0 Reviews
$8,370.00 $6,278.00
(You save $2,092.00)

CMMC Bundle 1: Basic Coverage (CMMC 1-3)

Email Delivery Within 1-2 Business Days

file types are bmp, gif, jpg, jpeg, jpe, jif, jfif, jfi, png, wbmp, xbm, tiff

NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC) Compliance Bundle #1 (25% discount)

This bundle is designed for organizations that need to comply with NIST 800-171 and CMMC Levels 1-3, but do not need all of ComplianceForge's products. This bundle goes beyond just the cybersecurity policies and standards and addresses the unique compliance needs for NIST 800-171. The end result is a comprehensive, customizable, easily implemented set of documentation that your company needs to establish an NIST 800-53-based cybersecurity program. Being Microsoft Word documents, you have the ability to make edits, as needed. 

We get the question a lot about "Do I buy the NCP or CMMC bundle #1 to address CMMC level 3?" and it really comes down to your other compliance needs. The CMMC Bundle #1 is similar to the NIST 800-171 Compliance Program (NCP), in that both products cover CMMC levels 1-3. Both equally cover CMMC 1-3 and NIST 800-171 requirements. However, the main differences are in coverage and framework alignment:

  • The NCP is a pared-down version of the Digital Security Program (DSP) that is designed to just address NIST 800-171 and CMMC in the most efficient manner possible.
  • CMM Bundle #1 is aligned with NIST 800-53 (low & moderate baseline coverage) so that is ideal for an organization that wants to align its policies and standards directly with NIST 800-53. 
  • The NCP is a better option for companies that only need to address NIST 800-171 and CMMC - it is as close to the "easy button" as we have for NIST 800-171 & CMMC, but it is specific to just NIST 800-171 & CMMC.
  • CMMC Bundle #1 is a better option for companies that “speak NIST 800-53” for other compliance requirements (e.g., FedRAMP, HIPAA, RMF, etc.) but need specific coverage for NIST 800-171 and CMMC.

Focused on NIST 800-171 & CMMC Level 1-3 Compliance - BASIC DOCUMENTATION COVERAGE

In the downloadable CMMC requirements mapping matrix shown below, you can see how all CMMC Level 1, 2 & 3 requirements are supported by the NIST 800-53 Low/Moderate Baseline Version of the Written Information Security Program (WISP-LM).



Cost Savings Estimate - NIST 800-171 Bundle #1

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing this bundle from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

  • For your internal staff to generate comparable documentation, it would take them an estimated 1,080 internal staff work hours, which equates to a cost of approximately $81,000 in staff-related expenses. This is about 10-15 months of development time where your staff would be diverted from other work.
  • If you hire a consultant to generate this documentation, it would take them an estimated 735 contractor work hours, which equates to a cost of approximately $220,500. This is about 6-9 months of development time for a contractor to provide you with the deliverable.
  • This bundle is approximately 4% of the cost for a consultant or 10% of the cost of your internal staff to generate equivalent documentation.
  • We process most orders the same business day so you can potentially start working with the documentation the same day you place your order.


Products Included in NIST 800-171 Bundle #1 (WISP-LM version)


Written Information Security Program (WISP) - NIST 800-53 rev4 LOW/MODERATE BASELINES

NIST 800-53-based cybersecurity policies & standards in an editable Microsoft Word format.

  • The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
  • Under each of the policies are standards that support those policy statements.
  • WISP contains many useful supplemental documentation templates:
    • Business Impact Analysis (BIA) template
    • Data classification & handling guidelines
    • Data retention guidelines
    • Rules of behavior (acceptable use)
    • Bring Your Own Device (BYOD) usage guidelines
    • Risk management guidelines
    • System hardening guidelines
    • and more templates
2020-logo-nist-800-171-cmmc-compliance-criteria-nc3-.jpg NIST 800-171 & CMMC Compliance Criteria (NC3)
This is our “consultant in a box” NIST 800-171 checklist in an editable Microsoft Excel format to provide usable guidance on what is expected to reasonably address NIST 800-171 and CMMC controls.
  • Each of the NIST 800-171 controls for Controlled Unclassified Information (CUI) from Appendix D is mapped to its corresponding NIST 800-53 control.
  • In addition to CUI controls, Non-Federal Organization (NFO) controls from Appendix E.
  • Each of the NIST 800-171 controls are broken down to identify:
    • Reasonably-expected criteria to address the control.
    • Applicable compliance guidance;
    • Methods to address the requirement; and
    • Status of compliance for each control so you can use it for a self-assessment.
    • The NC3 maps into the WISP and DSP products, so they work in concert together for helping you comply with NIST 800-171.
2020-logo-nist-800-171-system-security-plan-ssp-template.jpg System Security Plan (SSP) & Plan of Action & Milestones (POA&M) Templates 
These are fully editable templates to address a compliance need for NIST 800-171 and CMMC.
  • One template is a Microsoft Word-based System Security Plan (SSP) that contains all the criteria necessary to have your SSP documented to meet NIST 800-171 compliance expectations.
  • One template is a Microsoft Excel-based Plan of Action & Milestones (POA&M) that contains fields necessary to track control deficiencies from identification through remediation.

Cybersecurity Standardized Operating Procedures Template (CSOP) - WISP version
The WISP version of the CSOP is a template for procedures. This is an expectation that companies have to demonstrate HOW cybersecurity controls are actually implemented. 

  • This is an editable Microsoft Word document.
  • Given the difficult nature of writing templated procedure statements, we aimed for approximately a "80% solution" since it is impossible write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who/what/when/where/why/how to make it complete.
  • The CSOP is mapped to leading frameworks to help with mapping compliance requirements.
2020-logo-integrated-incident-response-program-iirp-.jpg Integrated Incident Response Program (IIRP)
The IIRP addresses the “how?” questions for how your company manages cybersecurity incidents.
  • This is primarily an editable Microsoft Word document, but it comes with Microsoft Excel and Microsoft Visio templates.
  • In summary, this addresses fundamental needs when it comes to incident response requirements:
    • Defines the hierarchical approach to handling incidents.
    • Categorizes eleven different types of incidents and four different classifications of incident severity.
    • Defines the phases of incident response operations, including deliverables expected for each phase.
    • Defines the Integrated Security Incident Response Team (ISIRT) to enable a unified approach to incident response operations.
    • Defines the scientific method approach to incident response operations.
    • Provides guidance on how to write up incident reports (e.g., lessons learned).
    • Provides guidance on forensics evidence acquisition.
    • Identifies and defines Indicators of Compromise (IoC).
    • Identifies and defines sources of evidence.  
    • The IIRP contains “tabletop exercise” scenarios, based on the categories of incidents.
    • This helps provide evidence of due care in how your company handles cybersecurity incidents.
    • The IIRP is based on industry-leading practices for incident response.


What ComplianceForge Products Apply To NIST 800-171 Compliance?

Based on the requirements from DFARS, we made this bundle to simplify the efforts to comply. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how the products address a specific compliance need:

ComplianceForge Product DFARS Requirement
Written Information Security Program (WISPNIST 800-53 rev4 low/mod baselines 252.204-7008
NIST 800-171 (multiple NFO controls)
Vendor Compliance Program (VCP) 252.204-7008
NIST 800-171 NFO PS-7
Cybersecurity Risk Management Program (RMP) 252.204-7008
NIST 800-171 NFO RA-1
Cybersecurity Risk Assessment Template (CRA) 252.204-7008
NIST 800-171 3.11.1
Vulnerability & Patch Management Program (VPMP) 252.204-7008
NIST 800-171 3.11.2
Integrated Incident Response Program (IIRP) 252.204-7008
NIST 800-171 3.6.1
Security & Privacy By Design (SPBD) 252.204-7008
NIST 800-171 NFO SA-3
System Security Plan (SSP) 252.204-7008
NIST 800-171 3.12.4
Cybersecurity Standardized Operating Procedures (CSOP) 252.204-7008
NIST 800-171 (multiple NFO controls)
Continuity of Operations Plan (COOP) 252.204-7008
NIST 800-171 3.6.1
Secure Baseline Configurations (SBC) 252.204-7008
NIST 800-171 3.4.1
Information Assurance Program (IAP) 252.204-7008
NIST 800-171 NFO CA-1

Please note that if you want a customized bundle, we are happy to create one for you. Just contact us with your needs and we will generate a quote for you.

Related Products

Related Products


Find Out Exclusive Information On Cybersecurity