Plain English Guide to NIST 800-171: CMMC Compliance Without the Overwhelm - EP #17
Feeling overwhelmed by CMMC compliance and NIST 800-171’s 110 controls? You’re not alone — but you don’t have to be stuck. In this episode of the CMMC Compliance Guide Podcast, Brooke and Austin break down NIST 800-171 Revision 2 in plain English — no government-speak, no tech jargon — so you can finally understand what each control family means for your business.

You'll learn:
✅ What NIST 800-171 really requires (and why it matters for your SPRS score)
✅ How to tackle key control families like Access Control, Awareness & Training, and Audit & Accountability
✅ The critical mistakes contractors make (and how to avoid them)
✅ Why documentation is the #1 secret weapon for CMMC success
✅ Real-world tips for manufacturing, machine shop, and aerospace contractors navigating CMMC Level 2

🔥 Don’t wait until an assessor says “No Soup for You” — build a compliance system that actually protects your business and wins contracts.

👉 Need help fast-tracking your compliance journey? Visit https://cmmccomplianceguide.com to download free resources or schedule a discovery call.

🎧 Listen, learn, and stay compliant. Hit LIKE and SUBSCRIBE for more real-world CMMC guidance!
TIMESTAMPS
00:00 – Intro: What to Expect from Today’s Episode
00:37 – What is NIST 800-171 and Why It Matters
02:22 – What’s the SPRS Score and Where You Enter It
03:48 – What Are Control Families (and Why They Matter)
04:33 – Access Control (Who Can Access What)
09:17 – Shared Accounts in Manufacturing – Real Talk
14:08 – Admin Rights, Local Users, and Least Privilege
16:31 – Awareness and Training (What You Must Track)
19:00 – DoD Mandatory CUI Training – Gotchas
20:19 – Documenting Access Control the Right Way
22:02 – Audit and Accountability (What You Must Log)
25:36 – Why You Probably Need a SIM + SOC Team
29:10 – Configuration Management (Don’t Skip This One)
32:44 – Why IT Teams Often Miss Config Baselines
34:51 – Identification and Authentication (MFA Musts)
38:50 – Windows Hello for Business as MFA
40:12 – Incident Response (Why You Need a Plan)
44:12 – Reporting Timeline + Certificate Warning
47:30 – Real-Life Incident Story – MFA Saves the Day
50:45 – Maintenance (Proof of Patching & Escorting Vendors)
52:28 – Media Protection (Encrypting USBs & Paper CUI)
56:55 – FIPS Validated Encryption vs. “Compliant”
59:04 – Personnel Security (Screening & Offboarding)
01:00:57 – Physical Protection (Locks, Logs, & Keys)
01:02:48 – Risk Assessment (Vulnerability Scans & Gaps)
01:04:40 – Security Assessment (Review Your Controls)
01:06:03 – System & Communications Protection
01:08:08 – System & Information Integrity (Patch Everything)
01:10:38 – Most Commonly Missed Requirement (Documentation)
01:13:44 – “No Soup for You” if You Don’t Document It
01:15:25 – Outro

#CMMC #CMMCCompliance #NIST800171 #DFARS #CybersecurityCompliance #ManufacturingCompliance #DefenseContractor #CUIProtection #SPRSScore #AccessControl #CybersecurityPodcast


