the NIST Cryptographic Module Validation Program list before your assessment, not during it.

Generalist IT Firm vs. CMMC Specialist

If your organization has strong existing security controls and mainly needs help with documentation, scoping, and SPRS scoring, a generalist IT firm with CMMC experience can do the job. The documentation work benefits from CMMC knowledge but doesn't require deep C3PAO assessment experience.

If you're starting from a weak security baseline, or if you're preparing for an actual C3PAO assessment, hire a specialist — someone who has supported clients through completed C3PAO assessments and can describe what specific assessors look for. The price difference ($150–$200/hr for a generalist versus $200–$300/hr for an experienced CMMC specialist) is smaller than the cost of a failed assessment or a remediation cycle after the fact.

A gap assessment from a qualified consultant typically runs 40–80 hours for an organization with 25–100 employees and a defined CUI environment. At $200/hr, that's $8,000–$16,000. It's the most important money you'll spend in your CMMC program — it tells you exactly where you stand and what it will cost to get ready.

---

Start your search at the Cyber AB Marketplace (cyberab.org/Catalog), which lists Registered Practitioner Organizations and certified practitioners. Use it as a sourcing tool, then run the checklist above to evaluate who's actually qualified for your engagement.