Find answers to the most common questions about ComplianceForge products, ordering, customization, and cybersecurity documentation. Can't find your answer? Contact us and we'll respond as soon as we can.
What are controls?
Controls are safeguards or countermeasures that manage risk and protect organizational assets across technical, administrative, and physical domains.
Control procedures are the documented, step-by-step actions that implement a specific security control. They're also the primary evidence that auditors examine…
Statutory compliance means adhering to laws enacted by legislatures. Statutory obligations come directly from legislation, unlike regulatory requirements.
The concept of “security standards” can be answered in one of two ways, since there are two distinct meanings (one being correct and the other incorrect).
"Policies and procedures" is commonly used as a catch-all phrase for all cybersecurity documentation. The shorthand is convenient but hides a meaningful…
The term “operational strategies” is a misnomer. It is an incorrect attempt to define how an organization executes its overarching strategic goals through…
Is it classified information or controlled unclassified?
Executive Orders 12356 and 13526 define classified information. CUI is sensitive but unclassified, requiring safeguarding without a security clearance.
A Self-Assessment Questionnaire (SAQ) is a self-validation tool for merchants handling payment cards as part of Payment Card Industry Data Security Standard…
Getting CMMC certified involves more than implementing controls - you need to find a C3PAO, prepare an evidence package and understand what happens when gaps…
How to create a cybersecurity policy and procedure document?
Creating a “policy and procedure document” is a misnomer, since there is no justifiable reason to have policies and procedures combined into a single document.…
The process of creating a cybersecurity program starts with establishing context, since architecting a cybersecurity program is a systematic, top-down process…
Materiality refers to the significance of an item, transaction, or misstatement to the decision-making process of stakeholders, especially in financial…
Building an effective privacy program is critical for organizations that handle personal data and must comply with regulations such as GDPR, CCPA, HIPAA, or…
The cost to obtain Cybersecurity Maturity Model Certification (CMMC) varies widely depending on factors such as: Organization Size and Complexity. Larger…
NIST SP 800 53 Revision 5 includes a staggering 1,189 controls, divided into the following 20 control families: Access Control; Awareness & Training; Audit &…
Cyber Supply Chain Risk Management (C-SCRM) and Information and Communications Technology Supply Chain Risk Management (ICT SCRM) both focus on managing risks…
The first step to become NIST 800-171 compliant involves identifying which version of NIST 800-171 you have to comply with: NIST 800-171 Rev 3 is the most…
The Digital Security Program (DSP) was ComplianceForge’s legacy name for an enterprise cybersecurity and data privacy documentation set. In 2026, DSP was…
The Data Privacy Program (DPP) is ComplianceForge’s editable privacy program template for organizations that need documented governance for collecting,…