NIST 800-171 Do-It-Yourself Compliance Class Update, More Training Scheduled
CyberDefenses hosted my third NIST 800-171 DIY Controlled Unclassified Information (CUI) class the second week of September and, according to the students, it went really well. The class continues to evolve: from four separate webinars, to an on-premises two-day class, to an online two-day class. This version allowed time to add a three-hour security control and standards practical exercise to the four modules:

  • Part 1 – CUI – Brace yourself
  • Part 2 – Build cybersecurity
  • Part 3 – CUI Self-Assessment
  • Part 4 – CUI Self-Attestation

It’s become clear that many companies aren’t ready for the DFARS and FAR contract information security requirements, which cover 110 information security controls. To assist, CyberDefenses and I created the DIY class to establish initial compliance through self-assessment, documenting security control implementation, and creating a high-level Plan of Actions & Milestones (POA&M). Class materials include a detailed checklist with controls, standards, and a POA&M framework sufficient to meet most requirements for December 2017 compliance. Also included is a self-attestation template for companies to provide to their downstream suppliers and sub-contractors.

We’ll soon add an online self-assessment tool providing both DoD and Federal contractors a streamlined method to identify their strengths and weaknesses. And within a week or so we’ll publish a CUI-specific Written Information Security Program (CUI-WISP) bundle with customizable templates for documenting an auditable compliance package. A pre-release version of the bundle is available at

The class fee is $495; the full amount can be applied to the separate $1,995 CUI-WISP bundle price.

Class registration for online classes Oct 9-11, Nov 13-14, and Dec 5-6 is open now at

New to NIST 800-171 planning? Here is an overview that will help you and your colleagues accelerate your strategies:

About the author

Dave Gray

Dave Gray is a CISSP, CAP and PMP certified cybersecurity leader skilled in securing information systems to achieve information confidentiality, integrity and availability. Dave’s focus is Governance, Risk Management and Compliance (GRC) using the information security frameworks established by the National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) 20 Critical Security Controls; his implementation focus areas are NIST 800-171, NIST 800-53 and CIS CSC 20.