For DoD & DOE subcontractors
NIST 800-171 self-assessment support — without the audit-prep theater
Z1 Networks helps Tri-Valley defense and national-lab subcontractors meet NIST 800-171 — building the System Security Plan and POA&M, implementing controls on commercial Microsoft 365, and raising your SPRS score honestly. Full CMMC certification audit prep and GCC High migrations are referred to specialist partners, openly.
Get My Free Gap Analysis“Your prime wants an SPRS score, and yours is a guess”
The flow-down letter asks for your NIST 800-171 self-assessment score, and whatever number was posted years ago no longer describes your environment — if it ever did. Inflated scores submitted to the government have become False Claims Act cases; a truthful score with a plan is the only safe position.
“110 requirements, and no IT department”
The 800-171 control set was written for organizations with security staff. A 20-person machine shop or engineering firm has a contract clause, a spreadsheet, and a deadline. The work is doable on commercial Microsoft 365 — but not by improvisation.
“The CMMC clock is running”
From November 10, 2026, CMMC Level 2 certification requirements begin appearing in applicable new solicitations. Whatever level your contracts end up requiring, a truthful SSP, a worked POA&M, and a rising score are the foundation — and they take months, not weeks.
What your company gets
A real System Security Plan
The SSP written against your actual environment — the document every assessment, prime inquiry, and certification path starts from.
A worked POA&M
Every gap dated and owned, with the remediation actually happening — because a plan of action nobody actions is just a confession with milestones.
An SPRS score you can defend
Scored honestly under the DoD methodology, submitted properly, and raised over time — with the evidence to survive a prime's due diligence.
Controls on commercial Microsoft 365
Many of the 110 requirements are met by configuring the tenant you already own — hardening, access control, logging, and encryption done to the standard.
A note on honesty: this niche is full of vendors selling certification promises. Our scope is deliberately narrower — the self-assessment foundation, done truthfully on the tenant you already own. When you need the specialists, we hand you to them by name.
Scope, stated plainly
- DFARS 252.204-7012 / 7019 / 7020:
- The contract clauses requiring 800-171 implementation, a current self-assessment in SPRS, and support for government assessment.
- What we do:
- Self-assessment support: SSP, POA&M, control implementation on commercial M365, SPRS scoring and improvement, and the managed security layer underneath.
- What we refer out:
- CMMC Level 2 C3PAO certification audit preparation and GCC High migrations go to specialist partners we trust. If your CUI or ITAR data requires a government cloud, we'll say so early — and can take on the managed layer after migration.
Local to the Tri-Valley
Livermore's national laboratories anchor an ecosystem of engineering and manufacturing subcontractors across the Tri-Valley — that's where most of this work finds us. Based in Pleasanton, on-site the same day across all five cities.
Pleasanton · Dublin · Livermore · San Ramon · Danville
Common questions
Do you do CMMC certification prep?
No — and we'd rather tell you that in the first paragraph than the last meeting. Our scope is NIST 800-171 self-assessment support: the SSP, the POA&M, control implementation, and SPRS scoring. When you need C3PAO certification audit preparation, we refer you to specialist partners by name. The foundation work we do is required either way, and none of it is wasted.
What is an SPRS score, and why does my prime keep asking about it?
SPRS is the DoD's Supplier Performance Risk System — the database where your NIST 800-171 self-assessment score lives. Primes check it because their contracts require flowing the obligation down to you, and your score is their paper trail. A missing or ancient score makes you the risky line item in their supply chain; a truthful, improving one keeps you on the bid list.
We're a subcontractor in the labs' supply chain. Can you handle NIST 800-171?
Yes, with a clear scope: we support NIST 800-171 self-assessment — building your SSP and POA&M, implementing controls, and improving your SPRS score on commercial Microsoft 365. If you need full CMMC Level 2 certification audit prep or a GCC High migration, we'll refer you to a specialist partner rather than learn on your dime.
Do we need GCC High?
Only sometimes. If your contracts involve ITAR data or specify certain federal cloud requirements, a government cloud may be genuinely required — and if so, we'll tell you early and refer the migration to a specialist partner. Many subcontractors handling ordinary CUI can meet their 800-171 obligations on properly configured commercial Microsoft 365, which costs dramatically less. The honest answer depends on your data, and that's the first thing we scope.
Find out what your score actually is
We'll review your environment against the 110 requirements and give you an honest read — score, gaps, and the realistic path up.
Get My Free Gap Analysis30-minute findings presentation. No obligation.