I work for a small VA-based contracting firm, and they want to become NIST 800-171 compliant. I have never worked to bring a company into compliance before and was wondering if anyone here has experience and could recommend some firms.
On another note, I have been talking to some of the IT leads from other companies working with us on contracts. They have stressed to me that most firms have a wait list on top of the 12-16 months it takes to become compliant? My upper management has stressed to me how they want to "be in a gray area" when it comes to compliance. I'm pretty sure you either are or aren't compliant. Just want to make sure when I talk to them I can properly explain my concern.
Thanks for any advice!