NIST 800-171 Compliance Bundles
ComplianceForge is an industry leader in NIST 800-171 compliance. Our solutions have helped customers that range from the Fortune 500 down to small and medium-sized businesses comply with this DFARS requirement. Our products are scalable, professionally-written and affordable.
Comprehensive Coverage for NIST 800-171 Compliance Requirements
As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different types of documentation to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the following cybersecurity documentation in place:
- NIST 800-53 based cybersecurity policies, standards & procedures
- System Security Plan (SSP) (requirement #3.12.4)
- Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)
Summary of the Products You'll See In The NIST 800-171 Bundles
We offer several bundles of our products, based on client needs. Some clients want just enough to get by to be considered compliant with NIST 800-171 and some clients want everything we sell, so we have options to meet every need!
Note - If you are interested in the Digital Security Program (DSP), instead of the WISP, we offer several NIST 800-171 bundles that contain the DSP. If you are not sure if you need the DSP or WISP, click here to learn more about the differences.
- Cybersecurity policies & standards in an editable Microsoft Word format.
- The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.
- For the NIST 800-53 version of the WISP, each of the NIST 800-53 rev4 families has a policy associated with it, so there is a total of 26 policies. For the DSP, there are 32 different domains with a policy associated with each domain.
- Under each of the policies are standards that support those policy statements. These standards provide you with coverage for the moderate control set from NIST 800-53 rev 4, which is needed for NIST 800-171 compliance when you look at both CUI and NFO control requirements.
NIST 800-171 Compliance Criteria (NCC)
- This is our “consultant in a box” NIST 800-171 checklist in an editable Microsoft Excel format.
- Each of the NIST 800-171 controls from Appendix D is mapped to its corresponding NIST 800-53 control.
- The NCC also covers Appendix E Non-Federal Organization (NFO) controls.
- The NCC maps into the WISP and DSP products, so they work in concert together for helping you comply with NIST 800-171.
System Security Plan (SSP) & Plan of Action & Milestones (POA&M) Templates (SSP)
- These are fully editable templates.
- One template is a Microsoft Word-based System Security Plan (SSP) that contains all the criteria necessary to have your SSP documented to meet NIST 800-171 compliance expectations.
- One template is a Microsoft Excel-based Plan of Action & Milestones (POA&M) that contains fields necessary to track control deficiencies from identification through remediation.
NIST 800-171 Cybersecurity Standardized Operating Procedures Template (CSOP)
- The CSOP is a template for procedures. This is an expectation that companies have to demonstrate HOW cybersecurity controls are actually implemented.
- This is an editable Microsoft Word document.
- Given the difficult nature of writing templated procedure statements, we aimed for approximately a "75% solution" since it is impossible write a 100% complete cookie cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who/what/when/where/why/how to make it complete.
- The NIST 800-171 CSOP is mapped to NIST 800-53 and NIST 800-171 requirements.
Cybersecurity Incident Response Program (CIRP)
- The CIRP addresses the “how?” questions for how your company manages cybersecurity incidents.
- This is primarily an editable Microsoft Word document, but it comes with Microsoft Excel and Microsoft Visio templates.
- The CIRP contains “tabletop exercise” scenarios, based on the categories of incidents.
- This helps provide evidence of due care in how your company handles cybersecurity incidents.
- The CIRP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.
Risk Management Program (RMP)
- The RMP addresses the “how?” questions for how your company manages risk.
- This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for managing cybersecurity risk.
- The RMP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.
Cybersecurity Risk Assessment (CRAT)
- The CRAT supports the RMP product in answering the “how?” questions for how your company manages risk.
- This contains both an editable Microsoft Word document and Microsoft Excel spreadsheet that allows for professional-quality risk assessments.
- The CRAT directly supports the RMP, as well as the WISP and DSP policies and standards, for managing cybersecurity risk. It does this by enabling your company to produce risk assessment reports.
Vulnerability & Patch Management Program (VPMP)
- The VPMP addresses the “how?” questions for how your company manages technical vulnerabilities and patch management operations.
- This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for managing vulnerabilities.
Vendor Compliance Program (VCP)
- The VCP addresses the “how?” questions for how your company manages risk with third parties (e.g., service provides, vendors, contractors, etc.).
- This is an editable Microsoft Word document that is essentially a “mini-WISP” document that is intended to be shared with third parties, as compared to sharing detailed policies and standards.
- The VCP contains concise cybersecurity-related expectations that your company expects your third parties to abide by.
- The text from the VCP can be used in a contract addendum or shared as a stand-alone document.
- The VCP helps provide evidence of due care in how your company informs third parties about their cybersecurity obligations.
Security & Privacy by Design (SPBD)
- The SPBD addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized.
- This is an editable Microsoft Word document that provides program-level guidance to directly supports the WISP and DSP policies and standards for ensuring secure engineering and privacy principles are operationalized on a daily basis.
- The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements. The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.
- The CIRP is based on numerous frameworks, but the core is NIST 800-160, which is the de facto standard on secure engineering.