NIST 800-171 rev2 & Cybersecurity Maturity Model Certification v1.02 (CMMC) Compliance Bundles

ComplianceForge is an industry leader in NIST 800-171 & Cybersecurity Maturity Model Certification (CMMC) compliance documentation solutions. Our documentation templates have helped customers that range from the Fortune 500 down to small and medium-sized businesses comply with DFARS requirements for NIST 800-171. Our products are scalable, professionally-written and affordable. The focus of NIST 800-171 & CMMC is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed. Our solutions range from small businesses (CMMC Level 1) through to enterprise-class environments (CMMC Level 5).

nist-800-171-cmmc-compliance-solutions.png

Focused on NIST 800-171 & CMMC Compliance - Policies, Standards, Procedures and more!

In the downloadable CMMC requirements mapping matrix shown below, you can see how all CMMC Level 1, 2, 3, 4 & 5 requirements are supported by ComplianceForge products.

 2020-02-03-cmmc-v1.0-requirements-matrix-download.jpg

Comprehensive Coverage for NIST 800-171 Compliance Requirements

As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different types of documentation to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the following cybersecurity documentation in place:

  • Cybersecurity policies, standards & procedures;
  • System Security Plan (SSP) (requirement #3.12.4); and
  • Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)

2020-nist-800-171-rev2-summary.jpg

Save Up To 45% With A Bundle! 

We have several discounted bundles that are specifically tailored for NIST 800-171 & CMMC compliance:

  • NIST 800-171 Compliance Program (NCP) 
    • This is a very popular "EASY BUTTON" bundle that is designed for smaller businesses or those that only need to address NIST 800-171 / CMMC 1-3.
    • The NCP is designed for CMMC levels 1-3, but includes coverage for all NIST 800-171 CUI and NFO controls.
  • NIST 800-171 / CMMC Bundle #1 - BASIC COVERAGE
    • Bundle #1 is similar to the NCP (above), but its Written Information Security Program (WISP) is based on NIST 800-53 rev4 so if you already "speak NIST 800-53" then this is the right product for your CMMC level 1-3 needs.
    • This bundle cover everything needed for NIST 800-171 for CUI and NFO controls and the moderate-baseline approach from NIST 800-53 will address CMMC levels 1-3.
  • NIST 800-171 / CMMC Bundle #2 - ENHANCED COVERAGE
    • Bundle #2 builds off Bundle #1 and adds more content to address CMMC levels 1-4.
    • This bundle is "the whole enchilada" from a NIST 800-53 perspective with all our products that combine to create a robust NIST 800-171 compliance program. 
  • NIST 800-171 / CMMC Bundle #3 - ROBUST COVERAGE
    • Bundle #3 is the same as Bundle #2, with the exception of the Digital Security Program (DSP) instead of the WISP and is designed for enterprise-class environments that need to address multiple compliance requirements in addition to NIST 800-171 (e.g., EU GDPR, SOC 2, etc.).
    • This bundle is not tied to a single framework, so it has the ability to address all CMMC level 1-5 requirements.
logo-product-nist-800-171-cybersecurity-program-ncp-2019.1.jpg 2020-cmmc-compliance-b1-2.jpg 2020-cmmc-compliance-b2-2.jpg 2020-cmmc-compliance-b3-2.jpg

What ComplianceForge Products Apply To NIST 800-171 Compliance?

Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need. In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171.

ComplianceForge Product DFARS Requirement
Written Information Security Program (WISP) or
Digital Security Program (DSP)		 252.204-7008
252.204-7012
NIST 800-171 (multiple NFO controls)
Vendor Compliance Program (VCP) 252.204-7008
252.204-7012
NIST 800-171 NFO PS-7
Cybersecurity Risk Management Program (RMP) 252.204-7008
252.204-7012
NIST 800-171 NFO RA-1
Cybersecurity Risk Assessment Template (CRA) 252.204-7008
252.204-7012
NIST 800-171 3.11.1
Vulnerability & Patch Management Program (VPMP) 252.204-7008
252.204-7012
NIST 800-171 3.11.2
Integrated Incident Response Program (IIRP) 252.204-7008
252.204-7009
252.204-7010
252.204-7012
NIST 800-171 3.6.1
Security & Privacy By Design (SPBD) 252.204-7008
252.204-7012
NIST 800-171 NFO SA-3
System Security Plan (SSP) 252.204-7008
252.204-7012
NIST 800-171 3.12.4
Cybersecurity Standardized Operating Procedures (CSOP) 252.204-7008
252.204-7012
NIST 800-171 (multiple NFO controls)
Continuity of Operations Plan (COOP) 252.204-7008
252.204-7012
NIST 800-171 3.6.1
Secure Baseline Configurations (SBC) 252.204-7008
252.204-7012
NIST 800-171 3.4.1
Information Assurance Program (IAP) 252.204-7008
252.204-7012
NIST 800-171 NFO CA-1
Cybersecurity Business Plan (CBP) CMMC - C034-L4-P1163

 

One of the most important things to keep in mind with procedures is that the "ownership" is different than that of policies and standards:

  • Policies, standards and controls are designed to be centrally-managed at the corporate level (e.g., governance, risk & compliance team, CISO, etc.).
  • Controls are assigned to stakeholders, based on applicable statutory, regulatory and contractual obligations.
  • Procedures are by their very nature de-centralized, where control implementation at the team-level is defined to explain how the control is addressed (e.g., network team, desktop support, HR, procurement, etc.).

Given this approach to how documentation is structured, based on "ownership" of the documentation components:

  • Policies, standards and controls are expected to be published for anyone within the organization to have access to, since it applies organization-wide. This may be centrally-managed by a GRC/IRM platform or published as a PDF on a file share, since they are relatively static with infrequent changes.
  • Procedures are "living documents" that require frequent updates based on changes to technologies and staffing. Procedures are often documented in "team share" repositories, such as a wiki, SharePoint page, workflow management tool, etc.

2020-policy-standard-procedure-ownership.jpg

Summary of the Products You'll See In The NIST 800-171 rev2 Bundles

We offer several bundles of our products, based on client needs. Some clients want just enough to get by to be considered compliant with NIST 800-171 and some clients want everything we sell, so we have options to meet every need! The following diagram helps demonstrate the layered nature of cybersecurity documentation. Policies & standards set the stage for teams/departments to create and implement programs that are function-specific.

For example:

  • A policy on risk will define management's intent to manage risk (RA section of NIST 800-53);
  • One of the standards supporting the risk policy might require an annual risk assessment (RA-3);
  • Products such as the Risk Management Program (RMP) provide the middle-ground between the policy/standard and the actual deliverable risk assessment to provide risk-specific guidance on concepts such as acceptable risk, the methodology of risk management the organization aligns to, who within the organization can sign off on various levels of risk, etc. 

If you would like to know more about how this works to help manage NIST 800-171, please contact us and we'd be happy to further explain how our documentation links together to create comprehensive, linked cybersecurity and privacy documentation.

2020.1-cybersecurity-documentation-hierarchy-example-complianceforge-cybersecurity-privacy-documentation.jpg

2020-logo-digital-security-program.jpg

Digital Security Program (DSP)
The DSP addresses more than just the “why?” and “what?” questions in an audit, since in addition to the core policies and standards that form the foundation for your cybersecurity program, the DSP comes with controls and metrics! 

  • Most popular product for organizations that need to address multiple compliance obligations and cannot be locked into a single framework (e.g., NIST 800-53, ISO 27002 or NIST Cybersecurity Framework).
  • Maps to over 100 statutory, regulatory and contractual cybersecurity and privacy frameworks to create a hybrid approach to cybersecurity policies, standards, controls and metrics.
  • Provides 1-1 mapping with the Secure Controls Framework (SCF), so you can easily align your policies, standards and metrics with the controls you use from the SCF!
  • DSP contains many useful supplemental documentation templates:
    • Data classification & handling guidelines
    • Data retention guidelines
    • Rules of behavior (acceptable use)
    • and many more templates
 2020-logo-written-information-security-program-wisp-.jpg

Written Information Security Program (WISP) ISO 27002, NIST CSF or NIST 800-53
Cybersecurity policies & standards in an editable Microsoft Word format.

  • The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
  • Under each of the policies are standards that support those policy statements.
  • WISP contains many useful supplemental documentation templates:
    • Business Impact Analysis (BIA) template
    • Data classification & handling guidelines
    • Data retention guidelines
    • Rules of behavior (acceptable use)
    • Bring Your Own Device (BYOD) usage guidelines
    • Risk management guidelines
    • System hardening guidelines
    • and more templates
2020-logo-nist-800-171-cmmc-compliance-criteria-nc3-.jpg NIST 800-171 & CMMC Compliance Criteria (NC3)
This is our “consultant in a box” NIST 800-171 checklist in an editable Microsoft Excel format to provide usable guidance on what is expected to reasonably address NIST 800-171 and CMMC controls.
  • Each of the NIST 800-171 controls for Controlled Unclassified Information (CUI) from Appendix D is mapped to its corresponding NIST 800-53 control.
  • In addition to CUI controls, Non-Federal Organization (NFO) controls from Appendix E.
  • Each of the NIST 800-171 controls are broken down to identify:
    • Reasonably-expected criteria to address the control.
    • Applicable compliance guidance;
    • Methods to address the requirement; and
    • Status of compliance for each control so you can use it for a self-assessment.
    • The NC3 maps into the WISP and DSP products, so they work in concert together for helping you comply with NIST 800-171.
2020-logo-nist-800-171-system-security-plan-ssp-template.jpg System Security Plan (SSP) & Plan of Action & Milestones (POA&M) Templates 
These are fully editable templates to address a compliance need for NIST 800-171 and CMMC.
  • One template is a Microsoft Word-based System Security Plan (SSP) that contains all the criteria necessary to have your SSP documented to meet NIST 800-171 compliance expectations.
  • One template is a Microsoft Excel-based Plan of Action & Milestones (POA&M) that contains fields necessary to track control deficiencies from identification through remediation.
2020-logo-cybersecurity-standardized-operating-procedures-csop-.jpg Cybersecurity Standardized Operating Procedures Template (CSOP)
The CSOP is a template for procedures. This is an expectation that companies have to demonstrate HOW cybersecurity controls are actually implemented.
  • This is an editable Microsoft Word document.
  • Given the difficult nature of writing templated procedure statements, we aimed for approximately a "80% solution" since it is impossible write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who/what/when/where/why/how to make it complete.
  • The CSOP is mapped to leading frameworks to help with mapping compliance requirements.
2020-logo-integrated-incident-response-program-iirp-.jpg Integrated Incident Response Program (IIRP)
The IIRP addresses the “how?” questions for how your company manages cybersecurity incidents.
  • This is primarily an editable Microsoft Word document, but it comes with Microsoft Excel and Microsoft Visio templates.
  • In summary, this addresses fundamental needs when it comes to incident response requirements:
    • Defines the hierarchical approach to handling incidents.
    • Categorizes eleven different types of incidents and four different classifications of incident severity.
    • Defines the phases of incident response operations, including deliverables expected for each phase.
    • Defines the Integrated Security Incident Response Team (ISIRT) to enable a unified approach to incident response operations.
    • Defines the scientific method approach to incident response operations.
    • Provides guidance on how to write up incident reports (e.g., lessons learned).
    • Provides guidance on forensics evidence acquisition.
    • Identifies and defines Indicators of Compromise (IoC).
    • Identifies and defines sources of evidence.  
    • The IIRP contains “tabletop exercise” scenarios, based on the categories of incidents.
    • This helps provide evidence of due care in how your company handles cybersecurity incidents.
    • The IIRP is based on industry-leading practices for incident response.
2020-logo-product-risk-management-program-rmp-.jpg Risk Management Program (RMP)
The RMP addresses the “how?” questions for how your company manages risk.
  • This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for managing cybersecurity risk.
  • In summary, this addresses fundamental needs when it comes to risk management requirements:
    • How risk is defined.
    • Who can accept risk.
    • How risk is calculated by defining potential impact and likelihood.
    • Necessary steps to reduce risk.
    • Risk considerations for vulnerability management.
    • The RMP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.
2020-logo-cybersecurity-risk-assessment-cra-template.jpg Cybersecurity Risk Assessment (CRA) Template
The CRA supports the RMP product in answering the “how?” questions for how your company manages risk.
  • This contains both an editable Microsoft Word document and Microsoft Excel spreadsheet that allows for professional-quality risk assessments.
  • The CRA directly supports the Risk Management Program (RMP), as well as the WISP/DSP's policies and standards, for managing cybersecurity risk. It does this by enabling your company to produce risk assessment reports.
2020-logo-vulnerability-patch-management-program.jpg Vulnerability & Patch Management Program (VPMP)
The VPMP addresses the “how?” questions for how your company manages technical vulnerabilities and patch management operations.
  • This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for managing vulnerabilities.
  • In summary, this addresses fundamental needs when it comes to vulnerability management requirements:
    • Who is responsible for managing vulnerabilities.
    • What is in scope for patching and vulnerability management.
    • Defines the vulnerability management methodology.
    • Defines timelines for conducting patch management operations.
    • Considerations for assessing risk with vulnerability management.
    • Vulnerability scanning and penetration testing guidance.
2020-logo-vendor-compliance-program.jpg Vendor Compliance Program (VCP)
The VCP addresses the “how?” questions for how your company manages risk with third parties (e.g., service provides, vendors, contractors, etc.).
  • This is an editable Microsoft Word document that is essentially a “mini-WISP” document that is intended to be shared with third parties, as compared to sharing detailed policies and standards.
  • The VCP contains concise cybersecurity-related expectations that your company expects your third parties to abide by.
  • The text from the VCP can be used in a contract addendum or shared as a stand-alone document.
  • The VCP helps provide evidence of due care in how your company informs third parties about their cybersecurity obligations.
2020-logo-security-privacy-by-design-spbd-.jpg Security & Privacy by Design (SPBD)
The SPBD addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized.
  • This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for ensuring secure engineering and privacy principles are operationalized on a daily basis.
  • The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements. The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.
  • The SPBD is based on numerous industry frameworks, but the core is NIST 800-160, which is the de facto standard on secure engineering.
2020-logo-continuity-of-operations-program.jpg Continuity of Operations Program (COOP)
The COOP addresses the “how?” questions for how your company plans to respond to disasters to maintain business continuity.
  • This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP's policies and standards for disaster recovery and business continuity operations.
  • The concept of “continuity operations” spans incident response to disaster recovery to business continuity operations. This is a very common requirement in numerous statutory, regulatory and contractual requirements. The COOP provides your organization with the documentation to prove it addresses both disaster recovery and business continuity.
  • The COOP is based on numerous frameworks to provide a holistic approach to DR and BC operations. 
2020-logo-secure-baseline-configurations.jpg Secure Baseline Configurations (SBC)
The SBC addresses the “how?” questions for how your company securely configures its technology assets, such as system hardening according to CIS Benchmarks, DISA STIGs or vendor recommendations.
  • This is an editable Microsoft Word document that provides program-level guidance to direct systems administrators, third-parties and other asset custodians on the expectation to harden operating systems, applications and services.
  • The hardening of systems is a basic requirement, but most organization struggle with a way to document the requirements they are using to secure their assets. This is where the SBC comes into play.
  • The SBC leverages multiple sources for "industry best practices" and you are able to select what works best for your organization. 
2020-logo-information-assurance-program-iap-.jpg Information Assurance Program (IAP)
The IAP addresses the “how?” questions for how your company performs pre-production testing to ensure that both cybersecurity and privacy principles are built-in by default.
  • This is an editable Microsoft Word document that provides program-level guidance to conduct pre-production testing that ties in with existing SDLC/PDLC processes.
  • The IAP leverages multiple sources for "industry best practices" and is based on practices used by the US Government for Information Assurance (IA) and Security Testing & Evaluation (ST&E).

Browse Our Products

  • NIST Cybersecurity Framework (NIST CSF) and FAR 52.204-21-based Written Information Security Program (WISP) for CMMC level 1

    CMMC Level 1 Policies & Standards (CMMC 1)

    ComplianceForge

    Editable policies and standards based on the NIST Cybersecurity Framework (CSF). Great choice for smaller organizations that do not have stringent compliance requirements. Easiest framework to implement and maintain.

    $1,200.00
    Choose Options
  • NIST 800-171 Compliance Program (NCP). This is a bundle of products that are specific to NIST 800-171 compliance - policies, standards, procedures, SSP & POA&M templates.

    NIST 800-171 Compliance Program (NCP) (CMMC 1-3)

    Review(s) 3

    ComplianceForge

    The NCP is the "easy button" for complying with NIST 800-171. It contains NIST 800-171 specific policies, standards, procedures, SSP and POA&M templates. This is the most cost-effective way to comply with NIST 800-171.

    $6,720.00 $4,350.00
    Choose Options
  • NIST 800-171 Compliance Bundle 1: NC3-WISP-SSP-CSOP-IIRP

    CMMC Bundle 1: Basic Coverage (CMMC 1-3)

    ComplianceForge

    Our most popular NIST 800-171 bundle! This includes everything from bundle #2 but adds robust incident response program documentation, the Cybersecurity Incident Response Program (CIRP). Incident response is key to DFARS compliance.

    $8,370.00 $6,278.00
    Choose Options
  • NIST 800-171 Compliance Bundle 3: NC3-DSP-SSP-CSOP-IIRP-RMP-CRA-VPMP-VCP-SPBD-COOP-SBC-IAP-CBP

    CMMC Bundle 3: Robust Coverage (CMMC 1-5)

    ComplianceForge

    Similar to NIST 800-171 Bundle #4, but contains NIST 800-171 specific documentation. This is our most popular DSP bundle for companies that have to address both NIST 800-171 and the EU General Data Protection Requirement (GDPR).

    $34,800.00 $19,140.00
    Choose Options

Find Out Exclusive Information On Cybersecurity