
NIST 800-171 rev2 & Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) Compliance Bundles
Our NIST 800-171 & CMMC documentation is "DIBCAC battle tested": it has been successfully used in DIBCAC audits. That says a great deal about the quality of our content!
ComplianceForge is an industry leader in NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC) compliance documentation solutions. Our documentation templates have helped customers that range from the Fortune 500 down to small and medium-sized businesses comply with DFARS requirements for NIST 800-171. Our products are scalable, professionally-written and affordable. The focus of NIST 800-171 & CMMC is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed. Our solutions range from small businesses through to enterprise-class environments.
Our NIST 800-171 / CMMC documentation is updated to address CMMC 2.0 and covers all Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls from NIST SP 800-171 R2.

“DIBCAC Battle Tested” NIST 800-171, NIST 800-171A & CMMC 2.0 Policies, Standards & Procedures
ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle-tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that is expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.

Focused on NIST 800-171 & CMMC Compliance - Policies, Standards, Procedures and more!
In the downloadable CMMC requirements mapping matrix shown below, you can see how all CMMC 2.0 Levels 1, 2 & 3 requirements are supported by ComplianceForge products.

Comprehensive Coverage for NIST 800-171 Compliance Requirements
As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different types of documentation to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the following cybersecurity documentation in place:
- Cybersecurity policies, standards & procedures;
- System Security Plan (SSP) (requirement #3.12.4); and
- Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)

What ComplianceForge Products Apply To NIST 800-171 Compliance?
Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how each ComplianceForge product addresses a specific DFARS compliance need.

In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171.

| ComplianceForge Product | DFARS Requirement |
| --- | --- |
| Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) | 252.204-7008, 252.204-7012, NIST 800-171 (multiple NFO controls) |
| Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SCRM SIP) | 252.204-7008, 252.204-7012, NIST 800-171 NFO PS-7 |
| Cybersecurity Risk Management Program (RMP) | 252.204-7008, 252.204-7012, NIST 800-171 NFO RA-1 |
| Cybersecurity Risk Assessment Template (CRA) | 252.204-7008, 252.204-7012, NIST 800-171 3.11.1 |
| Vulnerability & Patch Management Program (VPMP) | 252.204-7008, 252.204-7012, NIST 800-171 3.11.2 |
| Integrated Incident Response Program (IIRP) | 252.204-7008, 252.204-7009, 252.204-7010, 252.204-7012, NIST 800-171 3.6.1 |
| Security & Privacy By Design (SPBD) | 252.204-7008, 252.204-7012, NIST 800-171 NFO SA-3 |
| System Security Plan (SSP) | 252.204-7008, 252.204-7012, NIST 800-171 3.12.4 |
| Cybersecurity Standardized Operating Procedures (CSOP) | 252.204-7008, 252.204-7012, NIST 800-171 (multiple NFO controls) |
| Continuity of Operations Plan (COOP) | 252.204-7008, 252.204-7012, NIST 800-171 3.6.1 |
| Secure Baseline Configurations (SBC) | 252.204-7008, 252.204-7012, NIST 800-171 3.4.1 |
| Information Assurance Program (IAP) | 252.204-7008, 252.204-7012, NIST 800-171 NFO CA-1 |
| Cybersecurity Business Plan (CBP) | CMMC - C034-L4-P1163 |

One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
- Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
Given this approach to how documentation is structured, based on "ownership" of the documentation components:
- Policies, standards and controls are expected to be published for anyone within the organization to have access to, since they apply organization-wide. They may be centrally managed by a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
- Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.

Summary of the Products You'll See In The NIST 800-171 rev2 Bundles
We offer several bundles of our products, based on client needs. Some clients want just enough to get by to be considered compliant with NIST 800-171 and some clients want everything we sell, so we have options to meet every need! The following diagram helps demonstrate the layered nature of cybersecurity documentation. Policies & standards set the stage for teams/departments to create and implement programs that are function-specific.
For example:
- A policy on risk will define management's intent to manage risk (RA section of NIST 800-53);
- One of the standards supporting the risk policy might require an annual risk assessment (RA-3);
- Products such as the Risk Management Program (RMP) provide the middle-ground between the policy/standard and the actual deliverable risk assessment to provide risk-specific guidance on concepts such as acceptable risk, the methodology of risk management the organization aligns to, who within the organization can sign off on various levels of risk, etc.
If you would like to know more about how this works to help manage NIST 800-171, please contact us and we'd be happy to further explain how our documentation links together to create comprehensive, linked cybersecurity and privacy documentation.