CMMC Bundle 4: Robust Coverage (CMMC 1-5)

Digital Security Program (DSP)
The DSP addresses more than just the “why?” and “what?” questions in an audit, since in addition to the core policies and standards that form the foundation for your cybersecurity program, the DSP comes with controls and metrics! 

• Most popular product for organizations that need to address multiple compliance obligations and cannot be locked into a single framework (e.g., NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
• Maps to over 100 statutory, regulatory and contractual cybersecurity and privacy frameworks to create a hybrid approach to cybersecurity policies, standards, controls and metrics.
• Provides 1-1 mapping with the Secure Controls Framework (SCF), so you can easily align your policies, standards and metrics with the controls you use from the SCF!
• DSP contains many useful supplemental documentation templates:
• Data classification & handling guidelines
• Data retention guidelines
• Rules of behavior (acceptable use)
• and many more templates

• One template is a Microsoft Word-based System Security Plan (SSP) that contains all the criteria necessary to have your SSP documented to meet NIST 800-171 compliance expectations.
• One template is a Microsoft Excel-based Plan of Action & Milestones (POA&M) that contains fields necessary to track control deficiencies from identification through remediation.

• This is an editable Microsoft Word document.
• Given the difficult nature of writing templated procedure statements, we aimed for approximately a "80% solution" since it is impossible write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who/what/when/where/why/how to make it complete.
• The CSOP is mapped to leading frameworks to help with mapping compliance requirements.

• This is primarily an editable Microsoft Word document, but it comes with Microsoft Excel and Microsoft Visio templates.
• In summary, this addresses fundamental needs when it comes to incident response requirements:
• Defines the hierarchical approach to handling incidents.
• Categorizes eleven different types of incidents and four different classifications of incident severity.
• Defines the phases of incident response operations, including deliverables expected for each phase.
• Defines the Integrated Security Incident Response Team (ISIRT) to enable a unified approach to incident response operations.
• Defines the scientific method approach to incident response operations.
• Provides guidance on how to write up incident reports (e.g., lessons learned).
• Provides guidance on forensics evidence acquisition.
• Identifies and defines Indicators of Compromise (IoC).
• Identifies and defines sources of evidence.  
• The IIRP contains “tabletop exercise” scenarios, based on the categories of incidents.
• This helps provide evidence of due care in how your company handles cybersecurity incidents.
• The IIRP is based on industry-leading practices for incident response.

• This is an editable Microsoft Word document that provides program-level guidance to directly supports the CDPP and DSP policies and standards for managing cybersecurity risk.
• In summary, this addresses fundamental needs when it comes to risk management requirements:
• How risk is defined.
• Who can accept risk.
• How risk is calculated by defining potential impact and likelihood.
• Necessary steps to reduce risk.
• Risk considerations for vulnerability management.
• The RMP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.

• This contains both an editable Microsoft Word document and Microsoft Excel spreadsheet that allows for professional-quality risk assessments.
• The CRA directly supports the Risk Management Program (RMP), as well as the CDPP/DSP's policies and standards, for managing cybersecurity risk. It does this by enabling your company to produce risk assessment reports.

• This is an editable Microsoft Word document that provides program-level guidance to directly supports the CDPP and DSP policies and standards for managing vulnerabilities.
• In summary, this addresses fundamental needs when it comes to vulnerability management requirements:
• Who is responsible for managing vulnerabilities.
• What is in scope for patching and vulnerability management.
• Defines the vulnerability management methodology.
• Defines timelines for conducting patch management operations.
• Considerations for assessing risk with vulnerability management.
• Vulnerability scanning and penetration testing guidance.

• This is an editable Microsoft Word document that provides program-level guidance to directly supports the CDPP and DSP policies and standards for ensuring secure engineering and privacy principles are operationalized on a daily basis.
• The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements. The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.
• The SPBD is based on numerous industry frameworks, but the core is NIST 800-160, which is the de facto standard on secure engineering.

• This is an editable Microsoft Word document that provides program-level guidance to directly supports the CDPP's policies and standards for disaster recovery and business continuity operations.
• The concept of “continuity operations” spans incident response to disaster recovery to business continuity operations. This is a very common requirement in numerous statutory, regulatory and contractual requirements. The COOP provides your organization with the documentation to prove it addresses both disaster recovery and business continuity.
• The COOP is based on numerous frameworks to provide a holistic approach to DR and BC operations. 

• This is an editable Microsoft Word document that provides program-level guidance to direct systems administrators, third-parties and other asset custodians on the expectation to harden operating systems, applications and services.
• The hardening of systems is a basic requirement, but most organization struggle with a way to document the requirements they are using to secure their assets. This is where the SBC comes into play.
• The SBC leverages multiple sources for "industry best practices" and you are able to select what works best for your organization. 

• This is an editable Microsoft Word document that provides program-level guidance to conduct pre-production testing that ties in with existing SDLC/PDLC processes.
• The IAP leverages multiple sources for "industry best practices" and is based on practices used by the US Government for Information Assurance (IA) and Security Testing & Evaluation (ST&E).

• This is an editable Microsoft Word document that provides an easy-to-follow template to build out a cybersecurity strategy and a roadmap to improve the cybersecurity practices of your organization. 
• CMMC requirement CA.4.163 requires organizations to "create, maintain and leverage a security strategy and roadmap for organizational cybersecurity improvement" that is a requirement for all CMMC 4 & 5 organizations.