NIST SP 800-171 & CMMC Compliance-Focused Policies & Standards   

At ComplianceForge, we take a unique view towards writing cybersecurity documentation. We developed a comprehensive and scalable way to write cybersecurity documentation that minimizes redundancies and inefficiencies that plague cybersecurity governance. This methodology is ideal for companies that want concise, business-focused cybersecurity policies, standards, procedures and more.

ComplianceForge believes that a standard is a standard for a reason. We provide direct references to industry-leading practices, so that clients can clearly see what requirements impact them, as well as filter requirements to their specific business requirements. Our three main products focused on NIST 800-171 and CMMC compliance are:

2020.1 - ComplianceForge - NIST SP 800-1

Since a picture can be worth 1,000 words, the video to the right helps describe this methodology where you can see examples of the hierarchy structure and overall flow of our documentation.

Our product pages have PDF examples of the policies, standards, procedures and more so you can look at more detailed examples. You can read more about the NCP, WISP and DSP below!

2020 - CMMC v1.02 matrix.JPG
Editable NIST 800-171 compliance documentaion. Editable Microsoft Word Excel Cyberscurity Policies Standard Procedures

   NIST 800-171 Compliance Program (NCP)   

2018.1 - NIST 800-171 Cybersecurity Prog

The NIST 800-171 Compliance Program (NCP) is purpose-built for NIST 800-171 & CMMC compliance. The NCP is designed to address CMMC Levels 1, 2 & 3 audit needs

  • NIST 800-171 policies

  • NIST 800-171 standards

  • NIST 800-171 procedures

  • System Security Plan (SSP) & Plan of Action & Milestones (POA&M) templates

  • "Consultant In A Box" guide to NIST 800-171 compliance 

2019 - NIST 800-171 Compliance Program N

We listened to our customers and created the NIST 800-171 Compliance Program (NCP), based on the growing demand from small and medium businesses that want a simplified approach to NIST 800-171 compliance. The NCP is a streamlined product that is made up of other tailored ComplianceForge products to specifically address NIST 800-171 compliance needs.

   NIST 800-53 Rev5 Cybersecurity & Data Protection Program (CDPP)   

2021.1 - Cybersecurity & Data Protection

The Cybersecurity & Data Protection Program (CDPP) is designed to align a security program with NIST 800-53 rev4. The NIST 800-53 R5 CDPP is designed to address CMMC Levels 1, 2, 3 & 4 audit needs.

  • NIST 800-53 rev5-based policies, control objectives, standards and guidelines.

  • Organized into multiple domains that correspond to the families of controls in NIST 800-53 rev5 (each with its own policy and associated standards).

  • Two versions are available (most businesses only need the WISP-LM version):

    • CDPP-LM: contains the low & moderate baselines for NIST 800-53 rev5

    • CDPP-LMH: contains the low, moderate & high baselines for NIST 800-53 rev5

2019 - NIST 800-53 Written Information S

   Digital Security Program (DSP)   

For companies that want more than just policies, standards and guidelines, we have several NIST 800-171 bundles that build on the WISP to have near-turnkey documentation for NIST 800-171 and NIST 800-53 needs:



The Digital Security Program (DSP) is purpose-built for larger organizations that have to comply with multuple compliance requirements. As a "best in class" metaframework structure, the Digital Security Program is designed to address CMMC Levels 1, 2, 3, 4 & 5 audit needs. 

  • Hierarchical policies, control objectives, standards, guidelines, controls & metrics!

  • Addresses both cybersecurity and compliance governance!

  • Mapping to over 100 statutory, regulatory and contractual frameworks!

  • Organized into 32 domains (each with its own policy and associated standards) to build a modern, "digital" cybersecurity & privacy program!

  • Importable format into your GRC instance (Microsoft Word and Excel)

When viewed in terms of a "cybersecurity spectrum," the comprehensive nature of the DSP puts it on the robust coverage side of this spectrum. The DSP leverages the Secure Controls Framework (SCF) as its core control set. 

2019 - Digital Security Program DSP.JPG

The video to the right helps demonstrate how the DSP ties everything together to create a scalable, comprehensive cybersecurity & privacy governance program:


  • STANDARDS are written to support CONTROL OBJECTIVES

  • PROCEDURES are written to implement the requirements that STANDARDS establish

  • CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning

  • METRICS exist as a way to measure the performance of CONTROLS


For companies that want more than just policies, standards, controls, guidelines and metrics, we have several Digital Security Program (DSP) bundles that build on the DSP to have near-turnkey documentation for NIST 800-171 and NIST 800-53 needs: