This page has links to, and reviews of, available templates and tools relating to CMMC and NIST SP 800-171.
**Updated November 28, 2022**
Please help others in the community by leaving a comment with resource links!
Free CUI Training from Department of Defense
This training course introduces Controlled Unclassified Information and provides guidance for marking and protecting it.
US-CERT – Threat Intelligence
Both CMMC and NIST SP 800-171 require that you monitor sources of cyber threat intelligence (security alerts and advisories) and act on them. For most of us, the easiest way to achieve this is to subscribe to the U.S. Cybersecurity & Infrastructure Security Agency (CISA) bulletins.
Check the bottom of the CISA page for a subscribe link. The information they provide is eye-opening.
Kieri Compliance Documentation
This is a plug for our sponsor. If you are seeking a set of CMMC-specific policy, procedures, and a partially written system security plan (which would take 200 hours worth of work to build from scratch) and you are willing to pay a modest fee, Kieri Solutions sells an excellent product called the Kieri Compliance Documentation. We feel this is the best CMMC template package available! Kieri Solutions passed their CMMC assessment by the DoD using this core documentation.
Free Cybersecurity Awareness Training
This training includes general cybersecurity awareness as well as indicators of insider threat. Small businesses can send their employees to this link and collect the certificates of completion to meet two CMMC requirements.
SANS Institute – Security Policies
SANS Institute provides a set of best-practice security policies in both PDF and DOC format. No registration required. These policies aren’t designed for military or government-specific applications, so you will want to add some language to address sensitive data types such as CUI.
DoD Environmental Research Programs templates for NIST SP 800-171
Evaluation: This site has about twenty downloadable documents ranging from incident response forms to a full IT policy document. The ESTCP IT Policies and Procedures template appears to include a wide range of standard policies. They are all in one long document, which means you will need to do some cross-referencing to show which chapter relates to which control. Update: ESTCP has re-published this in DOC (Microsoft Word) format to make it easier to edit (cheers!). No sign-up required. This looks like the best free template set on the Internet. The documents were updated in 2018 and 2019.
Shared Responsibility Matrix template for CMMC
StateRAMP Policy Templates for 800-53 controls
These policy templates are generally overkill for CMMC, but if you are subject to FedRAMP because you offer cloud storage for CUI, I would start here.
NIST SP 800-171 System Security Plan Template
This is a template for the DFARS 7012 System Security Plan provided by NIST. System Security Plans are currently required for DoD contractors that hold Controlled Unclassified Information (CUI).
Evaluation: You can’t go wrong by starting with this free template for your 800-171 self-assessment. It is also a good starting point for CMMC (though you will need to update the requirement IDs). The Word document lists each control and gives you room to provide descriptions, evidence, and compliance status. You could use this document to give an overview of your entire self-certification process and print it out for an auditor.
NIST SP 800-171 Plan of Action & Milestones (POAM) Template
This is a template for the DFARS 7012 Plan of Action & Milestones (POA&M) which is currently required for DoD contractors that hold Controlled Unclassified Information (CUI).
Evaluation: You can’t go wrong by starting with this free template for your 800-171 self-assessment or to support your CMMC compliance efforts. You could use this document to give an overview of your entire self-certification process and print it out for an auditor.
CMMC Official Assessment Guides
This is the official CMMC website hosted by the DoD. The documents on this page are as official as it gets.
Use the Assessment Guides to understand the full complexity of each practice.
NIST SP 800-171A Assessor’s Guide
This guide is very similar to the CMMC Assessment Guides above, but includes additional information such as Appendix D and the Non-Federal Organization (NFO) controls, which were left out of the CMMC documents.
How to write a System Security Plan
This video shows the thought process and level of detail you should use when writing a system security plan. If you are new to compliance, it is a must watch!
FedRAMP approved vendors list
DoD contractors that hold CUI (this translates to CMMC Level 3-4-5 under the original CMMC model) are currently required to use only cloud service providers that meet security requirements equivalent to the FedRAMP Moderate baseline. The FedRAMP Marketplace lists providers that are either in process or authorized, and their FedRAMP impact level.
Quote from DFARS 7012 regulation:
> (D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
DoD Cyber incident reporting procedures
DoD contractors that hold CUI (this translates to CMMC Level 3-4-5 under the original CMMC model) are currently required to report cyber incidents to the DoD.
This is the procedures, guidelines, and instructions document that describes the back-and-forth process of reporting, and potential investigation, after a cyber incident.
National Checklist Program
Detailed guidance on how to apply secure configurations to hundreds of types of systems. Used primarily by the U.S. federal government.
Security Technical Implementation Guides (STIGs)
One of the CMMC requirements is CM.2.064 “Establish and enforce security configuration settings for information technology products employed in organizational information systems.” While this can be interpreted in many ways, one way to meet it is to apply STIGs in your environment.
STIGs are published by DISA at the above link (NIST’s National Checklist Program, listed above, also indexes them alongside other configuration baselines). This is a pretty complex topic and a lot of work: each STIG contains hundreds of individual settings, and some will break applications if applied blindly, so test on a non-production system first. I recommend talking to a security consultant with DoD experience if you haven’t encountered STIGs before.
Manual Vulnerability Search
One of the most basic cybersecurity requirements (included in CMMC Level 1, the “FAR Critical 17”, and NIST SP 800-171) is that you identify and correct vulnerabilities.
CMMC SI.1.210: “Identify, report, and correct information and information system flaws in a timely manner.”
This database, the National Vulnerability Database (NVD) maintained by NIST, lists publicly disclosed software and hardware vulnerabilities. Each vulnerability is identified by a CVE ID and described in detail, with a CVSS severity score and links to vendor advisories, patches, or manual corrective action (where they exist). The database is moderately difficult to use because a broad search returns an overwhelming number of results.
To get started, I recommend searching for a specific piece of software that is installed on your computers or mobile phones. For example, try searching “Zoom Client”, a popular meeting app that had major vulnerabilities fixed in mid-2020.
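The practical problem with a manual NVD search is the volume of results. The script below is an added example (not part of this page or of NIST’s tooling) showing how to turn a keyword search into a short, severity-ranked patch list. It assumes the JSON shape returned by the NVD REST API 2.0 (`keywordSearch`, `resultsPerPage`, and `startIndex` are documented parameters of that API), and the three CVE records embedded in it are constructed placeholders with impossible IDs (year 0000), not real vulnerabilities.

```python
"""Triage an NVD keyword-search result into a severity-ranked patch list.

Added example. It parses the response shape of the NVD REST API 2.0
(https://services.nvd.nist.gov/rest/json/cves/2.0) and keeps only the CVEs that
are at or above a chosen CVSS score, plus any that have not been scored yet.
SAMPLE_RESPONSE is CONSTRUCTED data with placeholder IDs; it is not real NVD output.
"""
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def build_query_url(keyword, results_per_page=50, start_index=0):
    """Build the NVD 2.0 keyword-search URL, e.g. for 'Zoom Client'."""
    params = {
        "keywordSearch": keyword,
        "resultsPerPage": results_per_page,
        "startIndex": start_index,
    }
    return NVD_API + "?" + urllib.parse.urlencode(params)


def fetch_nvd(keyword):
    """Live lookup (requires network). Not used by the offline demo below."""
    with urllib.request.urlopen(build_query_url(keyword), timeout=30) as resp:
        return json.load(resp)


def base_score(cve):
    """Prefer CVSS v3.1, then v3.0, then v2. None means NVD has not scored it yet."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            return entries[0]["cvssData"]["baseScore"]
    return None


def english_description(cve):
    """Return the English description text, or an empty string if absent."""
    for d in cve.get("descriptions", []):
        if d.get("lang") == "en":
            return d["value"]
    return ""


def triage(nvd_response, min_score=7.0):
    """Return (cve_id, score, patch_links) tuples, highest score first.

    CVEs below min_score are dropped. Unscored CVEs are kept (at the end of the
    list) because a missing score is not evidence of low risk; they need a human look.
    """
    findings = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        score = base_score(cve)
        # NVD tags references; "Patch" marks a link to a fix rather than a write-up.
        patches = [r["url"] for r in cve.get("references", [])
                   if "Patch" in r.get("tags", [])]
        if score is None or score >= min_score:
            findings.append((cve["id"], score, patches))
    # Scored entries first (descending), unscored entries last.
    findings.sort(key=lambda f: (f[1] is not None, f[1] or 0.0), reverse=True)
    return findings


# CONSTRUCTED sample in the NVD 2.0 response shape. IDs with year 0000 cannot exist.
SAMPLE_RESPONSE = {
    "resultsPerPage": 3, "totalResults": 3,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001",
                 "descriptions": [{"lang": "en", "value": "Placeholder: remote code execution in a meeting client."}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
                 "references": [{"url": "https://vendor.example/advisory-1", "tags": ["Vendor Advisory", "Patch"]}]}},
        {"cve": {"id": "CVE-0000-0002",
                 "descriptions": [{"lang": "en", "value": "Placeholder: low-impact information disclosure."}],
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 4.3}}]},
                 "references": []}},
        {"cve": {"id": "CVE-0000-0003",
                 "descriptions": [{"lang": "en", "value": "Placeholder: newly published, not yet scored."}],
                 "metrics": {},
                 "references": [{"url": "https://vendor.example/advisory-3", "tags": ["Third Party Advisory"]}]}},
    ],
}

if __name__ == "__main__":
    print("Query URL:", build_query_url("Zoom Client"))
    for cve_id, score, patches in triage(SAMPLE_RESPONSE):
        print(cve_id, "score" if score is not None else "UNSCORED", score, "patches:", patches or "none")
```

Run it as-is to see the offline triage of the constructed sample; swap `SAMPLE_RESPONSE` for `fetch_nvd("Zoom Client")` to run it against the live API. The `min_score` threshold is a policy choice: 7.0 (High and above) is a common starting point, but SI.1.210 asks for timely correction of all flaws, so lower-scored findings still need a tracked remediation date, just a longer one.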
Did you find this information useful? Please sign up for our newsletter for timely updates about CMMC and DFARS 252.204-7012 . You can unsubscribe at any time.