UPDATED FOR CMMC 2.0 NIST SP 800-171 & CMMC "Easy Button" Solution - Editable & Affordable Cybersecurity Documentation
We listened to our customers and created the NIST SP 800-171 Compliance Program (NCP), based on the growing demand from small and medium businesses that want a simplified approach to NIST SP 800-171 & Cybersecurity Maturity Model Certification (CMMC) compliance. The NCP is a set of editable cybersecurity documentation templates tailored for small and medium businesses to address NIST 800-171 / CMMC 2.0 compliance. The NCP is streamlined to focus solely on what is required to comply with NIST 800-171 R2 and CMMC 2.0. Both the policies & standards document (CDPP) and the procedures document (CSOP) have footnotes that clearly identify which NIST 800-171, NIST 800-171A and/or CMMC requirement is addressed. The NCP is meant to provide coverage for the “who, what, when, how & why” considerations of your cybersecurity program, scoped to your strategic, operational and tactical needs. We've performed the heavy lifting to build these documentation templates; you (or your IT consultants) just need to fill in the details that only you will know. We do have consulting services available if you need assistance.
The NCP is "battle tested" - our clients have successfully passed DIBCAC assessments with this documentation, including a CMMC Third-Party Assessment Organization (C3PAO). You receive a lifetime license to use the NCP at your company and the purchase price includes one year of updates. After the first year, you can choose to subscribe to updates or not. We expect NIST SP 800-171 R3 to be released in early 2024 and "CMMC 3.0" soon afterwards, so clients who buy the NCP will receive updated documentation to address those changes.
The NCP is designed to fit the needs of small to medium businesses in need of a “square peg for a square hole” to singularly address NIST 800-171 and CMMC compliance requirements. The NCP provides coverage for all Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls found in Appendix E of NIST 800-171, as well as the Assessment Objectives (AOs) from NIST 800-171A (note: if you are unclear what NFO controls are, ComplianceForge has a dedicated page on its website that is worth reading). Given the coverage of NIST 800-171 and 800-171A, the NCP also provides the necessary coverage for CMMC Level 1 and Level 2 controls.
The NCP is a bundle of editable documentation templates that is designed to save your organization hundreds of hours in labor. These core documents include:
- Cybersecurity & Data Protection Program (CDPP) – cybersecurity policies & standards tailored for NIST SP 800-171 & CMMC 2.0
- Cybersecurity Standardized Operating Procedures (CSOP) – cybersecurity procedures tailored for NIST SP 800-171 & CMMC 2.0
- System Security Plan (SSP)
- Plan of Action & Milestones (POA&M)
- Third-Party Security Management (TPSM) - third-party Cybersecurity Supply Chain Risk Management (C-SCRM) guidance
- Many useful supplemental documentation templates:
  - Incident Response Plan (IRP) template
  - Business Impact Analysis (BIA) template
  - Business Continuity / Disaster Recovery (BC/DR) template
  - Data classification & handling guidelines
  - Data retention guidelines
  - Rules of behavior (acceptable use)
  - Mobile device usage guidelines
  - Risk management guidelines
  - System hardening guidelines
  - and more templates
The NIST 800-171 Compliance Program (NCP) Is Built On Industry-Leading Practices & Definitions
We recognize there are other options on the market for "NIST 800-171 & CMMC documentation" and we strive to make the highest-quality products on the market. Our obsession with making quality documentation can be demonstrated in the architecture we use to create our documentation. As shown in the swimlane diagram below, the Hierarchical Cybersecurity Governance Framework (HCGF) is the "ComplianceForge Reference Model" of cybersecurity and privacy documentation. The HCGF is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization's cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics.
“DIBCAC Battle Tested” Policies, Standards & Procedures - NIST 800-171, NIST 800-171A & CMMC 2.0 Compliance
ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle-tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist in order to pass a third-party assessment, be it DIBCAC or a C3PAO.
The NCP covers 20 domains, which equate to 20 policies with 188 standards that support those policies. There are 20 policies and 188 standards because that is what it takes to address the actual requirements in NIST SP 800-171 and CMMC 2.0. "CMMC compliance" is more than just 110 requirements - those are only the CUI controls. When you take into account the Non-Federal Organization (NFO) controls from Appendix E of NIST SP 800-171 and the Assessment Objectives (AOs) from NIST SP 800-171A (equivalent to CMMC 2.0 AOs), there are more than just 110 requirements. The Excel crosswalk spreadsheet that comes with the NCP maps the standards to the requirements, so it is straightforward to understand why each requirement in the NCP exists.
NIST SP 800-171 & CMMC 2.0 Level 2 (Advanced) Policies, Standards, Procedures, SSP & POA&M Templates and More!
In simple terms, the NCP gives you everything you need to comply with NIST SP 800-171 & CMMC v2.0 - cybersecurity policies, standards, procedures, a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M). As depicted in the graphic below, the NCP is its own bundle of products that makes up the documentation you need to demonstrate compliance with NIST SP 800-171 and CMMC:
Frequently Asked Questions (FAQ) On The NCP
Below are some common questions that we receive about the NCP, answered here to provide further transparency for your purchasing decision:
- How does the NCP address CMMC v2.0 Level 2 (Advanced)?
  - The NCP was specifically written to address all NFO & CUI controls in NIST SP 800-171 R2, as well as CMMC v2.0 Level 2 (Advanced) controls. The NCP is our "easy button" solution for CMMC 2.0 L2.
  - The NCP contains editable policies, standards, procedures, SSP & POA&M templates, and much more. See the "What Does The NIST SP 800-171 Compliance Program (NCP) Contain?" section below for everything the NCP contains.
- How is the NCP different from CMMC Bundle #2?
  - CMMC Bundle #2 is similar to the NIST SP 800-171 Compliance Program (NCP), in that both products cover CMMC 2.0 Levels 1-2 and NIST SP 800-171 requirements. The main differences are in coverage and framework alignment.
  - The NCP is a pared-down version of the Digital Security Program (DSP), our flagship product. The NCP is tailored to be a "square peg for a square hole" that addresses only CMMC 2.0 L1-2 and NIST SP 800-171 requirements in the most efficient manner we can provide.
  - CMMC Bundle #2 is based on the NIST SP 800-53 R5 framework, so it is a good choice if you need to "speak NIST SP 800-53" or have other US government-based requirements (e.g., FISMA, RMF, HIPAA, etc.) that are based on NIST SP 800-53. This bundle is aligned with NIST SP 800-53 (low & moderate baseline coverage), so it is ideal for an organization that wants to align its policies and standards directly with NIST SP 800-53.
  - If you are just looking for CMMC & NIST SP 800-171 coverage, then the NCP is a better fit.
- Why does the NCP leverage Secure Controls Framework (SCF) controls?
  - The hierarchical and scalable structure of the Secure Controls Framework (SCF) makes it an ideal choice to address NIST 800-171 / CMMC compliance, which is why the NCP leverages this structure.
  - The SCF is a “metaframework” that maps to over 100 cybersecurity and privacy-related laws, regulations and frameworks, including NIST CSF, ISO 27001/2, NIST 800-53, NIST 800-171 and CMMC. The SCF is logically organized into thirty-three (33) domains. ComplianceForge’s Digital Security Program (DSP) has 1-1 mapping to the SCF, and the NCP is merely a pared-down version of the DSP that focuses specifically on the CUI and NFO controls from NIST 800-171, the AOs from NIST 800-171A and the CMMC 2.0 controls.
  - The NIST OLIR Program has SCF to NIST 800-171 R2 mappings, so that is another benefit of leveraging the SCF to structure the NCP’s policies, standards and procedures. You can read more about that here - https://csrc.nist.gov/projects/olir/informative-reference-catalog/details?frameworkVersionId=87
- Can you provide us with examples of the documentation & templates that are part of the NCP?
  - Yes! If you scroll about 1/3 down the NCP product page, you will see the “Product Example - NIST SP 800-171 Compliance Program (NCP)” section, which contains examples of policies, standards, procedures, etc.
- What are the gaps in the NCP for CMMC 2.0 Level 2 once we purchase this?
  - The NCP provides fully-mapped requirements within the policies, standards, procedures, etc. Therefore, any "gaps" in coverage are specific to your implementation of the requirements to become compliant with NIST SP 800-171 & CMMC.
  - We are "tool makers" that provide you with templates that identify the Minimum Security Requirements (MSR) in an editable, efficient template format. You have to implement those requirements to be considered compliant with NIST SP 800-171 & CMMC.
  - There are no professional service hours included in the purchase of the NCP, but we do have consultants that are available for customization/consulting via a separate Statement of Work (SOW).
- How often is the NCP updated?
  - As NIST SP 800-171 & CMMC change, we update the NCP. There is no set schedule for updates, since we update products based on new guidance from the DoD, NIST and CMMC-AB.
  - The NCP comes with one year of updates, so as long as you have an active subscription you will receive updated versions of the documentation, along with errata that identifies what changed.
  - After the first year, you can purchase updates for $800/yr, as described on our updates page.
- Is the NCP a subscription? How long does a license last?
  - The NCP is a perpetual, single-site license. However, if you want to keep receiving updates, you pay for updates after the first year.
  - NIST SP 800-171 & CMMC evolve, which is why we offer updates. It takes considerable effort for us to develop and maintain this documentation, which is why we charge for updates.
- Can I upgrade to a different bundle if my needs change?
  - Yes! We can credit your purchase towards an upgraded bundle if your business needs change and you have to address CMMC 2.0 L3 requirements.
Product Example - NIST SP 800-171 Compliance Program (NCP)
Our customers choose the NIST SP 800-171 Compliance Program (NCP) because they:
- Need an efficient way to comply with NIST SP 800-171 / CMMC and make the process as simple as possible
- Need to be able to edit the document to their specific needs
- Need an affordable solution
Don't take our word for it - take a look at the examples below to see for yourself the level of professionalism and detail that went into making these products:
Cost Savings Estimate - NIST SP 800-171 Compliance Program (NCP)
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparison paints a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the NCP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
- For your internal staff to generate comparable documentation, it would take them an estimated 1,000 internal staff work hours, which equates to a cost of approximately $76,000 in staff-related expenses. This is about 9-18 months of development time where your staff would be diverted from other work.
- If you hire a consultant to generate this documentation, it would take them an estimated 700 consultant work hours, which equates to a cost of approximately $210,000. This is about 4-12 months of development time for a contractor to provide you with the deliverable.
- The NCP is approximately 2% of the cost for a consultant or 7% of the cost of your internal staff to generate equivalent documentation.
- We process most orders the same business day so you can potentially start working with the NCP the same day you place your order.
The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed.
What Does The NIST SP 800-171 Compliance Program (NCP) Contain?
The NIST SP 800-171 Compliance Program (NCP) is a compilation of editable Microsoft Word, Excel and PowerPoint templates. There is no software to install and it is a one-time purchase. You get the following material as part of the NCP:
- Cybersecurity Policies (policies specific to NIST SP 800-171 and CMMC 2.0 L2)
- Cybersecurity Standards (standards that are specific to NIST SP 800-171 and CMMC 2.0 L2)
- Cybersecurity Standardized Operating Procedures (SOP) (procedures that are specific to NIST SP 800-171 and CMMC 2.0 L2)
- System Security Plan (SSP) Template
- Plan of Action & Milestones (POA&M) Template
- Several Reference Documents
Included Policy Sections:
These are the policy sections that address the 14 sections of CUI controls from NIST SP 800-171 (as well as the Non-Federal Organization (NFO) controls from Appendix E) and the 17 sections of CMMC that overlap with NIST SP 800-171. Most people forget or ignore the NFO controls, which are a basic expectation of NIST SP 800-171 compliance, but we include NFO, CUI and CMMC requirements in the NCP. Each of these policies is supported by standards that directly map to NIST SP 800-171 & CMMC requirements:
- Security & Privacy Governance (GOV) Policy
- Asset Management (AST) Policy
- Business Continuity & Disaster Recovery (BCD) Policy
- Change Management (CHG) Policy
- Cloud Security (CLD) Policy
- Compliance (CPL) Policy
- Configuration Management (CFG) Policy
- Continuous Monitoring (MON) Policy
- Cryptographic Protections (CRY) Policy
- Data Classification & Handling (DCH) Policy
- Endpoint Security (END) Policy
- Human Resources Security (HRS) Policy
- Identification & Authentication (IAC) Policy
- Incident Response (IRO) Policy
- Information Assurance (IAO) Policy
- Maintenance (MNT) Policy
- Mobile Device Management (MDM) Policy
- Network Security (NET) Policy
- Physical & Environmental Security (PES) Policy
- Project & Resource Management (PRM) Policy
- Risk Management (RSK) Policy
- Secure Engineering & Architecture (SEA) Policy
- Security Awareness & Training (SAT) Policy
- Technology Development & Acquisition (TDA) Policy
- Third-Party Management (TPM) Policy
- Threat Management (THR) Policy
- Vulnerability & Patch Management (VPM) Policy
The NCP comes with the following policies and standards, including procedures that map directly to the standards:
| Domain | SCF # | SCF Control (Standard) | NIST SP 800-171 R2 (CUI / NFO) | NIST SP 800-171A (AO) | CMMC 2.0 |
|---|---|---|---|---|---|
| Cybersecurity & Privacy Governance | GOV-02 | Publishing Cybersecurity & Privacy Documentation | | 3.4.9[a] | |
| Asset Management | AST-01 | Asset Governance | 3.4.1 | | CM.L2-3.4.1 |
| Asset Management | AST-02 | Asset Inventories | 3.4.1 | 3.4.1[d] | |
| Asset Management | AST-02.1 | Updates During Installations / Removals | | 3.4.1[f] | |
| Asset Management | AST-02.3 | Component Duplication Avoidance | NFO - CM-8(5) | | |
| Asset Management | AST-05 | Security of Assets & Media | NFO - MP-1 | | |
| Business Continuity & Disaster Recovery | BCD-11 | Data Backups | 3.8.9 | 3.8.9 | MP.L2-3.8.9 |
| Business Continuity & Disaster Recovery | BCD-11.4 | Cryptographic Protection | 3.8.9 | 3.8.9 | MP.L2-3.8.9 |
| Change Management | CHG-01 | Change Management Program | 3.4.3 | | CM.L2-3.4.3 |
| Change Management | CHG-02 | Configuration Change Control | 3.4.3 | 3.4.3[a] | |
| Change Management | CHG-02.2 | Test, Validate & Document Changes | NFO - CM-3(2) | | |
| Change Management | CHG-03 | Security Impact Analysis for Changes | 3.4.4 | 3.4.4 | CM.L2-3.4.4 |
| Change Management | CHG-04 | Access Restriction For Change | 3.4.5 | 3.4.5[a] | |
| Change Management | CHG-05 | Stakeholder Notification of Changes | NFO - CM-9 | | |
| Cloud Security | CLD-01 | Cloud Services | NFO - PL-8 | | |
| Cloud Security | CLD-02 | Cloud Security Architecture | NFO - PL-8 | | |
| Cloud Security | CLD-03 | Cloud Infrastructure Security Subnet | 3.13.2; NFO - PL-8 | | |
| Compliance | CPL-01 | Statutory, Regulatory & Contractual Compliance | NFO - PL-1 | | |
| Compliance | CPL-02 | Security & Privacy Controls Oversight | 3.12.1 | | |
| Compliance | CPL-02.1 | Internal Audit Function | 3.12.1 | | CA.L2-3.12.1 |
| Compliance | CPL-03.1 | Independent Assessors | NFO - CA-7(1) | | |
| Configuration Management | CFG-01 | Configuration Management Program | NFO - CM-1; NFO - CM-9 | | |
| Configuration Management | CFG-02 | System Hardening Through Baseline Configurations | 3.4.1 | | |
| Configuration Management | CFG-02.1 | Reviews & Updates | NFO - CM-2(1) | | |
| Configuration Management | CFG-02.5 | Configure Systems, Components or Services for High-Risk Areas | NFO - CM-2(7) | | |
| Configuration Management | CFG-03 | Least Functionality | 3.4.6 | 3.4.6[a] | |
| Configuration Management | CFG-03.1 | Periodic Review | 3.4.7 | 3.4.7[a] | |
| Configuration Management | CFG-03.2 | Prevent Unauthorized Software Execution | 3.4.7 | | CM.L2-3.4.7 |
| Configuration Management | CFG-03.3 | Unauthorized or Authorized Software (Blacklisting or Whitelisting) | 3.4.8 | 3.4.8[a] | |
| Configuration Management | CFG-03.4 | Split Tunneling | 3.13.7 | 3.13.7 | SC.L2-3.13.7 |
| Configuration Management | CFG-05 | User-Installed Software | 3.4.9 | 3.4.9[b] | |
| Continuous Monitoring | MON-01 | Continuous Monitoring | NFO - AU-1 | | |
| Continuous Monitoring | MON-01.3 | Inbound & Outbound Communications Traffic | 3.14.6 | 3.14.6[a] | |
| Continuous Monitoring | MON-01.4 | System Generated Alerts | NFO - SI-4(5) | | |
| Continuous Monitoring | MON-01.8 | Reviews & Updates | 3.3.3 | | |
| Continuous Monitoring | MON-02 | Centralized Collection of Security Event Logs | 3.3.1 | | |
| Continuous Monitoring | MON-02.1 | Correlate Monitoring Information | 3.3.5 | | |
| Continuous Monitoring | MON-03 | Content of Event Logs | 3.3.2 | 3.3.1[a] | |
| Continuous Monitoring | MON-03.1 | Sensitive Audit Information | 3.3.8 | | AU.L2-3.3.8 |
| Continuous Monitoring | MON-03.2 | Audit Trails | | 3.3.2[a] | |
| Continuous Monitoring | MON-03.7 | Database Logging | | 3.3.2[a] | |
| Continuous Monitoring | MON-05 | Response To Event Log Processing Failures | 3.3.4 | 3.3.4[a] | |
| Continuous Monitoring | MON-06 | Monitoring Reporting | 3.3.6 | 3.3.6[a] | |
| Continuous Monitoring | MON-07 | Time Stamps | | 3.3.7[a] | |
| Continuous Monitoring | MON-07.1 | Synchronization With Authoritative Time Source | 3.3.7 | 3.3.7[b] | |
| Continuous Monitoring | MON-08 | Protection of Event Logs | 3.3.8 | 3.3.8[a] | |
| Continuous Monitoring | MON-08.2 | Access by Subset of Privileged Users | 3.3.9 | 3.3.9[a] | |
| Continuous Monitoring | MON-10 | Event Log Retention | 3.3.1 | 3.3.1[e] | |
| Cryptographic Protections | CRY-01 | Use of Cryptographic Controls | 3.13.11 | 3.13.8[a] | |
| Cryptographic Protections | CRY-01.1 | Alternate Physical Protection | 3.13.8 | 3.13.8[b] | |
| Cryptographic Protections | CRY-03 | Transmission Confidentiality | 3.13.8 | 3.13.8[a] | |
| Cryptographic Protections | CRY-04 | Transmission Integrity | NFO - SI-1 | | |
| Cryptographic Protections | CRY-05 | Encrypting Data At Rest | 3.8.6 | 3.8.6 | MP.L2-3.8.6 |
| Cryptographic Protections | CRY-08 | Public Key Infrastructure (PKI) | 3.13.10 | 3.13.10[a] | |
| Cryptographic Protections | CRY-09 | Cryptographic Key Management | 3.13.10 | 3.13.10[a] | |
| Data Classification & Handling | DCH-01 | Data Protection | 3.8.1; NFO - MP-1 | | |
| Data Classification & Handling | DCH-03 | Media Access | 3.1.3 | | |
| Data Classification & Handling | DCH-04 | Media Marking | 3.8.4 | 3.8.4[a] | |
| Data Classification & Handling | DCH-06 | Media Storage | 3.8.1 | | MP.L2-3.8.1 |
| Data Classification & Handling | DCH-07 | Media Transportation | 3.8.5 | 3.8.5[a] | |
| Data Classification & Handling | DCH-09 | Digital Media Sanitization | 3.7.3 | | |
| Data Classification & Handling | DCH-10 | Media Use | 3.8.7 | 3.8.7 | MP.L2-3.8.7 |
| Data Classification & Handling | DCH-10.2 | Prohibit Use Without Owner | 3.8.8 | 3.8.8 | MP.L2-3.8.8 |
| Data Classification & Handling | DCH-13 | Use of External Information Systems | 3.1.20 | 3.1.20[a] | |
| Data Classification & Handling | DCH-13.1 | Limits of Authorized Use | 3.1.20 | | AC.L1-3.1.20 |
| Data Classification & Handling | DCH-13.2 | Portable Storage Devices | 3.1.21 | 3.1.21[a] | |
| Data Classification & Handling | DCH-15 | Publicly Accessible Content | 3.1.22 | 3.1.22[a] | |
| Endpoint Security | END-01 | Endpoint Security | | 3.4.1[a] | |
| Endpoint Security | END-02 | Endpoint Protection Measures | 3.13.16 | 3.13.16 | SC.L2-3.13.16 |
| Endpoint Security | END-03 | Prohibit Installation Without Privileged Status | 3.4.9 | | CM.L2-3.4.9 |
| Endpoint Security | END-03.2 | Governing Access Restriction for Change | | 3.4.5[a] | |
| Endpoint Security | END-04 | Malicious Code Protection (Anti-Malware) | 3.14.2 | 3.14.2[a] | |
| Endpoint Security | END-04.1 | Automatic Antimalware Signature Updates | 3.14.4 | 3.14.4 | SI.L1-3.14.4 |
| Endpoint Security | END-04.7 | Always On Protection | 3.14.5 | 3.14.5[c] | SI.L1-3.14.5 |
| Endpoint Security | END-10 | Mobile Code | 3.13.13 | 3.13.13[a] | |
| Endpoint Security | END-14 | Collaborative Computing Devices | 3.13.12 | 3.13.12[a] | |
| Human Resources Security | HRS-01 | Human Resources Security Management | NFO - PS-1 | 3.2.2[a] | |
| Human Resources Security | HRS-04 | Personnel Screening | 3.9.1 | 3.9.1 | PS.L2-3.9.1 |
| Human Resources Security | HRS-05 | Terms of Employment | NFO - PL-4 | | |
| Human Resources Security | HRS-05.1 | Rules of Behavior | NFO - PL-4 | | |
| Human Resources Security | HRS-05.2 | Social Media & Social Networking Restrictions | NFO - PL-4(1) | | |
| Human Resources Security | HRS-06 | Access Agreements | NFO - PS-6 | | |
| Human Resources Security | HRS-07 | Personnel Sanctions | NFO - PS-8 | 3.9.2[a] | |
| Human Resources Security | HRS-08 | Personnel Transfer | 3.9.2 | 3.9.2[a] | |
| Human Resources Security | HRS-09 | Personnel Termination | 3.9.2 | 3.9.2[a] | |
| Human Resources Security | HRS-10 | Third-Party Personnel Security | NFO - PS-7 | | |
| Human Resources Security | HRS-11 | Separation of Duties (SoD) | 3.1.4 | 3.1.4[a] | |
| Identification & Authentication | IAC-01 | Identity & Access Management (IAM) | NFO - AC-1 | | |
| Identification & Authentication | IAC-02 | Identification & Authentication for Organizational Users | 3.5.1 | | |
| Identification & Authentication | IAC-02.2 | Network Access to Privileged Accounts - Replay Resistant | 3.5.4 | 3.5.4 | IA.L2-3.5.4 |
| Identification & Authentication | IAC-03 | Identification & Authentication for Non-Organizational Users | | 3.12.4[a] | |
| Identification & Authentication | IAC-04 | Identification & Authentication for Devices | 3.5.2 | | IA.L1-3.5.2 |
| Identification & Authentication | IAC-05 | Identification & Authentication for Third Party Systems & Services | | 3.12.2[a] | |
| Identification & Authentication | IAC-06 | Multi-Factor Authentication (MFA) | 3.5.3 | | IA.L2-3.5.3 |
| Identification & Authentication | IAC-06.1 | Network Access to Privileged Accounts | 3.5.3 | 3.5.3[a] | |
| Identification & Authentication | IAC-06.2 | Network Access to Non-Privileged Accounts | 3.5.3 | 3.5.3[d] | IA.L2-3.5.3 |
| Identification & Authentication | IAC-06.3 | Local Access to Privileged Accounts | 3.5.3 | 3.5.3[a] | |
| Identification & Authentication | IAC-08 | Role-Based Access Control (RBAC) | 3.1.3 | 3.1.3[c] | AC.L2-3.1.3 |
| Identification & Authentication | IAC-09 | Identifier Management (User Names) | 3.5.5 | 3.5.5[a] | |
| Identification & Authentication | IAC-10 | Authenticator Management | 3.5.8 | | |
| Identification & Authentication | IAC-10.1 | Password-Based Authentication | 3.5.7 | 3.5.7[a] | |
| Identification & Authentication | IAC-10.5 | Protection of Authenticators | 3.5.10 | 3.5.10[a] | |
| Identification & Authentication | IAC-11 | Authenticator Feedback | 3.5.11 | 3.5.11 | IA.L2-3.5.11 |
| Identification & Authentication | IAC-15 | Account Management | 3.1.2 | 3.1.2[a] | |
| Identification & Authentication | IAC-15.3 | Disable Inactive Accounts | 3.5.6 | 3.5.6[a] | |
| Identification & Authentication | IAC-16 | Privileged Account Management (PAM) | 3.1.5 | | AC.L2-3.1.5 |
| Identification & Authentication | IAC-16.1 | Privileged Account Inventories | 3.1.5 | | AC.L2-3.1.5 |
| Identification & Authentication | IAC-20 | Access Enforcement | 3.1.1 | 3.1.1[a] | |
| Identification & Authentication | IAC-21 | Least Privilege | 3.1.5 | 3.1.5[a] | |
| Identification & Authentication | IAC-21.1 | Authorize Access to Security Functions | 3.1.5 | | AC.L2-3.1.5 |
| Identification & Authentication | IAC-21.2 | Non-Privileged Access for Non-Security Functions | 3.1.6 | 3.1.6[a] | |
| Identification & Authentication | IAC-21.3 | Privileged Accounts | 3.1.5 | | AC.L2-3.1.5 |
| Identification & Authentication | IAC-21.4 | Auditing Use of Privileged Functions | 3.1.7 | | AC.L2-3.1.7 |
| Identification & Authentication | IAC-21.5 | Prohibit Non-Privileged Users from Executing Privileged Functions | 3.1.7 | 3.1.7[a] | |
| Identification & Authentication | IAC-22 | Account Lockout | 3.1.8 | 3.1.8[a] | |
| Identification & Authentication | IAC-24 | Session Lock | 3.1.10 | 3.1.10[a] | |
| Identification & Authentication | IAC-24.1 | Pattern-Hiding Displays | 3.1.10 | | AC.L2-3.1.10 |
| Identification & Authentication | IAC-25 | Session Termination | 3.1.11 | 3.1.11[a] | |
| Incident Response | IRO-01 | Incident Response Operations | NFO - IR-1 | 3.6.1[a] | |
| Incident Response | IRO-02 | Incident Handling | 3.6.1 | | |
| Incident Response | IRO-04 | Incident Response Plan (IRP) | NFO - IR-8 | | |
| Incident Response | IRO-04.2 | IRP Update | NFO - IR-1 | | |
| Incident Response | IRO-05 | Incident Response Training | 3.6.1 | | IR.L2-3.6.1 |
| Incident Response | IRO-06 | Incident Response Testing | 3.6.3 | 3.6.3 | IR.L2-3.6.3 |
| Incident Response | IRO-13 | Root Cause Analysis (RCA) & Lessons Learned | NFO - IR-1 | | |
| Information Assurance | IAO-01 | Information Assurance (IA) Operations | NFO - CA-1 | | |
| Information Assurance | IAO-02.1 | Assessor Independence | NFO - CA-2(1) | | |
| Information Assurance | IAO-03 | System Security & Privacy Plan (SSPP) | 3.12.4 | | CA.L2-3.12.4 |
| Information Assurance | IAO-03.1 | Plan / Coordinate with Other Organizational Entities | NFO - PL-2(3) | | |
| Information Assurance | IAO-03.2 | Adequate Security for Sensitive / Regulated Data In Support of Contracts | 3.12.4 | | CA.L2-3.12.4 |
| Information Assurance | IAO-05 | Plan of Action & Milestones (POA&M) | 3.12.2 | | CA.L2-3.12.2 |
| Maintenance | MNT-01 | Maintenance Operations | NFO - MA-1 | | |
| Maintenance | MNT-05.2 | Remote Maintenance Notifications | NFO - MA-4(2) | | |
| Maintenance | MNT-06 | Authorized Maintenance Personnel | 3.7.6 | 3.7.6 | MA.L2-3.7.6 |
| Mobile Device Management | MDM-01 | Centralized Management Of Mobile Devices | 3.1.18 | | AC.L2-3.1.18 |
| Mobile Device Management | MDM-02 | Access Control For Mobile Devices | 3.1.18 | 3.1.18[a] | |
| Mobile Device Management | MDM-03 | Full Device & Container-Based Encryption | 3.1.19 | 3.1.19[a] | |
| Mobile Device Management | MDM-06 | Personally-Owned Mobile Devices | 3.1.18 | | AC.L2-3.1.18 |
| Mobile Device Management | MDM-07 | Organization-Owned Mobile Devices | 3.1.18 | | AC.L2-3.1.18 |
| Network Security | NET-01 | Network Security Controls (NSC) | NFO - SC-1 | | |
| Network Security | NET-03 | Boundary Protection | 3.13.1 | 3.13.1[a] | |
| Network Security | NET-03.1 | Limit Network Connections | NFO - SC-7(3) | | |
| Network Security | NET-03.2 | External Telecommunications Services | NFO - SC-7(4) | | |
| Network Security | NET-04 | Data Flow Enforcement - Access Control Lists (ACLs) | 3.1.3 | 3.1.3[a] | |
| Network Security | NET-04.1 | Deny Traffic by Default & Allow Traffic by Exception | 3.13.6; NFO - CA-3(5) | | |
| Network Security | NET-05 | System Interconnections | NFO - CA-3 | | |
| Network Security | NET-05.2 | Internal System Connections | NFO - CA-9 | | |
| Network Security | NET-06 | Network Segmentation | 3.13.5 | 3.13.5[a] | |
| Network Security | NET-07 | Remote Session Termination | 3.13.9 | 3.13.9[a] | |
| Network Security | NET-08 | Network Intrusion Detection / Prevention Systems (NIDS / NIPS) | 3.14.6 | | SI.L2-3.14.6 |
| Network Security | NET-09 | Session Integrity | 3.13.15 | 3.13.15 | SC.L2-3.13.15 |
| Network Security | NET-10 | Domain Name Service (DNS) Resolution | NFO - SC-20 | | |
| Network Security | NET-10.1 | Architecture & Provisioning for Name / Address Resolution Service | NFO - SC-22 | | |
| Network Security | NET-10.2 | Secure Name / Address Resolution Service (Recursive or Caching Resolver) | NFO - SC-21 | | |
| Network Security | NET-13 | Electronic Messaging | 3.13.14 | 3.13.14[a] | |
| Network Security | NET-14 | Remote Access | 3.1.12 | | AC.L2-3.1.12 |
| Network Security | NET-14.1 | Automated Monitoring & Control | 3.1.12 | 3.1.12[a] | |
| Network Security | NET-14.2 | Protection of Confidentiality / Integrity Using Encryption | 3.1.13 | 3.1.13[a] | |
| Network Security | NET-14.3 | Managed Access Control Points | 3.1.14 | 3.1.14[a] | |
| Network Security | NET-14.4 | Remote Privileged Commands & Sensitive Data Access | 3.1.15 | 3.1.15[a] | |
| Network Security | NET-14.5 | Work From Anywhere (WFA) - Telecommuting Security | 3.1.12 | | |
| Network Security | NET-15 | Wireless Networking | 3.1.16 | 3.1.16[a] | |
| Network Security | NET-15.1 | Authentication & Encryption | 3.1.17 | 3.1.17[a] | |
| Network Security | NET-18 | DNS & Content Filtering | 3.1.3 | | AC.L2-3.1.3 |
| Physical & Environmental Security | PES-01 | Physical & Environmental Protections | 3.10.2; NFO - PE-1 | | |
| Physical & Environmental Security | PES-02 | Physical Access Authorizations | 3.10.1 | 3.10.1[a] | |
| Physical & Environmental Security | PES-03 | Physical Access Control | 3.10.5 | 3.10.5[a] | |
| Physical & Environmental Security | PES-03.3 | Physical Access Logs | 3.10.4; NFO - PE-8 | | |
| Physical & Environmental Security | PES-04 | Physical Security of Offices, Rooms & Facilities | 3.10.5 | | PE.L1-3.10.5 |
| Physical & Environmental Security | PES-05 | Monitoring Physical Access | 3.10.2 | | PE.L2-3.10.2 |
| Physical & Environmental Security | PES-05.1 | Intrusion Alarms / Surveillance Equipment | 3.10.2; NFO - PE-6(1) | | |
| Physical & Environmental Security | PES-05.2 | Monitoring Physical Access To Information Systems | 3.10.2 | | PE.L2-3.10.2 |
| Physical & Environmental Security | PES-06 | Visitor Control | 3.10.3 | 3.10.3[a] | |
| Physical & Environmental Security | PES-06.3 | Restrict Unescorted Access | 3.10.3 | 3.10.3[a] | |
| Physical & Environmental Security | PES-10 | Delivery & Removal | NFO - PE-16 | | |
| Physical & Environmental Security | PES-11 | Alternate Work Site | 3.10.6 | 3.10.6[a] | |
| Physical & Environmental Security | PES-12 | Equipment Siting & Protection | 3.10.1 | | PE.L1-3.10.1 |
| Physical & Environmental Security | PES-12.1 | Transmission Medium Security | 3.10.1 | | PE.L1-3.10.1 |
| Physical & Environmental Security | PES-12.2 | Access Control for Output Devices | 3.10.1 | | PE.L1-3.10.1 |
| Project & Resource Management | PRM-01 | Security Portfolio Management | NFO - PL-1 | | |
| Project & Resource Management | PRM-03 | Allocation of Resources | NFO - SA-2 | | |
| Project & Resource Management | PRM-07 | Secure Development Life Cycle (SDLC) Management | NFO - SA-3 | | |
| Risk Management | RSK-01 | Risk Management Program | NFO - RA-1 | | |
| Risk Management | RSK-04 | Risk Assessment | 3.11.1 | 3.11.1[a] | |
| Risk Management | RSK-06 | Risk Remediation | 3.11.3 | | RA.L2-3.11.3 |
| Secure Engineering & Architecture | SEA-01 | Secure Engineering Principles | 3.13.2 | 3.13.2[a] | |
| Secure Engineering & Architecture | SEA-02 | Alignment With Enterprise Architecture | NFO - PL-8 | | |
| Secure Engineering & Architecture | SEA-03 | Defense-In-Depth (DiD) Architecture | 3.13.2 | | SC.L2-3.13.2 |
| Secure Engineering & Architecture | SEA-03.2 | Application Partitioning | 3.13.3 | 3.13.3[a] | |
| Secure Engineering & Architecture | SEA-04 | Process Isolation | NFO - SC-39 | | |
| Secure Engineering & Architecture | SEA-05 | Information In Shared Resources | 3.13.4 | 3.13.4 | SC.L2-3.13.4 |
| Secure Engineering & Architecture | SEA-07 | Predictable Failure Analysis | NFO - SA-3 | | |
| Secure Engineering & Architecture | SEA-07.1 | Technology Lifecycle Management | NFO - SA-3 | | |
| Secure Engineering & Architecture | SEA-10 | Memory Protection | NFO - SI-16 | | |
| Secure Engineering & Architecture | SEA-18 | System Use Notification (Logon Banner) | 3.1.9 | 3.1.9[a] | |
| Secure Engineering & Architecture | SEA-18.1 | Standardized Microsoft Windows Banner | 3.1.9 | 3.1.9[a] | |
| Secure Engineering & Architecture | SEA-18.2 | Truncated Banner | 3.1.9 | 3.1.9[a] | |
| Secure Engineering & Architecture | SEA-20 | Clock Synchronization | 3.3.7 | | AU.L2-3.3.7 |
| Security Awareness & Training | SAT-01 | Security & Privacy-Minded Workforce | NFO - AT-1 | | |
| Security Awareness & Training | SAT-02 | Security & Privacy Awareness | 3.2.1 | 3.2.1[a] | |
| Security Awareness & Training | SAT-03 | Role-Based Security & Privacy Training | 3.2.2 | 3.2.2[a] | |
| Security Awareness & Training | SAT-04 | Security & Privacy Training Records | NFO - AT-4 | | |
| Technology Development & Acquisition | TDA-01 | Technology Development & Acquisition | NFO - SA-4 | | |
| Technology Development & Acquisition | TDA-02 | Minimum Viable Product (MVP) Security Requirements | NFO - SA-4 | | |
| Technology Development & Acquisition | TDA-02.1 | Ports, Protocols & Services In Use | NFO - SA-4(9) | | |
| Technology Development & Acquisition | TDA-02.2 | Information Assurance Enabled Products | NFO - SA-4(10) | | |
|Technology Development & Acquisition||TDA-04||Documentation Requirements||NFO - SA-5|
|Technology Development & Acquisition||TDA-04.1||Functional Properties||NFO - SA-4(1), NFO - SA-4(2)
|Technology Development & Acquisition||TDA-06||Secure Coding||NFO - SA-1||3.13.2[b]
|Technology Development & Acquisition||TDA-08||Separation of Development, Testing and Operational Environments||3.4.5||CM.L2-3.4.5|
|Technology Development & Acquisition||TDA-09||Security & Privacy Testing Throughout Development||NFO - SA-11|
|Technology Development & Acquisition||TDA-14||Developer Configuration Management||NFO - SA-10|
|Third-Party Management||TPM-01||Third-Party Management||NFO - SA-4|
|Third-Party Management||TPM-04||Third-Party Services||NFO - SA-9|
|Third-Party Management||TPM-04.2||External Connectivity Requirements - Identification of Ports, Protocols & Services||NFO - SA-9(2)|
|Third-Party Management||TPM-05||Third-Party Contract Requirements||3.1.1||AC.L1-3.1.1|
|Third-Party Management||TPM-05.2||Contract Flow-Down Requirements||3.1.1||AC.L1-3.1.1|
|Third-Party Management||TPM-10||Managing Changes To Third-Party Services||NFO - SA-4|
|Threat Management||THR-01||Threat Intelligence Program||3.12.3
|Threat Management||THR-03||Threat Intelligence Feeds||3.14.3||SI.L2-3.14.3|
|Threat Management||THR-05||Insider Threat Awareness||3.2.3||3.2.3[a]
|Vulnerability & Patch Management||VPM-01||Vulnerability & Patch Management Program (VPMP)||3.14.1||3.14.1[a]
|Vulnerability & Patch Management||VPM-02||Vulnerability Remediation Process||3.11.3[a]
|Vulnerability & Patch Management||VPM-05||Software & Firmware Patching||3.11.3||RA.L2-3.11.3|
|Vulnerability & Patch Management||VPM-06||Vulnerability Scanning||3.11.2||3.11.2[a]
|Vulnerability & Patch Management||VPM-06.1||Update Tool Capability||NFO - RA-5(1), NFO - RA-5(2)
|Vulnerability & Patch Management||VPM-06.3||Privileged Access||3.11.2||RA.L2-3.11.2|
Supplemental Documentation - Annexes, Templates & References
The NCP also contains the following in the “supplemental documentation” attachment that we provide as part of the NCP:
- Artifact 1: Data Classification & Handling Guidelines
- Artifact 2: Data Classification Examples
- Artifact 3: Data Retention Periods
- Artifact 4: Baseline Security Categorization Guidelines
- Artifact 5: Rules of Behavior (Acceptable & Unacceptable Use)
- Artifact 6: Guidelines for Personal Use of Organizational IT Resources
- Artifact 7: Risk Management Framework (RMF)
- Artifact 8: System Hardening
- Artifact 9: Safety Considerations With Embedded Technology
- Artifact 10: Indicators of Compromise (IoC)
- Artifact 11: Management Directive (Policy Authorization)
- Artifact 12: User Acknowledgement Form
- Artifact 13: User Equipment Receipt of Issue
- Artifact 14: Service Provider Non-Disclosure Agreement (NDA)
- Artifact 15: Incident Response Plan (IRP)
- Artifact 16: Incident Response Form
- Artifact 17: Appointment Orders (Information Security Officer)
- Artifact 18: Privileged User Account Request Form
- Artifact 19: Change Management Request Form
- Artifact 20: Change Control Board (CCB) Meeting Minutes
- Artifact 21: Plan of Action & Milestones (POA&M) / Risk Register
- Artifact 22: Ports, Protocols & Services (PPS)
- Artifact 23: Business Impact Analysis (BIA)
- Artifact 24: Privacy Impact Assessment (PIA)
- Artifact 25: Disaster Recovery Plan (DRP) & Business Continuity Plan (BCP)
- Artifact 26: Exception Request Form
- Artifact 27: Electronic Discovery (eDiscovery) Guidelines
- Artifact 28: Types of Security Controls
- Artifact 29: Cybersecurity Mission, Vision & Strategy
- Artifact 30: Memorandum for Record (MFR) to Define CUI
- Artifact 31: Cybersecurity Roles & Responsibilities Overview
In addition to that, we include the following documentation to aid in your implementation of the NCP:
- NIST NICE Cybersecurity Workforce-based Cybersecurity Roles & Responsibilities
- Cybersecurity Awareness Training (PowerPoint slideshow template)
- Data Classification Icons (PowerPoint template)
- Guide to Writing Procedures
- NIST SP 800-171 Scoping Guide
Affordable NIST SP 800-171 & CMMC 2.0 Compliance Documentation
ComplianceForge took existing documentation and pared it down for smaller organizations that do not need or want the complexity of NIST SP 800-53 when complying with NIST SP 800-171. The NCP includes the following documents as part of its own unique bundle:
- NIST SP 800-171 Compliance Program - Microsoft Word document that addresses NIST SP 800-171 policies and standards.
- Cybersecurity Standardized Operating Procedures (CSOP) - Microsoft Word document that contains cybersecurity procedures that correspond to the policies and standards.
- System Security Plan (SSP) - Microsoft Word document that is a simplified version of our SSP product.
- NIST SP 800-171 Cybersecurity Program Mapping - Microsoft Excel document that contains several components:
  - Plan of Action & Milestones (POA&M) template.
  - Mapping from the NCP to NIST SP 800-171, NIST SP 800-53, NIST SP 800-160, ISO 27002 and NIST CSF.
  - Methods to comply with NIST SP 800-171 (essentially a pared down NIST SP 800-171 Compliance Criteria (NCC) spreadsheet).
  - Roles and responsibilities (corresponds to the Cybersecurity Standardized Operating Procedures).
- Cybersecurity Awareness Training - Microsoft PowerPoint template to provide cybersecurity awareness training.
The official overview of CMMC 2.0 can be read at https://dodcio.defense.gov/CMMC/. As you can see from the infographic shown below, CMMC evolved from 5 levels to 3 levels. If you store, transmit or process Controlled Unclassified Information (CUI), then you are CMMC v2.0 Level 2 (Advanced). ComplianceForge's NIST 800-171 Compliance Program (NCP) is specifically designed as the "easy button" for CMMC v2.0 Level 2 (Advanced). CMMC v2.0 Level 2 (Advanced) removes the CMMC v1.02 practices and processes. The focus is on NIST SP 800-171 R2 CUI and NFO controls.
What Problem Does The NCP Solve?
- Lack of In-House Security Experience - Most smaller contractors lack expertise in NIST SP 800-171. Tasking your managers, IT personnel or security staff to research and write comprehensive documentation is not a wise use of their time. The NCP is an efficient method to obtain comprehensive compliance documentation that can be implemented by either your in-house staff or outsourced IT vendor. Most small contractors cannot afford tens of thousands of dollars in consultant fees to help become compliant with NIST SP 800-171, so the NCP is designed with affordable compliance in mind to give your business the NIST SP 800-171 compliance documentation it needs.
- Compliance Requirements - NIST SP 800-171 is a reality for companies in scope for DFARS and FAR. The NCP is designed with compliance in mind, since it focuses on reasonably-expected security requirements to address the NIST SP 800-171 controls. The documentation contained in the NCP gives you everything you need to comply with NIST SP 800-171 from policies to standards to procedures to templates for your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
- Audit Failures - Without being able to demonstrate compliance with NIST SP 800-171, your organization will likely lose government contracts - it is as simple as that. The NCP is a tool that can jump start your organization towards being compliant with NIST SP 800-171 requirements.
- Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The NCP can provide this evidence!
How Does The NCP Solve It?
- Clear Documentation - The NCP comes in editable Microsoft Office format (e.g., Word, Excel and PowerPoint), so it is customizable for your needs.
- Time Savings - The time savings are immense, as compared to writing something equivalent of the NCP yourself or hiring a consultant to write it for you!
- Alignment With Leading Practices - The NCP has direct mapping to several leading cybersecurity frameworks, including:
  - NIST SP 800-53
  - ISO 27002
  - NIST Cybersecurity Framework (CSF)
  - NIST SP 800-160
  - Secure Controls Framework (SCF)
There is no getting around the necessity to read and be familiar with NIST 800-171 and CMMC - that can't be avoided. One of the best things you can do to start off is to make yourself a pot of coffee and familiarize yourself with the CMMC Kill Chain, since you really need to have a prioritized plan to address NIST 800-171 / CMMC requirements. This is the process we recommend for using the NCP:
- Familiarize yourself with all the documents that come as part of the NCP. At least read through the table of contents and appendices to see what is contained so you understand where to find things.
- Start with the policies & standards – that is a relatively easy win and establishes requirements that other practices will be expected to meet.
- Understand the scope of your CUI environment:
  - Make a network diagram and data flow diagram.
  - Leverage the scoping guide to identify what is in scope: https://www.unified-scoping-guide.com/
FAR vs DFARS Implications for NIST SP 800-171
NIST SP 800-171 isn’t just for Department of Defense (DoD) contractors. In addition to DoD contractors that had to comply with NIST SP 800-171 by the end of 2017, US Federal contractors are increasingly being required to comply with NIST SP 800-171. We often hear from DoD and US Government contractors that they do not know where to start, but they just know that NIST SP 800-171 is a requirement they cannot run from. Both DFARS and FAR point to NIST SP 800-171 as the expectation for contractors to implement a minimum set of cybersecurity capabilities.
The NCP addresses both Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) requirements. Many people overlook the NFO requirements that are listed in Appendix E of NIST SP 800-171, but the NCP includes both CUI and NFO controls so that you have complete coverage for NIST SP 800-171 compliance documentation.
Work Smarter and Not Harder - NIST SP 800-171 Scoping Considerations
NIST SP 800-171 allows contractors to limit the scope of the CUI security requirements to those particular systems or components that store, process or transmit CUI. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.
We put together a guide to help companies scope their computing environment, so they can identify what is in scope for NIST SP 800-171 and what falls outside of scope.
When you look at NIST SP 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). If scoping is done poorly, a company's Cardholder Data Environment (CDE) can encompass the enterprise's entire network, which means PCI DSS requirements would apply uniformly throughout the entire organization. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
We feel that NIST SP 800-171 should be viewed in the very same manner. This guide is meant to help companies identify assets within scope for NIST SP 800-171 and potentially find ways to minimize scope through isolation or controlled access.
Consulting Services Are Available
If you need consulting services, ComplianceForge does have experts available to consult with you on your specific NIST SP 800-171 compliance needs.