Editable Cybersecurity Documentation For NIST SP 800-171 & CMMC Compliance

The first step towards passing an audit is having appropriate documentation that you can use to prove you are doing what is required. If you are looking to jump-start your NIST SP 800-171 compliance and Cybersecurity Maturity Model Certification (CMMC) audit readiness with editable cybersecurity policies, standards, controls, procedures and metrics, then you have found the right place! Our documentation is widely used throughout the US Defense Industrial Base (DIB) as a way for prime contractors and subcontractors to solve the problems associated with weak or non-existent cybersecurity documentation. Our solution is:

  • Affordable

  • Editable

  • Scalable

  • Professionally-written

We have a wide range of solutions that scale from the largest prime contractors down to small subcontractors, and our documentation maps directly to the frameworks identified in CMMC:

  • FAR 52.204-21

  • DFARS 252.204-7012 & 252.204-7021 

  • NIST SP 800-53 rev 5

  • NIST SP 800-171 rev2

  • NIST SP 800-172 

  • NIST Cybersecurity Framework

  • CERT Resiliency Management Model (RMM)

  • ISO 27002:2013

  • CIS CSC 7.1

One common misconception is that CMMC compliance is the same thing as NIST SP 800-171 compliance. That is not entirely true, especially at the higher levels of CMMC, which include requirements from frameworks other than NIST SP 800-171.

  • CMMC Level 1: This is essentially addressing FAR 52.204-21 cybersecurity principles.

  • CMMC Level 2: This builds on CMMC Level 1 and addresses a little over half of NIST 800-171 controls.

  • CMMC Level 3: This builds on CMMC Level 2 and addresses all NIST 800-171 and a few extras.

  • CMMC Levels 4 & 5: CMMC Levels 4 & 5 build on CMMC Level 3 and include controls from a range of frameworks:

    • CERT RMM v1.2

    • NIST SP 800-53

    • NIST SP 800-172

    • ISO 27002

    • CIS CSC 7.1

    • Unattributed “CMMC” requirements that are not traceable to any existing framework.

[Figure: 2019 - CMMC Compliance Frameworks]

Based on version 1.02 of the CMMC, there are 5 levels, and each has its own specific set of controls that will be in scope for a CMMC audit. This article covers the breakdown in more detail:

  • CMMC Level 1: 17 Controls

  • CMMC Level 2: 72 Controls (includes Level 1 controls)

  • CMMC Level 3: 130 Controls (includes Level 2 controls)

  • CMMC Level 4: 156 Controls (includes Level 3 controls)

  • CMMC Level 5: 171 Controls (includes Level 4 controls)

[Figure: 2020 - CMMC v1.02 matrix]

Understanding NIST SP 800-171 Compliance vs CMMC Assessments

Compliance with NIST SP 800-171 is required for any contractor or subcontractor that stores, transmits or processes Controlled Unclassified Information (CUI). This has been a requirement since 1 January 2018 and it is still a requirement under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Compliance efforts relied on "self-attestation" rather than a more traditional third-party auditor evaluation, and this partially led to a low rate of compliance across the Defense Industrial Base (DIB).


Cybersecurity Maturity Model Certification (CMMC) is the US Government's solution to fix the low rates of compliance associated with NIST SP 800-171. CMMC is not optional and is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) recognizes that not all contractors are alike, and it also recognizes the many ways in which subcontractors are used. The CMMC is a tiered model that addresses every business in the DIB, from the largest contractors down to small subcontractors (e.g., IT service providers, bookkeepers, janitorial services, etc.) that could impact CUI.

ComplianceForge offers a cost-effective and timely solution to the poorly-constructed or outdated cybersecurity documentation that hampers the onboarding and overall functionality of GRC platforms. Without documentation designed for a GRC platform, it is the equivalent of buying a new car and having your old engine installed. Your GRC platform is designed to make you more efficient, so you need content that will deliver on that promised functionality.

When discussing NIST SP 800-171, most people are familiar with the Controlled Unclassified Information (CUI) controls listed in Appendix D. However, Appendix E contains additional Non-Federal Organization (NFO) controls that contractors are expected to already have in place as minimum levels of security. Please note that doing only the CMMC minimums and ignoring applicable NIST SP 800-171 controls could be a violation of the False Claims Act (FCA). CMMC levels do not address NFO controls, but to be compliant with NIST SP 800-171 a contractor still has to address:

  • All applicable CUI controls; and

  • NFO controls.

NIST SP 800-171

  • Required by DFARS 252.204-7012.

  • Became a requirement on 1 January 2018.

  • Relied upon self-attestation.

CMMC

  • Is the current requirement, based on the updated DFARS.

  • Is a result of low compliance rates for NIST SP 800-171.

  • Relies on a yet-to-be-determined network of third-party auditors.

  • Results will feed a database that contracting officials will use to validate the compliance status of primes and subcontractors.

Preparing For A CMMC Assessment

There is no current guidance on what a Certified Third-Party Assessment Organization (C3PAO) will use for these assessments, but the current assumption by many is that NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will serve as the basis for the criteria a C3PAO uses when evaluating a CMMC requirement that is directly mapped to a NIST SP 800-171 rev2 control. Until final guidance is issued on what C3PAOs will use for the assessment, the main focus of CMMC audit preparation should be on clear, concise documentation (e.g., CMMC/NIST SP 800-171 specific policies, standards, procedures, SSP, POA&M, etc.). The reason for this is financial: you will be paying a C3PAO an hourly rate (likely $300/hr +/- $100), and the longer it takes an auditor to review and understand your environment, the more billable hours will accumulate. Therefore, clear and concise documentation can potentially save tens of thousands of dollars in future C3PAO audit-related costs.


One thing to keep in mind as you prepare for a CMMC assessment - in the audit world there are two constants:

  • Time is money; and

  • Nothing exists unless it is documented.


A documentation review will likely occur before the C3PAO conducts any staff interviews, so the more questions you can address through clear documentation, the less your staff will have to fill in the blanks during auditor interviews. This is really where good documentation is half the battle in an audit! Expect your C3PAO to start their assessment by:

  • Performing a thorough review of your System Security Plan (SSP) to understand the who/what/when/where/how/why of your CUI environment;

  • Assessing your Plan of Action & Milestones (POA&M) to understand what controls are not addressed (if applicable) and how your compensating controls exist to remediate the risk of non-compliance on a certain control; and

  • Evaluating your policies, standards and procedures to see if those line up with the SSP and if that documentation supports all the requirements of NIST SP 800-171 / CMMC. 

CMMC Level 1 Overview

There are 17 controls that make up CMMC Level 1, and each of those controls is directly mapped to Federal Acquisition Regulation (FAR) 52.204-21. Even though there are only 15 FAR 52.204-21 controls, the CMMC spread that basic coverage across 17 CMMC controls. Why? Most likely, it is due to the high-level nature of the FAR requirements: subjective interpretation made the case that 17 CMMC controls were needed to adequately address the 15 FAR controls. Regardless, CMMC Level 1 is essentially just complying with FAR 52.204-21 under the lens of NIST SP 800-171.

A CMMC Level 1 assessment will cover 15% of the NIST SP 800-171 CUI controls.




CMMC Level 2 Overview

There are 72 controls that make up CMMC Level 2, which encompasses the CMMC Level 1 controls. A CMMC Level 2 audit will cover 65% of the NIST 800-171 CUI controls.


CMMC Level 3 Overview

There are 130 controls that make up CMMC Level 3, which encompasses the CMMC Level 1 & 2 controls. A CMMC Level 3 audit will cover 100% of the 110 NIST SP 800-171 CUI controls and adds an additional 20 controls from various sources.


The additional 20 non-NIST 800-171 controls are:

  • AM.3.036. Define procedures for the handling of CUI data.

  • AU.3.048. Collect audit logs into a central repository.

  • AU.2.044. Review audit logs.

  • IR.2.093. Detect and report events.

  • IR.2.094. Analyze and triage events to support event resolution and incident declaration.

  • IR.2.095. Develop and implement responses to declared incidents according to pre-defined procedures.

  • IR.2.097. Perform root cause analysis on incidents to determine underlying causes.

  • RE.2.137. Regularly perform and test data back-ups.

  • RE.3.139. Regularly perform complete and comprehensive data back-ups and store them off-site and offline.

  • RM.3.144. Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

  • RM.3.146. Develop and implement risk mitigation plans.

  • RM.3.147. Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

  • CA.3.162. Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements.

  • SA.3.169. Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.

  • SC.2.179. Use encrypted sessions for the management of network devices.

  • SC.3.192. Implement Domain Name System (DNS) filtering services.

  • SC.3.193. Implement a policy restricting the publication of CUI on publicly accessible websites (e.g., Forums, LinkedIn, Facebook, Twitter, etc.).

  • SI.3.218. Employ spam protection mechanisms at information system access entry and exit points.

  • SI.3.219. Implement DNS or asymmetric cryptography email protections.

  • SI.3.220. Utilize email sandboxing to detect or block potentially malicious email attachments.


What Do CMMC Levels 4 & 5 Look Like?

For CMMC Level 4, there are 156 controls. For CMMC Level 5, there are 171 controls. As you can see, these numbers exceed the 110 CUI controls found in NIST 800-171. CMMC Levels 4 & 5 build on CMMC Level 3 with controls from a range of frameworks:

  • CERT RMM v1.2

  • NIST 800-53

  • NIST 800-172

  • ISO 27002

  • CIS CSC 7.1

  • Unattributed “CMMC” requirements that are not traceable to any existing framework.

[Figure: 2020 - CMMC - Cybersecurity Maturity Mod]
[Figure: 2020 - NIST 800-171 rev2 vs CMMC v1.02]

Leading Cybersecurity Framework Alignment

NIST SP 800-171? NIST 800-53 R5? CERT RMM? Yes! We can provide policies, standards, procedures and more for those common cybersecurity frameworks to help you with NIST 800-171 and CMMC compliance! Our documentation solutions are based on leading cybersecurity and privacy practices.

[Figure: Industry Best Practices - Picking The Ri]

Solving The Documentation Problem For CMMC Compliance

ComplianceForge offers a unique product lineup to provide semi-customized, editable cybersecurity documentation for customers who need to comply with NIST 800-171 and prepare for a CMMC audit. Our NIST SP 800-171 documentation significantly helps with CMMC compliance by providing our customers with a “tooth to tail” documentation solution:

  • Policies are mapped to control objectives.

  • Control objectives are mapped to standards.

  • Standards are mapped to controls.

  • Controls are mapped to procedures.

  • Metrics are mapped to controls.

  • Roles & responsibilities for procedures are mapped to the NIST NICE Cybersecurity Workforce Framework.

  • Program-level documentation exists to help clients operationalize the policies & standards.

"Full Stack" Cybersecurity Documentation - More Than Policies & Standards

We offer more than just policies & standards! Written cybersecurity & data protection policies and standards are only part of what organizations need in order to implement and maintain a NIST SP 800-171 / CMMC compliant program. When it boils down to it, companies implement cybersecurity documentation for several key business reasons:

  • Comply with statutory, regulatory and contractual obligations;

  • Reduce operational losses from cybersecurity incidents; and

  • Maintain a competitive advantage through protecting Intellectual Property (IP).


From the compliance perspective, it is a two-sided coin where a company must demonstrate evidence of (1) due care and (2) due diligence. Written cybersecurity documentation is great at providing a written artifact to demonstrate due care, but it will not provide evidence of due diligence. ComplianceForge’s product line contains operational-level guidance for key cybersecurity components to help organizations provide evidence of due diligence.

The diagram shown below helps visualize the linkages in documentation that involve written procedures:


  • STANDARDS are written to support CONTROL OBJECTIVES

  • PROCEDURES are written to implement the requirements that STANDARDS establish

  • CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning

  • METRICS exist as a way to measure the performance of CONTROLS

[Diagram: 2019 - CSOP - Cybersecurity Standardized]

NIST SP 800-171 Compliance & CMMC Assessments

Cybersecurity documentation is an active defense and an integral component of risk management. What can possibly go wrong with non-compliance with a law, regulation or contract?

  • Contract Termination. It is reasonably expected that the other party will terminate contracts over non-compliance with major cybersecurity and privacy requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance may also cause a prime contractor to be non-compliant, as a whole.

  • Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).

  • Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a non-compliance related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., no documented procedures).

  • Fines. The Federal Trade Commission (FTC) has authority to investigate and fine companies found to have poor security programs. In addition to fines, companies can be forced to pay for recurring, annual audits to demonstrate cybersecurity program effectiveness.