NIST 800-171 Compliance Made Easier

ComplianceForge has NIST 800-171 compliance documentation that applies if you are a prime or sub-contractor. We also offer discounted bundles that can save you up to 45% on the price! 

Comprehensive NIST 800-171 Compliance Documentation

As a quick summary of your requirements to comply with NIST 800-171, your is expected to have several different documentation artifacts to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that documentation expectation, you need to ensure your company has the proper cybersecurity documentation in place and NIST 800-171 requires the following documentation to exist, at a minimum:

• NIST 800-53 based cybersecurity policies, standards & procedures
• System Security Plan (SSP) (requirement #3.12.4)
• Plan of Action & Milestones (POA&M) (requirements #3.12.1, 3.12.2, 3.12.3 & 3.12.4)

Solutions for NIST 800-171 Compliance

ComplianceForge currently offers several products that are designed to assist companies with NIST 800-171:

• NIST 800-171 Compliance Criteria (NCC)
• Written Information Security Program (WISP) - NIST 800-53 Version
• Digital Security Program (DSP)

We do offer discounted bundles to tie together our products into packages that can meet your unique needs, since each product serves a different purpose. Each of these products has a detailed product page that you can read more about the products and see examples:

• We have different products that cover the policies and standards component, but our most common is the NIST 800-53 version of the Written Information Security Program (WISP)
• We have one product that is a templatized set of NIST 800-171 procedures and that is the Cybersecurity Standardized Operating Procedures (CSOP)
• We have one product that is a template for both a SSP & POA&M and that is the System Security Plan (SSP)
• The NIST 800-171 Compliance Criteria (NCC) is essentially a “consultant in a box” that gets you the equivalent of 80 hours worth of a consultant’s time to break down the NIST 800-171 requirements into real criteria for you to implement.

The diagram below depicts all NIST 800-171 requirements and every one has some form of documentation requirement to demonstrate how the control is implemented:

NIST 800-171 Compliance Criteria (NCC)

The NCC product is considered a "consultant in a box" product to provide consultant-level guidance on how to comply with NIST 800-171. The WISP and DSP are program-level policies and standards that will provide you with evidence you need to demonstrate compliance. What do you get if you buy the NIST 800-171 Compliance Criteria (NCC) product?

NIST 800-171 Compliance

• The NCC is a “consultant in a box” solution that is essentially a NIST 800-171 checklist in an editable Microsoft Excel format.
  • The NCC covers all controls in Appendix D of NIST 800-171.
  • It also covers Appendix E Non-Federal Organization (NFO) controls, which are required by contractors.
• Each of the NIST 800-171 controls is mapped to its corresponding NIST 800-53 control.
• Each of the NIST 800-53 controls are broken down to identify:
  • Reasonably-expected criteria to address the control.
  • Applicable compliance guidance;
  • Methods to address the requirement; and
  • Status of compliance for each control so you can use it for a self-assessment.
• The NCC maps into the Written Information Security Program (WISP) and Digital Security Program (DSP) products, so they can work in concert together to make it easier to comply with NIST 800-171 since your organization can have NIST-based policies and standards to support NIST 800-171 compliance efforts.

NIST 800-171 Scoping Considerations

We put together a guide to help companies scope their computing environment to help identify what is in scope for NIST 800-171 and was falls outside of scope.