Portfolio Case Study — 2026

NIST SP 800-171
Readiness Assessment

A comprehensive internal audit and gap analysis for a real estate development firm with Department of Defense contract obligations. The engagement evaluated 107 security controls across 14 families, identified 20 findings, and delivered a prioritized remediation roadmap with an estimated $4k–$8k implementation budget.

0 Controls Assessed
0 Professional Findings
0 Deliverables Produced
0 Week Engagement

Engagement Background

A 20-employee real estate development firm contracted by the Department of Defense required a NIST SP 800-171 readiness assessment to meet DFARS 252.204-7012 compliance obligations flowed down from their prime contractor.

The Client: A real estate development and property management firm designing, building, and managing residential housing communities—including military family housing under DoD contract. The prime contractor's agreement included DFARS 252.204-7012, requiring the firm to safeguard Covered Defense Information (CDI) and Controlled Unclassified Information (CUI).

The Challenge: This was the organization's first formal cybersecurity assessment. They had no System Security Plan (SSP), no Incident Response Plan, limited IT staff (2 people), and no visibility into their compliance posture. The CUI status of their contract data was unclear—no formal CUI markings existed on any documents, requiring a conservative risk-based determination.

My Role: Lead Consultant — responsible for the full assessment lifecycle: project planning, stakeholder interviews, technical verification, control assessment, findings documentation, and remediation roadmap. I produced 18 deliverables over a 6-week engagement period.

The Approach: A multi-method readiness assessment combining document review, personnel interviews, technical configuration verification, and physical observation across 3 locations. Evidence was triangulated across multiple sources to ensure findings were defensible and actionable.

Framework

NIST SP 800-171 Rev 2

Duration

6 Weeks (Jul–Aug 2026)

Organization Size

20 Employees • 5 Departments

Compliance Driver

DFARS 252.204-7012

Systems in Scope

8 Systems + 2 Cloud Tenants

Assets Inventoried

70+ Hardware & Software Assets

Locations Assessed

3 Sites + Remote Workers

CUI Determination

Conservative — Treat as CUI

How the Assessment Was Conducted

A structured 4-phase methodology combining document analysis, personnel interviews, technical configuration review, and physical observation across 18 discrete deliverables.

01

Plan & Scope

Project plan, RASCI chart, company profile, business context, scope definition, system boundary

02

Discover & Map

Asset inventory, data flow diagrams, CUI identification, applicable requirements filtering

03

Assess & Verify

Evidence collection, 7 interview sessions, 45+ technical procedures, 107 control ratings

04

Report & Roadmap

20 findings, gap analysis, costed remediation plan, 12-month compliance roadmap, final report

Four Methods of Verification

Every control was assessed using at least two independent evidence sources to ensure findings were corroborated and defensible.

Document Review

Policies, procedures, plans, contracts, and training records evaluated against NIST requirements for completeness and currency

Personnel Interviews

7 structured sessions across Executive, IT, Property Management, Construction, and Admin roles using role-specific question banks

Technical Testing

Configuration review, log analysis, network segmentation verification, encryption checks, and endpoint sampling across 8 workstations

Physical Observation

Site walkthroughs of head office, property management offices, server room, and remote work environments

The 18-Deliverable Audit Package

Every deliverable was organized into a traceable folder structure, each building on the previous to produce a complete and defensible audit record.

01-Project-Planning Engagement overview, RASCI, timeline, risk register
02-Company-Profile  →  03-Business-Context Organizational understanding → Operational mapping
04-Scope  →  05-Boundary  →  06-Assets  →  07-Data-Flow Technical environment mapping
08-CUI-ID  →  09-Applicable-Reqs  →  10-Methodology Framework alignment & assessment approach
11-Evidence-Plan  →  12-Checklist  →  13-Interviews  →  14-Tech-Verification Field tools & collection artifacts
15-Control-Assessment  →  16-Findings  →  17-Gap-Analysis Results & analysis
18-Final-Report The single authoritative deliverable

Assessment Results at a Glance

Key metrics, compliance scores, risk severity, and remediation timeline extracted from the assessment data.

Compliance Score 53% Fully Implemented
53% of 107 controls
Implemented
53%
Partial
22%
Not Impl.
11%
N/A
6%
No Evidence
8%
Risk Heatmap — by Family 14 Families

Pattern: Governance families (AT, CM, IR, RA, CA) are weakest. Technical families (IA, PE, SC) are strongest. Typical for a first-time assessment.

Remediation Roadmap — 12 Months ~266 Hours • $4k–$8k Budget
Foundation
MFA, MDM, NAS encryption, vulnerability scanning, log review
30 days
Governance
SSP, IR Plan, POA&M, data classification, VPN full-tunnel
90 days
Maturation
CIS baselines, role-based training, media sanitization
180 days
Sustain
Annual assessment, POA&M close-out, CMMC preparation
365 days
$500–2kTools & licensing
$3k–5kConsultant (SSP)
$500–1kTraining & destruction
MinimalStaff time only
Sample Deliverable Previews Redacted for Confidentiality

Representative excerpts from the assessment deliverables. All client-identifying information has been removed.

Download Assessment Summary

Generate a printable executive summary report or download the full findings register.

Full Deliverables
53% Compliance Score
20 Findings
107 Controls Assessed
18 Deliverables

Key Assessment Findings

20 findings identified across 14 control families. Each finding includes evidence references, risk assessment, business impact, and a specific actionable recommendation.

3 Critical
7 High
7 Medium
3 Low
Critical No System Security Plan Exists NIST 3.12.4

The CUI system operates without an approved SSP. No documentation of the security boundary, control implementation, or responsible personnel exists. This is a foundational DFARS requirement and would be an immediate gap in any third-party assessment.

Critical No Incident Response Plan NIST 3.6.1–3

Incident handling is performed ad hoc. The IT Manager was unaware of the DFARS 72-hour cyber incident reporting requirement to the DoD. No tabletop exercises or IR testing has ever been conducted.

Critical Multifactor Authentication Not Fully Deployed NIST 3.5.3

MFA is enforced for M365 cloud access, but approximately 40% of access paths to CUI/PII systems lack MFA—including VPN remote access, Property Management SaaS, and MSP maintenance connections.

High NAS File Server Lacks Encryption at Rest NIST 3.13.14

The primary CUI document repository stores data in plaintext. Physical theft of the NAS or its drives would expose all contract documents and PII without any authentication barrier.

High BYOD / Mobile Device Management Not Implemented NIST 3.1.18–19

An estimated 10–12 personal smartphones access corporate email and potentially CUI without device compliance enforcement. No MDM solution deployed. No remote wipe capability exists for lost devices.

High No Vulnerability Scanning Program NIST 3.11.2–3

No vulnerability scanning is performed on any system. The organization has no visibility into system vulnerabilities beyond what Windows Update reports. Network devices, NAS, and cloud services are never scanned.

All 20 findings are documented in the full Findings Register with evidence references, risk ratings, and remediation recommendations.

Complete Audit Package

18 professional documents delivered as part of the engagement, organized by phase from initial planning through final reporting. Every document follows consulting-quality standards with version control and confidentiality markings.

Phase 1

Project Planning Document

Engagement overview, scope, RASCI chart, 6-week timeline, deliverables register, communication plan, project risk register

Phase 2

Company Profile

Organizational overview, industry context, regulatory environment (DFARS, CMMC, state breach laws), compliance driver analysis

Phase 3

Business Context

Operational model across 3 environments, workforce profile (60% field-based), technology dependencies, third-party risk assessment, pain points

Phase 4

Scope Definition

In-scope locations (3), systems (8+2 cloud), personnel (20), data categories, explicit exclusions with rationale, scope diagram, sign-off section

Phase 5

System Boundary

Security Protection Asset boundary, detailed network diagram, 20+ boundary components, user access paths, cloud shared responsibility model

Phase 6

Asset Inventory

70+ assets catalogued with IDs (SRV-NAS-001, HQ-WKS-001, etc.), locations, owners, CUI/PII classifications, BYOD risk flags

Phase 7

Data Flow Diagram

5 data flow narratives, trust boundary analysis (TB0-TB4), 8 risk observations, verification plan, Mermaid-based visual diagram

Phase 8

CUI Identification

CUI Registry review, evidence analysis of 4 contract data types, formal determination with conservative approach, 5 recommendations to client

Phase 9

Applicable Requirements

107 applicable controls across 14 families, 6 N/A with documented rationale, 113 total requirements enumerated (sub-parts separated)

Phase 10

Assessment Methodology

4-method evidence triangulation approach, rating scale with precise definitions, sampling methodology, 9 documented limitations

Phase 11

Evidence Collection Plan

80+ evidence items requested with IDs (EVD-AC-01), source, method, priority, schedule, evidence register template, format requirements

Phase 12

Audit Checklist

Complete field tool — all 107 controls with test procedures, assessment criteria, cross-referenced evidence IDs, and result fields

Phase 13

Interview Questions

Role-specific question banks for 7 stakeholder types, process walkthrough prompts, 5 detailed walkthrough scenarios, documentation template

Phase 14

Technical Verification Plan

45+ verification procedures across network, server, endpoint (8 sampled), M365 cloud, PM SaaS, mobile, and physical observation

Phase 15

Control Assessment Matrix

Full assessment results: 57 I, 23 PI, 12 NI, 6 N/A, 9 not assessed, with evidence summaries and rationale for every rating

Phase 16

Findings Register

20 professional findings with standardized format: description, evidence, risk, impact, recommendation, priority, NIST reference

Phase 17

Gap Analysis & Remediation Plan

12-month roadmap, effort-vs-impact priority matrix, cost estimates ($4k-8k), owners, target dates, risk acceptance criteria

Phase 18

Final Readiness Report

Executive summary, scope, methodology, results by family, strengths/weaknesses, compliance score (53%), 12-month roadmap, appendices

What Changed Because of This Assessment

Tangible outcomes delivered to the client that directly improved their security posture and compliance position.

Visibility Established

The organization moved from having zero documented security posture to a complete 107-control baseline with evidence-backed ratings. For the first time, they could show their prime contractor exactly where they stood.

Actionable 12-Month Roadmap

Instead of a list of problems, the client received a prioritized, costed plan with owners and target dates. Estimated $4k–$8k total investment to reach a posture suitable for formal assessment.

18 Professional Deliverables

The complete audit package serves as the foundation for the SSP, POA&M, and CMMC preparation. The organization now has the documentation framework required for DFARS compliance.

3 Critical Risks Communicated

The missing SSP, absent IR Plan, and MFA gaps were escalated to the Executive Sponsor with clear risk scenarios. Budget approval was obtained for the first phase of remediation during the engagement.

Cloud Security Improvements

M365 Conditional Access policies were reviewed and enhanced. External sharing restrictions were tightened. Recommendations for MDM/MAM deployment were accepted for immediate action.

Contract Risk Mitigated

By identifying the IR Plan gap and DFARS 72-hour reporting requirement, the organization avoided a potential contract compliance violation. The IT Manager was trained on reporting obligations.

Lessons Learned

Personal observations from the engagement that shaped my approach to compliance consulting.

01

Governance gaps are harder to fix than technical gaps

A missing MFA setting can be enabled in 10 minutes. A missing SSP takes weeks to write because it requires organizational decisions about boundary, ownership, and risk tolerance. The bulk of remediation time in small organizations is governance, not technology.

02

"Paper compliance" is a real risk, but so is reverse

Some controls exist in policy but not in practice (e.g., termination procedures). Some exist in practice but not in policy (e.g., patching). The interview walkthrough is the only way to catch both gaps. Never rely on document review alone.

03

Small organizations need scaled recommendations

Recommending a 24/7 SIEM with dedicated SOC analysts to a 20-person company is not helpful. The best recommendations meet the organization where it is—Microsoft Intune for MDM (included in their existing license), CIS Benchmarks (free), and monthly vulnerability scanning with open-source tools.

04

The CUI determination is never black and white

In real engagements, CUI markings are frequently absent even when CUI exists. The conservative approach—treating potential CUI as CUI—is the only professionally defensible position. Documenting the determination protects both the consultant and the client.

05

Findings without business impact are ignored

"No SSP" sounds like a paperwork problem to executives. "Without an SSP, your DoD contract is at risk and CMMC certification cannot be achieved" gets budget approved. Every finding must connect back to the compliance driver the client cares about.

Let's Connect

Interested in the full assessment deliverables or discussing how a similar engagement could help your organization?

This case study contains anonymized client information. Full assessment deliverables are available for review under NDA.