Policy templates and tools for CMMC and 800-171

This page has links to, and reviews of, available templates and tools relating to the CMMC and NIST SP 800-171.

Please help others in the community by leaving a comment about your experiences!

DoD Environmental Research Programs templates for NIST SP 800-171


Evaluation: This site has about twenty downloadable documents ranging from Incident Response forms to a full IT policy document. The ESTCP IT Policies and Procedures template looks to have a wide range of standard policies included. They are all in one long document, which means you will need to do some cross-referencing to show which chapter relates to which control. It is in PDF format which makes it difficult to edit (you will need to do a lot of cut-and-paste and formatting). No sign-up required. This looks like the best free template set on the Internet. The documents were updated in 2018 and 2019, which makes them quite recent.

Educause.edu NIST SP 800-171 Compliance Template


Evaluation: This is a free Excel spreadsheet with a row for each NIST SP 800-171 control. The control text is included. It cross-references each 800-171 control to other compliance standards (NIST 800-53, DFARS 7012, ISO 27002:2013). This spreadsheet will save you from reinventing the wheel if you use Excel to track your progress. No sign-up required to download.

Complyup.com CMMC and 800-171 Assessment Platform


Evaluation: Complyup.com is positioned to be a major influencer for the CMMC preparation and audit community. They offer a secure, cloud-based application which guides you through preparation, self-assessment, and evidence collection. The tool comes with 25+ policies. While I haven’t used it myself, it looks very user friendly. The website says that their assessment platform will automatically upgrade to include CMMC with the subscription.

The bad: The minimum commitment is $3,600 for a small business. Complyup offers a 14-day free trial, but if you don’t cancel before it ends, you are obligated to pay for at least one year’s subscription. The refund policy says that they do not give any refunds after the first 14 days. If you choose them, I would plan for this to be an annual subscription that continues year over year. In most cases this makes sense: the compliance frameworks require regular review and update of your policies and evidence. It may be hard to edit this documentation outside of the app.

NIST SP 800-171 System Security Plan Template


Evaluation: You can’t go wrong by starting with this free template for your 800-171 self-assessment. However, it doesn’t include additional guidance, and it would be annoying to adapt for the CMMC. The Word document lists each control and gives you room to provide descriptions, evidence, and compliance status. You could use this document to give an overview of your entire self-certification process and print it out for an auditor.

3 thoughts on “Policy templates and tools for CMMC and 800-171”

  1. Michael Chipley says:

    The Installations and Environment Facilities Community created the various templates and checklists to cyber secure both corporate IT systems and Facility-Related Control Systems (HVAC, fire, lighting, etc.). Over the past 3 years the Architect & Engineering, Construction and Operations community has been required to use these templates, and the cost to complete continues to come down. For a small/medium size business, multiple companies have achieved Level 3/4 at a cost of approximately $5000 to complete the RMF core documents, 2 security audits and a Table-Top exercise (all templates on the ESTCP website). Companies may need to acquire additional hardware and software (with most spending less than $3000-4000) for Continuous Monitoring/Auditing, and recurring costs of $1000-2000 per month to conduct audits. Key to an effective Cyber Risk Management Plan and CMMC certification is to have all staff fully engaged and involved; every end point is an entry point into DoD CUI.

  2. Michael Chipley says:

    CMMC, thanks for informing ESTCP that the Information Systems Policies and Procedures template was posted in PDF format. The Word version will be posted so folks will not have to copy and paste.

    We are also posting a Ransomware Table-Top Exercise and After-Action Report templates in Word format.
