Plain English Guide to NIST 800-171: CMMC Compliance Without the Overwhelm - EP #17
Author: CMMC Compliance Guide
Uploaded: 2025-05-02
Views: 1005
Feeling overwhelmed by CMMC compliance and NIST 800-171’s 110 controls? You’re not alone — but you don’t have to be stuck.
In this episode of the CMMC Compliance Guide Podcast, Brooke and Austin break down NIST 800-171 Revision 2 in plain English — no government-speak, no tech jargon — so you can finally understand what each control family means for your business.
You'll learn:
✅ What NIST 800-171 really requires (and why it matters for your SPRS score)
✅ How to tackle key control families like Access Control, Awareness & Training, and Audit & Accountability
✅ The critical mistakes contractors make (and how to avoid them)
✅ Why documentation is the #1 secret weapon for CMMC success
✅ Real-world tips for manufacturing, machine shop, and aerospace contractors navigating CMMC Level 2
🔥 Don’t wait until an assessor says “No Soup for You” — build a compliance system that actually protects your business and wins contracts.
👉 Need help fast-tracking your compliance journey? Visit https://cmmccomplianceguide.com to download free resources or schedule a discovery call.
🎧 Listen, learn, and stay compliant. Hit LIKE and SUBSCRIBE for more real-world CMMC guidance!
TIMESTAMPS
00:00 – Intro: What to Expect from Today’s Episode
00:37 – What is NIST 800-171 and Why It Matters
02:22 – What’s the SPRS Score and Where You Enter It
03:48 – What Are Control Families (and Why They Matter)
04:33 – Access Control (Who Can Access What)
09:17 – Shared Accounts in Manufacturing – Real Talk
14:08 – Admin Rights, Local Users, and Least Privilege
16:31 – Awareness and Training (What You Must Track)
19:00 – DoD Mandatory CUI Training – Gotchas
20:19 – Documenting Access Control the Right Way
22:02 – Audit and Accountability (What You Must Log)
25:36 – Why You Probably Need a SIEM + SOC Team
29:10 – Configuration Management (Don’t Skip This One)
32:44 – Why IT Teams Often Miss Config Baselines
34:51 – Identification and Authentication (MFA Musts)
38:50 – Windows Hello for Business as MFA
40:12 – Incident Response (Why You Need a Plan)
44:12 – Reporting Timeline + Certificate Warning
47:30 – Real-Life Incident Story – MFA Saves the Day
50:45 – Maintenance (Proof of Patching & Escorting Vendors)
52:28 – Media Protection (Encrypting USBs & Paper CUI)
56:55 – FIPS Validated Encryption vs. “Compliant”
59:04 – Personnel Security (Screening & Offboarding)
01:00:57 – Physical Protection (Locks, Logs, & Keys)
01:02:48 – Risk Assessment (Vulnerability Scans & Gaps)
01:04:40 – Security Assessment (Review Your Controls)
01:06:03 – System & Communications Protection
01:08:08 – System & Information Integrity (Patch Everything)
01:10:38 – Most Commonly Missed Requirement (Documentation)
01:13:44 – “No Soup for You” if You Don’t Document It
01:15:25 – Outro
#CMMC #CMMCCompliance #NIST800171 #DFARS #CybersecurityCompliance #ManufacturingCompliance #DefenseContractor #CUIProtection #SPRSScore #AccessControl #CybersecurityPodcast