- NIST 800-171 protects Controlled Unclassified Information (CUI) in nonfederal systems. It is the baseline for DFARS 252.204-7012 compliance and the technical basis for CMMC 2.0.
- ComplianceForge documentation has been used in successful DIBCAC assessments to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives.
- Two focused products: the NIST 800-171 Compliance Program (NCP) and the System Security Plan (SSP) Template. Both cover Rev 2 and Rev 3.
- For organizations aligning with broader NIST 800-53, consider the CMMC Bundles instead, which use 800-53 baselines rather than 800-171.
- All documentation is DIB-contractor-focused and addresses the specific documentation artifacts expected in DIBCAC and C3PAO assessments.
NIST 800-171 Controls & NIST 800-171A Assessment Objective Coverage
Our NIST 800-171 policy templates clearly map policies, standards and procedures to the controls in NIST 800-171 R2, as well as the Assessment Objectives (AOs) in NIST 800-171A. We include both footnotes in the Microsoft Word documents and crosswalk mapping in Microsoft Excel. This makes it very clear how the policies, standards and procedures directly relate to NIST 800-171 & CMMC requirements.
ComplianceForge also has several products that include mapping for NIST 800-171 R3 Final Public Draft (FPD) and NIST 800-171A R3 Initial Public Draft (IPD).

Comprehensive & Editable NIST 800-171 Policies, Standards & Procedures
To comply with NIST 800-171 you are expected to have several different documentation artifacts to prove that your cybersecurity program exists (e.g., policies, standards, procedures, SSP, POA&M, etc.). The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that documentation expectation, you need to ensure your company has the proper cybersecurity documentation in place.
We do offer discounted bundles that tie our products together into packages to meet your unique needs, since each product serves a different purpose. Each of these products has a detailed product page where you can read more about it and see examples:
- We have different products that cover the policies and standards component, but our most common is the NIST 800-53 version of the Cybersecurity & Data Protection Program (CDPP).
- We have one product that is a templatized set of NIST 800-53 procedures and that is the Cybersecurity Standardized Operating Procedures (CSOP).
- We have one product that is a template for both an SSP & POA&M and that is the System Security Plan (SSP).
- The NIST 800-171 Compliance Criteria (NCC) is essentially a “consultant in a box” that gets you the equivalent of 80 hours worth of a consultant’s time to break down the NIST 800-171 requirements into real criteria for you to implement.
NIST 800-171 Scoping Considerations - CUI Scoping Guide
When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). We put together a guide to help companies scope their computing environment, identifying what is in scope for NIST 800-171 and what falls outside of scope.
From the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in scope as the CDE, which means PCI DSS requirements would apply uniformly throughout the entire company. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable.
We feel that NIST 800-171 should be viewed in the very same manner. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access.
Not sure what CUI is or if you have CUI on your network? Go to the US Government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry/category-list.

CMMC Doesn't Have To Be Difficult
The NIST 800-171 Compliance Program (NCP) is designed to fit the needs of small to medium businesses in need of a “square peg for a square hole” to singularly address NIST 800-171 and CMMC compliance requirements. The NCP provides coverage for all Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls found in Appendix E of NIST 800-171, as well as the Assessment Objectives (AOs) from NIST 800-171A (note: if you are unclear what NFO controls are, ComplianceForge has a page on its website dedicated to the topic that is worth reading). Given the coverage of NIST 800-171 and 800-171A, the NCP also provides the necessary coverage for CMMC Level 1 and Level 2 controls.
The NIST 800-171 System Security Plan (SSP) is meant to be a "living document" that captures pertinent information on the control implementation for NIST 800-171. Specifically, the SSP template covers all Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls that are listed in Appendices D and E of NIST 800-171. The SSP can serve as a key element in your organization's cybersecurity program. It can stand alone or be paired with other specialized products we offer.

DIBCAC Battle-Tested Documentation
ComplianceForge's NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the artifact documentation needed to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives.
This battle-tested documentation includes the policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist in order to pass a third-party assessment, whether by DIBCAC or a C3PAO.
NIST 800-171 Rev 2 & Rev 3 Coverage
The NCP covers both NIST 800-171 Rev 2 and Rev 3, recognizing that the DIB ecosystem is in transition between the two. Organizations can use either or both depending on their CMMC certification timeline and contract requirements.
Rev 3 (published May 2024) introduced significant changes from Rev 2, including restructuring of controls and removal of NFO (Non-Federal Organization) controls. ComplianceForge's Rev 3 coverage incorporates these changes into a coherent documentation set.
Available NIST 800-171 / CMMC Products
Two focused products aligned specifically with NIST 800-171 Rev 2/3 and CMMC 2.0 Levels 1-2. For broader NIST 800-53-aligned documentation, see the CMMC Bundles.


Comprehensive Coverage
Give us a call or send us an email - we are happy to help you find the right solution for your needs!
There are a lot of choices to pick from when selecting a cybersecurity framework. If you are not sure what works best for you, you can read more here. The most common frameworks are NIST 800-53, ISO 27002, the NIST Cybersecurity Framework and the Secure Controls Framework (SCF). To implement NIST CSF, ISO 27002 or NIST SP 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with a framework, there is also a need for program-specific guidance that operationalizes those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to comply with NIST CSF vs ISO 27002 vs NIST SP 800-53, since there are significantly different levels of expectation.
It is important to understand that picking a cybersecurity framework is more of a business decision and less of a technical decision. Realistically, the process of selecting a cybersecurity framework must be driven by a fundamental understanding of what your organization needs to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:
- Not be considered negligent with reasonable expectations for cybersecurity & data protection;
- Comply with applicable laws, regulations and contractual obligations; and
- Implement the proper controls to secure your systems, applications and processes from reasonable threats, based on your specific business case and industry practices.
This understanding makes it easy to determine where on the "framework spectrum" (shown above) you need to focus for selecting a set of cybersecurity principles to follow. This process generally leads to selecting the NIST Cybersecurity Framework, ISO 27002, NIST SP 800-53 or SCF as a starting point.