Quality, Expert-Derived Cybersecurity Documentation To Keep Organizations Secure, Compliant & Resilient - No AI Slop!
Secure Controls Framework

Where Do I Start With Cybersecurity Documentation?

There is a lot of information on the ComplianceForge website, so we made a free guide to help you baseline your understanding and be informed as you navigate our products, guidance documents, and free resources. We want you to make informed, objective decisions about your cybersecurity documentation needs!

Key Takeaways - Start Here
  • ComplianceForge sells editable, expert-written cybersecurity documentation - policies, standards, procedures, and more - aligned to leading frameworks.
  • Start by understanding the differences between frameworks (NIST CSF vs ISO 27001 vs NIST 800-53 vs SCF) and documentation types (policies vs standards vs procedures).
  • Know your compliance obligations: statutory, regulatory, and contractual - this determines which products you need.
  • Defense contractors should start with the NIST 800-171 / CMMC section for DIB-specific guidance.
  • All products are editable (Word, Excel, PowerPoint), customized with your logo and company name, and delivered same-day.
Start Here - Baseline Your Understanding

Cybersecurity Documentation Fundamentals

Before exploring ComplianceForge products, baselining your understanding is critical so that you can make "apples to apples" comparisons from an objective standpoint.

Start Here cybersecurity documentation overview

NIST CSF vs ISO 27001/27002 vs NIST 800-53 vs NIST 800-171 vs SCF

Understand the differences between NIST CSF, ISO 27001/27002, NIST 800-53, NIST 800-171 and the Secure Controls Framework. We put together a useful guide on that topic.

Policies vs Standards vs Controls vs Procedures

Learn the differences between policies, standards, controls and procedures using the Hierarchical Cybersecurity Governance Framework (HCGF). It organizes the differences into a swimlane to make it easy to understand the relationships and the authoritative definitions from sources like ISO, NIST, ISACA and AICPA.

Statutory vs Regulatory vs Contractual Obligations

Prioritize your "must have" vs "nice to have" requirements by understanding statutory, regulatory and contractual compliance.

Strategic vs Operational vs Tactical Considerations

From a scoping perspective, understand strategic vs operational vs tactical considerations.

Threats vs Vulnerabilities vs Risks

Understand the differences between threats, vulnerabilities and risks to appreciate how controls are central to your cybersecurity program.

Not sure where to start?

Read these guides in order from top to bottom. Each builds on the previous and gives you the foundation to select the right products.

Defense Industrial Base (DIB)

Defense Contractor-Specific Guidance

The US Defense Industrial Base has unique cybersecurity challenges around NIST 800-171, CMMC, CUI handling, and ITAR/EAR/DFARS requirements.

NIST 800-171 & CMMC - Where Do I Start?

The comprehensive starting guide for defense contractors navigating NIST SP 800-171 Rev 2/Rev 3 and CMMC 2.0 compliance.

Controlled Unclassified Information (CUI)

Understand the differences between unclassified, CUI, confidential, secret, and top secret data classifications.

ITAR vs EAR vs FAR vs DFARS

Navigate the complex web of export control and federal acquisition regulations and how they relate to CUI and CMMC.

Go Deeper on Governance, Risk & Compliance

GRC Concepts Every Organization Should Know

These guides cover the structural and strategic concepts that separate mature cybersecurity programs from ad-hoc compliance efforts.

Hierarchical Cybersecurity Governance Framework (HCGF)

How policies, standards, controls, procedures, guidelines, and metrics relate in a structured governance hierarchy.

Cybersecurity Risk Management & Materiality

Determine which risks actually matter to your organization and how to communicate them to executives and boards.

Cybersecurity Control Applicability

Scope and tailor controls based on your environment, risk appetite, and compliance obligations.

Cybersecurity Documentation Fundamentals

What cybersecurity documentation is, why it matters, and how to build a program that satisfies auditors and regulators.

Building a program from scratch?

Start with the Hierarchical Cybersecurity Governance Framework (HCGF) to understand the basics and then read the Security, Compliance & Resilience Management System (SCRMS) from the Secure Controls Framework (SCF). That is literally a "how to build a secure, compliant & resilient program" guidebook.

The Foundation Behind Our Products

Understanding the Secure Controls Framework (SCF)

The SCF is a free, open-source metaframework that serves as the foundation for all ComplianceForge documentation. Understanding it helps you see why our products map across 200+ laws, regulations & frameworks simultaneously.

What Is The SCF?

The world's most comprehensive free cybersecurity metaframework - a "Rosetta Stone" mapping controls across NIST, ISO, CMMC, HIPAA, PCI DSS, GDPR, and 200+ frameworks.

SCRMS - How To Implement The SCF

The Security, Compliance & Resilience Management System (SCRMS) is the "how-to" guide for putting the SCF into practice using the Plan-Do-Check-Act approach.

Security, Compliance & Resilience (SCR) Principles

The design philosophy behind the SCF - why "security by design" and "privacy by design" are embedded into every control domain.

Risk Management Model (SCR-RMM)

How policies, standards, procedures, metrics, threats, and risks connect through controls as the central nexus of your GRC program.

Capability Maturity Model (SCR-CMM)

What "right" looks like at each maturity level - from basic documentation through fully optimized, automated controls.

Why does this matter?

ComplianceForge is a SCF Licensed Content Provider (LCP) and many of its products are built to align with the SCF. The flexibility and scalability of the SCF is unparalleled and that is why ComplianceForge supports the SCF.

For Defense Contractors & Federal Supply Chain

NIST 800-171 & CMMC Deep Dive Resources

If your organization handles Controlled Unclassified Information (CUI) or is preparing for Cybersecurity Maturity Model Certification (CMMC) assessment, these resources go beyond the basics into the technical and regulatory details.

How To Upgrade To NIST SP 800-171 Rev 3

Assessment Objective-level analysis of what changed from Rev 2 to Rev 3 and how to plan your upgrade path.

NIST 800-171 R3 Transition Guide

Detailed mapping showing which AOs map directly, require moderate effort, or significant rework.

CMMC Kill Chain - A Prioritized Approach

Prioritize which controls to implement first based on risk impact - make meaningful security progress before full compliance.

Understanding Unclassified vs Classified Data

CUI, FCI, confidential, secret, top secret - clarifying each category and what triggers CUI requirements.

Understanding ITAR vs EAR vs FAR vs DFARS

How export controls and federal acquisition regulations interact with NIST 800-171 and CMMC compliance.

Non-Federal Organization (NFO) Controls

Often-overlooked controls unique to contractors and subcontractors in the defense supply chain.

Facing a CMMC assessment?

If you are new to CMMC, make a cup of coffee and start with the Kill Chain to prioritize. It is also worthwhile to read the NIST 800-171 R3 Transition Guide to understand the heavy lift between NIST 800-171 R2 / CMMC 2.0 Level 2 and NIST 800-171 R3.

Common Product Questions

Product-Related Questions

Before exploring our full product catalog, these are the most common questions new visitors ask:

What industries do you serve?

We serve clients across nearly every industry and business size. Our clients range from Fortune 100 enterprises to Small and Medium Businesses (SMBs) that include defense contractors, manufacturing, hospitality, government agencies, healthcare, financial services (FINSERV), legal, technology, and many, many more!

How are product updates handled?

Select products (SCRP, CSOP, SCF Bundle 1 & NCP) include annual subscription updates. One-time purchase products can be upgraded at a discount when new versions are released.