
NIST 800-171 Compliance Program (NCP): CMMC Level 2

Email Delivery Within 1-2 Business Days


NIST SP 800-171 & CMMC Editable & Affordable Cybersecurity Documentation

This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive.

NIST 800-171 Rev 3 Changes

NIST SP 800-171 Rev 3 was released on 14 May 2024 and contains significant changes from NIST 800-171 Rev 2. As stated by Ron Ross of NIST, the official government requirements from the Office of Management and Budget (OMB) require organizations to adopt the most current version of a NIST publication one year after its release. From a NIST 800-171 perspective, this means NIST 800-171 Rev 3 will be expected for contracts going forward, and at that point NIST 800-171 Rev 2 will be deprecated (outdated). Therefore, it is essential for businesses to start now to implement the controls required to comply with NIST 800-171 Rev 3.

With this new revision, NIST provided the following information on what changed:

What makes the NCP great is that it saves you time and money! The NCP was designed to make upgrading to the latest version of NIST 800-171 less painful. One of the key features of the NCP is that it is backwards compatible with NIST 800-171 Rev 2 while also providing coverage for NIST 800-171 Rev 3. This is beneficial, since you can demonstrate coverage for the current version of NIST 800-171 (Rev 2) while you implement the new controls from NIST 800-171 Rev 3.

What Is The NIST 800-171 Compliance Program (NCP)?

The NCP is a compilation of editable Microsoft Word, Excel and PowerPoint templates. There is no software to install and it is a one-time purchase. You get the following material as part of the NCP:

  • Updated Coverage For Both NIST 800-171 R2 & R3 (mapped to the Assessment Objective level of NIST 800-171A)
  • Cybersecurity Policies (policies specific to NIST 800-171 and CMMC 2.0 L2)
  • Cybersecurity Standards (standards that are specific to NIST 800-171 and CMMC 2.0 L2)
  • Cybersecurity Standardized Operating Procedures (SOP) (procedures that are specific to NIST 800-171 and CMMC 2.0 L2)
  • NEW ADDITION - Supply Chain Risk Management (SCRM) Plan
  • Risk Assessment Worksheet & Report Template (perform a risk & threat assessment using Microsoft Word and Excel)
  • System Security Plan (SSP) Template  
  • Plan of Action & Milestones (POA&M) Template
  • Provides coverage for related compliance requirements found in:
    • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008, 252.204-7012, 252.204-7019, 252.204-7020 and 252.204-7021
    • Federal Acquisition Regulation (FAR) 52.204-21, 52.204-27 and Section 889
    • International Traffic in Arms Regulation (ITAR)
  • A Considerable Number of Reference Documents and Other Templates:
    • Risk catalog
    • Threat catalog
    • Evidence Request List (ERL)
    • Incident Response Plan (IRP) template
    • Business Impact Analysis (BIA) template
    • Business Continuity / Disaster Recovery (BC/DR) template
    • Data classification & handling guidelines
    • Data retention guidelines
    • Rules of behavior (acceptable use)
    • Mobile device usage guidelines
    • Risk management guidelines
    • System hardening guidelines
    • and more!

The NCP is "battle tested" - our clients have successfully passed DIBCAC assessments with this documentation, including a CMMC Third-Party Assessment Organization (C3PAO). You receive a lifetime license to use the NCP at your company and the purchase price includes one year of updates. After the first year, you can choose to subscribe to updates or not. We expect NIST SP 800-171 R3 to be released in mid-2024 and "CMMC 3.0" soon afterwards, so clients who buy the NCP in 2024 will receive updated documentation to address those changes. 

The NCP is designed to fit the needs of small to medium businesses in need of a “square peg for a square hole” to singularly address NIST 800-171 and CMMC compliance requirements. The NCP provides coverage for all Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) controls found in Appendix E of NIST 800-171, as well as the Assessment Objectives (AOs) from NIST 800-171A (note - if you are unclear what NFO controls are, ComplianceForge has a page on its website that is dedicated to the topic that is worth reading). Given the coverage of NIST 800-171 and 800-171A, the NCP also provides necessary coverage for CMMC Level 1 and Level 2 controls.

The core NCP documents include:

  • Cybersecurity & Data Protection Program (CDPP) – cybersecurity policies & standards tailored for NIST SP 800-171 & CMMC 2.0
  • Cybersecurity Standardized Operating Procedures (CSOP) – cybersecurity procedures tailored for NIST SP 800-171 & CMMC 2.0
  • System Security Plan (SSP)
  • Plan of Action & Milestones (POA&M)
  • Third-Party Security Management (TPSM) - third-party Cybersecurity Supply Chain Risk Management (C-SCRM) guidance


What Problems Does The NCP Solve?

  • Lack of In-House Security Experience - Most smaller contractors lack expertise in NIST SP 800-171. Tasking your managers, IT personnel or security staff to research and write comprehensive documentation is not a wise use of their time. The NCP is an efficient method to obtain comprehensive compliance documentation that can be implemented by either your in-house staff or your outsourced IT vendor. Most small contractors cannot afford tens of thousands of dollars in consultant fees to become compliant with NIST SP 800-171, so the NCP is designed with affordable compliance in mind to give your business the NIST SP 800-171 compliance documentation it needs.
  • Compliance Requirements - NIST SP 800-171 is a reality for companies in scope for DFARS and FAR. The NCP is designed with compliance in mind, since it focuses on reasonably-expected security requirements to address the NIST SP 800-171 controls. The documentation contained in the NCP gives you everything you need to comply with NIST SP 800-171 from policies to standards to procedures to templates for your System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
  • Audit Failures - Without being able to demonstrate compliance with NIST SP 800-171, your organization will likely lose government contracts - it is as simple as that. The NCP is a tool that can jump start your organization towards being compliant with NIST SP 800-171 requirements.  
  • Vendor Requirements - It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The NCP can provide this evidence!

We listened to our customers and created the NIST SP 800-171 Compliance Program (NCP), based on the growing demand from small and medium businesses that want a simplified approach to NIST SP 800-171 & Cybersecurity Maturity Model Certification (CMMC) compliance. The NCP is a set of editable cybersecurity documentation templates that are tailored for small and medium businesses to address NIST 800-171 / CMMC 2.0 compliance. The NCP is streamlined to singularly focus on what is required to comply with NIST 800-171 R2 and CMMC 2.0. Both the policies & standards document (CDPP) and procedures document (CSOP) have footnotes to clearly identify which NIST 800-171, NIST 800-171A and/or CMMC requirement is addressed. The NCP is meant to provide coverage for the “who, what, when, how & why” considerations for your cybersecurity program that address scoping from your strategic, operational and tactical needs. We've performed the heavy lifting to build these documentation templates and you (or your IT consultants) just need to fill in the details that only you will know. We do have consulting services available, if you need assistance.

How Does The NCP Solve These Problems?


  • Clear Documentation - The NCP comes in editable Microsoft Office format (e.g., Word, Excel and PowerPoint), so it is customizable for your needs. 
  • Time Savings - The time savings are immense, as compared to writing something equivalent of the NCP yourself or hiring a consultant to write it for you!
  • Alignment With Leading Practices - The NCP has direct mapping to several leading cybersecurity frameworks, including:
    • NIST SP 800-53
    • ISO 27002
    • NIST Cybersecurity Framework (CSF)
    • NIST SP 800-160
    • Secure Controls Framework (SCF)  

The NCP is a bundle of editable documentation templates designed to save your organization hundreds of hours of labor. Its policy sections address the 14 sections of CUI controls from NIST SP 800-171 (as well as the Non-Federal Organization (NFO) controls from Appendix E) and the 17 sections of CMMC that overlap with what is in NIST SP 800-171. Most people forget or ignore the NFO controls, which are a basic expectation of being compliant with NIST SP 800-171, but the NCP includes NFO, CUI and CMMC requirements.

The NCP is architected so that each of the policies shown below are supported by granular standards that directly map to NIST SP 800-171 & CMMC requirements:

  1. Cybersecurity & Data Privacy Governance (GOV) Policy
  2. Asset Management (AST) Policy
  3. Business Continuity & Disaster Recovery (BCD) Policy
  4. Change Management (CHG) Policy
  5. Cloud Security (CLD) Policy
  6. Compliance (CPL) Policy
  7. Configuration Management (CFG) Policy
  8. Continuous Monitoring (MON) Policy
  9. Cryptographic Protections (CRY) Policy
  10. Data Classification & Handling (DCH) Policy
  11. Endpoint Security (END) Policy
  12. Human Resources Security (HRS) Policy
  13. Identification & Authentication (IAC) Policy
  14. Incident Response (IRO) Policy
  15. Information Assurance (IAO) Policy
  16. Maintenance (MNT) Policy
  17. Mobile Device Management (MDM) Policy
  18. Network Security (NET) Policy
  19. Physical & Environmental Security (PES) Policy
  20. Project & Resource Management (PRM) Policy
  21. Risk Management (RSK) Policy
  22. Secure Engineering & Architecture (SEA) Policy
  23. Security Operations (OPS) Policy
  24. Security Awareness & Training (SAT) Policy
  25. Technology Development & Acquisition (TDA) Policy
  26. Third-Party Management (TPM) Policy
  27. Threat Management (THR) Policy
  28. Vulnerability & Patch Management (VPM) Policy

There is no getting around the necessity to read and be familiar with NIST 800-171 and CMMC - that can't be avoided. One of the best things you can do to start off is make yourself a pot of coffee and familiarize yourself with the CMMC Kill Chain, since you really need a prioritized plan to address NIST 800-171 / CMMC requirements. This is the process we recommend for using the NCP:

  1. Familiarize yourself with all the documents that come as part of the NCP. At least read through the table of contents and appendices to see what is contained so you understand where to find things.
  2. Start with the policies & standards – that is a relatively easy win and establishes requirements that other practices will be expected to meet.
  3. Understand the scope of your CUI environment:
  4. Based on finalizing your policies and standards, start working through the “low hanging fruit” in the SSP since those are the items already known and can be documented. The SSP is a living document so add to it as you work through requirements.
  5. From a procedural perspective, you have to identify the stakeholders and work with them to document their procedures.
  6. The CSOP serves as the "buffet table" from which those stakeholders cut & paste procedure templates for the controls they are responsible for, so they have a defined starting point to document how they implement each control.
  7. Stakeholders are the subject matter experts and only they know how the processes function and they are the ones who need to document the procedures. 

The NIST 800-171 Compliance Program (NCP) Is Built On Industry-Leading Practices & Definitions

We recognize there are other options on the market for "NIST 800-171 & CMMC documentation" and we strive to make the highest-quality products on the market. Our obsession with making quality documentation can be demonstrated in the architecture we use to create our documentation. As shown in the swimlane diagram below, the Hierarchical Cybersecurity Governance Framework (HCGF) is the "ComplianceForge Reference Model" of cybersecurity and privacy documentation. The HCGF is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization's cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics.


“DIBCAC Battle Tested” Policies, Standards & Procedures - NIST 800-171, NIST 800-171A & CMMC 2.0 Compliance

ComplianceForge’s NIST 800-171 / CMMC documentation has been used successfully by multiple companies during DIBCAC assessments to efficiently and effectively generate the necessary artifact documentation to demonstrate compliance with NIST SP 800-171 controls and NIST SP 800-171A control objectives. This battle tested documentation includes the necessary policies, standards, procedures, SSP, POA&M, Incident Response Plan (IRP) and other documentation that are expected to exist to successfully pass a third-party assessment, be it DIBCAC or a C3PAO.

The NCP covers 20 domains, which equate to 20 policies with 188 standards that support those policies. The reason there are 20 policies and 188 standards is to address the actual requirements in NIST SP 800-171 and CMMC 2.0. "CMMC compliance" is more than just 110 requirements - those are just the CUI controls. When you take into account the Non-Federal Organization (NFO) controls from Appendix E of NIST SP 800-171 and the Assessment Objectives (AOs) from NIST SP 800-171A (equivalent to CMMC 2.0 AOs), there are more than just 110 requirements. The Excel crosswalk spreadsheet that comes with the NCP maps the standards to the requirements, so it is straightforward to understand why each requirement in the NCP exists.


NIST SP 800-171 & CMMC 2.0 Level 2 (Advanced) Policies, Standards, Procedures, SSP & POA&M Templates and More!

In simple terms, the NCP gives you everything you need to comply with NIST SP 800-171 & CMMC v2.0 - cybersecurity policies, standards, procedures, a System Security Plan (SSP) and a Plan of Action & Milestones (POA&M). As depicted in the graphic below, the NCP is its own bundle of products that makes up the documentation you need to demonstrate compliance with NIST SP 800-171 and CMMC:

Frequently Asked Questions (FAQs) On The NCP

Below are some common questions that we receive about the NCP so we decided to help provide further transparency to help with your purchasing decision:

  • How does the NCP address CMMC v2.0 Level 2 (Advanced)?
    • The NCP was specifically written to address all NFO & CUI controls in NIST SP 800-171 R2, as well as CMMC v2.0 Level 2 (Advanced) controls. The NCP is our "easy button" solution for CMMC 2.0 L2.
    • The NCP contains editable policies, standards, procedures, SSP & POA&M templates, and much more. Continue reading to the "What Does The NIST SP 800-171 Compliance Program (NCP) Contain?" section about all that the NCP contains.
  • How is the NCP different from CMMC Bundle #2? 
    • CMMC Bundle #2 is similar to the NIST SP 800-171 Compliance Program (NCP), in that both products cover CMMC 2.0 Levels 1-2. Both equally cover CMMC 2.0 Levels 1-2 and NIST SP 800-171 requirements. However, the main differences are in coverage and framework alignment.
    • The NCP is a pared-down version of the Digital Security Program (DSP), our flagship product. The NCP is tailored to be a "square peg for a square hole" to address only CMMC 2.0 L1-2 and NIST SP 800-171 requirements in the most efficient manner we can provide.
    • CMMC Bundle #2 is based on the NIST SP 800-53 R5 framework, so it is great if you need to "speak NIST SP 800-53" or have other US government-based requirements (e.g., FISMA, RMF, HIPAA, etc.) that are based on NIST SP 800-53. This bundle is aligned with NIST SP 800-53 (low & moderate baseline coverage) so that is ideal for an organization that wants to align its policies and standards directly with NIST SP 800-53. 
    • If you are just looking for CMMC & NIST SP 800-171 coverage, then the NCP is a better fit.
  • Why does the NCP leverage Secure Controls Framework (SCF) controls? 
    • The hierarchical and scalable structure of the Secure Controls Framework (SCF) makes it an ideal choice to address NIST 800-171 / CMMC compliance, so that is why the NCP leverages this structure.
    • The SCF is a "metaframework" that maps to over 100 cybersecurity and privacy-related laws, regulations and frameworks, including NIST CSF, ISO 27001/2, NIST 800-53, NIST 800-171 and CMMC. The SCF is logically organized into thirty-three (33) domains. ComplianceForge's Digital Security Program (DSP) has 1-1 mapping to the SCF, and the NCP is merely a pared-down version of the DSP that focuses specifically on the CUI and NFO controls from NIST 800-171, the AOs from NIST 800-171A and the CMMC 2.0 controls.
    • The NIST OLIR Program has SCF to NIST 800-171 R2 mappings, so that is another benefit of leveraging the SCF to structure the NCP's policies, standards and procedures. You can read more about that here - https://csrc.nist.gov/projects/olir/informative-reference-catalog/details?frameworkVersionId=87
  • Can you provide us with examples of the documentation & templates that are part of the NCP?
  • What are the gaps in the NCP for CMMC 2.0 Level 2 once we purchase this?
    • The NCP provides fully-mapped requirements within the policies, standards, procedures, etc. Therefore, any "gaps" in coverage are specific to your implementation of the requirements to become compliant with NIST SP 800-171 & CMMC.
    • We are "tool makers" that provide you with templates that identify the Minimum Security Requirements (MSR) in an editable, efficient template format. You have to implement those requirements to be considered compliant with NIST SP 800-171 & CMMC.
    • There are no professional service hours included in the purchase of the NCP, but we do have consultants that are available for customization/consulting via a separate Statement of Work (SOW).
  • How often is the NCP updated?
    • As NIST SP 800-171 & CMMC change, we update the NCP. There is no set schedule for updates, since we update products based on new guidance from the DoD, NIST and CMMC-AB.
    • The NCP comes with one-year of updates, so as long as you have an active subscription you will receive updated versions of the documentation, along with errata that identifies what changed.
    • After the first year, you can purchase updates for $800/yr, as described on our updates page.
  • Is the NCP a subscription? How long does a license last?
    • The NCP is perpetual and a single-site license. However, if you want to keep getting updates, you just have to pay for updates after the first year.
    • NIST SP 800-171 & CMMC evolve, so that is why we offer updates. It takes considerable effort for us to develop and maintain this documentation, so that is why we charge for updates.
  • Can I upgrade to a different bundle if my needs change?
    • Yes! We can credit your purchase towards an upgraded bundle if your business needs change and you have to address CMMC 2.0 L3 requirements.

Product Example - NIST SP 800-171 Compliance Program (NCP)

Our customers choose the NIST SP 800-171 Compliance Program (NCP) because they:

  • Need an efficient way to comply with NIST SP 800-171 / CMMC and make the process as simple as possible
  • Need to be able to edit the document to their specific needs
  • Need an affordable solution

Don't take our word for it - take a look at the examples below to see for yourself the level of professionalism and detail that went into making these products:

Example documents available for download:

  • Policies & Standards
  • SSP Template
  • Crosswalk Mapping
  • POA&M Template

What Is Included With The NCP?


Cost Savings Estimate - NIST SP 800-171 Compliance Program (NCP)

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Whereas, compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the NCP from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

  • For your internal staff to generate comparable documentation, it would take them an estimated 1,000 internal staff work hours, which equates to a cost of approximately $76,000 in staff-related expenses. This is about 9-18 months of development time where your staff would be diverted from other work.
  • If you hire a consultant to generate this documentation, it would take them an estimated 700 consultant work hours, which equates to a cost of approximately $210,000. This is about 4-12 months of development time for a contractor to provide you with the deliverable.
  • The NCP is approximately 2% of the cost for a consultant or 7% of the cost of your internal staff to generate equivalent documentation.
  • We process most orders the same business day so you can potentially start working with the NCP the same day you place your order.


The process of writing cybersecurity documentation can take an internal team many months and it involves pulling your most senior and experienced cybersecurity experts away from operational duties to assist in the process, which is generally not the most efficient use of their time. In addition to the immense cost of hiring a cybersecurity consultant at $300/hr+ to write this documentation for you, the time to schedule a consultant, provide guidance and get the deliverable product can take months. Even when you bring in a consultant, this also requires involvement from your internal team for quality control and answering questions, so the impact is not limited to just the consultant's time being consumed. 

What Does The NIST SP 800-171 Compliance Program (NCP) Contain?

The NIST 800-171 R2 version of the NCP comes with the following policies and standards (with procedures that map directly to those standards), crosswalked to NIST SP 800-171 R2, the NIST SP 800-171A Assessment Objectives (AOs) and CMMC 2.0 Levels 1 and 2:

# Policy Domain Standard # Standard Name NIST
rev 2
CMMC 2.0
Level 1
CMMC 2.0
Level 2
1 Cybersecurity & Data Protection Governance GOV-01 Cybersecurity & Data Protection Governance Program         
2 Cybersecurity & Data Protection Governance GOV-02 Publishing Cybersecurity & Data Protection Documentation    3.4.9[a]
3 Cybersecurity & Data Protection Governance GOV-03 Periodic Review & Update of Cybersecurity & Data Protection Program        
4 Cybersecurity & Data Protection Governance GOV-04 Assigned Cybersecurity & Data Protection Responsibilities         
5 Cybersecurity & Data Protection Governance GOV-06 Contacts With Authorities         
6 Cybersecurity & Data Protection Governance GOV-15 Operationalizing Cybersecurity & Data Protection Practices        
7 Cybersecurity & Data Protection Governance GOV-15.1 Select Controls        
8 Cybersecurity & Data Protection Governance GOV-15.2 Implement Controls        
9 Cybersecurity & Data Protection Governance GOV-15.3 Assess Controls        
10 Cybersecurity & Data Protection Governance GOV-15.4 Authorize Systems, Applications & Services        
11 Cybersecurity & Data Protection Governance GOV-15.5 Monitor Controls        
12 Asset Management AST-01 Asset Governance  3.4.1     CM.L2-3.4.1
13 Asset Management AST-01.1 Asset-Service Dependencies        
14 Asset Management AST-02 Asset Inventories  3.4.1 3.4.1[d]
15 Asset Management AST-02.1 Updates During Installations / Removals   3.4.1[f]    
16 Asset Management AST-02.3 Component Duplication Avoidance  NFO - CM-8(5)      
17 Asset Management AST-04 Network Diagrams & Data Flow Diagrams (DFDs)        
18 Asset Management AST-04.1 Asset Scope Classification        
19 Asset Management AST-04.2 Control Applicability Boundary Graphical Representation        
20 Asset Management AST-04.3 Compliance-Specific Asset Identification        
21 Asset Management AST-05 Security of Assets & Media NFO - MP-1      
22 Asset Management AST-09 Secure Disposal, Destruction or Re-Use of Equipment         
23 Asset Management AST-17 Prohibited Equipment & Services        
24 Business Continuity & Disaster Recovery BCD-01 Business Continuity Management System (BCMS)        
25 Business Continuity & Disaster Recovery BCD-11 Data Backups 3.8.9 3.8.9   MP.L2-3.8.9
26 Business Continuity & Disaster Recovery BCD-11.4 Cryptographic Protection 3.8.9 3.8.9   MP.L2-3.8.9
27 Change Management CHG-01 Change Management Program  3.4.3     CM.L2-3.4.3
28 Change Management CHG-02 Configuration Change Control  3.4.3 3.4.3[a]
29 Change Management CHG-02.2 Test, Validate & Document Changes  NFO - CM-3(2)      
30 Change Management CHG-03 Security Impact Analysis for Changes  3.4.4 3.4.4   CM.L2-3.4.4
31 Change Management CHG-04 Access Restriction For Change 3.4.5 3.4.5[a]
32 Change Management CHG-05 Stakeholder Notification of Changes  NFO - CM-9      
33 Cloud Security CLD-01 Cloud Services NFO – PL-8      
34 Cloud Security CLD-02 Cloud Security Architecture  NFO – PL-8      
35 Cloud Security CLD-03 Cloud Infrastructure Security Subnet 3.13.2
NFO – PL-8
36 Cloud Security CLD-06 Multi-Tenant Environments         
37 Cloud Security CLD-06.1 Customer Responsibility Matrix (CRM)        
38 Cloud Security CLD-09 Geolocation Requirements for Processing, Storage and Service Locations        
39 Cloud Security CLD-10 Sensitive Data In Public Cloud Providers        
40 Cloud Security CLD-13 Hosted Systems, Applications & Services        
41 Cloud Security CLD-13.1 Authorized Individuals For Hosted Systems, Applications & Services        
42 Cloud Security CLD-13.2 Sensitive/Regulated Data On Hosted Systems, Applications & Services        
43 Cloud Security CLD-14 Prohibition On Unverified Hosted Systems, Applications & Services        
44 Compliance CPL-01 Statutory, Regulatory & Contractual Compliance  NFO - PL-1      
45 Compliance CPL-01.1 Non-Compliance Oversight        
46 Compliance CPL-01.2 Compliance Scope        
47 Compliance CPL-02 Cybersecurity & Data Protection Controls Oversight  3.12.1
48 Compliance CPL-02.1 Internal Audit Function 3.12.1     CA.L2-3.12.1
49 Compliance CPL-03 Cybersecurity & Data Protection Assessments  3.12.1     CA.L2-3.12.1
50 Compliance CPL-03.1 Independent Assessors  NFO - CA-7(1)      
51 Configuration Management CFG-01 Configuration Management Program NFO - CM-1
NFO - CM-9
52 Configuration Management CFG-02 System Hardening Through Baseline Configurations  3.4.1
53 Configuration Management CFG-02.1 Reviews & Updates NFO - CM-2(1)      
54 Configuration Management CFG-02.5 Configure Systems, Components or Services for High-Risk Areas  NFO - CM-2(7)      
55 Configuration Management CFG-03 Least Functionality 3.4.6 3.4.6[a]
56 Configuration Management CFG-03.1 Periodic Review 3.4.7 3.4.7[a]
57 Configuration Management CFG-03.2 Prevent Unauthorized Software Execution 3.4.7     CM.L2-3.4.7
58 Configuration Management CFG-03.3 Unauthorized or Authorized Software (Blacklisting or Whitelisting) 3.4.8 3.4.8[a]
59 Configuration Management CFG-03.4 Split Tunneling 3.13.7 3.13.7   SC.L2-3.13.7
60 Configuration Management CFG-05 User-Installed Software 3.4.9 3.4.9[b]
61 Configuration Management CFG-08 Sensitive / Regulated Data Access Enforcement        
62 Continuous Monitoring MON-01 Continuous Monitoring NFO - AU-1      
63 Continuous Monitoring MON-01.3 Inbound & Outbound Communications Traffic  3.14.6 3.14.6[a]
64 Continuous Monitoring MON-01.4 System Generated Alerts  NFO - SI-4(5)      
65 Continuous Monitoring MON-01.8 Reviews & Updates  3.3.3
66 Continuous Monitoring MON-02 Centralized Collection of Security Event Logs 3.3.1
67 Continuous Monitoring MON-02.1 Correlate Monitoring Information 3.3.5
68 Continuous Monitoring MON-03 Content of Event Logs 3.3.2 3.3.1[a]
69 Continuous Monitoring MON-03.1 Sensitive Audit Information 3.3.8     AU.L2-3.3.8
70 Continuous Monitoring MON-03.2 Audit Trails   3.3.2[a]
71 Continuous Monitoring MON-03.7 Database Logging   3.3.2[a]    
72 Continuous Monitoring MON-05 Response To Event Log Processing Failures 3.3.4 3.3.4[a]
73 Continuous Monitoring MON-06 Monitoring Reporting  3.3.6 3.3.6[a]
74 Continuous Monitoring MON-07 Time Stamps    3.3.7[a]
75 Continuous Monitoring MON-07.1 Synchronization With Authoritative Time Source 3.3.7 3.3.7[b]
76 Continuous Monitoring MON-08 Protection of Event Logs  3.3.8 3.3.8[a]
77 Continuous Monitoring MON-08.2 Access by Subset of Privileged Users  3.3.9 3.3.9[a]
78 Continuous Monitoring MON-10 Event Log Retention 3.3.1 3.3.1[e]
79 Cryptographic Protections  CRY-01 Use of Cryptographic Controls  3.13.11 3.13.8[a]
80 Cryptographic Protections  CRY-01.1 Alternate Physical Protection  3.13.8 3.13.8[b]
81 Cryptographic Protections  CRY-03 Transmission Confidentiality  3.13.8 3.13.8[a]
82 Cryptographic Protections  CRY-04 Transmission Integrity  NFO - SI-1      
83 Cryptographic Protections  CRY-05 Encrypting Data At Rest  3.8.6 3.8.6   MP.L2-3.8.6
84 Cryptographic Protections  CRY-08 Public Key Infrastructure (PKI)  3.13.10 3.13.10[a]
85 Cryptographic Protections  CRY-09 Cryptographic Key Management  3.13.10 3.13.10[a]
86 Cryptographic Protections  CRY-09.1 Symmetric Keys        
87 Cryptographic Protections  CRY-09.2 Asymmetric Keys        
88 Cryptographic Protections  CRY-09.3 Cryptographic Key Loss or Change        
89 Cryptographic Protections  CRY-09.4 Control & Distribution of Cryptographic Keys        
90 Data Classification & Handling  DCH-01 Data Protection  3.8.1
NFO - MP-1
91 Data Classification & Handling  DCH-01.1 Data Stewardship         
92 Data Classification & Handling  DCH-01.2 Sensitive / Regulated Data Protection        
93 Data Classification & Handling  DCH-01.4 Defining Access Authorizations for Sensitive/Regulated Data        
94 Data Classification & Handling  DCH-02 Data & Asset Classification         
95 Data Classification & Handling  DCH-03 Media Access  3.1.3
96 Data Classification & Handling  DCH-03.1 Disclosure of Information        
97 Data Classification & Handling  DCH-04 Media Marking  3.8.4 3.8.4[a]
98 Data Classification & Handling  DCH-06 Media Storage 3.8.1     MP.L2-3.8.1
99 Data Classification & Handling  DCH-07 Media Transportation  3.8.5 3.8.5[a]
100 Data Classification & Handling  DCH-08 Physical Media Disposal        
101 Data Classification & Handling  DCH-09 System Media Sanitization 3.7.3 MP.L1-3.8.3 MA.L2-3.7.3
102 Data Classification & Handling  DCH-10 Media Use 3.8.7 3.8.7   MP.L2-3.8.7
103 Data Classification & Handling  DCH-10.1 Limitations on Use         
104 Data Classification & Handling  DCH-10.2 Prohibit Use Without Owner 3.8.8 3.8.8   MP.L2-3.8.8
105 Data Classification & Handling  DCH-11 Data Reclassification         
106 Data Classification & Handling  DCH-13 Use of External Information Systems  3.1.20 3.1.20[a] AC.L1-3.1.20 AC.L1-3.1.20
107 Data Classification & Handling  DCH-13.1 Limits of Authorized Use  3.1.20   AC.L1-3.1.20 AC.L1-3.1.20
108 Data Classification & Handling  DCH-13.2 Portable Storage Devices 3.1.21 3.1.21[a]
109 Data Classification & Handling  DCH-13.3 Protecting Sensitive Data on External Systems        
110 Data Classification & Handling  DCH-14 Information Sharing         
111 Data Classification & Handling  DCH-15 Publicly Accessible Content 3.1.22 3.1.22[a] AC.L1-3.1.22 AC.L1-3.1.22
112 Data Classification & Handling  DCH-17 Ad-Hoc Transfers         
113 Data Classification & Handling  DCH-19 Geographic Location of Data        
114 Data Classification & Handling  DCH-21 Information Disposal        
115 Data Classification & Handling  DCH-24 Information Location        
116 Data Classification & Handling  DCH-25 Transfer of Sensitive and/or Regulated Data        
117 Endpoint Security END-01 Endpoint Security    3.4.1[a]
118 Endpoint Security END-02 Endpoint Protection Measures  3.13.16 3.13.16   SC.L2-3.13.16
119 Endpoint Security END-03 Prohibit Installation Without Privileged Status  3.4.9     CM.L2-3.4.9
120 Endpoint Security END-03.2 Governing Access Restriction for Change   3.4.5[a]
121 Endpoint Security END-04 Malicious Code Protection (Anti-Malware)  3.14.2 3.14.2[a] SI.L1-3.14.2 SI.L1-3.14.2
122 Endpoint Security END-04.1 Automatic Antimalware Signature Updates 3.14.4 3.14.4 SI.L1-3.14.4 SI.L1-3.14.4
123 Endpoint Security END-04.7 Always On Protection 3.14.5 3.14.5[c]  SI.L1-3.14.5 SI.L1-3.14.5
124 Endpoint Security END-10 Mobile Code 3.13.13 3.13.13[a]
125 Endpoint Security END-14 Collaborative Computing Devices  3.13.12 3.13.12[a]
126 Human Resources Security HRS-01 Human Resources Security Management NFO - PS-1 3.2.2[a]
127 Human Resources Security HRS-02 Position Categorization         
128 Human Resources Security HRS-02.1 Users With Elevated Privileges        
129 Human Resources Security HRS-03 Roles & Responsibilities         
130 Human Resources Security HRS-03.1 User Awareness         
131 Human Resources Security HRS-03.2 Competency Requirements for Security-Related Positions        
132 Human Resources Security HRS-04 Personnel Screening  3.9.1 3.9.1   PS.L2-3.9.1
133 Human Resources Security HRS-04.1 Roles With Special Protection Measures        
134 Human Resources Security HRS-04.2 Formal Indoctrination        
135 Human Resources Security HRS-05 Terms of Employment  NFO - PL-4      
136 Human Resources Security HRS-05.1 Rules of Behavior NFO - PL-4      
137 Human Resources Security HRS-05.2 Social Media & Social Networking Restrictions NFO - PL-4(1)      
138 Human Resources Security HRS-06 Access Agreements  NFO - PS-6      
139 Human Resources Security HRS-07 Personnel Sanctions NFO - PS-8 3.9.2[a]
140 Human Resources Security HRS-08 Personnel Transfer 3.9.2 3.9.2[a]
141 Human Resources Security HRS-09 Personnel Termination  3.9.2 3.9.2[a]
142 Human Resources Security HRS-10 Third-Party Personnel Security NFO - PS-7      
143 Human Resources Security HRS-11 Separation of Duties (SoD) 3.1.4 3.1.4[a]
144 Identification & Authentication IAC-01 Identity & Access Management (IAM)  NFO - AC-1
145 Identification & Authentication IAC-01.2 Authenticate, Authorize and Audit (AAA)        
146 Identification & Authentication IAC-02 Identification & Authentication for Organizational Users  3.5.1
147 Identification & Authentication IAC-02.1 Group Authentication         
148 Identification & Authentication IAC-02.2 Replay-Resistant Authentication 3.5.4 3.5.4   IA.L2-3.5.4
149 Identification & Authentication IAC-03 Identification & Authentication for Non-Organizational Users         
150 Identification & Authentication IAC-04 Identification & Authentication for Devices  3.5.2   IA.L1-3.5.2 IA.L1-3.5.2
151 Identification & Authentication IAC-05 Identification & Authentication for Third Party Systems & Services        
152 Identification & Authentication IAC-06 Multi-Factor Authentication (MFA) 3.5.3     IA.L2-3.5.3
153 Identification & Authentication IAC-06.1 Network Access to Privileged Accounts 3.5.3 3.5.3[a]
154 Identification & Authentication IAC-06.2 Network Access to Non-Privileged Accounts  3.5.3 3.5.3[d]   IA.L2-3.5.3
155 Identification & Authentication IAC-06.3 Local Access to Privileged Accounts  3.5.3 3.5.3[a]
156 Identification & Authentication IAC-08 Role-Based Access Control (RBAC)  3.1.1 3.1.3[c]   AC.L2-3.1.3
157 Identification & Authentication IAC-09 Identifier Management (User Names) 3.5.5 3.5.5[a]
158 Identification & Authentication IAC-09.1 User Identity (ID) Management         
159 Identification & Authentication IAC-09.2 Identity User Status        
160 Identification & Authentication IAC-10 Authenticator Management 3.5.8
161 Identification & Authentication IAC-10.1 Password-Based Authentication  3.5.7 3.5.7[a]
162 Identification & Authentication IAC-10.5 Protection of Authenticators 3.5.10 3.5.10[a]
163 Identification & Authentication IAC-10.8 Vendor-Supplied Defaults        
164 Identification & Authentication IAC-10.11 Password Managers        
165 Identification & Authentication IAC-11 Authenticator Feedback 3.5.11 3.5.11   IA.L2-3.5.11
166 Identification & Authentication IAC-15 Account Management  3.1.2 3.1.2[a] AC.L1-3.1.2 AC.L1-3.1.2
167 Identification & Authentication IAC-15.1 Automated System Account Management (Directory Services)  3.1.1      
168 Identification & Authentication IAC-15.3 Disable Inactive Accounts 3.5.6 3.5.6[a]
169 Identification & Authentication IAC-15.9 Emergency Accounts        
170 Identification & Authentication IAC-16 Privileged Account Management (PAM)  3.1.5     AC.L2-3.1.5
171 Identification & Authentication IAC-16.1 Privileged Account Inventories  3.1.5     AC.L2-3.1.5
172 Identification & Authentication IAC-17 Periodic Review of Account Privileges        
173 Identification & Authentication IAC-20 Access Enforcement 3.1.1 3.1.1[a] AC.L1-3.1.1 AC.L1-3.1.1
174 Identification & Authentication IAC-20.1 Access To Sensitive / Regulated Data        
175 Identification & Authentication IAC-21 Least Privilege  3.1.5 3.1.5[a]
176 Identification & Authentication IAC-21.1 Authorize Access to Security Functions  3.1.5     AC.L2-3.1.5
177 Identification & Authentication IAC-21.2 Non-Privileged Access for Non-Security Functions  3.1.6 3.1.6[a]
178 Identification & Authentication IAC-21.3 Privileged Accounts  3.1.5     AC.L2-3.1.5
179 Identification & Authentication IAC-21.4 Auditing Use of Privileged Functions  3.1.7     AC.L2-3.1.7
180 Identification & Authentication IAC-21.5 Prohibit Non-Privileged Users from Executing Privileged Functions  3.1.7 3.1.7[a]
181 Identification & Authentication IAC-22 Account Lockout  3.1.8 3.1.8[a]
182 Identification & Authentication IAC-24 Session Lock  3.1.10 3.1.10[a]
183 Identification & Authentication IAC-24.1 Pattern-Hiding Displays  3.1.10     AC.L2-3.1.10
184 Identification & Authentication IAC-25 Session Termination  3.1.11 3.1.11[a]
185 Incident Response IRO-01 Incident Response Operations NFO - IR-1 3.6.1[a]
186 Incident Response IRO-02 Incident Handling  3.6.1
187 Incident Response IRO-02.4 Incident Classification & Prioritization        
188 Incident Response IRO-02.5 Correlation with External Organizations        
189 Incident Response IRO-04 Incident Response Plan (IRP)  NFO - IR-8      
190 Incident Response IRO-04.1 Data Breach        
191 Incident Response IRO-04.2 IRP Update NFO - IR-1      
192 Incident Response IRO-05 Incident Response Training  3.6.1     IR.L2-3.6.1
193 Incident Response IRO-06 Incident Response Testing 3.6.3 3.6.3   IR.L2-3.6.3
194 Incident Response IRO-07 Integrated Security Incident Response Team (ISIRT)        
195 Incident Response IRO-08 Chain of Custody & Forensics        
196 Incident Response IRO-10 Incident Stakeholder Reporting         
197 Incident Response IRO-10.2 Cyber Incident Reporting for Sensitive Data        
198 Incident Response IRO-12 Information Spillage Response        
199 Incident Response IRO-12.1 Responsible Personnel        
200 Incident Response IRO-13 Root Cause Analysis (RCA) & Lessons Learned NFO - IR-1      
201 Information Assurance  IAO-01 Information Assurance (IA) Operations NFO - CA-1      
202 Information Assurance  IAO-01.1 Assessment Boundaries        
203 Information Assurance  IAO-02 Assessments  3.12.1     CA.L2-3.12.1
204 Information Assurance  IAO-02.1 Assessor Independence NFO - CA-2(1)      
205 Information Assurance  IAO-03 System Security Plan (SSP) 3.12.4 3.12.4[a]
206 Information Assurance  IAO-03.1 Plan / Coordinate with Other Organizational Entities NFO - PL-2(3)      
207 Information Assurance  IAO-03.2 Adequate Security for Sensitive / Regulated Data In Support of Contracts 3.12.4     CA.L2-3.12.4
208 Information Assurance  IAO-04 Threat Analysis & Flaw Remediation During Development        
209 Information Assurance  IAO-05 Plan of Action & Milestones (POA&M) 3.12.2 3.12.2[a]
210 Maintenance MNT-01 Maintenance Operations  NFO - MA-1      
211 Maintenance MNT-02 Controlled Maintenance  3.7.1 3.7.1   MA.L2-3.7.1
212 Maintenance MNT-04 Maintenance Tools 3.7.2 3.7.2[a]
213 Maintenance MNT-04.1 Inspect Tools  3.7.1     MA.L2-3.7.1
214 Maintenance MNT-04.2 Inspect Media  3.7.4 3.7.4   MA.L2-3.7.4
215 Maintenance MNT-05 Remote Maintenance 3.7.5 3.7.5[a]
216 Maintenance MNT-05.2 Remote Maintenance Notifications NFO - MA-4(2)      
217 Maintenance MNT-06 Authorized Maintenance Personnel 3.7.6 3.7.6   MA.L2-3.7.6
218 Mobile Device Management MDM-01 Centralized Management Of Mobile Devices  3.1.18     AC.L2-3.1.18
219 Mobile Device Management MDM-02 Access Control For Mobile Devices 3.1.18 3.1.18[a]
220 Mobile Device Management MDM-03 Full Device & Container-Based Encryption  3.1.19 3.1.19[a]
221 Mobile Device Management MDM-06 Personally-Owned Mobile Devices  3.1.18     AC.L2-3.1.18
222 Mobile Device Management MDM-07 Organization-Owned Mobile Devices  3.1.18     AC.L2-3.1.18
223 Network Security NET-01 Network Security Controls (NSC) NFO - SC-1      
224 Network Security NET-02 Layered Network Defenses         
225 Network Security NET-02.2 Guest Networks        
226 Network Security NET-03 Boundary Protection  3.13.1 3.13.1[a] SC.L1-3.13.1 SC.L1-3.13.1
227 Network Security NET-03.1 Limit Network Connections NFO - SC-7(3)      
228 Network Security NET-03.2 External Telecommunications Services  NFO - SC-7(4)      
229 Network Security NET-04 Data Flow Enforcement – Access Control Lists (ACLs) 3.1.3 3.1.3[a]
230 Network Security NET-04.1 Deny Traffic by Default & Allow Traffic by Exception 3.13.6 NFO - CA-3(5)
231 Network Security NET-05 System Interconnections NFO - CA-3      
232 Network Security NET-05.1 External System Connections        
233 Network Security NET-05.2 Internal System Connections NFO - CA-9      
234 Network Security NET-06 Network Segmentation 3.13.5 3.13.5[a] SC.L1-3.13.5 SC.L1-3.13.5
235 Network Security NET-06.1 Security Management Subnets        
236 Network Security NET-06.2 Virtual Local Area Network (VLAN) Separation        
237 Network Security NET-06.3 Sensitive / Regulated Data Enclave (Secure Zone)        
238 Network Security NET-07 Remote Session Termination 3.13.9 3.13.9[a]
239 Network Security NET-08 Network Intrusion Detection / Prevention Systems (NIDS / NIPS) 3.14.6     SI.L2-3.14.6
240 Network Security NET-09 Session Integrity  3.13.15 3.13.15   SC.L2-3.13.15
241 Network Security NET-10 Domain Name Service (DNS) Resolution  NFO - SC-20      
242 Network Security NET-10.1 Architecture & Provisioning for Name / Address Resolution Service NFO - SC-22      
243 Network Security NET-10.2 Secure Name / Address Resolution Service (Recursive or Caching Resolver) NFO - SC-21      
244 Network Security NET-13 Electronic Messaging 3.13.14 3.13.14[a]
245 Network Security NET-14 Remote Access  3.1.12      AC.L2-3.1.12
246 Network Security NET-14.1 Automated Monitoring & Control  3.1.12 3.1.12[a]
247 Network Security NET-14.2 Protection of Confidentiality / Integrity Using Encryption 3.1.13 3.1.13[a]
248 Network Security NET-14.3 Managed Access Control Points 3.1.14 3.1.14[a]
249 Network Security NET-14.4 Remote Privileged Commands & Sensitive Data Access 3.1.15 3.1.15[a]
250 Network Security NET-14.5 Work From Anywhere (WFA) - Telecommuting Security 3.1.12
251 Network Security NET-14.6 Third-Party Remote Access Governance        
252 Network Security NET-15 Wireless Networking  3.1.16 3.1.16[a]
253 Network Security NET-15.1 Authentication & Encryption 3.1.17 3.1.17[a]
254 Network Security NET-18 DNS & Content Filtering 3.1.3     AC.L2-3.1.3
255 Physical & Environmental Security  PES-01 Physical & Environmental Protections 3.10.2 NFO - PE-1
256 Physical & Environmental Security  PES-02 Physical Access Authorizations  3.10.1 3.10.1[a] PE.L1-3.10.1 PE.L1-3.10.1
257 Physical & Environmental Security  PES-02.1 Role-Based Physical Access        
258 Physical & Environmental Security  PES-03 Physical Access Control  3.10.5 3.10.5[a] PE.L1-3.10.5 PE.L1-3.10.5
259 Physical & Environmental Security  PES-03.1 Controlled Ingress & Egress Points        
260 Physical & Environmental Security  PES-03.3 Physical Access Logs  3.10.4 NFO - PE-8 3.10.4 PE.L1-3.10.4 PE.L1-3.10.4
261 Physical & Environmental Security  PES-03.4 Access To Information Systems        
262 Physical & Environmental Security  PES-04 Physical Security of Offices, Rooms & Facilities 3.10.5   PE.L1-3.10.5 PE.L1-3.10.5
263 Physical & Environmental Security  PES-05 Monitoring Physical Access 3.10.2     PE.L2-3.10.2
264 Physical & Environmental Security  PES-05.1 Intrusion Alarms / Surveillance Equipment  3.10.2 NFO - PE-6(1)
265 Physical & Environmental Security  PES-05.2 Monitoring Physical Access To Information Systems 3.10.2     PE.L2-3.10.2
266 Physical & Environmental Security  PES-06 Visitor Control 3.10.3 3.10.3[a] PE.L1-3.10.3 PE.L1-3.10.3
267 Physical & Environmental Security  PES-06.1 Distinguish Visitors from On-Site Personnel        
268 Physical & Environmental Security  PES-06.2 Identification Requirement        
269 Physical & Environmental Security  PES-06.3 Restrict Unescorted Access 3.10.3 3.10.3[a] PE.L1-3.10.3 PE.L1-3.10.3
270 Physical & Environmental Security  PES-06.6 Visitor Access Revocation        
271 Physical & Environmental Security  PES-10 Delivery & Removal  NFO - PE-16      
272 Physical & Environmental Security  PES-11 Alternate Work Site 3.10.6 3.10.6[a]
273 Physical & Environmental Security  PES-12 Equipment Siting & Protection  3.10.1   PE.L1-3.10.1 PE.L1-3.10.1
274 Physical & Environmental Security  PES-12.1 Transmission Medium Security 3.10.1   PE.L1-3.10.1 PE.L1-3.10.1
275 Physical & Environmental Security  PES-12.2 Access Control for Output Devices 3.10.1   PE.L1-3.10.1 PE.L1-3.10.1
276 Project & Resource Management PRM-01 Cybersecurity & Data Privacy Portfolio Management NFO - PL-1      
277 Project & Resource Management PRM-02 Cybersecurity & Data Privacy Resource Management        
278 Project & Resource Management PRM-03 Allocation of Resources  NFO - SA-2      
279 Project & Resource Management PRM-04 Cybersecurity & Data Privacy In Project Management         
280 Project & Resource Management PRM-05 Cybersecurity & Data Privacy Requirements Definition        
281 Project & Resource Management PRM-06 Business Process Definition         
282 Project & Resource Management PRM-07 Secure Development Life Cycle (SDLC) Management NFO - SA-3      
283 Risk Management RSK-01 Risk Management Program  NFO - RA-1      
284 Risk Management RSK-01.1 Risk Framing        
285 Risk Management RSK-02 Risk-Based Security Categorization         
286 Risk Management RSK-02.1 Impact-Level Prioritization        
287 Risk Management RSK-03 Risk Identification        
288 Risk Management RSK-03.1 Risk Catalog        
289 Risk Management RSK-04 Risk Assessment  3.11.1 3.11.1[a]
290 Risk Management RSK-04.1 Risk Register        
291 Risk Management RSK-05 Risk Ranking         
292 Risk Management RSK-06 Risk Remediation  3.11.3     RA.L2-3.11.3
293 Risk Management RSK-06.1 Risk Response        
294 Risk Management RSK-06.2 Compensating Countermeasures        
295 Risk Management RSK-07 Risk Assessment Update        
296 Secure Engineering & Architecture  SEA-01 Secure Engineering Principles  3.13.2 3.13.2[a]
297 Secure Engineering & Architecture  SEA-02 Alignment With Enterprise Architecture  NFO - PL-8      
298 Secure Engineering & Architecture  SEA-02.3 Technical Debt Reviews        
299 Secure Engineering & Architecture  SEA-03 Defense-In-Depth (DiD) Architecture 3.13.2     SC.L2-3.13.2
300 Secure Engineering & Architecture  SEA-03.2 Application Partitioning 3.13.3 3.13.3[a]
301 Secure Engineering & Architecture  SEA-04 Process Isolation  NFO - SC-39      
302 Secure Engineering & Architecture  SEA-05 Information In Shared Resources  3.13.4 3.13.4   SC.L2-3.13.4
303 Secure Engineering & Architecture  SEA-07 Predictable Failure Analysis  NFO - SA-3      
304 Secure Engineering & Architecture  SEA-07.1 Technology Lifecycle Management NFO - SA-3      
305 Secure Engineering & Architecture  SEA-10 Memory Protection  NFO - SI-16      
306 Secure Engineering & Architecture  SEA-18 System Use Notification (Logon Banner) 3.1.9 3.1.9[a]
307 Secure Engineering & Architecture  SEA-18.1 Standardized Microsoft Windows Banner 3.1.9 3.1.9[a]
308 Secure Engineering & Architecture  SEA-18.2 Truncated Banner 3.1.9 3.1.9[a]
309 Secure Engineering & Architecture  SEA-20 Clock Synchronization 3.3.7     AU.L2-3.3.7
310 Security Operations OPS-01 Operations Security         
311 Security Operations OPS-01.1 Standardized Operating Procedures (SOP)        
312 Security Awareness & Training  SAT-01 Cybersecurity & Data Privacy-Minded Workforce  NFO - AT-1      
313 Security Awareness & Training  SAT-02 Cybersecurity & Data Privacy Awareness Training 3.2.1 3.2.1[a]
314 Security Awareness & Training  SAT-03 Role-Based Cybersecurity & Data Privacy Training  3.2.2 3.2.2[a]
315 Security Awareness & Training  SAT-04 Cybersecurity & Data Privacy Training Records  NFO - AT-4      
316 Technology Development & Acquisition TDA-01 Technology Development & Acquisition NFO - SA-4      
317 Technology Development & Acquisition TDA-01.1 Product Management        
318 Technology Development & Acquisition TDA-02 Minimum Viable Product (MVP) Security Requirements  NFO - SA-4      
319 Technology Development & Acquisition TDA-02.1 Ports, Protocols & Services In Use NFO - SA-4(9)      
320 Technology Development & Acquisition TDA-02.2 Information Assurance Enabled Products NFO - SA-4(10)      
321 Technology Development & Acquisition TDA-02.3 Development Methods, Techniques & Processes        
322 Technology Development & Acquisition TDA-04 Documentation Requirements NFO - SA-5      
323 Technology Development & Acquisition TDA-04.1 Functional Properties  NFO - SA-4(1) NFO - SA-4(2)
324 Technology Development & Acquisition TDA-05 Developer Architecture & Design         
325 Technology Development & Acquisition TDA-06 Secure Coding  NFO - SA-1 3.13.2[b]
326 Technology Development & Acquisition TDA-07 Secure Development Environments         
327 Technology Development & Acquisition TDA-08 Separation of Development, Testing and Operational Environments  3.4.5     CM.L2-3.4.5
328 Technology Development & Acquisition TDA-08.1 Secure Migration Practices        
329 Technology Development & Acquisition TDA-09 Cybersecurity & Data Privacy Testing Throughout Development  NFO - SA-11      
330 Technology Development & Acquisition TDA-14 Developer Configuration Management  NFO - SA-10      
331 Technology Development & Acquisition TDA-15 Developer Threat Analysis & Flaw Remediation        
332 Technology Development & Acquisition TDA-17 Unsupported Systems         
333 Third-Party Management  TPM-01 Third-Party Management  NFO - SA-4      
334 Third-Party Management  TPM-01.1 Third-Party Inventories         
335 Third-Party Management  TPM-03 Supply Chain Protection        
336 Third-Party Management  TPM-04 Third-Party Services  NFO - SA-9      
337 Third-Party Management  TPM-04.1 Third-Party Risk Assessments & Approvals        
338 Third-Party Management  TPM-04.2 External Connectivity Requirements - Identification of Ports, Protocols & Services NFO - SA-9(2)      
339 Third-Party Management  TPM-04.4 Third-Party Processing, Storage and Service Locations        
340 Third-Party Management  TPM-05 Third-Party Contract Requirements 3.1.1    AC.L1-3.1.1 AC.L1-3.1.1
341 Third-Party Management  TPM-05.1 Security Compromise Notification Agreements        
342 Third-Party Management  TPM-05.2 Contract Flow-Down Requirements 3.1.1   AC.L1-3.1.1 AC.L1-3.1.1
343 Third-Party Management  TPM-05.4 Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix        
344 Third-Party Management  TPM-05.5 Third-Party Scope Review        
345 Third-Party Management  TPM-05.8 Third-Party Attestation        
346 Third-Party Management  TPM-06 Third-Party Personnel Security         
347 Third-Party Management  TPM-08 Review of Third-Party Services        
348 Third-Party Management  TPM-10 Managing Changes To Third-Party Services NFO - SA-4      
349 Threat Management THR-01 Threat Intelligence Program 3.12.3
350 Threat Management THR-03 Threat Intelligence Feeds 3.14.3     SI.L2-3.14.3
351 Threat Management THR-05 Insider Threat Awareness 3.2.3 3.2.3[a]
352 Threat Management THR-09 Threat Catalog        
353 Threat Management THR-10 Threat Analysis        
354 Vulnerability & Patch Management  VPM-01 Vulnerability & Patch Management Program (VPMP) 3.14.1 3.14.1[a] SI.L1-3.14.1 SI.L1-3.14.1
355 Vulnerability & Patch Management  VPM-01.1 Attack Surface Scope        
356 Vulnerability & Patch Management  VPM-02 Vulnerability Remediation Process    3.11.3[a]
357 Vulnerability & Patch Management  VPM-03 Vulnerability Ranking         
358 Vulnerability & Patch Management  VPM-03.1 Vulnerability Exploitation Analysis        
359 Vulnerability & Patch Management  VPM-04 Continuous Vulnerability Remediation Activities        
360 Vulnerability & Patch Management  VPM-05 Software & Firmware Patching 3.11.3      RA.L2-3.11.3
361 Vulnerability & Patch Management  VPM-06 Vulnerability Scanning  3.11.2 3.11.2[a]
362 Vulnerability & Patch Management  VPM-06.1 Update Tool Capability NFO - RA-5(1) NFO - RA-5(2)
363 Vulnerability & Patch Management  VPM-06.2 Breadth / Depth of Coverage         
364 Vulnerability & Patch Management  VPM-06.3 Privileged Access 3.11.2     RA.L2-3.11.2

Supplemental Documentation - Annexes, Templates & References

The NCP also contains the following in the “supplemental documentation” attachment that we provide as part of the NCP:

  • Artifact 1: Data Classification & Handling Guidelines
  • Artifact 2: Data Classification Examples
  • Artifact 3: Data Retention Periods
  • Artifact 4: Baseline Security Categorization Guidelines
  • Artifact 5: Rules of Behavior (Acceptable & Unacceptable Use)
  • Artifact 6: Guidelines for Personal Use of Organizational IT Resources
  • Artifact 7: Risk Management Framework (RMF)
  • Artifact 8: System Hardening
  • Artifact 9: Safety Considerations With Embedded Technology
  • Artifact 10: Indicators of Compromise (IoC)
  • Artifact 11: Management Directive (Policy Authorization)
  • Artifact 12: User Acknowledgement Form
  • Artifact 13: User Equipment Receipt of Issue
  • Artifact 14: Service Provider Non-Disclosure Agreement (NDA)
  • Artifact 15: Incident Response Plan (IRP)
  • Artifact 16: Incident Response Form
  • Artifact 17: Appointment Orders (Information Security Officer)
  • Artifact 18: Privileged User Account Request Form
  • Artifact 19: Change Management Request Form
  • Artifact 20: Change Control Board (CCB) Meeting Minutes
  • Artifact 21: Plan of Action & Milestones (POA&M) / Risk Register
  • Artifact 22: Ports, Protocols & Services (PPS)
  • Artifact 23: Business Impact Analysis (BIA)
  • Artifact 24: Privacy Impact Assessment (PIA)
  • Artifact 25: Disaster Recovery Plan (DRP) & Business Continuity Plan (BCP)
  • Artifact 26: Exception Request Form
  • Artifact 27: Electronic Discovery (eDiscovery) Guidelines
  • Artifact 28: Types of Security Controls
  • Artifact 29: Cybersecurity Mission, Vision & Strategy
  • Artifact 30: Memorandum for Record (MFR) to Define CUI
  • Artifact 31: Cybersecurity Roles & Responsibilities Overview

In addition to that, we include the following documentation to aid in your implementation of the NCP:

  • NIST NICE Cybersecurity Workforce-based Cybersecurity Roles & Responsibilities
  • Cybersecurity Awareness Training (PowerPoint slideshow template)
  • Data Classification Icons (PowerPoint template)
  • Guide to Writing Procedures
  • NIST SP 800-171 Scoping Guide

Affordable NIST SP 800-171 & CMMC 2.0 Compliance Documentation

ComplianceForge took existing documentation and pared it down for smaller organizations that do not need or want the complexity of NIST SP 800-53 when complying with NIST SP 800-171. The NCP includes the following documents as part of its own unique bundle:

  • NIST SP 800-171 Compliance Program - Microsoft Word document that addresses NIST SP 800-171 policies and standards.
  • Cybersecurity Standardized Operating Procedures (CSOP) - Microsoft Word document that contains cybersecurity procedures that correspond to the policies and standards.
  • System Security Plan (SSP) - Microsoft Word document that is a simplified version of our SSP product.
  • NIST SP 800-171 Cybersecurity Program Mapping - Microsoft Excel document that contains several components:
    • Plan of Action & Milestones (POA&M) template.
    • Mapping from the NCP to NIST SP 800-171, NIST SP 800-53, NIST SP 800-160, ISO 27002 and NIST CSF.
    • Methods to comply with NIST SP 800-171 (essentially a pared-down NIST SP 800-171 Compliance Criteria (NCC) spreadsheet).
    • Roles and responsibilities (corresponds to the Cybersecurity Standardized Operating Procedures).
  • Cybersecurity Awareness Training - Microsoft PowerPoint template to provide cybersecurity awareness training.

The official overview of CMMC 2.0 can be read at https://dodcio.defense.gov/CMMC/. As you can see from the infographic shown below, CMMC evolved from 5 levels to 3 levels. If you store, transmit or process Controlled Unclassified Information (CUI), then you are CMMC v2.0 Level 2 (Advanced). ComplianceForge's NIST 800-171 Compliance Program (NCP) is specifically designed as the "easy button" for CMMC v2.0 Level 2 (Advanced). CMMC v2.0 Level 2 (Advanced) removes the CMMC v1.02 practices and processes. The focus is on NIST SP 800-171 R2 CUI and NFO controls. 

FAR vs DFARS Implications for NIST SP 800-171

NIST SP 800-171 isn’t just for Department of Defense (DoD) contractors. In addition to DoD contractors that had to comply with NIST SP 800-171 by the end of 2017, US Federal contractors are increasingly being required to comply with NIST SP 800-171. We often hear from DoD and US Government contractors that they do not know where to start, but they just know that NIST SP 800-171 is a requirement they cannot run from. Both DFARS and FAR point to NIST SP 800-171 as the expectation for contractors to implement a minimum set of cybersecurity capabilities. 

The NCP addresses both Controlled Unclassified Information (CUI) and Non-Federal Organization (NFO) requirements. Many people overlook the NFO requirements that are listed in Appendix E of NIST SP 800-171, but the NCP includes both CUI and NFO controls so that you have complete coverage for NIST SP 800-171 compliance documentation.

Work Smarter and Not Harder - NIST SP 800-171 Scoping Considerations

NIST SP 800-171 allows contractors to limit the scope of the CUI security requirements to those particular systems or components that store, process or transmit CUI. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for non-federal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both. 

We put together a guide to help companies scope their computing environment, identifying what is in scope for NIST SP 800-171 and what falls outside of scope.

When you look at NIST SP 800-171 compliance, it has some similarities to the Payment Card Industry Data Security Standard (PCI DSS). If scoping is done poorly, a company's Cardholder Data Environment (CDE) can encompass the enterprise's entire network, which means PCI DSS requirements would apply uniformly throughout the entire organization. In these scenarios, PCI DSS compliance can be prohibitively expensive or even technically impossible. However, when the network is intelligently designed with security in mind, the CDE can be a small fraction of the company's network, which makes compliance much more achievable and affordable. NIST SP 800-171 should be viewed in the very same manner.

This guide is meant to help companies identify assets within scope for NIST SP 800-171 and potentially find ways to minimize scope through isolation or controlled access.

Frequently Asked Questions

Where can I see an example NCP?

There is an examples section on the NIST 800-171 Compliance Program (NCP) product page. These examples show the NCP’s policies, standards, procedures and more to help demonstrate the level of professionalism and detail that went into making this documentation. There is also a product overview video that is worth watching that describes what the NCP is and what is included with the purchase.

How is the NCP different from other editable templates that can be found on the Internet?

You get what you pay for. ComplianceForge specializes in cybersecurity documentation and has been writing quality cybersecurity documentation since 2005. We’ve been writing NIST 800-171-related compliance documentation since 2016, so we have nearly a decade of experience and refinements that make up the NIST 800-171 Compliance Program (NCP).

The NCP is "battle tested" - our clients have successfully passed DIBCAC assessments with this documentation, including a CMMC Third-Party Assessment Organization (C3PAO). Our clients choose us, since ComplianceForge understands that “a standard is a standard for a reason” where we follow industry-recognized practices for building our documentation solutions. This Hierarchical Cybersecurity Governance Framework can be read about here, where you can see how the structure follows terminology established by NIST, ISO, ISACA and AICPA for what right looks like for cybersecurity documentation. Look at examples of the NCP to see the quality difference for yourself.

How can I get a quote to purchase an NCP?

If you need a formal quote for a NIST 800-171 Compliance Program (NCP), please use the “Add To Quote” feature on the product page. This will allow us to generate a formal quote for you.

Can I buy the NCP with a Purchase Order (PO) or an offline invoice?

Yes. In addition to accepting all major credit cards, ComplianceForge can process orders for the NIST 800-171 Compliance Program (NCP) through offline invoicing. Please note that for non-credit card orders, we only process the order once payment is received, while credit card purchases are processed generally the same business day.

To place a non-credit card order, select the Invoice / Purchase Order (PO) payment option during the checkout process, since that ensures the order is in the system and that we can generate an invoice for you. You can reference the PO# in the comments section of the order checkout process, which will ensure the PO# is included on the invoice. You will receive a separate email with the invoice that contains check or ACH payment instructions.

How will I receive the NCP product files?

The NIST 800-171 Compliance Program (NCP) files are available via a ShareFile download link that we send you. We manually process our orders to customize the documentation and then email you the link to download the documentation.

Is the NCP editable?

Yes. The NIST 800-171 Compliance Program (NCP) is fully editable for your needs. The NCP is delivered in editable Microsoft Office formats (e.g., Word, Excel and PowerPoint). These are editable documents that you are able to modify for your organization's unique needs. There is no software to install - it is just templatized documentation that you can edit for your needs.

If you have a logo, have it ready at the time of purchase since you will be prompted to upload it. The cover page of the documentation will have your company's logo prominently displayed. The rest of the document will have your company name throughout, so anyone reading the document will get the feel it was custom created and tailored to your company.

If you do not have a logo, that is no problem. We just leave the logo off. The documentation will still look very professional, even without your logo on the front page.

Is the NCP a software or a subscription service?

Neither. The NIST 800-171 Compliance Program (NCP) is a one-time purchase and no software needs to be installed, since these are editable Microsoft Office documents (e.g., Microsoft Word, Excel and PowerPoint). The NCP does come with one (1) year of product updates. After the first year, you can choose to renew updates to stay current on changes (e.g., NIST 800-171 R3, CMMC 3.0, etc.).

When we send out new versions of the NCP, it comes with highlighted changes and errata. This helps you identify what has changed between the versions. Every organization handles its internal change control and review processes differently, so we do our best to make it as easy as possible to track version changes to help our clients.

How quickly can I receive my NCP order?

Generally, we process NIST 800-171 Compliance Program (NCP) orders the same day they are received. However, depending on the volume of orders, an order may be processed the following business day.

Turnaround time is generally the same business day for orders placed by credit card, but we give a buffer of 1-2 business days. Upon completing the online transaction, you will receive a confirmation e-mail. The completed product will be delivered to the e-mail address used to register at the time of purchase. If you pay by PO/Invoice, we do not process the order until payment is received.

Can I get additional customization of the NCP?

Yes. ComplianceForge, or its partners, can offer professional services to provide additional customization. However, there is added cost involved due to the labor incurred. Please review the Partners page for consultants you may want to work with for any professional services. There are also CMMC Practitioners listed on the CMMC Center of Awesomeness page who have experience with customizing the NIST 800-171 Compliance Program (NCP).


4 Reviews

  • 5
    Exactly what we needed

    Posted by Unknown on May 15, 2023

    I am using the NCP documentation to help my company work towards CMMC Lv2 compliance, and I must say that it was exactly what we needed. The documentation provided traceability in a way that eased the burden of assessments, making the entire process smoother and more manageable. Additionally, having a base policy and standards built from best practices in the field rather than a random generic choice gave us more confidence in building our program. Overall, I would highly recommend NCP to any organization looking to achieve CMMC compliance or enhance their cybersecurity program.

  • 5
    Affordable upgrade, fantastic package

    Posted by Unknown on Mar 10, 2020

    ComplianceForge has always been fair and generous in providing updates to purchased products. We appreciate their diligence in staying current with this ever-changing field!

  • 5
    Perfect fit

    Posted by GB on Aug 31, 2018

    The ComplianceForge NIST 800-171 Compliance Program (NCP) is a perfect fit for our small company’s compliance requirements. It provides all of the necessary policies, procedures, System Security Plan and Plan of Action Milestones to help our company comply with the NIST 800-171, both easily and cost effectively, without added complexity. ComplianceForge products reflect the company’s exceptional in-depth compliance knowledge and experience. We recommend ComplianceForge products for any company with compliance goals.

  • 5
    Gamechanger for NIST 800-171

    Posted by LT on Aug 16, 2018

    As luck would have it, our organization was selected for a security audit on the heels of the Dec. 31, 2017 deadline for NIST 800-171 compliance. We’re a very busy small business and everyone wears multiple hats. We struggled for more than 6 months, bouncing back and forth between the published NIST 800-171 and 800-53 documents, trying to get organized, sort out all the controls and decipher what was required to ensure our Cyber Security program would be deemed compliant. Finally, as the deadline (and our security audit) was closing in, we decided we needed some external help. We thoroughly evaluated several options before landing on the ComplianceForge site. We reviewed the NIST bundles, which seemed more comprehensive, yet straightforward, than any other option out there, but we were still unsure of what we REALLY needed to be compliant, as a small business, so we gave them a call. Game Changer. The gentleman we talked with was extremely helpful in guiding us to the most appropriate (not most expensive) option for our organization and gave us some great tips on how to get started. The spreadsheet is a perfect road map to compliance, complete with examples and suggestions on how to get there. This, along with the bundled templates, enabled us to achieve in a few short weeks what we were completely unable to achieve by ourselves over the previous 6+ months.
