NIST 800-171 800-171A editable policies standards procedures template example

NIST 800-171 Compliance - DFARS 252.204-7012 & FAR 52.204-21

NIST 800-171 compliance starts with documentation for the very simple fact that when it comes to cybersecurity compliance, if it is not documented then it does not exist. That is the reality of how audits/assessments work and non-existent or weak documentation can lead to non-compliance. We've been involved in NIST 800-171 compliance since 2016, where we have a long track record of successfully supporting our clients with quality documentation and support.

ComplianceForge is an industry-leader in NIST 800-171 compliance. We specialize in cybersecurity compliance documentation and our products include the policies, standards, procedures and POA&M/SSP templates that companies (small, medium and large) need to comply with NIST 800-171. We've been writing cybersecurity documentation since 2005 and we are here to help make NIST 800-171 compliance as easy and as affordable as possible. 

Complying with NIST SP 800-171 & CMMC can be hard enough without arguing over terminology. Terminology pertaining to cybersecurity documentation is often abused, so a simplified concept of the hierarchical nature of cybersecurity documentation is needed to demonstrate the unique nature of these components, as well as the dependencies that exist. ComplianceForge created a reference model that is designed to encourage clear communication by defining cybersecurity documentation components and how those are linked. This model is based on industry-recognized terminology from NIST, ISO, ISACA and AICPA to addresses the inter-connectivity of policies, control objectives, standards, guidelines, controls, assessment objectives, risks, threats, procedures & metrics. This also addresses what SSPs, POA&Ms and secure configurations are and how those integrate into an organization's existing cybersecurity documentation. Click on the image below to download the PDF:

NIST 800-171 & CMMC compliance documentation terminology reference

Our NIST 800-171 compliance products are designed to scale for organizations of any size or level of complexity, so we serve businesses of all sizes, from the Fortune 500 all the way to small and medium businesses. The focus of NIST 800-171 is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed.

editable NIST 800-171 CMMC policies standards procedures

“DIBCAC Battle Tested” NIST 800-171, NIST 800-171A & CMMC 2.0 Policies, Standards & Procedures

ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.

When you look at NIST 800-171 as it compares to other cybersecurity requirements, it is requiring companies to have a relatively-strong set of cybersecurity controls in place that range from administrative processes to protective technologies. We help customers that range from the Fortune 500 down to small and medium-sized businesses comply with this DFARS requirement. Our products are scalable, professionally-written and affordable.

NIST 800-171 CMMC editable cybersecurity policies standards procedures

As a quick summary of your requirements to comply with NIST 800-171, you are expected to have several different "documentation artifacts" to prove that your cybersecurity program exists. The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that reality, you need to ensure your company has the proper cybersecurity documentation in place:

dfars nist cmmc policies standards procedures

FedRAMP Equivalency - NIST SP 800-171 & NIST SP 800-53

The graphic below shows how NIST SP 800-171 R3 IPD (green columns) is significantly less than NIST SP 800-53 R5 moderate baseline (blue columns) and FedRAMP R5 moderate baseline (orange colums). This is an "apples to apples" comparison of control coverage, based on a mapping from NIST SP 800-53 R5, which is the source of the controls from NIST SP 800-171 R3 IPD and FedRAMP R5. The reason we show this is to approach compliance with your eyes wide open to what the requirements actually are.

NIST SP 800-53 vs FedRAMP vs NIST SP 800-171

Cybersecurity Maturity Model Certification (CMMC)

The chart below depicts all Capability Maturity Model Certification (CMMC) v2.0 requirements and how they map to other frameworks:

CMMC Center of Awesomeness (CMMC-COA)

The "NIST 800-171 in a nutshell" graphic show below helps depict NIST 800-171 requirements from either a policy, standard or procedure perspective. This can help better visualize what the various requirements are (e.g., administrative, technical solutions, configurations, etc.). 

CMMC NIST 800-171 in a nutshell

NIST 800-171 Scoping Considerations - Free Guide To Reducing Controlled Unclassified Information (CUI) 

Unified Scoping Guide | CUI Scoping Guide | CMMC Scoping Guide | NIST 800-171 Scoping Guide

Click here for a FREE GUIDE 

We put together a free guide to help identify what is in scope for NIST 800-171. Once you know what your CUI is, the next step is to scope your environment and this is a valuable guide for those efforts. Not sure what CUI is or if you have CUI on your network? Go to the US government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry/category-list

When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). That may sound odd to you, but from the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in-scope as the Cardholder Data Environment (CDE), which means PCI DSS requirements would apply uniformly throughout the entire company. The same holds true for CUI environments. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently-designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. 

Based on a lack of scoping guidance from the DoD, our assessment of scoping NIST 800-171 is that it should following a similar, structured approach to scoping that is used for PCI DSS compliance. The reason for this is the proposed approach is a reasonable method, based on accepted practices to comply with cybersecurity requirements. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.

What ComplianceForge Products Apply To NIST 800-171 Rev 2 Compliance?

Complying with the requirements from DFARS goes beyond just having policies and standards. When you break down the requirements to comply with DFARS / NIST 800-171, you will see how ComplianceForge's products address a specific DFARS compliance need. In the chart, "NFO" stands for Non-Federal Organization. NFO controls are required for contractors and are called out in Appendix E of NIST 800-171. Aligning with NIST 800-53 is the most straightforward approach to complying with NIST 800-171, based on the official mappings in Appendices D & E of NIST 800-171. 

ComplianceForge Product DFARS / NIST 800-171 NIST 800-53

Cybersecurity & Data Protection Program (CDPP) or
Digital Security Program (DSP

 [policies & standards map to all NIST 800-171 rev1 requirements]

252.204-7008
252.204-7012
NIST 800-171 (multiple NFO controls)

PM-1
[multiple sections]

Cybersecurity Supply Chain Risk Management Strategy & Implementation Plan (C-SRCM SIP) 252.204-7008
252.204-7012
NIST 800-171 NFO PS-7

PS-7
SA-4

Cybersecurity Risk Management Program (RMP) 252.204-7008
252.204-7012
NIST 800-171 NFO RA-1

PM-9
RA-1

Cybersecurity Risk Assessment Template (CRA) 252.204-7008
252.204-7012
NIST 800-171 3.11.1
RA-3
Vulnerability & Patch Management Program (VPMP) 252.204-7008
252.204-7012
NIST 800-171 3.11.2

SI-2
SI-3(2)

Integrated Incident Response Program (IIRP) 252.204-7008
252.204-7009
252.204-7010
252.204-7012
NIST 800-171 3.6.1
IR-1
Security & Privacy By Design (SPBD) 252.204-7008
252.204-7012
NIST 800-171 NFO SA-3

Privacy Section
SA-3

System Security Plan (SSP) 252.204-7008
252.204-7012
NIST 800-171 3.12.4
PL-2
Cybersecurity Standardized Operating Procedures (CSOP) 252.204-7008
252.204-7012
NIST 800-171 (multiple NFO controls)

PL-7
[multiple sections]

Continuity of Operations Plan (COOP) 252.204-7008
252.204-7012
NIST 800-171 3.6.1

CP-1
CP-2
IR-4(3)
PM-8

Secure Baseline Configurations (SBC) 252.204-7008
252.204-7012
NIST 800-171 3.4.1

CM-2
CM-6
SA-8

Information Assurance Program (IAP) 252.204-7008
252.204-7012
NIST 800-171 NFO CA-1

CA-1
PM-10

Documentation Done Right - Our Solution Is Designed To Be Scalable, Comprehensive & Efficient

We leverage the Hierarchical Cybersecurity Governance Framework to develop the necessary documentation components that are key to being able to demonstrate evidence of due diligence and due care for our clients. This methodology towards documentation acknowledges the interconnectivity that exists between policies, control objectives, standards, guidelines, controls, risks, procedures & metrics. This documentation model works well with ISO 27002, NIST CSF, NIST 800-171, NIST 800-53, FedRAMP, CIS CSC Top 20, PCI DSS, Secure Controls Framework (SCF) and other control frameworks. 

Essentially, ComplianceForge simplified the concept of the hierarchical nature of cybersecurity and privacy documentation that you can see in the downloadable diagram shown below. This helps demonstrate the unique nature of these components, as well as the dependencies that exist. You can download the example to better understand how we write our documentation that links policies all the way down to metrics. This is a great solution for any organization currently using or migrating to a Governance, Risk & Compliance (GRC) or Integrated Risk Management (IRM) platform to help automate their governance practices.

Hierarchical Cybersecurity Governance Framework - policies standards procedures controls metrics

Framework Alignment Matters For CMMC 2.0 & NIST 800-171 Compliance! 

Many people ask how NIST 800-171 is different from NIST 800-53. In reality, there is no NIST 800-171 vs NIST 800-53, since everything defaults back to NIST 800-53. Our solutions address both DFARS and FAR requirements for protecting Controlled Unclassified Information (CUI) by addressing NIST 800-171 and its corresponding NIST 800-53 requirements.

NIST SP 800-171 CMMC nist csf vs nist 800-171 vs cmmc

When it comes to being "audit ready" for a company with NIST 800-171, there is no such thing as "Bronze, Silver or Gold" levels of compliance since a standard is a standard for a reason. This is where documentation is king, since in cybersecurity compliance audits, if it is not documented then it does not exist.

ComplianceForge can provide you with the documentation you need to demonstrate evidence of due care and due diligence to be considered compliant (e.g., policies, standards, procedures, SSP & POA&M). Our affordable solutions range from cybersecurity policies & standards documentation, to NIST 800-171 compliance checklists, to program-level documentation, such as "turn key" incident responserisk management or vulnerability management program documents. Our focus is on helping you become audit ready! 

CMMC compliance level 1-3 documentation

NIST 800-171 is intended to force contractors to adhere with reasonably-expected security requirements that have been in use by the US government for years. NIST 800-171 establishes a basic set of expectations and maps these requirements to NIST 800-53, which is the de facto standard for US government cybersecurity controls. In some ways, this is a good thing since the US government is not reinventing the wheel with new requirements. Instead, the DoD selected moderate-level controls from an existing set of recognized best practices, commonly used throughout the DoD and Federal agencies. In the long run, this will help both the US government and private businesses speak the same language for cybersecurity. 

The bottom line is NIST 800-171 creates a standardized and uniform set of requirements for all Controlled Unclassified Information (CUI) security needs. This is designed to address common deficiencies in managing and protecting unclassified information by that is being stored, transmitted or processed by private businesses.  

Cost of Non-Compliance With NIST 800-171 (DFARS 252.204-7012)

What can possibly go wrong with non-compliance in a contract with the U.S. Government? 

As you can see from those examples, the cost of non-compliance is quite significant. As always, seek competent legal counsel for any pertinent questions on your specific compliance obligations.

What Problem Does ComplianceForge Solve?

We sell cybersecurity documentation - policies, standards, procedures and more! Our documentation is meant to help companies become audit-ready!

How Does ComplianceForge Solve It?

We take a holistic approach to creating comprehensive cybersecurity documentation that is both scalable and affordable. This is beyond just generic policies and allows you to build out an audit-ready cybersecurity program for your organization!

2021.1-complianceforge-products.jpg

DFARS 252.204-7012 (NIST 800-171 Rev 2) Implications and Federal Acquisition Regulation (FAR)

Many of our clients who need to address DFARS 252.204-7012 (NIST 800-171) also have to address FAR 52.204-21. One common question we receive from clients pertains to aligning with the correct security framework to ensure they have the proper coverage for compliance. This generally revolves around aligning with ISO 27001/27002 or NIST 800-53, since those are the two most common security frameworks.

The bottom line is that utilizing ISO 27001/27002 as a security framework does not meet the requirements of NIST 800-171. In fact, NIST 800-171 (Appendix D) maps out how the CUI security requirements of NIST 800-171 relate to NIST 800-53 and ISO 27001/27002 security controls. This includes callouts where the ISO 27001/27002 framework does not fully satisfy the requirements of NIST 800-171. Therefore, policies and standards based on NIST 800-53 are what is needed to comply with NIST 800-171. This is important to keep in mind, since FAR changes will require all US government contractors to adopt NIST 800-171 requirements in the near future.

NIST 800-171 isn’t just for Department of Defense (DoD) contractors. Representatives from the National Institute of Standards and Technology (NIST) and DoD officials have recently been putting this information out in webinars and other training seminars on NIST 800-171. This means that only the NIST 800-53 framework is going to meet FAR requirements - ISO 27002 and the NIST Cybersecurity Framework are going to be insufficient in coverage. This coming requirement for FAR cybersecurity compliance is specified on page v of NIST 800-171:

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI government-wide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program.

With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable government-wide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors.

In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — and defining security requirements for protecting CUI in nonfederal systems and organizations. This approach will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.

Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information gives rise to confusion and inefficiencies. The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Until the formal process of establishing such a FAR clause takes place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.

 

Affordable, Editable NIST 800-171 Compliance Documentation (DFARS 252.204-7012)

We listened to our customers and we created several products that are specific to NIST 800-171 compliance. We had an overwhelming request from companies to help them become NIST 800-171 compliant and most told us they do not know where to start, but they just know that this is a requirement they cannot run from.

The concept is pretty simple - the NIST 800-171 Compliance Criteria (NCC) goes through each NIST 800-171 requirement and maps it to the corresponding NIST 800-53 rev 4 controls. Each of those NIST 800-53 controls is explained as to what reasonably-expected criteria would be to meet that control. Additionally, the NCC provides applicable "best practice" guidance on what steps you need to take in order to comply. That is exactly what you would expect from a dedicated consultant! What do you get if you buy the NCC?

Background on NIST 800-171 Rev 2 Controls

NIST 800-171 requires private companies to protect the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and non-federal organizations (e.g., government / DoD contractors). The good news is that ComplianceForge can help you with your compliance needs! We have affordable solutions that range from the NIST 800-171 Compliance Criteria (NCC) all the way to providing you with comprehensive cybersecurity policies and standards, such as the NIST 800-53 Cybersecurity & Data Protection Program (CDPP).

Appendix D of NIST 800-171 provides a direct mapping of CUI security requirements to the security controls in NIST 800-53 rev4 and ISO/IEC 27001:2013. This security control mapping information can be useful to organizations that wish to demonstrate compliance to the CUI security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO frameworks. NIST 800-53 has direct mapping, where ISO 27001/27002 has gaps that would have to be filled with enhanced policies and standards.

A central tenant to NIST 800-171 is a need to focus on secure engineering. However, it is important to keep in mind that this expectation for operationalizing security and privacy principles is not limited to NIST 800-171:

Key Assumptions For NIST 800-171 That Impact Scoping

NIST 800-171 states that contractors may limit the scope of the CUI security requirements to those particular systems or components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both.

Is Your Organization Audit Ready for NIST 800-171?

When you "peel back the onion" and prepare for a NIST 800-171 audit, there is a need to address "the how" for certain topics. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW it gets done. We did the heavy lifting and created several program-level documents to address this need and they integrate with either the Cybersecurity & Data Protection Program (CDPP) or Digital Security Program (DSP) to provide your organization with a set of robust documentation to prepare for your audit. This gives you a full stack of documentation that covers your needs for policies, standards, procedures, System Security Plan (SSP) and a Plan of Action & Milestones (POA&M). 

NIST 800-171 Compliance Through A NIST 800-53 Rev5-Based Cybersecurity Program

US Federal agencies require NIST 800-171 compliance for protecting the confidentiality of Controlled Unclassified Information (CUI). The CUI requirements within NIST 800-171 are directly linked to NIST 800-53 MODERATE baseline controls and are intended for use by federal agencies in contracts or other agreements established between those agencies and nonfederal organizations (e.g., government contractors), as it applies to:

The NIST 800-171 requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The good news is that ComplianceForge can help you with your compliance needs!

Controlled Unclassified Information (CUI) - Understanding NIST 800-53 rev 5 MODERATE Controls

Does your company need to comply with NIST 800-171 requirements for MODERATE baseline controls from NIST 800-53? The good news is our NIST 800-53 based Cybersecurity & Data Protection Program (CDPP) has the documentation you need to comply with MODERATE baseline controls.

The CUI requirements developed from the tailored FIPS Publication 200 security requirements and the NIST 800-53 moderate security control baseline represent a subset of the safeguarding measures necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies,

The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST 800-53, with respect to the protection of the confidentiality of CUI in nonfederal information systems and organizations. Appendix D provides informal mappings of the CUI security requirements to the relevant security controls in NIST 800-53 and ISO/IEC 27001. The mappings are included to promote a better understanding of the CUI security requirements and are not intended to impose additional requirements on nonfederal organizations.

For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the aforementioned tailoring criteria.

What Does NIST 800-171 Require?

NIST 800-171 describes fourteen (14) families of security requirements for protecting the confidentiality of CUI. The families are aligned with the minimum security requirements for federal information and information systems described in Federal Information Processing Standard (FIPS) 200, with exceptions for contingency planning, system, and services acquisition and planning requirements.

Appendix D of NIST 800-171 maps requirements to both NIST 800-53 rev4 and ISO 27002:2013 best practices. Only NIST 800-53 offers complete coverage for NIST 800-171 requirements. 

 

Browse Our Products

  • Digital Security Program (DSP)

    Digital Security Program (DSP) - SCF Policy Template

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    $9,500.00
    Choose Options
  • ISO 27001 27002 policies & standards

    ISO 27001 / 27002 Policy Template

    ComplianceForge ISO 27001 & 27002 Compliance Documentation Templates

    ISO 27001 & 27002 Policy Template   UPDATED FOR ISO 27001:2022 & 27002:2022   Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common...

    $1,800.00
    Choose Options
  • NIST 800-53 rev5 policies & standards

    NIST 800-53 R5 (moderate) Policy Template

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    NIST 800-53 Rev5 Policy Template  LOW & MODERATE BASELINE   Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...

    $1,800.00
    Choose Options
  • NIST 800-53 rev5 policies & standards - low, moderate & high baselines

    NIST 800-53 R5 (high) Policy Template

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    NIST SP 800-53 Rev5 Policy Template  LOW, MODERATE & HIGH BASELINE   Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about what the CDPP is to help answer common questions we receive...

    $2,700.00
    Choose Options
  • NIST 800-171 Compliance Program (NCP). This is a bundle of products that are specific to NIST 800-171 and CMMC 2.0 compliance - policies, standards, procedures, SSP & POA&M templates. Editable CMMC 2.0 Level 2 (old Level 3) policies, standards, procedures, SSP & POA&M templates. CMMC policies & standards. NIST 800-171 policies & standards.

    NIST 800-171 Compliance Program (NCP): CMMC Level 2

    ComplianceForge - NIST 800-171 & CMMC

    NIST SP 800-171 & CMMC Editable & Affordable Cybersecurity Documentation This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive. NIST 800-171 Rev 3...

    $8,950.00
    $8,950.00
    $5,200.00
    Choose Options
  • CDPP Bundle 4a: NIST 800-53 R5 Low Moderate Compliance

    NIST 800-53 R5 (moderate) Compliance Templates

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    Cybersecurity & Data Protection Program (CDPP) Bundle #4a (40% discount) This is a bundle that includes the following fourteen (14) ComplianceForge products that are focused on operationalizing NIST SP 800-53 R5 (low & moderate...

    $36,990.00
    $36,990.00
    $22,194.00
    Choose Options
  • CDPP Bundle 4b: NIST 800-53 R5 Low Moderate High Compliance

    NIST 800-53 R5 (high) Compliance Templates

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    Cybersecurity & Data Protection Program (CDPP) Bundle #4b - Low, Moderate & High Baselines (40% discount) This is a bundle that includes the following fourteen (14) ComplianceForge products that are focused on operationalizing NIST SP...

    $39,065.00
    $39,065.00
    $23,439.00
    Choose Options
  • NIST 800-171 Compliance Bundle 2: NIST 800-53 R5 Moderate Baseline Documentation. CMMC policies & standards. NIST 800-171 policies & standards.

    CMMC Bundle 2: Levels 1-2 (NIST 800-53 Moderate)

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    NIST 800-171 & CMMC 2.0 Compliance Bundle #2 - ADVANCED  CMMC Level 2  (25% discount) This is a bundle that includes the following five (5) ComplianceForge products that are focused on operationalizing NIST SP 800-53 R5 (low,...

    $12,790.00
    $12,790.00
    $9,593.00
    Choose Options
  • NIST 800-171 Compliance Bundle 3: NIST 800-53 R5 High Baseline Documentation. CMMC policies & standards. NIST 800-171 policies & standards.

    CMMC Bundle 3: Levels 1-3 (NIST 800-53 High)

    ComplianceForge NIST 800-53 Compliance Documentation Templates

    NIST 800-171 & CMMC Compliance Bundle #3 - EXPERT  CMMC 2.0 Levels 1-3   (40% discount) This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing NIST SP 800-171...

    $36,065.00
    $36,065.00
    $21,639.00
    Choose Options
  • DSP Bundle 1: DSP-CSOP

    DSP Bundle 1: Policies, Standards, Procedures & Controls

    Secure Controls Framework (SCF)

    Digital Security Plan (DSP) Bundle #1 - SCF-Aligned Policies, Standards & Procedures (25% Discount) This is a bundle that includes the following two (2) ComplianceForge products that are focused on operationalizing the Secure Controls Framework...

    $15,325.00
    $15,325.00
    $11,494.00
    Choose Options
  • DSP Bundle 2

    DSP Bundle 2: Enhanced Digital Security Documentation

    Secure Controls Framework (SCF)

    Digital Security Plan (DSP) Bundle #2 - ENHANCED DIGITAL SECURITY (35% Discount) This is a bundle that includes the following seven (7) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...

    $26,850.00
    $26,850.00
    $17,453.00
    Choose Options
  • DSP Bundle 3: Whole Enchilada

    DSP Bundle 3: Robust Digital Security Documentation

    Secure Controls Framework (SCF)

    Digital Security Plan (DSP) Bundle #3 - ROBUST DIGITAL SECURITY (45% Discount) This is a bundle that includes the following thirteen (13) ComplianceForge products that are focused on operationalizing the Secure Controls Framework (SCF): Digital...

    $45,350.00
    $45,350.00
    $24,943.00
    Choose Options

Learn More About Cybersecurity & Data Privacy