Editable NIST 800-171 Compliance Documentation

We encourage you to visit ComplianceForge.com, where you can review product examples and securely purchase these products online. We strive to deliver our orders within 1-2 business days, with most orders processed the same day.


NIST 800-171 Documentation: Affordable | Editable | Easily Implemented

Below is a highlight of products that can help address NIST 800-171 compliance needs:

NIST 800-171 Compliance Program (NCP) - Most cost-effective & simple solution 

  • The NCP product is as close as you can get to an "easy button" for NIST 800-171 compliance documentation. It comes with all of the documentation that you need to comply with DFARS/NIST 800-171 cybersecurity requirements.

  • NIST 800-171 policies and standards - policies and standards specific to NIST 800-171 that come in an editable Microsoft Word format.

  • NIST 800-171 procedures - cybersecurity procedures that are directly linked to the policies and standards in an editable Microsoft Word format.

  • System Security Plan (SSP) template - SSP template that is specific to documenting how your Controlled Unclassified Information (CUI) is stored, transmitted and processed. 

  • Plan of Action & Milestones (POA&M) template - POA&M template that allows you to easily track any control deficiencies.

  • Supplemental guidance documentation - in addition to an Incident Response Plan (IRP) and other useful templates, the NCP comes with a complete breakdown of all CUI and Non-Federal Organization (NFO) controls with guidance on what is expected to be in place from an auditor's perspective. 

 

NIST 800-53 Based Written Information Security Program (WISP)

  • NIST 800-53 based cybersecurity policies & standards in an editable Microsoft Word format.

  • The WISP addresses the “why?” and “what?” questions in an audit, since policies and standards form the foundation for your cybersecurity program.

  • Each of the NIST 800-53 rev4 families has a policy associated with it, so there is a total of 26 policies.

  • Under each of the policies are standards that support those policy statements. These standards equate to the moderate control set from NIST 800-53 rev 4, which is needed for NIST 800-171.

NIST 800-171 & CMMC Compliance Criteria (NC3)

  • This is our “consultant in a box” NIST 800-171 checklist in an editable Microsoft Excel format.

  • Each of the NIST 800-171 controls from Appendix D is mapped to its corresponding NIST 800-53 control.

  • Each of the NIST 800-53 controls is broken down to identify:

    • Reasonably-expected criteria to address the control;

    • Applicable compliance guidance;

    • Methods to address the requirement; and

    • Status of compliance for each control so you can use it for a self-assessment.

  • The NC3 also covers Appendix E Non-Federal Organization (NFO) controls.

  • The NC3 maps into the WISP and DSP products, so they work in concert together for helping you comply with NIST 800-171.


 

System Security Plan (SSP) & Plan of Action & Milestones (POA&M) Templates (SSP)

  • These are fully editable templates.

  • One template is a Microsoft Word-based System Security Plan (SSP) that contains all the criteria necessary to have your SSP documented to meet NIST 800-171 compliance expectations.

  • One template is a Microsoft Excel-based Plan of Action & Milestones (POA&M) that contains fields necessary to track control deficiencies from identification through remediation.

NIST 800-53 Cybersecurity Standardized Operating Procedures Template (CSOP)

  • The CSOP is a template for procedures. Companies are expected to demonstrate HOW cybersecurity controls are actually implemented.

  • This is an editable Microsoft Word document.

  • Given the difficult nature of writing templated procedure statements, we aimed for approximately an "80% solution", since it is impossible to write a 100% complete cookie-cutter procedure statement that can be equally applied across multiple organizations. What this means is ComplianceForge did the heavy lifting and you just need to fine-tune the procedure with the specifics that only you would know to make it applicable to your organization. It is pretty much filling in the blanks and following the helpful guidance that we provide to identify the who/what/when/where/why/how to make it complete.

  • The NIST 800-53 CSOP is mapped to NIST 800-171, NIST 800-53, and other requirements. 

 

Integrated Incident Response Program (IIRP)

  • The IIRP addresses the “how?” questions for how your company manages cybersecurity incidents.

  • This is primarily an editable Microsoft Word document, but it comes with Microsoft Excel, PowerPoint and Visio templates.

  • In summary, this addresses fundamental needs when it comes to incident response requirements:

    • Defines the hierarchical approach to handling incidents.

    • Categorizes eleven different types of incidents and four different classifications of incident severity.

    • Defines the phases of incident response operations, including deliverables expected for each phase.

    • Defines the Integrated Security Incident Response Team (ISIRT) to enable a unified approach to incident response operations.

    • Defines the scientific method approach to incident response operations.

    • Provides guidance on how to write up incident reports (e.g., lessons learned).

    • Provides guidance on forensics evidence acquisition.

    • Identifies and defines Indicators of Compromise (IoC).

    • Identifies and defines sources of evidence.   

  • The IIRP contains “tabletop exercise” scenarios, based on the categories of incidents.

  • This helps provide evidence of due care in how your company handles cybersecurity incidents.

  • The IIRP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.

 

Risk Management Program (RMP)

  • The RMP addresses the “how?” questions for how your company manages risk.

  • This is an editable Microsoft Word document that provides program-level guidance to directly support the WISP and DSP policies and standards for managing cybersecurity risk.

  • In summary, this addresses fundamental needs when it comes to risk management requirements:

    • How risk is defined.

    • Who can accept risk.

    • How risk is calculated by defining potential impact and likelihood.

    • Necessary steps to reduce risk.

    • Risk considerations for vulnerability management.

  • The RMP is based on leading frameworks, such as NIST 800-37, NIST 800-39, ISO 31010 and COSO 2013.

 

Cybersecurity Risk Assessment (CRA) Template

  • The CRA supports the RMP product in answering the “how?” questions for how your company manages risk.

  • This contains both an editable Microsoft Word document and Microsoft Excel spreadsheet that allows for professional-quality risk assessments.

  • The CRA directly supports the RMP, as well as the WISP and DSP policies and standards, for managing cybersecurity risk. It does this by enabling your company to produce risk assessment reports.

 

Vulnerability & Patch Management Program (VPMP)

  • The VPMP addresses the “how?” questions for how your company manages technical vulnerabilities and patch management operations.

  • This is an editable Microsoft Word document that provides program-level guidance to directly support the WISP and DSP policies and standards for managing vulnerabilities.

  • In summary, this addresses fundamental needs when it comes to vulnerability management requirements:

    • Who is responsible for managing vulnerabilities.

    • What is in scope for patching and vulnerability management.

    • Defines the vulnerability management methodology.

    • Defines timelines for conducting patch management operations.

    • Considerations for assessing risk with vulnerability management.

    • Vulnerability scanning and penetration testing guidance.

    • Information Assurance (IA) guidance to support secure engineering activities.

 

Vendor Compliance Program (VCP)

  • The VCP addresses the “how?” questions for how your company manages risk with third parties (e.g., service providers, vendors, contractors, etc.).

  • This is an editable Microsoft Word document that is essentially a “mini-WISP” document that is intended to be shared with third parties, as compared to sharing detailed policies and standards.

  • The VCP contains concise cybersecurity-related expectations that your company expects your third parties to abide by.

  • The text from the VCP can be used in a contract addendum or shared as a stand-alone document.

  • The VCP helps provide evidence of due care in how your company informs third parties about their cybersecurity obligations.

 

Security & Privacy by Design (SPBD)

  • The SPBD addresses the “how?” questions for how your company ensures both security and privacy principles are operationalized.

  • This is an editable Microsoft Word document that provides program-level guidance to directly support the WISP and DSP policies and standards for ensuring secure engineering and privacy principles are operationalized on a daily basis.

  • The concept of “secure engineering” is mandatory in numerous statutory, regulatory and contractual requirements. The SPBD provides a “paint by numbers” approach to ensure your company has evidence of both due care and due diligence for operationalizing security and privacy principles.

  • The CIRP is based on numerous frameworks, but the core is NIST 800-160, which is the de facto standard on secure engineering. 

 

Continuity of Operations Program (COOP)

  • The COOP addresses the “how?” questions for how your company plans to respond to disasters to maintain business continuity.

  • This is an editable Microsoft Word document that provides program-level guidance to directly support the WISP and DSP policies and standards for disaster recovery and business continuity operations.

  • The concept of “continuity operations” spans incident response to disaster recovery to business continuity operations. This is a very common requirement in numerous statutory, regulatory and contractual requirements. The COOP provides your organization with the documentation to prove it addresses both disaster recovery and business continuity.

  • The COOP is based on numerous frameworks to provide a holistic approach to DR and BC operations. 


This website does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.