NIST 800-171 Compliance for Small Contractors

Some DoD contractors and subs are very small businesses — sometimes companies of just one person. But the NIST compliance requirements apply to all contractors. So what should a small business owner expect? How does a one-man shop handle documentation with CyberConfirm?

CyberConfirm’s resident cyber expert recently reported on a meeting he took part in where these very issues were discussed.

“The topic (of small businesses) was actually discussed with the DoD Cyber Team creating the CMMC regulations,” Linlor said one day after that meeting. “NIST 800-171 and CMMC are both focused primarily on mid- to large-sized firms. But the vast majority of the innovation and contracting companies are small businesses, some even one-person operations.”

“In short, know that we are advocating for small firms, looking for solutions that are tailored or pre-set based on the number of employees, business setup, etc.,” Linlor continued.

For the current version of the required NIST 800-171 documentation, the best approach is to answer ‘yes’ or ‘no’ to each control exactly as presented, then note at the end of each Requirement that you are a one-person shop and state exactly where you stand at the moment. That will have you in full NIST 800-171 compliance.

In the meantime, CyberConfirm will continue to relay feedback to the DoD CMMC team in their working sessions.

CyberConfirm documentation software is future-proofed: when the new CMMC requirements are formalized, CyberConfirm will notify every customer that an update to our software is available. Then customers can re-purpose their existing answer data into an updated version of each SSP and POAM, pre-tailored for a selectable “small business” CMMC level.

Of course, we will also provide guidance on how to choose that level, and the obligations and opportunities each level will afford and require…