Frameworks · NIST SP 800-171 · DFARS 252.204-7012
110 requirements.
Zero room for guesswork.
With CMMC third-party assessments suspended, your self-attested SPRS score IS the compliance regime — and the Department of Justice is treating false scores as False Claims Act fraud. Lionfish gets you a score you can defend: a control-by-control assessment against all 110 requirements, an SSP and POA&Ms that hold up, and evidence organized the way assessors are trained to read it — because we train the assessors.
Self-attestation is now the battlefield
Sources: DOJ settlement announcements (Raytheon $8.4M, MORSECORP $4.6M, Georgia Tech $875K — all 2025); DFARS clause requirements; NIST SP 800-171A. Whistleblowers get a cut of FCA settlements — the MORSE relator took home $851K.
Who this is for
For everyone holding a DFARS clause
If 252.204-7012 is in your contract — or your prime's flow-down letter — this is already your obligation, suspension or not.
- ✓Defense subcontractors handling CUI — machine shops, engineering firms, electronics manufacturers, R&D shops — where the "IT department" is two people and a prayer.
- ✓Contractors whose primes demand a SPRS score before award — primes are re-ranking supplier lists by security posture right now.
- ✓MSPs serving the defense industrial base who need to run 800-171 programs for a book of DIB clients without hiring a compliance team per client.
Sound familiar?
The pain we hear on every first call
- !The score you posted is a legal statement. DOJ settlements in 2025 made a false SPRS score an existential risk — and your former IT admin is a potential whistleblower.
- !320+ objectives, one spreadsheet. 800-171's 110 requirements decompose into 320+ assessment objectives. Evidence at that grain doesn't fit in Excel.
- !A moving target. Rev 3 is published, DoD has fixed its parameters, and CMMC is being reformed — you need a system that tracks the change, not a binder that fossilizes.
The platform
How the Cyber Tackle Box™ runs your 800-171 program
The same platform that runs our CMMC Rapid Deployment engagements — because 800-171 is the backbone of both.
SSP & Policy Templates
A System Security Plan built from proven structure, plus the policy set behind every one of the 14 requirement families.
Honest SPRS Scoring
Control-by-control assessment with the real DoD scoring methodology — a number you can post, defend, and improve on a plan.
POA&Ms That Close
Gaps become assigned, dated Plans of Action & Milestones driven to closure — the heart of remediation, managed as living work.
Evidence & the Intel Hub
Artifacts organized by requirement and objective, timestamped and exportable — plus regulatory intel so Rev 3 and CMMC reform never surprise you.
Assessment Playbooks
Runbooks built by instructors who teach the official CCA curriculum — you prepare against the same standard assessors are trained on.
Workforce Training
The awareness and role-based training 800-171 requires (3.2.x), delivered so your people actually finish it — tracked per person.
Why Lionfish
A platform with humans attached
Practitioners, not just software
Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.
One system of record
Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.
Veteran-owned & battle-tested
SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.
Straight answers
800-171 questions we answer every week
Does the CMMC suspension change my 800-171 obligations?
No. On July 13, 2026 the Department of War suspended CMMC Phase II pending a reform review — but DFARS 252.204-7012 contractual obligations, 7019/7020 SPRS posting requirements, and Phase 1 self-assessments all continue. If anything, the suspension raises the stakes on self-attestation accuracy, because the False Claims Act is now the primary enforcement vector.
What SPRS score do I actually need?
The scoring range runs from −203 to +110, and a perfect implementation of all 110 requirements scores 110. Practically: primes compare subs against each other, contracting officers can see your number, and posting a score you can't evidence is the fact pattern behind the 2025 DOJ settlements. Get assessed honestly first — then improve on a documented plan.
Rev 2 or Rev 3 — which applies to me?
Rev 2 (110 requirements) remains the contractual baseline under DFARS via DoD's class deviation. Rev 3 (97 requirements, 88 DoD-defined parameters) is published and DoD has fixed its parameter values — a clear signal it's coming. We track your program against Rev 2 today and map the Rev 3 delta so the transition is a diff, not a do-over.
How is this different from your CMMC service?
Same backbone, different destination. 800-171 is the control set; CMMC is the certification program built on top of it. Our CMMC: Rapid Deployment engagements take you through assessment readiness; this program keeps your 800-171 posture and SPRS score defensible in the meantime — and everything done here counts toward whatever the CMMC reform produces.
Get in touch
Get an 800-171 score you can defend
Tell us about your DFARS clauses and your current SPRS posture — or that you don't know it, which is the most common answer. Straight assessment within one business day.
- 1We reply within one business day — usually faster.
- 2A 30-minute call with someone who can actually answer your questions.
- 3A straight recommendation — even if it's that you don't need us yet.
Prefer to skip the form? Book a time directly or call 1-877-732-6772.