Editable Cybersecurity Documentation For NIST 800-171 & CMMC Compliance

The first step towards passing an audit is having appropriate documentation that you can use to prove you are doing what is required. If you are looking to jump start your NIST 800-171 compliance and Cybersecurity Maturity Model Certification (CMMC) audit readiness with editable cybersecurity policies, standards, controls, procedures and metrics then you have found the right place! Our documentation is widely used throughout the US Defense Industrial Base (DIB) as a way for prime and subcontractors to solve the problems associated with weak or non-existent cybersecurity documentation. Our solution is:

  • Affordable

  • Editable

  • Scalable

  • Professionally-written

We have a wide-range of solutions that scale from the largest prime contractors down to small subcontractors and our documentation has direct mapping to the frameworks identified in CMMC*: 

  • FAR 52.204-21

  • NIST 800-53 rev 4

  • NIST 800-171 rev1

  • NIST 800-171B 

  • NIST Cybersecurity Framework

  • CERT Resiliency Management Model (RMM)

  • ISO 27002:2013

  • CIS CSC 7.1

*CMMC v1.0 is the latest working-version of CMMC that is used for our planning purposes

One common misconception is that CMMC compliance is the same thing as NIST 800-171. That is not entirely true, especially in the higher-levels of CMMC that include requirements from frameworks other than NIST 800-171.

  • CMMC Level 1: This is essentially addressing FAR 52.204-21 cybersecurity principles.

  • CMMC Level 2: This builds on CMMC Level 1 and addresses a little over half of NIST 800-171 controls.

  • CMMC Level 3: This builds on CMMC Level 2 and addresses all NIST 800-171 and a few extras.

  • CMMC Levels 4 & 5: CMMC Levels 4 & 5 build off CMMC Level 3 and include controls from a range of frameworks:

    • CERT RMM v1.2

    • NIST 800-53

    • NIST 800-171B

    • ISO 27002

    • CIS CSC 7.1

    • Unattributed “CMMC” references that are not attributed to existing frameworks.

Based on version 1.02 of the CMMC, there are 5 levels and each has its own specific set of controls that will be in scope for a CMMC audit. This article will cover this breakdown in more detail:

  • CMMC Level 1: 17 Controls

  • CMMC Level 2: 72 Controls (includes Level 1 controls)

  • CMMC Level 3: 130 Controls (includes Level 2 controls)

  • CMMC Level 4: 156 Controls (includes Level 3 controls)

  • CMMC Level 5: 171 Controls (includes Level 4 controls)

2020 - CMMC v1.02 matrix.JPG

   Understanding NIST 800-171 Compliance vs CMMC Audits   

Compliance with NIST 800-171 is required for any contractor or subcontractor that stores, transmits or processes Controlled Unclassified Information (CUI). This has been a requirement since 1 January 2018 and it is still a requirement under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Compliance efforts consisted of "self-attestation" vs. a more traditional third-party auditor evaluation and this partially led to a low rate of compliance across the Defense Industrial Base (DIB). 


Cybersecurity Capability Maturity Model (CMMC) certification is the US Government's solution to fix low rates of compliance associated with NIST 800-171. CMMC is not optional and is designed to permit only allow businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) recognizes that all contractors are not alike, as well as the nature of how subcontractors are used. The CMMC is a tiered model that addresses every business in the DIB, from the largest contractors down to small subcontractors (e.g., IT service providers, bookkeepers, janitorial services, etc.) that could impact CUI.

ComplianceForge offers a cost-effective and timely solution to the poorly-constructed or outdated cybersecurity documentation that hamper the onboarding and overall functionality of GRC platforms. Without documentation designed for a GRC platform, it is equivalent of buying a new car and having your old engine installed. Your GRC platform is designed to make you more efficient, so you need the content that will deliver on that promised functionality.

When discussing NIST 800-171, most people are familiar with the Controlled Unclassified Information (CUI) controls listed in Appendix D. However, Appendix E contains additional Non Federal Organization (NFO) controls that are expected for contractors to already have in place as minimum levels of security. Please not that only doing CMMC minimums and ignoring applicable NIST 800-171 controls would be a possible violation of the False Claims Act (FCA). CMMC levels do not address NFO controls, but to be compliant with NIST 800-171 a contractor still has to address:

  • All applicable CUI controls; and

  • NFO controls.

NIST 800-171

  • Required by DFARS 252.204-7012.

  • Became a requirement on 1 January 2018.

  • Relied upon self-attestation.


  • CMMC is a requirement as of 1 January 2020.

  • Is a result of low compliance rates for NIST 800-171.

  • Relies on a yet-to-be-determined network of third-party auditors.

  • Results will feed a database that contracting officials will use to validate the compliance status of primes and subcontractors.

Preparing For A CMMC Audit

There is no current guidance on what 3rd Party Assessment Organizations (3PAO) will use for these assessments, but the current assumption by many is NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, will serve as the basis for the criteria used by a 3PAO when evaluating against a CMMC requirement that is directly mapped to a NIST 800-171 rev1 control. Until final guidance on what 3PAOs will use for the assessment, the main focus of CMMC audit preparation should be on clear, concise documentation (e.g., CMMC/NIST 800-171 specific policies, standards, procedures, SSP, POA&M, etc.). The reason for this is from a financial perspective, you will be paying a 3PAO an hourly rate (likely $300/hr +/- $100) and the longer it takes an auditor to review and understand your environment, the more billable hours will accumulate. Therefore, clear and concise documentation can potentially save tens of thousands of dollars in future 3PAO audit-related costs. 


One thing to keep in mind as you prepare for a CMMC audit - in the audit world there are two constants:

  • Time is money; and

  • Nothing exists unless it is documented.


A documentation review will likely occur before the 3PAO conducts any staff interviews, so the more questions you can address by clear documentation, the less your staff will have to fill in the blanks with auditor questions. This is really where good documentation is half the battle in an audit! Expect your 3PAO to start their assessment by:

  • Performing a thorough review of your System Security Plan (SSP) to understand the who/what/when/where/how/why of your CUI environment;

  • Assessing your Plan of Action & Milestones (POA&M) to understand what controls are not addressed (if applicable) and how your compensating controls exist to remediate the risk of non-compliance on a certain control; and

  • Evaluating your policies, standards and procedures to see if those line up with the SSP and if that documentation supports all the requirements of NIST 800-171 / CMMC. 

CMMC Level 1 Overview

There are 17 controls that make up CMMC Level 1 and each of those controls are directly mapped to Federal Acquisition Regulation (FAR) 52.204-21. Even though there are only 15 FAR 52.204-21 controls, the CMMC spread that basic coverage to make up 17 CMMC controls. Why? Most likely, it is due to the high-level nature of the FAR requirements, so there was subjective interpretation that made the case for 17 CMMC controls being needed to adequately address the 15 FAR controls. Regardless, CMMC Level 1 is essentially just complying with FAR 52.204-21 under the lens of NIST 800-171.

A CMMC Level 1 audit will cover 15% of the NIST 800-171 CUI controls.




CMMC Level 2 Overview

There are 72 controls that make up CMMC Level 2, which encompasses the CMMC Level 1 controls. A CMMC Level 2 audit will cover 65% of the NIST 800-171 CUI controls.


CMMC Level 3 Overview

There are 131 controls that make up CMMC Level 3, which encompasses the CMMC Level 1 & 2 controls. A CMMC Level 3 audit will cover 100% of the 110 NIST 800-171 CUI controls and adds an additional 21 controls from various sources.


The additional 20 non-NIST 800-171 controls are:

  • AM.3.036. Define procedures for the handling of CUI data.

  • AU.3.048. Collect audit logs into a central repository.

  • AU.2.044. Review audit logs.

  • IR.2.093. Detect and report events.

  • IR.2.094. Analyze and triage events to support event resolution and incident declaration.

  • IR.2.095. Develop and implement responses to declared incidents according to pre-defined procedures.

  • IR.2.097. Perform root cause analysis on incidents to determine underlying causes.

  • RE.2.137. Regularly perform and test data back-ups.

  • RE.3.139. Regularly perform complete and comprehensive data back-ups and store them off-site and offline.

  • RM.3.144. Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources, and risk measurement criteria.

  • RM.3.146. Develop and implement risk mitigation plans.

  • RM.3.147. Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.

  • CA.3.162. Employ code reviews of enterprise software developed for internal use to identify areas of concern that require additional improvements.

  • SA.3.169. Receive and respond to cyber threat intelligence from information sharing forums and sources and communicate to stakeholders.

  • SC.2.179. Use encrypted sessions for the management of network devices.

  • SC.3.192. Implement Domain Name System (DNS) filtering services.

  • SC.3.193. Implement a policy restricting the publication of CUI on publicly accessible websites (e.g., Forums, LinkedIn, Facebook, Twitter, etc.).

  • SI.3.218. Employ spam protection mechanisms at information system access entry and exit points.

  • SI.3.219. Implement DNS or asymmetric cryptography email protections.

  • SI.3.220. Utilize email sandboxing to detect or block potentially malicious email attachments.


What Do CMMC Levels 4 & 5 Look Like?

For CMMC Level 4, there are 156 controls. For CMMC Level 5, there are 171 controls. As you can see, these numbers exceed the 110 CUI controls found in NIST 800-171. CMMC Levels 4 & 5 build off CMMC Level 3 with controls from a range of frameworks:

  • CERT RMM v1.2

  • NIST 800-53

  • NIST 800-171B

  • ISO 27002

  • CIS CSC 7.1

  • Unattributed “CMMC” references that are not attributed to existing frameworks.

   Leading Cybersecurity Framework Alignment   

NIST 800-171? NIST 800-53? CERT RMM? Yes! We can provide policies, standards, procedures and more for those common cybersecurity frameworks to help you with NIST 800-171 and CMMC compliance! Our documentation solutions are based on leading cybersecurity and privacy practices.

   Solving The Documentation Problem For CMMC Compliance  

ComplianceForge offers a unique product lineup to provide semi-customized, editable cybersecurity documentation for customers who need to comply with NIST 800-171 and prepare for a CMMC audit. Our NIST 800-171 significantly help with CMMC compliance by providing our customers with a “tooth to tail” documentation solution:

  • Policies are mapped to control objectives.

  • Control objectives are mapped to standards.

  • Standards are mapped to controls.

  • Controls are mapped to procedures.

  • Metrics are mapped to controls.

  • Roles & responsibilities for procedures are mapped to the NIST NICE Cybersecurity Workforce Framework.

  • Program-level documentation exists to help clients operationalize the policies & standards.

   "Full Stack" Cybersecurity Documentation - More Than Policies & Standards   

We offer more than just policies & standards! Written cybersecurity policies and standards are just part of the requirements that organizations need to implement and maintain a NIST 800-171 / CMMC compliant program. When it boils down to it, companies implement cybersecurity documentation for several key business reasons:

  • Comply with statutory, regulatory and contractual obligations;

  • Reduce operational losses from cybersecurity incidents; and

  • Maintain a competitive advantage through protecting Intellectual Property (IP).


From the compliance perspective, it is a two-sided coin where a company must demonstrate evidence of (1) due care and (2) due diligence. Written cybersecurity documentation is great at providing a written artifact to demonstrate due care, but it will not provide evidence of due diligence. ComplianceForge’s product line contains operational-level guidance for key cybersecurity components to help organizations provide evidence of due diligence.

The diagram shown below helps visualize the linkages in documentation that involve written procedures:


  • STANDARDS are written to support CONTROL OBJECTIVES

  • PROCEDURES are written to implement the requirements that STANDARDS establish

  • CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning

  • METRICS exist as a way to measure the performance of CONTROLS

   NIST 800-171 Compliance & CMMC Audits   

Cybersecurity documentation is an active defense and is an integral component of risk management. What can possibly go wrong with non-compliance with a law, regulation or contract? 

  • Contract Termination. It is reasonably expected that the other party will terminate contracts over non-compliance with major cybersecurity and privacy requirements since it is a failure to uphold contract requirements. Subcontractor non-compliance may also cause a prime contractor to be non-compliant, as a whole.

  • Criminal Fraud. If a company states it is compliant when it knowingly is not compliant, that is misrepresentation of material facts. This is a criminal act that is defined as any act intended to deceive through a false representation of some fact, resulting in the legal detriment of the person who relies upon the false information (e.g., False Claims Act).

  • Breach of Contract Lawsuits. Both prime contractors and subcontractors could be exposed legally. A tort is a civil breach committed against another in which the injured party can sue for damages. The likely scenario for a non-compliance related tort would be around negligence on behalf of the accused party by not maintaining a specific code of conduct (e.g., no documented procedures).

  • Fines. The Federal Trade Commission (FTC) has authority to investigate and fine companies found to have poor security programs. In addition to fines, companies can be forced to pay for recurring, annual audits to demonstrate cybersecurity program effectiveness.


© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

This website does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

  • LinkedIn Social Icon
  • Facebook Social Icon
  • Google+ Social Icon