NIST 800-171 & CMMC Policy Templates

ComplianceForge is a leader in NIST 800-171 & CMMC policy templates. We have been writing affordable, high-quality cybersecurity documentation since 2005 and NIST 800-171 policy templates since 2016. Our NIST 800-171 clients range from micro-small Defense Industrial Base (DIB) contractors to large multinational organizations. Our NIST 800-171 & CMMC policy templates can scale from a singular focus on NIST 800-171 / CMMC compliance all the way to complex compliance requirements that span multiple laws, regulations and frameworks. We have a solution for your specific needs.

The focus of NIST 800-171 is to protect Controlled Unclassified Information (CUI) anywhere it is stored, transmitted and processed. These controls are directly linked to NIST 800-53, based on the moderate baseline from NIST 800-53B. The controls in NIST 800-171 are required to be assessed against the Assessment Objectives (AOs) in NIST 800-171A.

NIST 800-171 Controls & NIST 800-171A Assessment Objective Coverage

Our NIST 800-171 policy templates clearly map policies, standards and procedures to the controls in NIST 800-171 R2, as well as the Assessment Objectives (AOs) in NIST 800-171A. We include both footnotes in the Microsoft Word documents, as well as crosswalk mapping in Microsoft Excel. This helps make it very clear for how the policies, standards and procedures directly relate to NIST 800-171 & CMMC requirements.

ComplianceForge also has several products that include mapping for NIST 800-171 R3 Final Public Draft (FPD) and NIST 800-171A R3 Initial Public Draft (IPD). 

Comprehensive NIST 800-171 Compliance Documentation

To comply with NIST 800-171 you are expected to have several different documentation artifacts to prove that your cybersecurity program exists (e.g., policies, standards, procedures, SSP, POA&M, etc.). The reality with compliance assessments is that if something is not documented, you cannot prove it exists. Given that documentation expectation, you need to ensure your company has the proper cybersecurity documentation in place. 

ComplianceForge offers quite a few options for CMMC / NIST 800-171 compliance efforts. It really depends on the focus of your compliance efforts, since the right solution depends on if you just need to comply with CMMC / NIST 800-171 or if you have other compliance obligations that you need to address:

• NIST 800-171 Compliance Program (NCP) - This is as close to the “easy button” that we can make from a documentation perspective. The NCP focuses only on CMMC Level 2 / NIST 800-171. This is where the NCP is the most cost-effective and efficient solution. It contains all the policies, standards, procedures, SSP/POA&M and other templates that you legitimately need to demonstrate compliance with NIST 800-171 and pass a CMMC assessment. The NCP includes one year of updates, so when NIST 800-171 R3 is finalized, you will receive updated versions of the documentation.
• NIST 800-171 / CMMC Bundle #2 - If you need to “speak NIST 800-53” for other contracts (e.g., FedRAMP, RMF, FISMA, etc.) then Bundle #2 is a great option. This version is directly aligned with the moderate baseline from NIST 800-53B and leverages NIST 800-53 terminology/taxonomy (e.g., coverage for all 20 NIST 800-53 control families). Unless you have other obligations that require the entire moderage baseline from NIST 800-53, this may be considered overkill for companies that just need to comply with CMMC / NIST 800-171.
• NIST 800-171 / CMMC Bundle #3 - Bundle #3 is similar to Bundle #2, but has coverage for the high baseline from NIST 800-53B. This is meant for those select organizations that need to adhere to the high baseline from NIST 800-53, which includes coverage for NIST 800-172. 
• NIST 800-171 / CMMC Bundle #4 - If you need “the whole enchilada” with robust compliance for far more than just CMMC / NIST 800-171, then CMMC bundle #4 is the best option for an enterprise-class environment, especially one that is going to leverage a GRC platform to help manage documentation. This leverages the Secure Controls Framework (SCF) that covers over 100 cybersecurity and privacy laws, regulations and frameworks, including NIST 800-171, NIST 800-172, NIST 800-53, NIST CSF, ISO 27001/2, CMMC, and many others. The Digital Security Program (DSP) includes one year of updates, so when NIST 800-171 R3 is finalized, you will receive updated versions of the documentation.

We do offer discounted bundles to tie together our products into packages that can meet your unique needs, since each product serves a different purpose. Each of these products has a detailed product page that you can read more about the products and see examples:

• We have different products that cover the policies and standards component, but our most common is the NIST 800-53 version of the Cybersecurity & Data Protection Program (CDPP)
• We have one product that is a templatized set of NIST 800-171 procedures and that is the Cybersecurity Standardized Operating Procedures (CSOP)
• We have one product that is a template for both a SSP & POA&M and that is the System Security Plan (SSP)
• The NIST 800-171 Compliance Criteria (NCC) is essentially a “consultant in a box” that gets you the equivalent of 80 hours worth of a consultant’s time to break down the NIST 800-171 requirements into real criteria for you to implement.

The diagram below depicts all NIST 800-171 requirements and every one has some form of documentation requirement to demonstrate how the control is implemented:

NIST 800-171 Scoping Considerations - CUI Scoping Guide

We put together a guide to help companies scope their computing environment to help identify what is in scope for NIST 800-171 and was falls outside of scope.

Click here for a FREE GUIDE

When you look at NIST 800-171 rev 1 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). From the perspective of PCI DSS, if scoping is done poorly, a company's entire network may be in-scope as the CDE, which means PCI DSS requirements would apply uniformly throughout the entire company. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently-designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. We feel that NIST 800-171 should be viewed in the very same manner. This guide is meant to help companies identify assets within scope for NIST 800-171 and potentially find ways to minimize scope through isolation or controlled access. Not sure what CUI is or if you have CUI on your network? Go to the US Government's authoritative source on the matter, the US Archives CUI Registry at https://www.archives.gov/cui/registry/category-list.

 

• What Is NIST CSF?

  The NIST Cybersecurity Framework (NIST CSF) is commonly used “cybersecurity best practice” for organ...

• Supply Chain Risk Management (SCRM) Plan

  Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing and mit...

• Efficient CMMC Scoping

  Determining the scope of controls (e.g., assessment boundary) is different than determining control...

• What Is NIST 800-171?

  NIST 800-171 focuses on protecting Controlled Unclassified Information (CUI) anywhere it is stored,...

---