Policy templates and tools for CMMC and 800-171

CMMC compliance policy templates and free resources

This page has links to, and reviews of, available templates and tools relating to CMMC and NIST SP 800-171.

**Updated April 3, 2024**

Please help others in the community by leaving a comment with resource links!

Policy Templates


SANS Institute – Security Policies

https://www.sans.org/information-security-policy/

SANS Institute provides a set of best-practice security policies in both PDF and DOC format. No registration required. These policies aren’t designed for 800-171 or CMMC, so you will need to rework them significantly.


StateRAMP Policy Templates for 800-53 controls

https://stateramp.org/templates-resources/

These policy templates are overkill for CMMC and expect you to do a lot of writing to fill in the specifics, but if you are subject to FedRAMP because you offer cloud storage for CUI, I would start here.


*sponsored* Kieri Compliance Documentation

https://www.kieri.com/kcd

If you are seeking a set of CMMC-specific policies, procedures, and a partially written system security plan (which would take 200 hours’ worth of work to build from scratch) and you are willing to pay, Kieri Solutions sells an excellent product called the Kieri Compliance Documentation. Even if you want to create your own policies from scratch, we recommend watching the demo video anyway, because it shows what a full-featured CMMC compliance program should look like.


DoD Environmental Research Programs templates for NIST SP 800-171

https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists

Evaluation: This site has about twenty downloadable documents ranging from Incident Response forms to a full IT policy document. The ESTCP IT Policies and Procedures template looks to have a wide range of standard policies included. They are all in one long document, which means you will need to do some cross-referencing to show which chapter relates to which control. Update: ESTCP has re-published this in DOC (Microsoft Word) format to make it easier to edit (cheers!). No sign-up required. This looks like the best free template set on the Internet. The documents were updated in 2018 and 2019.


System Security Plan and Other Key Templates


NIST SP 800-171 System Security Plan Template

https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx

This is a template for the DFARS 7012 System Security Plan provided by NIST. System Security Plans are currently required for DoD contractors that hold Controlled Unclassified Information (CUI).


How to write a System Security Plan

https://www.youtube.com/watch?v=uUPB5vUl3ug&t=464s

This training video shows the thought process and level of detail you should use when writing a system security plan using the NIST SSP template. If you are new to compliance, it is a must-watch!


NIST SP 800-171 Plan of Action & Milestones (POAM) Template

https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx

This is a template for the DFARS 7012 Plan of Action & Milestones (POA&M) which is currently required for DoD contractors that hold Controlled Unclassified Information (CUI).

Evaluation: You can’t go wrong by starting with this free template for your 800-171 self-assessment or to support your CMMC compliance efforts. You could use this document to overview your entire self-certification process and print it out for an auditor.

This resource can help you meet the CMMC requirement to have a Plan of Action.


Peak InfoSec templates for CMMC

System Security Plan: https://peakinfosec.com/wp-content/uploads/2024/03/ACME-Anvil-NIST-SP-800-171-System-Security-Plan-wo-DTM-Master-Template-20240312.docx

Customer Responsibility Matrix: https://peakinfosec.com/wp-content/uploads/2022/08/Peak_InfoSec_Customer_Responsibility_Matrix_Template.xlsx

NIST SP 800-171 DoD Assessment Methodology scoring template: https://peakinfosec.com/wp-content/uploads/2024/03/Peak-InfoSec-NIST-SP-800-171-rev-2-DoDAM-Scoring-Template.xlsx


Educational Institutions – Reference System Security Plan

https://www.regulatedresearch.org/resources/peer-practices/ssp

This System Security Plan can be requested for free by anyone with an .edu email address. It has sample responses to about 40 of the 800-171 and CMMC Level 2 requirements.


Shared Responsibility Matrix template for CMMC

https://www.c3paoforum.org/wp-content/uploads/2022/05/Shared-Responsibility-Matrix-Template-C3PAOForum.docx

This template is not perfect (double-check the numbering) but is a great starting point to have a conversation with your Managed Services Provider or MSSP about their services.

Typically, your supporting organization will fill this template out entirely and provide it back to you under NDA. This is a great way to define a service offering that supports CMMC. MSPs typically realize that they need to change their pricing structure and take over more responsibilities when they complete a Shared Responsibility Matrix at this level of detail.


Awareness and Threat Sharing resources


DoD Cybersecurity Awareness Training

https://public.cyber.mil/training/cyber-awareness-challenge/

This training includes general cybersecurity awareness as well as indicators of insider threat. Small businesses can send their employees to this link and collect the certificates of completion to meet two CMMC requirements.


Free CUI Training from Department of Defense

https://securityawareness.usalearning.gov/cui/index.html

This training course introduces Controlled Unclassified Information and provides guidance for marking and protecting it.


DCISE – Cyber Threat Information Sharing

https://www.dc3.mil/Missions/DIB-Cybersecurity/DIB-Cybersecurity-DCISE/

This public-private cybersecurity partnership provides a collaborative environment for crowd-sourced threat sharing at both unclassified and classified levels. DCISE performs cyber threat analysis and diagnostics, offers mitigation and remediation strategies, provides best practices, and conducts analyst-to-analyst exchanges with DIB participants ranging from small companies to enterprise-sized ones.


US-CERT – Threat Intelligence

https://www.cisa.gov/cybersecurity

Subscription page for Threat Intelligence bulletins

Both CMMC and NIST SP 800-171 require that you pay attention to sources of cyber threat intelligence. For most of us, the easiest way to achieve this is to subscribe to the U.S. Cybersecurity & Infrastructure Security Agency (CISA) bulletins.

Check the bottom of the CISA page for a subscribe link. The information they provide is eye-opening.


Incident Response resources


DoD Cyber incident reporting procedures

https://www.acq.osd.mil/dpap/dars/pgi/pgi_htm/current/PGI204_73.htm

DoD contractors with CUI (this translates to CMMC Level 2 and 3) are currently required to report cyber incidents to the DoD.

This is the Procedures Guidelines Instructions document which describes the back-and-forth process of reporting, and potential investigation, after a cyber incident.


Incident Response Tabletop Exercises

https://www.cisa.gov/cisa-tabletop-exercise-packages

These are packages of incident scenarios that CISA.GOV makes available for free to everyone. By reviewing them, you can use more creative scenarios or recognize weaknesses in your current incident training program.


DIBNET / DC3 Incident Reporting Portal

https://dibnet.dod.mil

If you are a defense contractor and you suffer a cyber incident, you are probably required to report the incident to DC3. Check here for more information.


Assessment Training for CMMC and 800-171


Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

https://www.dcma.mil/DIBCAC/

This page on the Defense Contract Management Agency’s (DCMA) website has several great resources for defense contractors in the final stages of preparation for 800-171 or CMMC assessment.

In particular, check out the following:

Public 800-171 Self-Assessment Database – This is an Access database that captures data during an assessment and calculates scores based on findings.

Pre-assessment package for candidate C3PAO assessments – This package gives some expectations for inheritance, not applicable practices, and evidence. Real CMMC assessments of defense contractors will ask many of these questions during planning.

DoD Assessment Methodology – How DIBCAC performs an 800-171 assessment and scores it.

DoD Cybersecurity Toolbox – Answers to tough questions about defense cybersecurity, referenced by DIBCAC and CMMC assessors as clarification.


Configuration Management / System Hardening Resources


NIST Cryptographic Module Validation Program (CMVP)

https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/Search

You will want to use this website to verify that your cryptographic modules are “validated” according to FIPS 140-2. Assessors want to see the actual certificates relating to the encryption you use in your environment, if that encryption protects the confidentiality of CUI.

This resource is used to provide evidence that you are performing the CMMC requirement to use FIPS validated cryptography.


National Checklist Program

https://ncp.nist.gov/repository

Detailed guidance on how to apply secure configurations to hundreds of types of systems. Used primarily by the U.S. federal government.

This resource can help you meet the CMMC requirement for secure configurations.


Security Technical Implementation Guides (STIGs)

https://nvd.nist.gov/ncp/repository

One of the CMMC requirements is CM.2.064 “Establish and enforce security configuration settings for information technology products employed in organizational information systems.” While this can be interpreted in MANY ways, one way to meet this is to apply STIGs on your environment.

NIST provides security configuration settings at the above link. This is a pretty complex topic and a lot of work. I recommend talking to a security consultant with DoD experience if you haven’t encountered STIGs before.

This resource can help you meet the CMMC requirement for secure configurations.


Secure Cloud Business Applications (SCuBA)

https://www.cisa.gov/scuba

This website, hosted by CISA.GOV, contains detailed guidance on secure configurations for Microsoft 365 cloud and Google Cloud. It will eventually have configurations for other popular cloud products.

This resource can help you meet the CMMC requirement for secure configurations.


Manual Vulnerability Search

https://nvd.nist.gov/vuln/search

One of the most basic cybersecurity requirements (included in CMMC Level 1, the FAR “Critical 17”, and NIST SP 800-171) is that you identify and correct vulnerabilities.

CMMC SI.1.210: “Identify, report, and correct information and information system flaws in a timely manner.”

This database, provided by NIST, lists all US Government-published software and hardware vulnerabilities. Each vulnerability (called a CVE) is described in detail with links for patches or manual corrective action (if one exists). This database is moderately difficult to use since the results can be overwhelming.

To get started, I recommend searching for a specific software on your computers or mobile phones. For example, try searching “Zoom Client” which is a popular meeting app with major vulnerabilities that were fixed in mid-2020.

This resource can help you meet the CMMC requirement for identifying vulnerabilities.


*sponsored* Kieri Reference Architecture

https://www.kieri.com/kra

If you have an existing M365 GCC-High implementation, or are thinking about migrating to GCC-High, this package from our sponsor, Kieri Solutions, includes instructions, configuration baselines, and a pre-written system security plan to build, configure, and maintain a functional Windows-based network that can pass CMMC Level 2.


Security Content Automation Program (SCAP)

https://csrc.nist.gov/Projects/scap-validation-program/validated-products-and-modules

If you’d like to automate checking your secure configurations, look into the SCAP program. For specific products, especially Windows-based, the SCAP compliance checker can be used to quickly verify that settings are applied.


National Checklist Program

https://ncp.nist.gov/repository

The National Checklist Program (NCP), defined by NIST SP 800-70, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications.


Community Resources


CMMC Forum – Cooey Center of Excellence

https://discord.gg/cooey

This irreverent Discord forum is where a few thousand of the top minds in CMMC hang out. Chat with peers on the Thursday night happy hour.


Checklist to evaluate your Managed Service Provider

https://ndisac.org/wp-content/uploads/2022/12/NDISAC-SMB-WG-MSP-Shopping-Questionnaire-Rev-4.5.pdf

National Defense – Information Sharing & Analysis Center (ND-ISAC) published this guide for evaluating an outsourced IT provider for CMMC support. This document is half training, half scoring template. It is designed to help a small or medium-sized defense contractor evaluate Managed Services Providers for CMMC. Very few MSPs know what they are doing in regard to CMMC compliance. If your company isn’t big enough to staff a full IT and cybersecurity department, choosing a CMMC-knowledgeable MSP is critical.


C3PAO Shopping Guide

https://ndisac.org/defense-news/nd-isac-releases-c3pao-shopping-guide-for-small-medium-sized-businesses/

National Defense – Information Sharing & Analysis Center (ND-ISAC) published this guide and scoring sheet that can be used to evaluate a third party assessor for your CMMC assessment.


FedRAMP approved vendors list

https://marketplace.fedramp.gov/#!/products?sort=productName

DoD contractors are required to use only Cloud Providers that are at least FedRAMP Moderate for the storage, processing, or transmission of CUI. The FedRAMP marketplace lists companies that are either in-progress or approved, and their FedRAMP level.


CMMC educational videos from Kieri Solutions

https://www.youtube.com/@kierilf

The Kieri Solutions YouTube channel hosts dozens of videos about CMMC and cybersecurity topics. Presented by CMMC assessors and subject matter experts, these videos provide great context and explanation about tough subjects.


Rulemaking and CMMC videos from Summit 7

https://www.youtube.com/@Summit7

The Summit 7 YouTube Channel hosts great content about CMMC, rulemaking, DFARS compliance, and cybersecurity.

Know of a great CMMC resource that isn’t listed here? Please reach out via LinkedIn and let us know!


17 thoughts on “Policy templates and tools for CMMC and 800-171”

  1. John Dillard says:

    Great post. On the opening advisory on using compliance tools and the sensitivity — I agree 100% (and I say that as the provider of a platform that does this). Our company (ThreatSwitch, full disclosure) has been processing PHI/PII related to classified contracts for a long time so we built on a FedRAMP environment (AWS GovCloud) and got SOC2 compliant very early on. I have not seen a single vendor other than us do anything remotely similar. As far as I know, we’re the only one using a FedRAMP medium environment. Do be cautious — especially of products that only do the compliance crosswalk at a very low price. If it’s cheap, there is no early possibility that they are spending adequately on data security.

  2. Robin Desmore says:

    Thank you for putting this in straightforward explanations but also providing the links and summary of each! Extremely helpful!

    • R. A. Renk says:

      Just wish to point out that the site listed in the comments for https://www.dodcui.mil is NOT sponsored by the OUSD(A&S). It is sponsored by the OUSD(I&S) which has the DoD charter to establish DoD CUI policy. (DoDI 5200.48 2.1.a)… This is an entirely different organization.

      And the link to the CMMC page on the site gets the DFARS clause wrong…

      • Amira Armond says:

        Hello Randy,
        Whoops! I fixed the attribution from A&S to I&S on this page. I can’t do anything about the dodcui.mil website having the wrong DFARS clause quoted… it looks like they link to the correct place though. Thanks for the feedback!
        Amira

  3. Rodney Bassett says:

    I have a question regarding the overall process. I am an IT Consultant that has a client that is planning on becoming Level 3 certified. I handle all of their IT. Do I, as an individual, need to be certified Level 3 as well in order for my client to be Level 3? Or can this be handled by an NDA of some sort?

    • Amira Armond says:

      Hello Rodney,
      I recommend checking this recent webinar from Defense Acquisition University (the slide deck can be reached from this link)
      https://www.dau.edu/events/Cybersecurity%20Maturity%20Model%20Certification

      To my understanding, a consultant needs a CMMC Level 3 information system if they ….
      1) Store or process security vulnerability information (CUI) regarding their client’s network on the consultant’s information system. Example: You have a document on your personal laptop which lists firewall rules for the client network.
      2) Manage the client’s network (CUI systems) using the consultant’s information system. Example: You use your personal laptop to VPN into the client network and manage their file server.

      If the client issues you an account and a client-issued workstation to perform your work, and you don’t remove their sensitive documents from their network, you shouldn’t need any special certification or information system. In this situation, you would be roughly equivalent to the client’s in-house IT employee from a security standpoint.

  4. Cary Anderson says:

    I perused the policies and procedures available on here, and found policies – but not procedures/processes. I am probably missing something.

    • Amira Armond says:

      Hi Jeff,

      When you ask for a CMMC template, could you give a bit more information about what you are thinking of? A CMMC-specific policy? System security plan? What level of CMMC? There are some great resources here that absolutely fit CMMC (even the 800-171 stuff is a great fit), but it can be hard to see the trees for the forest.

      • Elliott Long says:

        Hello Amira,

        The kind of “template” I would like to see is a mapping of CMMC Practices to remediation tool. I realize that many of the remediation solutions are met with an organizational policy, but many of the practices require “technology”. I find the “technology” to be very interpretive, I could use a FW, or AD, or IDS, … hard to say, … has anyone constructed a good mapping of CMMC practices to Technology Remediations?

        • Amira Armond says:

          Hello Elliot,
          I recommend checking the link to the CMMC Center Of Awesomeness (CMMC-COA). There is a spreadsheet with recommended solutions on their site. Please note that I have concerns that some of their cloud vendor solutions (specifically Rapid 7) are not appropriate for CUI, as they are not FedRAMP accredited. Some cybersecurity professionals feel that antivirus and vulnerability scans are out of scope, but the DCMA has indicated that an antivirus that processes files with CUI can be in scope. CMMC, CUI, and Cloud Vendors – do you need FedRAMP?

  5. Michael Chipley says:

    CMMC, thanks for informing ESTCP the Information Systems Policies and Procedures template was posted in PDF format. The Word version will be posted so folks will not have to copy and paste.

    We are also posting a Ransomware Table-Top Exercise and After-Action Report templates in Word format.

  6. Michael Chipley says:

    The Installations and Environment Facilities Community created the various templates and checklists to cyber secure both corporate IT systems and Facility-Related Control Systems (HVAC, fire, lighting, etc.). Over the past 3 years the Architect & Engineering, Construction and Operations community has been required to use these templates, and the cost to complete them continues to come down. For a small/medium size business, multiple companies have achieved Level 3/4 at a cost of approximately $5000 to complete the RMF core documents, 2 security audits and a Table-Top exercise (all templates on the ESTCP website). Companies may need to acquire additional hardware and software (with most spending less than $3000-4000) for Continuous Monitoring/Auditing, and recurring costs of $1000-2000 per month to conduct audits. Key to an effective Cyber Risk Management Plan and CMMC certification is to have all staff fully engaged and involved; every endpoint is an entry point into DoD CUI.
