This page has links and reviews of available templates and tools relating to the CMMC and NIST SP 800-171
Please help others in the community by leaving a comment about your experiences!
DoD Environmental Research Programs templates for NIST SP 800-171
Evaluation: This site has about twenty downloadable documents ranging from Incident Response forms to a full IT policy document. The ESTCP IT Policies and Procedures template looks to have a wide range of standard policies included. They are all in one long document, which means you will need to do some cross-referencing to show which chapter relates to which control. It is in PDF format which makes it difficult to edit (you will need to do a lot of cut-and-paste and formatting). No sign-up required. This looks like the best free template set on the Internet. The documents were updated in 2018 and 2019, which makes them quite recent.
Educause.edu NIST SP 800-171 Compliance Template
Evaluation: This is a free excel spreadsheet with a row for each NIST SP 800-171 control. The control text is included. It cross-references each 800-171 control to other compliance standards (NIST 800-53, DFARS 7012), ISO 27002:2013). This spreadsheet will save you from re-creating the wheel if you use Excel to track your progress. No sign-up required to download.
Complyup.com CMMC and 800-171 Assessment Platform
Evaluation: Complyup.com is positioned to be a major influencer for the CMMC preparation and audit community. They offer a secure, cloud-based application which guides you through preparation, self-assessment, and evidence collection. The tool comes with 25+ policies. While I haven’t used it myself, it looks very user friendly. The website says that their assessment platform will automatically upgrade to include CMMC with the subscription.
The bad: The minimum commitment is $3,600 for a small business. Complyup offers a 14 day free trial, but if you don’t cancel before it ends, you are obligated to pay for at least one year’s subscription. The refund policy says that they do not give any refunds after the first 14 days. If you choose them, I would plan for this to be an annual subscription that continues year over year. In most cases, this makes sense – the compliance frameworks require regular review and update of your policies and evidence. It may be hard to edit this documentation outside of the app.
NIST SP 800-171 System Security Plan Template
Evaluation: You can’t go wrong by starting with this free template for your 800-171 self-assessment. However, it doesn’t include additional guidance and it would be annoying to adapt for the CMMC. The word document lists each control and gives you room to provide descriptions, evidence, and compliance status. You could use this document to overview your entire self certification process and print it out for an auditor.