NIST 800-171 rev2 & Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) Compliance Bundles
ComplianceForge is an industry leader in NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC) compliance documentation solutions. Our documentation templates have helped customers that range from the Fortune 500 down to small and medium-sized businesses comply with DFARS requirements for NIST 800-171. Our products are scalable, professionally-written and affordable. The focus of NIST 800-171 & CMMC is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed. Our solutions range from small businesses (CMMC Level 1) through to enterprise-class environments (CMMC Level 5).
Focused on NIST 800-171 & CMMC Compliance - Policies, Standards, Procedures and more!
In the downloadable CMMC requirements mapping matrix shown below, you can see how all CMMC 2.0 Levels 1, 2 & 3 requirements are supported by ComplianceForge products.
Comprehensive Coverage for NIST 800-171 Compliance Requirements
As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different types of documentation to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the following cybersecurity documentation in place:
- Cybersecurity policies, standards & procedures;
- System Security Plan (SSP) (requirement #3.12.4); and
- Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)
What ComplianceForge Products Apply To NIST 800-171 Compliance?
Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need.
In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171.
| ComplianceForge Product | DFARS Requirement |
| --- | --- |
| Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) | 252.204-7008, 252.204-7012, NIST 800-171 (multiple NFO controls) |
| Vendor Compliance Program (VCP) | 252.204-7008, 252.204-7012, NIST 800-171 NFO PS-7 |
| Cybersecurity Risk Management Program (RMP) | 252.204-7008, 252.204-7012, NIST 800-171 NFO RA-1 |
| Cybersecurity Risk Assessment Template (CRA) | 252.204-7008, 252.204-7012, NIST 800-171 3.11.1 |
| Vulnerability & Patch Management Program (VPMP) | 252.204-7008, 252.204-7012, NIST 800-171 3.11.2 |
| Integrated Incident Response Program (IIRP) | 252.204-7008, 252.204-7009, 252.204-7010, 252.204-7012, NIST 800-171 3.6.1 |
| Security & Privacy By Design (SPBD) | 252.204-7008, 252.204-7012, NIST 800-171 NFO SA-3 |
| System Security Plan (SSP) | 252.204-7008, 252.204-7012, NIST 800-171 3.12.4 |
| Cybersecurity Standardized Operating Procedures (CSOP) | 252.204-7008, 252.204-7012, NIST 800-171 (multiple NFO controls) |
| Continuity of Operations Plan (COOP) | 252.204-7008, 252.204-7012, NIST 800-171 3.6.1 |
| Secure Baseline Configurations (SBC) | 252.204-7008, 252.204-7012, NIST 800-171 3.4.1 |
| Information Assurance Program (IAP) | 252.204-7008, 252.204-7012, NIST 800-171 NFO CA-1 |
| Cybersecurity Business Plan (CBP) | CMMC - C034-L4-P1163 |
One of the most important things to keep in mind with procedures is that their "ownership" is different from that of policies and standards:
- Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
- Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
- Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).
Given this approach to how documentation is structured, based on "ownership" of the documentation components:
- Policies, standards and controls are expected to be published so that anyone within the organization can access them, since they apply organization-wide. They may be centrally managed in a GRC/IRM platform or published as a PDF on a file share, since they are relatively static and change infrequently.
- Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.
Summary of the Products You'll See In The NIST 800-171 rev2 Bundles
We offer several bundles of our products, based on client needs. Some clients want just enough to get by to be considered compliant with NIST 800-171 and some clients want everything we sell, so we have options to meet every need! The following diagram helps demonstrate the layered nature of cybersecurity documentation. Policies & standards set the stage for teams/departments to create and implement programs that are function-specific.
For example:
- A policy on risk will define management's intent to manage risk (RA section of NIST 800-53);
- One of the standards supporting the risk policy might require an annual risk assessment (RA-3);
- Products such as the Risk Management Program (RMP) provide the middle-ground between the policy/standard and the actual deliverable risk assessment to provide risk-specific guidance on concepts such as acceptable risk, the methodology of risk management the organization aligns to, who within the organization can sign off on various levels of risk, etc.
If you would like to know more about how this works to help manage NIST 800-171, please contact us and we'd be happy to further explain how our documentation links together to create comprehensive, linked cybersecurity and privacy documentation.