A comprehensive internal audit and gap analysis for a real estate development firm with Department of Defense contract obligations. The engagement evaluated 107 security controls across 14 families, identified 20 findings, and delivered a prioritized remediation roadmap with an estimated $4k–$8k implementation budget.
A 20-employee real estate development firm contracted by the Department of Defense required a NIST SP 800-171 readiness assessment to meet DFARS 252.204-7012 compliance obligations flowed down from their prime contractor.
The Client: A real estate development and property management firm designing, building, and managing residential housing communities—including military family housing under DoD contract. The prime contractor's agreement included DFARS 252.204-7012, requiring the firm to safeguard Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).
The Challenge: This was the organization's first formal cybersecurity assessment. They had no System Security Plan (SSP), no Incident Response Plan, limited IT staff (2 people), and no visibility into their compliance posture. The CUI status of their contract data was unclear—no formal CUI markings existed on any documents, requiring a conservative risk-based determination.
My Role: Lead Consultant — responsible for the full assessment lifecycle: project planning, stakeholder interviews, technical verification, control assessment, findings documentation, and remediation roadmap. I produced 18 deliverables over a 6-week engagement period.
The Approach: A multi-method readiness assessment combining document review, personnel interviews, technical configuration verification, and physical observation across 3 locations. Evidence was triangulated across multiple sources to ensure findings were defensible and actionable.
NIST SP 800-171 Rev 2
6 Weeks (Jul–Aug 2026)
20 Employees • 5 Departments
DFARS 252.204-7012
8 Systems + 2 Cloud Tenants
70+ Hardware & Software Assets
3 Sites + Remote Workers
Conservative — Treat as CUI
A structured 4-phase methodology combining document analysis, personnel interviews, technical configuration review, and physical observation across 18 discrete deliverables.
Project plan, RASCI chart, company profile, business context, scope definition, system boundary
Asset inventory, data flow diagrams, CUI identification, applicable requirements filtering
Evidence collection, 7 interview sessions, 45+ technical procedures, 107 control ratings
20 findings, gap analysis, costed remediation plan, 12-month compliance roadmap, final report
Every control was assessed using at least two independent evidence sources to ensure findings were corroborated and defensible.
Policies, procedures, plans, contracts, and training records evaluated against NIST requirements for completeness and currency
7 structured sessions across Executive, IT, Property Management, Construction, and Admin roles using role-specific question banks
Configuration review, log analysis, network segmentation verification, encryption checks, and endpoint sampling across 8 workstations
Site walkthroughs of head office, property management offices, server room, and remote work environments
Every deliverable was organized into a traceable folder structure, each building on the previous to produce a complete and defensible audit record.
Key metrics, compliance scores, risk severity, and remediation timeline extracted from the assessment data.
Pattern: Governance families (AT, CM, IR, RA, CA) are weakest. Technical families (IA, PE, SC) are strongest. Typical for a first-time assessment.
Representative excerpts from the assessment deliverables. All client-identifying information has been removed.
Generate a printable executive summary report or download the full findings register.
20 findings identified across 14 control families. Each finding includes evidence references, risk assessment, business impact, and a specific actionable recommendation.
The CUI system operates without an approved SSP. No documentation of the security boundary, control implementation, or responsible personnel exists. This is a foundational DFARS requirement and would be an immediate gap in any third-party assessment.
Incident handling is performed ad hoc. The IT Manager was unaware of the DFARS 72-hour cyber incident reporting requirement to the DoD. No tabletop exercises or IR testing has ever been conducted.
MFA is enforced for M365 cloud access, but approximately 40% of access paths to CUI/PII systems lack MFA—including VPN remote access, Property Management SaaS, and MSP maintenance connections.
The primary CUI document repository stores data in plaintext. Physical theft of the NAS or its drives would expose all contract documents and PII without any authentication barrier.
An estimated 10–12 personal smartphones access corporate email and potentially CUI without device compliance enforcement. No MDM solution deployed. No remote wipe capability exists for lost devices.
No vulnerability scanning is performed on any system. The organization has no visibility into system vulnerabilities beyond what Windows Update reports. Network devices, NAS, and cloud services are never scanned.
All 20 findings are documented in the full Findings Register with evidence references, risk ratings, and remediation recommendations.
18 professional documents delivered as part of the engagement, organized by phase from initial planning through final reporting. Every document follows consulting-quality standards with version control and confidentiality markings.
Engagement overview, scope, RASCI chart, 6-week timeline, deliverables register, communication plan, project risk register
Organizational overview, industry context, regulatory environment (DFARS, CMMC, state breach laws), compliance driver analysis
Operational model across 3 environments, workforce profile (60% field-based), technology dependencies, third-party risk assessment, pain points
In-scope locations (3), systems (8+2 cloud), personnel (20), data categories, explicit exclusions with rationale, scope diagram, sign-off section
Security Protection Asset boundary, detailed network diagram, 20+ boundary components, user access paths, cloud shared responsibility model
70+ assets catalogued with IDs (SRV-NAS-001, HQ-WKS-001, etc.), locations, owners, CUI/PII classifications, BYOD risk flags
5 data flow narratives, trust boundary analysis (TB0-TB4), 8 risk observations, verification plan, Mermaid-based visual diagram
CUI Registry review, evidence analysis of 4 contract data types, formal determination with conservative approach, 5 recommendations to client
107 applicable controls across 14 families, 6 N/A with documented rationale, 113 total requirements enumerated (sub-parts separated)
4-method evidence triangulation approach, rating scale with precise definitions, sampling methodology, 9 documented limitations
80+ evidence items requested with IDs (EVD-AC-01), source, method, priority, schedule, evidence register template, format requirements
Complete field tool — all 107 controls with test procedures, assessment criteria, cross-referenced evidence IDs, and result fields
Role-specific question banks for 7 stakeholder types, process walkthrough prompts, 5 detailed walkthrough scenarios, documentation template
45+ verification procedures across network, server, endpoint (8 sampled), M365 cloud, PM SaaS, mobile, and physical observation
Full assessment results: 57 I, 23 PI, 12 NI, 6 N/A, 9 not assessed, with evidence summaries and rationale for every rating
20 professional findings with standardized format: description, evidence, risk, impact, recommendation, priority, NIST reference
12-month roadmap, effort-vs-impact priority matrix, cost estimates ($4k-8k), owners, target dates, risk acceptance criteria
Executive summary, scope, methodology, results by family, strengths/weaknesses, compliance score (53%), 12-month roadmap, appendices
Tangible outcomes delivered to the client that directly improved their security posture and compliance position.
The organization moved from having zero documented security posture to a complete 107-control baseline with evidence-backed ratings. For the first time, they could show their prime contractor exactly where they stood.
Instead of a list of problems, the client received a prioritized, costed plan with owners and target dates. Estimated $4k–$8k total investment to reach a posture suitable for formal assessment.
The complete audit package serves as the foundation for the SSP, POA&M, and CMMC preparation. The organization now has the documentation framework required for DFARS compliance.
The missing SSP, absent IR Plan, and MFA gaps were escalated to the Executive Sponsor with clear risk scenarios. Budget approval was obtained for the first phase of remediation during the engagement.
M365 Conditional Access policies were reviewed and enhanced. External sharing restrictions were tightened. Recommendations for MDM/MAM deployment were accepted for immediate action.
By identifying the IR Plan gap and DFARS 72-hour reporting requirement, the organization avoided a potential contract compliance violation. The IT Manager was trained on reporting obligations.
Personal observations from the engagement that shaped my approach to compliance consulting.
A missing MFA setting can be enabled in 10 minutes. A missing SSP takes weeks to write because it requires organizational decisions about boundary, ownership, and risk tolerance. The bulk of remediation time in small organizations is governance, not technology.
Some controls exist in policy but not in practice (e.g., termination procedures). Some exist in practice but not in policy (e.g., patching). The interview walkthrough is the only way to catch both gaps. Never rely on document review alone.
Recommending a 24/7 SIEM with dedicated SOC analysts to a 20-person company is not helpful. The best recommendations meet the organization where it is—Microsoft Intune for MDM (included in their existing license), CIS Benchmarks (free), and monthly vulnerability scanning with open-source tools.
In real engagements, CUI markings are frequently absent even when CUI exists. The conservative approach—treating potential CUI as CUI—is the only professionally defensible position. Documenting the determination protects both the consultant and the client.
"No SSP" sounds like a paperwork problem to executives. "Without an SSP, your DoD contract is at risk and CMMC certification cannot be achieved" gets budget approved. Every finding must connect back to the compliance driver the client cares about.