Custom live training that walks your team through CUI handling, all 110 NIST SP 800-171 controls, DFARS 252.204-7012 obligations, and CMMC 2.0 Level 2 readiness — taught by a working compliance assessor.
Custom training from $3,995 · Tailored to your CMMC level · Response within 1 business day
A 3-hour live training tailored to your CUI categories, your CMMC level, and your specific compliance gaps. We don't run boilerplate slides — we build a session around your actual contract obligations.
What Controlled Unclassified Information actually is, the difference between CUI Basic and CUI Specified, the categories your DoD contract pulls in, and how the ISOO CUI Registry governs the program. We cover banner markings, cover sheets, and limited dissemination controls in plain language.
Walk through the 110 security requirements across all 14 control families — Access Control, Audit and Accountability, Configuration Management, Incident Response, and the rest. We map each requirement to your environment and identify which controls you've implemented, which need work, and which need compensating controls in your POA&M.
The Safeguarding Covered Defense Information clause is the contractual mechanism that makes NIST 800-171 enforceable. We cover what triggers the 72-hour reporting clock, how to file through the DoD DIBNet portal, what forensic preservation requires, and the flow-down obligations to your subcontractors.
How CMMC 2.0 Level 2 assessment differs from a NIST 800-171 self-assessment, what evidence a C3PAO will demand, how the DoD Assessment Methodology scoring works, and exactly what to post to the Supplier Performance Risk System (SPRS) per DFARS 252.204-7019. We finish with a realistic remediation timeline.
The SSP is the single document that every assessor opens first. We cover the structure assessors expect, how to document each of the 110 requirements, the right level of detail, and how to track unimplemented requirements in a defensible Plan of Action and Milestones. Audit-ready, not check-box.
The questions assessors actually ask. The mistakes contractors actually make. Live Q&A on your specific CUI handling workflows, your supply chain, your subcontractor management, your incident response runbook. We adapt this section to whatever your team needs most.
NIST 800-171 Assessor, CMMC RP, 20+ Years DoD Compliance Experience
Carl is a working NIST 800-171 Assessor and author of several CUI, compliance, and ITAR books, whitepapers, and playbooks used by hundreds of DoD contractors. He has spent more than two decades helping DoD prime contractors and subcontractors stand up audit-ready compliance programs — building System Security Plans, leading Plan of Action and Milestones remediation, and walking teams through the DoD Assessment Methodology before SPRS scores get posted.
Every training Carl runs is informed by what he sees inside contractor environments week after week: where teams genuinely struggle with CUI marking, which NIST controls trip up actual assessments, how DFARS 252.204-7012 reporting plays out under pressure, and what a C3PAO looks for in CMMC Level 2 evidence. The training is practical because the work is practical.
Defense industrial base primes carrying DFARS 252.204-7012 down to subcontractors. Train your program offices, your security team, and your contract managers in one coordinated session.
Small and mid-sized subs who handle CUI under flow-down obligations from a prime. We focus on what you actually need to implement at your scale — without burning budget on enterprise-grade overkill.
Teams handling Controlled Technical Information (CTI), engineering drawings, and export-controlled data subject to ITAR or EAR. We cover the Specified rules that go beyond CUI Basic.
MSPs and MSSPs serving the defense industrial base who need their own teams compliant — and who advise contractor clients on NIST 800-171 implementation and CMMC Level 2 prep.
Tell us about your team. Carl B. Johnson reviews every request personally and sends back a tailored proposal and invoice within 1 business day. Custom training from $3,995.
NIST Special Publication 800-171 is the foundational standard for protecting Controlled Unclassified Information on contractor systems. It defines 110 security requirements across 14 control families that DoD contractors must implement under DFARS 252.204-7012 and that form the technical basis for CMMC 2.0 Level 2 certification.
NIST 800-171 is the technical standard — the rulebook of 110 security requirements you must implement. CMMC is the DoD assessment and certification program — the exam that verifies you have those controls in place. You implement NIST 800-171 to pass a CMMC Level 2 assessment.
Any DoD contractor or subcontractor handling Controlled Unclassified Information needs CUI and NIST 800-171 training — primes, subs at every tier, and individual employees with CUI access. DFARS 252.204-7012 and CMMC 2.0 Level 2 mandate it as part of compliance.
Custom CUI & NIST 800-171 training runs approximately 3 hours and is tailored to your team's CMMC level, the CUI categories you handle, and your specific compliance gaps.
Yes. All participants receive a certificate of completion that serves as audit-ready documentation of CUI and NIST 800-171 training compliance for DFARS and CMMC assessments.
We adapt the agenda, examples, scenarios, and Q&A to your contract obligations, your CUI categories, your CMMC target level, and the gaps your team needs to close. No boilerplate slides.