NIST SP 800-171 & CMMC Compliance-Focused Policies & Standards   

At ComplianceForge, we take a unique view towards writing cybersecurity documentation. We developed a comprehensive and scalable way to write cybersecurity documentation that minimizes redundancies and inefficiencies that plague cybersecurity governance. This methodology is ideal for companies that want concise, business-focused cybersecurity policies, standards, procedures and more.

ComplianceForge believes that a standard is a standard for a reason. We provide direct references to industry-leading practices, so that clients can clearly see what requirements impact them, as well as filter requirements to their specific business requirements. Our three main products focused on NIST 800-171 and CMMC compliance are:

2020.1 - ComplianceForge - NIST SP 800-1

Since a picture can be worth 1,000 words, the video to the right helps describe this methodology where you can see examples of the hierarchy structure and overall flow of our documentation.

Our product pages have PDF examples of the policies, standards, procedures and more so you can look at more detailed examples. You can read more about the NCP, WISP and DSP below!

Editable NIST 800-171 compliance documentaion. Editable Microsoft Word Excel Cyberscurity Policies Standard Procedures

   NIST 800-171 Compliance Program (NCP)   

2018.1 - NIST 800-171 Cybersecurity Prog

The NIST 800-171 Compliance Program (NCP) is purpose-built for NIST 800-171 & CMMC compliance. The NCP is designed to address CMMC Levels 1, 2 & 3 audit needs

  • NIST 800-171 policies

  • NIST 800-171 standards

  • NIST 800-171 procedures

  • System Security Plan (SSP) & Plan of Action & Milestones (POA&M) templates

  • "Consultant In A Box" guide to NIST 800-171 compliance 

We listened to our customers and created the NIST 800-171 Compliance Program (NCP), based on the growing demand from small and medium businesses that want a simplified approach to NIST 800-171 compliance. The NCP is a streamlined product that is made up of other tailored ComplianceForge products to specifically address NIST 800-171 compliance needs.

   NIST 800-53 Rev5 Cybersecurity & Data Protection Program (CDPP)   

2021.1 - Cybersecurity & Data Protection

The Cybersecurity & Data Protection Program (CDPP) is designed to align a security program with NIST 800-53 rev4. The NIST 800-53 R5 CDPP is designed to address CMMC Levels 1, 2, 3 & 4 audit needs.

  • NIST 800-53 rev5-based policies, control objectives, standards and guidelines.

  • Organized into multiple domains that correspond to the families of controls in NIST 800-53 rev5 (each with its own policy and associated standards).

  • Two versions are available (most businesses only need the WISP-LM version):

    • CDPP-LM: contains the low & moderate baselines for NIST 800-53 rev5

    • CDPP-LMH: contains the low, moderate & high baselines for NIST 800-53 rev5

   Digital Security Program (DSP)   

For companies that want more than just policies, standards and guidelines, we have several NIST 800-171 bundles that build on the WISP to have near-turnkey documentation for NIST 800-171 and NIST 800-53 needs:



The Digital Security Program (DSP) is purpose-built for larger organizations that have to comply with multuple compliance requirements. As a "best in class" metaframework structure, the Digital Security Program is designed to address CMMC Levels 1, 2, 3, 4 & 5 audit needs. 

  • Hierarchical policies, control objectives, standards, guidelines, controls & metrics!

  • Addresses both cybersecurity and compliance governance!

  • Mapping to over 100 statutory, regulatory and contractual frameworks!

  • Organized into 32 domains (each with its own policy and associated standards) to build a modern, "digital" cybersecurity & privacy program!

  • Importable format into your GRC instance (Microsoft Word and Excel)

When viewed in terms of a "cybersecurity spectrum," the comprehensive nature of the DSP puts it on the robust coverage side of this spectrum. The DSP leverages the Secure Controls Framework (SCF) as its core control set. 

The video to the right helps demonstrate how the DSP ties everything together to create a scalable, comprehensive cybersecurity & privacy governance program:


  • STANDARDS are written to support CONTROL OBJECTIVES

  • PROCEDURES are written to implement the requirements that STANDARDS establish

  • CONTROLS exist as a mechanism to assess/audit both the existence of PROCEDURES / STANDARDS and how well their capabilities are implemented and/or functioning

  • METRICS exist as a way to measure the performance of CONTROLS


For companies that want more than just policies, standards, controls, guidelines and metrics, we have several Digital Security Program (DSP) bundles that build on the DSP to have near-turnkey documentation for NIST 800-171 and NIST 800-53 needs:


© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

This website does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult a cybersecurity or privacy professional to discuss your specific needs. Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.

  • LinkedIn Social Icon
  • Facebook Social Icon
  • Google+ Social Icon