$6,510.00 $4,200.00
(You save $2,310.00)

NIST 800-171 Compliance Program (NCP)

Email Delivery Within 1-2 Business Days

file types are bmp, gif, jpg, jpeg, jpe, jif, jfif, jfi, png, wbmp, xbm, tiff

NIST 800-171 "Easy Button" - Editable & Affordable Compliance Documentation 

This package contains editable compliance documentation that is specifically-tailored for NIST 800-171:

  • NIST 800-171 Policies
  • NIST 800-171 Standards
  • NIST 800-171 Procedures
  • System Security Plan (SSP) Template To Document Your CUI Environment
  • Plan of Action & Milestones (POA&M) Template To Document Any Control Deficiencies

We listened to our customers and created the NIST 800-171 Compliance Program (NCP), based on the growing demand from small and medium businesses that want a simplified approach to NIST 800-171 compliance. The NCP is a streamlined product that is made up of other tailored ComplianceForge products to specifically address NIST 800-171 compliance needs.

In simple terms, the NCP gives you everything you need to comply with NIST 800-171 -  cybersecurity policies, standards, procedures, a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M). We also provide a pared-down version of our NIST 800-171 Compliance Criteria (NCC) product to provide simplified compliance guidance.


Product Example - NIST 800-171 Compliance Criteria (NCP)

Our customers choose the NIST 800-171 Compliance Program (NCP) because they:

  • Need an efficient way to comply with NIST 800-171 and make the process as simple as possible
  • Need to be able to edit the document to their specific needs
  • Need an affordable solution

Don't take our word for it - take a look at the example below to see for yourself the level of professionalism and detail that went into it.


2018.1-download-example-nist-800-171-compliance-program-cybersecurity-policies-standards.jpg 2018.1-download-example-nist-800-171-mapping-to-best-practices-nist-800-53-iso-27002-nist-csf-nist-800-160.jpg   2018.2-download-example-nist-800-171-cybersecurity-procedures.jpg   2018.1-download-example-nist-800-171-system-security-plan-ssp-template.jpg   2018.1-download-example-nist-800-171-plan-of-action-and-milestones-template-compliance-criteria.jpg 


Cost Savings Estimate - NIST 800-171 Compliance Program (NCP)

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the NCP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

  • For your internal staff to generate comparable documentation, it would take them an estimated 720 internal staff work hours, which equates to a cost of approximately $49,800 in staff-related expenses. This is about 9-12 months of development time where your staff would be diverted from other work.
  • If you hire a consultant to generate this documentation, it would take them an 400 consultant work hours, which equates to a cost of approximately $120,000. This is about 4-8 months of development time for a contractor to provide you with the deliverable.
  • The NCP is approximately 4% of the cost for a consultant or 8% of the cost of your internal staff to generate equivalent documentation.
  • We process most orders the same business day so you can potentially start working with the NCP the same day you place your order.


The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. 


Affordable NIST 800-171 Compliance Documentation

The NCP is comparable to the NIST 800-171 Compliance Bundle #1 that provides the NIST 800-53 based version of these products, but offers a price break of over $700! 

ComplianceForge took existing documentation and pared it down for smaller organizations that do not need or want the complexity of NIST 800-53 when complying with NIST 800-171. The NCP includes the following documents as part of its own unique bundle:

  • NIST 800-171 Compliance Program - Microsoft Word document that addresses NIST 800-171 policies and standards.
  • Cybersecurity Standardized Operating Procedures (CSOP) - Microsoft Word document that contains cybersecurity procedures that correspond to the policies and standards.
  • System Security Plan (SSP) - Microsoft Word document that is a simplified version of our SSP product.
  • NIST 800-171 Cybersecurity Program Mapping - Microsoft Excel document that contains several components:
    • Plan of Action & Milestones (POA&M) template.
    • Mapping from the NCP to NIST 800-171, NIST 800-53, NIST 800-160, ISO 27002 and NIST CSF.
    • Methods to comply with NIST 800-171 (essentially a pared down NIST 800-171 Compliance Criteria (NCC) spreadsheet)
    • Roles and responsibilities (corresponds to the Cybersecurity Standardized Operating Procedures)
  • Cybersecurity Awareness Training - Microsoft PowerPoint template to provide cybersecurity awareness training.

 The NCP is designed for companies that do not need or want to use the NIST 800-53 framework to manage NIST 800-171 compliance needs. This can significantly reduce complexity for companies that need to comply with NIST 800-171. 


What Problem Does The NCP Solve?

  • Lack of In House Security Experience - Most smaller contractors lack expertise in NIST 800-171. Tasking your managers, IT personnel or security staff to research and write comprehensive documentation is not a wise use of their time. The NCP is an efficient method to obtain comprehensive compliance documentation that can be implemented by either your in-house staff or outsourced IT vendor. Most small contractors cannot afford tens of thousands of dollars in consultant fees to help become compliant with NIST 800-171, so the NCP is designed with affordable compliance in mind to give your business the NIST 800-171 compliance documentation it needs. 
  • Compliance Requirements - NIST 800-171 is a reality for companies in scope for DFARS and FAR. The NCP is designed with compliance in mind, since it focuses on reasonably-expected security requirements to address the NIST 800-171 controls. The documentation contained in the NCP gives you everything you need to comply with NIST 800-171 from policies to standards to procedures to templates for your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
  • Audit Failures - Without being able to demonstrate compliance with NIST 800-171, your organization will likely lose government contracts - it is as simple as that. The NCP is a tool that can jump start your organization towards being compliant with NIST 800-171 requirements.  
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The NCP can provide this evidence!

How Does The NCP Solve It?

  • Clear Documentation - The NCP comes in editable Microsoft Office format (e.g., Word, Excel and PowerPoint), so it is customizable for your needs. 
  • Time Savings - The time savings are immense, as compared to writing something equivalent of the NCP yourself or hiring a consultant to write it for you!
  • Alignment With Leading Practices - The NCP has direct mapping to several leading cybersecurity frameworks, including:
    • NIST 800-53
    • ISO 27002
    • NIST Cybersecurity Framework (CSF)
    • NIST 800-160
    • Secure Controls Framework (SCF)  

FAR vs DFARS Implications for NIST 800-171

NIST 800-171 isn’t just for Department of Defense (DoD) contractors. 

In addition to DoD contractors that had to comply with NIST 800-171 by the end of 2017, US Federal contractors are increasingly being required to comply with NIST 800-171. We often hear from DoD and US Government contractors that they do not know where to start, but they just know that NIST 800-171 is a requirement they cannot run from. Both DFARS and FAR point to NIST 800-171 as the expectation for contractors to implement a minimum set of cybersecurity capabilities. 

The NCP addresses both Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) requirements. Many people overlook the NFO requirements that are listed in Appendix E of NIST 800-171, but the NCP includes both CUI and NFO controls so that you have complete coverage for NIST 800-171 compliance documentation.

Work Smarter and Not Harder - NIST 800-171 Scoping Considerations

NIST 800-171 allows contractors to limit the scope of the CUI security requirements to those particular systems or components that store, process or transmit CUI. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both. 


Click here for a FREE GUIDE 

We put together a guide to help companies scope their computing environment to help identify what is in scope for NIST 800-171 and was falls outside of scope.

When you look at NIST 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). If scoping is done poorly, a company's Cardholder Data Environment (CDE) can encompass the enterprise's entire network, which means PCI DSS requirements would apply uniformly throughout the entire organization. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. NIST 800-171 should be viewed in the very same manner.

We feel that NIST 800-171 should be viewed in the very same manner. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.

Consulting Services Are Available

If you need consulting services, ComplianceForge does have experts available to consult with you on your specific NIST 800-171 compliance needs.

Related Products


  • 1. Perfect fit 5

    The ComplianceForge NIST 800-171 Compliance Program (NCP) is a perfect fit for our small company’s compliance requirements. It provides all of the necessary policies, procedures, System Security Plan and Plan of Action Milestones to help our company comply with the NIST 800-171, both easily and cost effectively, without added complexity. ComplianceForge products reflect the company’s exceptional in-depth compliance knowledge and experience. We recommend ComplianceForge products for any company with compliance goals.

    - GB on Aug 31st 2018
  • 2. Gamechanger for NIST 800-171 5

    As luck would have it, our organization was selected for a security audit on the heels of the Dec. 31, 2017 deadline for NIST 800-171 compliance. We’re a very busy small business and everyone wears multiple hats. We struggled for more than 6 months, bouncing back and forth between the published NIST 800-171 and 800-53 documents, trying to get organized, sort out all the controls and decipher what was required to ensure our Cyber Security program would be deemed compliant. Finally, as the deadline (and our security audit) was closing in, we decided we needed some external help. We thoroughly evaluated several options before landing on the ComplianceForge site. We reviewed the NIST bundles, which seemed more comprehensive, yet straightforward, than any other option out there, but we were still unsure of what we REALLY needed to be compliant, as a small business, so we gave them a call. Game Changer. The gentleman we talked with was extremely helpful in guiding us to the most appropriate (not most expensive) option for our organization and gave us some great tips on how to get started. The spreadsheet is a perfect road map to compliance, complete with examples and suggestions on how to get there. This, along with the bundled templates, enabled us to achieve in a few short weeks what we were completely unable to achieve by ourselves over the previous 6+ months.

    - LT on Aug 16th 2018

Find Out Exclusive Information On Cybersecurity