
Editable Cybersecurity Maturity Model Certification (CMMC) Documentation Templates 

We field a lot of questions regarding NIST 800-171 compliance and the DoD's Cybersecurity Maturity Model Certification (CMMC) assessment program. This page addresses the common questions of what CMMC is, how CMMC relates to NIST 800-171, and which ComplianceForge products address both NIST 800-171 and CMMC requirements. The release of CMMC 2.0 returned the focus of CMMC to the NIST SP 800-171 controls. NIST SP 800-171 R3 was finalized in May 2024, and a future CMMC revision will be required to follow those changes from NIST.

ComplianceForge is an industry leader in NIST 800-171 compliance documentation and has been evolving its DFARS-specific cybersecurity solutions since 2016. We specialize in cybersecurity compliance documentation, and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We have been writing cybersecurity documentation since 2005, and we are here to make NIST 800-171 compliance as easy and as affordable as possible. Essentially, CMMC is the DoD's requirement for the Defense Industrial Base (DIB) to obtain an independent assessment that the NIST 800-171 controls are implemented.


“DIBCAC Battle Tested” CMMC 2.0 Policies, Standards & Procedures Templates

ComplianceForge's NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently generate the artifact documentation needed to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A assessment objectives. This battle-tested documentation includes the policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documents that an assessor expects to exist, whether the assessment is performed by DIBCAC or by a C3PAO.

Complying with NIST SP 800-171 & CMMC is hard enough without arguing over terminology. Terminology pertaining to cybersecurity documentation is often abused, so a simplified model of the hierarchical nature of cybersecurity documentation is needed to show the distinct role of each component and the dependencies between them. ComplianceForge created a reference model, designed to encourage clear communication, that defines the cybersecurity documentation components and how they are linked. The model is based on industry-recognized terminology from NIST, ISO, ISACA and AICPA and addresses the interconnections between policies, control objectives, standards, guidelines, controls, assessment objectives, risks, threats, procedures & metrics. It also explains what SSPs, POA&Ms and secure configurations are and how they integrate into an organization's existing cybersecurity documentation. The reference model is available as a PDF download.


NIST 800-171 R3 Documentation Upgrade Path

Sooner rather than later, the US Government's global supply chain will have to transition to NIST 800-171 R3.


ComplianceForge provides a free resource for organizations migrating from NIST 800-171 R2 to R3. The guide provides an Assessment Objective (AO)-level analysis of the differences:

  • Over 1/3 are minimal effort (clear, direct mapping)
  • Approximately 1/5 are moderate effort (indirect mapping)
  • Approximately 1/2 are significant effort (no clear mapping, or new AOs)

The guide also addresses the logical dependencies created by "orphaned AOs": assessment objectives that no longer appear in NIST 800-171A R3, even though a requirement to demonstrate evidence of due diligence and due care still exists for the underlying functions (e.g., maintenance operations, roles & responsibilities, inventories, physical security, etc.).

CMMC v2.0 (DFARS 252.204-7021) Overview

CMMC is the vehicle the US Government uses to implement a tiered approach to assessing contractor compliance with NIST SP 800-171; CMMC 2.0 defines three levels of expectations (the original CMMC 1.0 defined five). DoD contractors have been required to comply with NIST 800-171 since January 1, 2018. Since then, the DoD has grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB), and CMMC was created to remedy that systemic non-compliance by both primes and their subs. Interestingly, when NIST 800-171 was initially launched, the DoD would not accept any form of third-party assessment as evidence of NIST 800-171 compliance, yet that is exactly what CMMC requires, so a great deal has changed from how NIST 800-171 adoption was initially envisioned.

Think of CMMC as a procurement gate that a contractor must pass to be eligible to bid on, win or participate in a contract: without a valid CMMC assessment at the level the contract requires (Level 1 through 3, as a self-assessment or a certification depending on the level), the prime and/or sub will be barred from the contract. It is conservatively estimated that between 200,000 and 300,000 organizations will be in scope for CMMC, many of which are not traditional defense contractors. The reason is the trickle-down effect to third parties that can affect the confidentiality and/or integrity of Controlled Unclassified Information (CUI) where it is stored, transmitted and/or processed. This trickle-down reaches small organizations from IT support to bookkeepers and even janitorial services, in addition to the component manufacturers in the supply chain.


If you are new to CMMC and want a neutral explanation of what it is without any Fear, Uncertainty & Doubt (FUD) marketing, read "Defense Acquisitions: DOD's Cybersecurity Maturity Model Certification Framework" from the Congressional Research Service (CRS). The report was written to educate members of Congress on CMMC, so it is about as neutral as an overview can be.

The CRS report is loaded with references that you can use to verify the information for yourself. It is a good guide to the history of CMMC and some of the challenges surrounding it, and it is worth reading.


Downloadable Excel Spreadsheet - CMMC 2.0 Crosswalk

On 18 March 2020, the US Department of Defense (DoD) released version 1.02 of the CMMC. We turned those requirements into a user-friendly requirements matrix covering CMMC Level 1 through Level 5, and we have since updated it for CMMC 2.0. The matrix also maps how ComplianceForge's products support each CMMC requirement. In the downloadable CMMC v2.0 requirements mapping matrix, you can see how every CMMC 2.0 Level 1-3 requirement is supported by ComplianceForge products.


The downloadable Excel spreadsheet for CMMC v2.0 provides crosswalk mapping to the following frameworks:

Mapping to the following ComplianceForge products:

New To CMMC? Use The "CMMC Kill Chain" To Build A Project Plan

A common issue facing many front-line IT/cybersecurity practitioners is that they do not know where to start with CMMC, let alone what path to follow to pass a CMMC assessment. There is an enormous amount of "What is CMMC?" guidance on LinkedIn, in webinars and on the Internet in general, but there is a lack of practical guidance on HOW you are actually supposed to "do CMMC" in realistic terms. The CMMC Kill Chain is designed to provide a roadmap usable by (1) anyone starting out or (2) anyone wanting to double-check their approach. The graphic and its description are available as a PDF download.


Cybersecurity Maturity Model Certification (CMMC) v2.0 Requirements - Understanding The People, Processes & Technology Connections

As the downloadable infographic shows, the responsibilities associated with CMMC spread far beyond the cybersecurity team. Understanding now who "owns" each CMMC control will pay off significantly as you prepare for your CMMC assessment, since most of these are not purely "cybersecurity" controls: many are owned by business process owners or IT asset custodians.

CMMC Scoping Considerations - Free Guide To Reducing Controlled Unclassified Information (CUI) 


We put together a free guide to help identify what is in scope for NIST 800-171 Rev 2 & Rev 3. Once you know what your CUI is, the next step is to scope your environment, and this guide supports those efforts. Not sure what CUI is, or whether you have CUI on your network? Go to the US Government's authoritative source on the matter, the National Archives CUI Registry at https://www.archives.gov/cui

NIST 800-171 compliance has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). That may sound odd, but under PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements apply uniformly throughout the entire company. In that scenario, compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance far more achievable and affordable. The same holds true for CUI environments.

Given the lack of scoping guidance from the DoD, our assessment is that scoping NIST 800-171 should follow a structured approach similar to the one used for PCI DSS compliance, because that approach is a reasonable method grounded in accepted practices for complying with cybersecurity requirements. The guide is meant to help companies identify the assets within scope for NIST 800-171 and find ways to minimize scope through isolation or controlled access.

What ComplianceForge Products Apply To CMMC 2.0?

Complying with the DFARS requirements goes beyond having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you can see how each ComplianceForge product addresses a specific DFARS compliance need. In the table below, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171 Rev 2. Aligning with NIST 800-53 is the most straightforward approach to complying with NIST 800-171, based on the official mappings in Appendices D & E of NIST 800-171 Rev 2.

ComplianceForge Product | DFARS / NIST 800-171 | NIST 800-53
Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) [policies & standards map to all NIST 800-171 Rev 2 & Rev 3 requirements] | 252.204-7008; 252.204-7012; NIST 800-171 (multiple NFO controls) | PM-1 [multiple sections]
Vendor Compliance Program (VCP) | 252.204-7008; 252.204-7012; NIST 800-171 NFO PS-7 | PS-7; SA-4
Cybersecurity Risk Management Program (RMP) | 252.204-7008; 252.204-7012; NIST 800-171 NFO RA-1 | PM-9; RA-1
Cybersecurity Risk Assessment Template (CRA) | 252.204-7008; 252.204-7012; NIST 800-171 3.11.1 | RA-3
Vulnerability & Patch Management Program (VPMP) | 252.204-7008; 252.204-7012; NIST 800-171 3.11.2 | SI-2; SI-3(2)
Integrated Incident Response Program (IIRP) | 252.204-7008; 252.204-7009; 252.204-7010; 252.204-7012; NIST 800-171 3.6.1 | IR-1
Security & Privacy By Design (SPBD) | 252.204-7008; 252.204-7012; NIST 800-171 NFO SA-3 | Privacy Section; SA-3
System Security Plan (SSP) | 252.204-7008; 252.204-7012; NIST 800-171 3.12.4 | PL-2
Cybersecurity Standardized Operating Procedures (CSOP) | 252.204-7008; 252.204-7012; NIST 800-171 (multiple NFO controls) | PL-7 [multiple sections]
Continuity of Operations Plan (COOP) | 252.204-7008; 252.204-7012; NIST 800-171 3.6.1 | CP-1; CP-2; IR-4(3); PM-8
Secure Baseline Configurations (SBC) | 252.204-7008; 252.204-7012; NIST 800-171 3.4.1 | CM-2; CM-6; SA-8
Information Assurance Program (IAP) | 252.204-7008; 252.204-7012; NIST 800-171 NFO CA-1 | CA-1; PM-10

CMMC Policies, Standards & Procedures Done Right - Designed To Be Scalable, Comprehensive & Efficient

We leverage the Hierarchical Cybersecurity Governance Framework to develop the documentation components our clients need to demonstrate evidence of due diligence and due care. This methodology acknowledges the interconnectivity between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. The documentation model works well with NIST 800-171, NIST 800-53, ISO 27002, NIST CSF, FedRAMP, CIS CSC Top 20, PCI DSS, the Secure Controls Framework (SCF) and other control frameworks.

Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation, as shown in the downloadable diagram. The diagram illustrates the distinct role of each component and the dependencies between them. You can download the example to see how we write documentation that links policies all the way down to metrics. This is a strong fit for any organization currently using, or migrating to, a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to automate its governance practices.


How Should I Prepare For A CMMC Assessment?

CMMC 2.0 defines three levels, and each has its own specific set of controls in scope for a CMMC assessment. Each level carries increasing expectations:

NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, is the underlying set of Assessment Objectives (AOs) that serve as the criteria a C3PAO uses when evaluating a CMMC requirement that maps directly to a NIST 800-171 Rev 2 or Rev 3 control. Until final guidance is issued on what C3PAOs will use for the assessment, the main focus of CMMC preparation should be clear, concise documentation (e.g., CMMC/NIST 800-171-specific policies, standards, procedures, SSP, POA&M, etc.). The reason is financial: you will be paying a C3PAO an hourly rate (likely $300/hr +/- $100), and the longer it takes an assessor to review and understand your environment, the more billable hours accumulate. Clear and concise documentation can therefore save tens of thousands of dollars in future C3PAO assessment costs.

One thing to keep in mind as you prepare for a CMMC assessment - in the audit world there are two constants:

A documentation review will likely occur before the C3PAO conducts any staff interviews, so the more questions you can answer through clear documentation, the fewer blanks your staff will have to fill in during interviews. This is where good documentation is half the battle in an assessment. Expect your C3PAO to start their assessment by:

If I Comply With CMMC, Am I Therefore Compliant With NIST 800-171?

No. By itself, passing a CMMC assessment does not mean you are compliant with NIST 800-171. Appendix D of NIST 800-171 Rev 2 maps the 110 Controlled Unclassified Information (CUI) requirements, and Appendix E lists a further 63 Non-Federal Organization (NFO) controls. While NIST 800-171 is primarily focused on protecting CUI wherever it is stored, transmitted and processed, your organization still needs to comply with both the CUI and the NFO controls.

CMMC only assesses the CUI controls and leaves the NFO controls out of scope. While having fewer controls in scope is financially beneficial to contractors, it also lulls many contractors into a false sense of compliance, where they focus on the 110 CUI controls and ignore the 63 NFO controls. To reiterate: to be considered "NIST 800-171 compliant" you need to comply with both the CUI and the NFO controls. Therefore, holding a CMMC Level 1, 2 or 3 assessment does not by itself mean you are compliant with NIST 800-171, and claiming compliance you do not have can expose your organization to liability under the False Claims Act (FCA), since you are contractually required to comply with NIST 800-171. CMMC is merely a third-party validation check, performed as part of the contracting process, that a basic level of compliance is in place.

CMMC vs NIST 800-171 vs NIST 800-53 Requirements - NIST Did Not Re-Invent The Wheel

Many people ask how NIST 800-171 differs from NIST 800-53. In reality, there is no "NIST 800-171 vs NIST 800-53": the NIST 800-171 requirements are derived from, and mapped to, NIST 800-53 controls. Our solutions address both DFARS and FAR requirements for protecting Controlled Unclassified Information (CUI) by covering NIST 800-171 and its corresponding NIST 800-53 controls.


When it comes to being "audit ready" for NIST 800-171, there is no such thing as "Bronze, Silver or Gold" levels of compliance: a standard is a standard for a reason. This is where documentation is king, since in cybersecurity compliance assessments, if it is not documented then it does not exist. ComplianceForge can provide the documentation you need to demonstrate evidence of due care and due diligence (e.g., policies, standards, procedures, SSP & POA&M). Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation such as "turn-key" incident response, risk management or vulnerability management program documents. Our focus is on helping you become audit ready.

NIST 800-171 is intended to make contractors adhere to reasonably expected security requirements that the US Government has used for years. NIST 800-171 establishes a basic set of expectations and maps those requirements to NIST 800-53, the de facto standard for US Government cybersecurity controls. In some ways this is a good thing, since the US Government is not reinventing the wheel with new requirements. Instead, the requirements were derived from the moderate baseline of an existing set of recognized practices commonly used throughout the DoD and Federal agencies. In the long run, this will help the US Government and private businesses speak the same language for cybersecurity.

The bottom line is that NIST 800-171 creates a standardized and uniform set of requirements for protecting Controlled Unclassified Information (CUI). It is designed to address common deficiencies in managing and protecting unclassified information that is stored, transmitted or processed by private businesses.

Cost of Non-Compliance With Cybersecurity Maturity Model Certification (CMMC)

What can possibly go wrong with non-compliance in a contract with the U.S. Government? 

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.

What Problem Does ComplianceForge Solve?

We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!

How Does ComplianceForge Solve It?

We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!

Browse Our Products

  • Digital Security Program (DSP) - Policy, Standards, Controls & Metrics Template (DSP / SCF). Secure Controls Framework (SCF) "Premium Content": expertise-class policies, control objectives, standards, guidelines, controls & metrics. A short product walkthrough video gives a brief overview about... $9,500.00 - $14,300.00
  • DSP Bundle 1: DSP-CSOP - Policies, Standards, Procedures & Controls. SCF-aligned policies, standards & procedures (25% discount); a bundle of the following two (2) ComplianceForge products focused on operationalizing the Secure Controls Framework... $11,494.00 - $16,294.00
  • DSP Bundle 2: Enhanced Digital Security Documentation - Enhanced Digital Security (35% discount); a bundle of the following seven (7) ComplianceForge products focused on operationalizing the Secure Controls Framework (SCF): Digital... $17,453.00 - $22,253.00
  • DSP Bundle 3: Whole Enchilada - Robust Digital Security Documentation (45% discount); a bundle of the following thirteen (13) ComplianceForge products focused on operationalizing the Secure Controls Framework (SCF): Digital... $24,943.00 - $29,743.00
