$6,075.00 $4,860.00
(You save $1,215.00)

Bundle 1: CMMC Level 1 (NIST CSF & FAR)

Email Delivery Within 1-2 Business Days


CMMC 2.0 (Foundational) Level 1 - NIST CSF & FAR 52.204-21 Policies, Standards & Procedures - CMMC Level 1 (20% discount)

This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing NIST CSF & FAR:

NIST CSF-based cybersecurity documentation bundle. The NIST Cybersecurity Framework (CSF) and FAR 52.204-21-based Cybersecurity & Data Protection Program (CDPP) is a set of cybersecurity policies and standards tailored for Cybersecurity Maturity Model Certification (CMMC) Level 1 organizations that do not need to address the more rigorous requirements found in NIST 800-171 or more advanced CMMC levels. This product is ideal for organizations that need to align with a cybersecurity framework and meet CMMC Level 1 requirements.


While the DoD does not have explicit requirements for "policies and procedures" written into CMMC Level 1 practices, Level 1 practices are built directly off the FAR 52.204-21 basic cybersecurity requirements for contractors, which do have explicit requirements for "policies and procedures." What this means is that if your company stores, transmits and/or processes Federal Contract Information (FCI) that is in scope for FAR 52.204-21 or CMMC Level 1, then your organization needs to have documented policies and procedures. That is exactly what this bundle provides: policies, standards and procedures that are mapped to FAR 52.204-21 and CMMC Level 1 practices.

By leveraging the underlying NIST Cybersecurity Framework and adding in the FAR cybersecurity requirements, this bundle takes an "industry best practices" approach to documenting policies and standards for CMMC Level 1 by aligning with an industry-recognized cybersecurity framework. This makes it much easier to defend your policies and standards, since they are based on NIST CSF, a leading cybersecurity framework.

FAR 52.204-21 Forms The Basis For CMMC 2.0 Level 1

The FAR 52.204-21 cybersecurity requirements form the basis for what CMMC Level 1 practices require:

1. Limit access to authorized users.
2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
3. Verify controls on connections to external information systems.
4. Impose controls on information that is posted or processed on publicly accessible information systems.
5. Identify information system users and processes acting on behalf of users or devices.
6. Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
7. Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
8. Limit physical access to information systems, equipment, and operating environments to authorized individuals.
9. Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
10. Monitor, control, and protect organizational communications at external boundaries and key internal boundaries of information systems.
11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
12. Identify, report, and correct information and information system flaws in a timely manner.
13. Provide protection from malicious code at appropriate locations within organizational information systems.
14. Update malicious code protection mechanisms when new releases are available.
15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Why Are These Products Part of The Bundle?

This bundle is designed for organizations that need a cost-effective and timely solution to obtain NIST Cybersecurity Framework (NIST CSF)-based cybersecurity policies, standards and procedures that map to the low, moderate and privacy baselines. This is a combination of our CDPP cybersecurity policies and standards, along with the procedures from the Cybersecurity Standard Operating Procedures (CSOP). The end result is a comprehensive, customizable, easily implemented set of documentation that your company needs to establish a cybersecurity program. Because these are Microsoft Word documents, you can make edits as needed.

Please note that if you want a customized bundle, we are happy to create one for you. Just contact us with your needs and we will generate a quote for you.

Products Included in CMMC Bundle #1:

Cybersecurity & Data Protection Program (CDPP) - NIST CSF & FAR 52.204-21 Coverage (CMMC Level 1)

NIST Cybersecurity Framework-based cybersecurity policies & standards in an editable Microsoft Word format.

  • The CDPP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
  • Under each of the policies are standards that support those policy statements.
  • CDPP contains many useful supplemental documentation templates:
    • Business Impact Analysis (BIA) template
    • Data classification & handling guidelines
    • Data retention guidelines
    • Rules of behavior (acceptable use)
    • Bring Your Own Device (BYOD) usage guidelines
    • Risk management guidelines
    • System hardening guidelines
    • and more templates

Cybersecurity Standardized Operating Procedures Template (CSOP) - NIST CSF & FAR 52.204-21 Coverage (CMMC Level 1)

The CDPP version of the CSOP is a template for procedures that map to the policies and standards in the CDPP. Companies are expected to demonstrate HOW cybersecurity controls are actually implemented.

  • This is an editable Microsoft Word document.
  • Given the difficult nature of writing templated procedure statements, we aimed for approximately an "80% solution" since it is impossible to write a 100% complete cookie-cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who/what/when/where/why/how to make it complete.
  • The CSOP is mapped to leading frameworks to help with mapping compliance requirements.
