Help understanding NIST SP 800-171 Compliance

old.reddit.com / @/u/TheWestCoastDood, https://old.reddit.com/user/TheWestCoastDood

Hello,

I work for an IT company and I have a local non-maintenance client that we used to manage pre-2020. They left us because they were struggling financially. Since then they have received a government contract and are doing really well. When they got a new IT company to manage their IT needs they went with a company that is in another state 3,000 miles away. They went with them because of their expertise with dealing with companies that have government contracts. It's my understanding that NIST SP 800-171 is just a set of rules that have to be met that can/will be audited. The IT company itself doesn't have some type of certification in order to manage these clients, correct? Can anyone be a consultant for NIST SP 800-171 compliance? Do we need background checks in order to manage them?

I am asking because the VP is frustrated with this company and has called me a lot for support. I am thinking we would be a better fit, as we are local and have a lot of the same systems and tech stack that this company uses. The way the VP expressed his concern is that this company is compliant with managing this stuff.

Can anyone shed some light on this or point me in the right direction? Not sure if it matters, but I was enlisted for 6 years and was in network security/server admin roles, so I understand the rules with needing firewalls, OU groups, deprovisioning users in a timely fashion, etc.


published 2 months ago