Policy templates and tools for CMMC and 800-171

This page has links to, and short reviews of, freely available templates and tools relating to the CMMC and NIST SP 800-171.

**Updated August 12, 2020**

Please help others in the community by leaving a comment with resource links!

Warning – Assessment / Compliance platforms

I want to warn everyone to be extremely cautious about any vendor that pushes you to subscribe for their “assessment” or “compliance” platform. 

These are generally websites (clouds) that are designed to guide you through your CMMC compliance project.  They give you a place to upload your policies and evidence (screenshots, reports, etc) and cross-link to specific CMMC practices.  Some will provide you sample policies and “best practice” answers to make it even easier. 

The problem with compliance platforms: Can they safely store your data?

As a Defense Industrial Base contractor, the data you enter into an assessment or compliance platform may itself be Controlled Unclassified Information, specifically “DoD Critical Infrastructure Security Information”.

If you have CUI, then you are responsible for keeping your CUI safe. That means that any company helping you with security needs to be secure before you send them confidential data. This is recognized by the CMMC Accreditation body: auditors for higher CMMC levels are required to meet CMMC Level 3 security for their own network, because the auditor will probably store and process “DoD Critical Infrastructure Security Information” during those audits.

So as you are considering using a compliance website, you should look at whether their system (not just their hosting provider) is FedRAMP authorized, and whether they can support the cyber incident reporting, malicious software handling, and media preservation obligations that DFARS 252.204-7012 flows down to any cloud provider handling covered defense information.  Short story: there aren’t many that meet this requirement (comment if you know otherwise!).

In particular, I’ve seen advertisements from “CMMC compliance portals” that aren’t even based in the U.S.  Yikes!

For this reason, I urge you to strongly consider keeping your System Security Plan (SSP), Plan of Action & Milestones (POA&M), network architecture data, inventories, vulnerability reports, and other evidence in-house.  If you work with a cybersecurity consultant, ask them how they plan to store your data securely.


SANS Institute – Security Policies

https://www.sans.org/information-security-policy/

SANS Institute provides a set of best-practice security policies in both PDF and DOC format. No registration required. These policies aren’t written for military or government-specific applications, so you will want to add language that addresses sensitive data types such as CUI and the handling requirements that come with them.


DoD Environmental Research Programs templates for NIST SP 800-171

https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists

Evaluation: This site has about twenty downloadable documents ranging from Incident Response forms to a full IT policy document. The ESTCP IT Policies and Procedures template includes a wide range of standard policies. They are all in one long document, which means you will need to do some cross-referencing to show which chapter relates to which control. Update: ESTCP has re-posted this in DOC (Microsoft Word) format to make it easier to edit (cheers!). No sign-up required. This looks like the best free template set on the Internet. The documents were updated in 2018 and 2019, which makes them quite recent.


BYU.edu CMMC Compliance Calculator and Summary

https://docs.google.com/spreadsheets/d/1QYioA4Nk6hyHM21SFrCWitQNTiORXaDeIvVtZwVGQ4U/edit?usp=sharing

Evaluation: This is an elegant and free shared spreadsheet (Google Sheets, exportable to Excel) which has transcribed all the CMMC practices for levels 1-5. It will save you from re-creating the wheel if you use a spreadsheet to track your progress. It calculates automatically to show progress toward 100%.

Don’t be misled by the column that says “SSP (notes)”: this is not where you enter your System Security Plan (SSP) response. It is intended to link back to specific sections of your (much more detailed) SSP.


Educause.edu NIST SP 800-171 Compliance Template

https://library.educause.edu/resources/2016/9/nist-sp-800-171-compliance-template

Evaluation: This is a free Excel spreadsheet with a row for each NIST SP 800-171 control. The control text is included. It cross-references each 800-171 control to other compliance standards (NIST SP 800-53, DFARS 252.204-7012, ISO 27002:2013). This spreadsheet will save you from re-creating the wheel if you use Excel to track your progress. No sign-up required to download.


NIST SP 800-171 System Security Plan Template

https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx

This is a template for the DFARS 7012 System Security Plan which is currently required for DoD contractors that hold Controlled Unclassified Information (CUI).

Evaluation: You can’t go wrong by starting with this free template for your 800-171 self-assessment. However, it doesn’t include additional guidance, and it would take some work to adapt for the CMMC. The Word document lists each control and gives you room to provide descriptions, evidence, and compliance status. You could use this document to record your entire self-certification process and print it out for an auditor.


NIST SP 800-171 Plan of Action & Milestones (POAM) Template

https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx

This is a template for the DFARS 7012 Plan of Action & Milestones (POA&M) which is currently required for DoD contractors that hold Controlled Unclassified Information (CUI).

Evaluation: You can’t go wrong by starting with this free template for your 800-171 self-assessment. You could use this document to record your entire self-certification process and print it out for an auditor.


NIST SP 800-171A Assessor’s Guide

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf

Regan Edens (CMMC-AB director) has recommended using this assessor guide to understand the audit expectations while preparing for CMMC (particularly level 3+).


DoD Contractor minimum security requirements

https://www.acquisition.gov/content/52204-21-basic-safeguarding-covered-contractor-information-systems

Any DoD contractor with “Federal Contract Information” (information not intended for public release that is provided by or generated for the Government under a contract, which basically applies to all companies with a DoD contract) is expected to have these 15 basic safeguarding requirements in place. This is a current requirement which will translate to CMMC Level 1 in the future.


CMMC glossary of terms and major players

https://www.cmmcaudit.org/cmmc-glossary-terms-and-definitions-whos-who-in-cmmc/

Evaluation: This glossary provided by Kieri Solutions LLC is very helpful for orienting yourself to the CMMC ecosystem and various documents, policies, and terms. It lists the major players and their roles. Similar to this page, it links to authoritative sources for more information on each topic.


FedRAMP approved vendors list

https://marketplace.fedramp.gov/#!/products?sort=productName

DoD contractors with CUI (this translates to CMMC Level 3-4-5) are currently required to use only cloud service providers that meet security requirements equivalent to the FedRAMP Moderate baseline for any covered defense information they store, process, or transmit. The FedRAMP marketplace lists companies that are either in-progress or authorized, and their FedRAMP level.

Quote from DFARS 252.204-7012(b)(2)(ii)(D):

(D) If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/resources/documents/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.


DoD Cyber incident reporting procedures

https://www.acq.osd.mil/dpap/dars/pgi/pgi_htm/current/PGI204_73.htm

DoD contractors with CUI (this translates to CMMC Level 3-4-5) are currently required to report cyber incidents to the DoD. Under DFARS 252.204-7012(c), the report is due within 72 hours of discovery, is submitted through the DIBNet portal, and requires a DoD-approved medium assurance certificate, so obtain the certificate before you need it.

This is the DFARS Procedures, Guidance, and Information (PGI) document which describes the back-and-forth process of reporting, and potential investigation, after a cyber incident.


Incident Response template

https://www.kieri.com/free-incident-response-templates-scenarios/

Provided by Kieri Solutions, this Word template guides your staff through essential time-stamps, triage, evidence collection, and notifications when you detect a cyber incident. It can be easily customized to fit your needs. The article also includes a description of how to prepare for an incident and 34 scenarios that you can use for internal drills.


CyberAssist’s guidance for specific CMMC practices

https://ndisac.org/dibscc/cyberassist/cybersecurity-maturity-model-certification/cmmc-specific-practices/

Evaluation: This website is a great source of clarification for individual CMMC practices. They do some major copy-and-paste from the official documents for the bulk of their clarifications – so if you have the original CMMC Appendix, you will see the same text in both places. The site’s value is that they provide links to other documents and guidance from authorities such as SANS institute, NIST, and major vendors.


Security Technical Implementation Guides (STIGs)

https://nvd.nist.gov/ncp/repository

One of the CMMC requirements is CM.2.064 “Establish and enforce security configuration settings for information technology products employed in organizational information systems.” While this can be interpreted in MANY ways, one way to meet it is to apply STIGs to your environment and document any deviations.

The link above is NIST’s National Checklist Program repository, which catalogs security configuration checklists including the DISA STIGs. This is a pretty complex topic and a lot of work. I recommend talking to a security consultant with DoD experience if you haven’t encountered STIGs before.


Manual Vulnerability Search

https://nvd.nist.gov/vuln/search

One of the most basic cybersecurity requirements (included in CMMC level 1, the “FAR Critical 17”, and NIST SP 800-171) is that you identify and correct vulnerabilities.

CMMC SI.1.210: “Identify, report, and correct information and information system flaws in a timely manner.”

This database, provided by NIST, is the U.S. government repository of publicly disclosed software and hardware vulnerabilities. Each vulnerability (identified by a CVE number) is described in detail with a CVSS severity score and links to vendor advisories, patches, or workarounds where they exist. This database is moderately difficult to use since the results can be overwhelming.

To get started, I recommend searching for a specific software on your computers or mobile phones. For example, try searching “Zoom Client” which is a popular meeting app with major vulnerabilities that were fixed in mid-2020.
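The NVD web form above is fine for a one-off check, but a recurring "identify flaws" process needs something repeatable. Below is an added example (mine, not from the page or from NIST) that runs the same keyword search against the public NVD API 2.0, keeps only CVEs at or above a CVSS threshold, and refuses to silently drop entries that NVD has not scored yet. It assumes the documented API 2.0 endpoint and JSON layout; the embedded response is constructed for offline runs and its CVE IDs are placeholders, not real entries.

```python
"""Query the NVD API 2.0 for CVEs matching a product keyword and triage them by CVSS.

Added example, not part of the original page. Assumes the public NVD API 2.0
endpoint and its documented JSON layout. SAMPLE is a CONSTRUCTED response for
offline use; its CVE IDs are placeholders (year 0000), not real vulnerabilities.
"""
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def cvss_score(cve: dict):
    """Return (baseScore, baseSeverity) from the newest CVSS metric present.

    NVD publishes v3.1, v3.0 and v2 metrics under different keys; entries that
    are still 'Awaiting Analysis' carry no 'metrics' at all, so return None.
    """
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        entries = metrics.get(key)
        if entries:
            data = entries[0]["cvssData"]
            # CVSS v2 keeps baseSeverity beside cvssData rather than inside it.
            severity = data.get("baseSeverity") or entries[0].get("baseSeverity")
            return float(data["baseScore"]), severity
    return None


def summarize(payload: dict, min_score: float = 7.0) -> list:
    """Flatten an NVD API 2.0 response into records scoring >= min_score.

    Unscored entries are kept (score None): a CVE awaiting analysis still
    needs a human look, which is the point of SI.1.210.
    """
    records = []
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        scored = cvss_score(cve)
        if scored is not None and scored[0] < min_score:
            continue
        desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
        records.append({
            "id": cve["id"],
            "published": cve.get("published", "")[:10],
            "score": scored[0] if scored else None,
            "severity": scored[1] if scored else "UNSCORED",
            "summary": desc[:120],
            "references": [r["url"] for r in cve.get("references", [])][:3],
        })
    # Highest score first; unscored entries sort last so they are still visible.
    records.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0)))
    return records


def fetch(keyword: str, results_per_page: int = 50, api_key: str = None) -> dict:
    """Live keyword query (same search the NVD web form runs). Needs network."""
    query = urllib.parse.urlencode({"keywordSearch": keyword,
                                    "resultsPerPage": results_per_page})
    req = urllib.request.Request(f"{NVD_API}?{query}")
    if api_key:  # optional NVD API key; raises the request rate limit
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# CONSTRUCTED sample shaped like a real API 2.0 reply. IDs are placeholders.
SAMPLE = {
    "resultsPerPage": 3, "totalResults": 3,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001", "published": "2020-06-01T00:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Sample high-severity flaw (constructed)."}],
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.8, "baseSeverity": "HIGH"}}]},
                 "references": [{"url": "https://example.invalid/advisory-1"}]}},
        {"cve": {"id": "CVE-0000-00002", "published": "2020-06-15T00:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Sample low-severity flaw (constructed)."}],
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 2.1}, "baseSeverity": "LOW"}]},
                 "references": []}},
        {"cve": {"id": "CVE-0000-00003", "published": "2020-07-01T00:00:00.000",
                 "descriptions": [{"lang": "en", "value": "Sample entry awaiting analysis (constructed)."}],
                 "references": []}},
    ],
}

if __name__ == "__main__":
    import sys
    payload = fetch(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for r in summarize(payload):
        print(f'{r["id"]:16} {str(r["score"]):5} {r["severity"]:9} {r["published"]}  {r["summary"]}')
```

Run it with a product name as the first argument (for example the "Zoom Client" search suggested above) to query NVD live, or with no argument to process the constructed sample. Keyword search matches CVE descriptions, so expect some noise; for a tighter match, pair this with the CPE identifiers of the exact products in your inventory.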


CMMC Big Rocks diagram

Diagram showing major functionality items required by DFARS 7012 and CMMC level 3

Provided by Kieri Solutions LLC, this diagram is meant for initial (early) training on CMMC level 3 requirements, including current DFARS 252.204-7012 requirements for contractors with CUI. It describes and groups major processes and technical requirements which take a lot of effort to implement and mature: “the big rocks”. Use this to identify major tasks while building a more detailed gap assessment and POA&M.


8 thoughts on “Policy templates and tools for CMMC and 800-171”

  1. Rodney Bassett says:

    I have a question regarding the overall process. I am an IT Consultant that has a client that is planning on becoming Level 3 certified. I handle all of their IT. Do I, as an individual, need to be certified Level 3 as well in order for my client to be Level 3? Or can this be handled by an NDA of some sort?

    • Amira Armond says:

      Hello Rodney,
      I recommend checking this recent webinar from Defense Acquisition University (the slide deck can be reached from this link)
      https://www.dau.edu/events/Cybersecurity%20Maturity%20Model%20Certification

      To my understanding, a consultant needs a CMMC Level 3 information system if they ….
      1) Store or process security vulnerability information (CUI) regarding their client’s network on the consultant’s information system. Example: You have a document on your personal laptop which lists firewall rules for the client network.
      2) Manage the client’s network (CUI systems) using the consultant’s information system. Example: You use your personal laptop to VPN into the client network and manage their file server.

      If the client issues you an account and a client-issued workstation to perform your work, and you don’t remove their sensitive documents from their network, you shouldn’t need any special certification or information system. In this situation, you would be roughly equivalent to the client’s in-house IT employee from a security standpoint.

  2. Cary Anderson says:

    I perused the policies and procedures available on here, and found policies – but not procedures/processes. I am probably missing something.

    • Amira Armond says:

      Hi Jeff,

      When you ask for a CMMC template, could you give a bit more information about what you are thinking of? A CMMC-specific policy? System security plan? What level of CMMC? There are some great resources here that absolutely fit CMMC (even the 800-171 stuff is a great fit), but it can be hard to see the trees for the forest.

  3. Michael Chipley says:

    CMMC, thanks for informing ESTCP the Information Systems Policies and Procedures template was posted in PDF format. The Word version will be posted so folks will not have to copy and paste.

    We are also posting a Ransomware Table-Top Exercise and After-Action Report templates in Word format.

  4. Michael Chipley says:

    The Installations and Environment Facilities Community created the various templates and checklists to cyber secure both corporate IT systems and Facility-Related Control Systems (HVAC, fire, lighting, etc.). Over the past 3 years the Architect & Engineering, Construction and Operations community has been required to use these templates, and the cost to complete continues to come down. For a small/medium size business, multiple companies have achieved Level 3/4 at a cost of approximately $5000 to complete the RMF core documents, 2 security audits and a Table-Top exercise (all templates on the ESTCP website). Companies may need to acquire additional hardware and software (with most spending less than $3000-4000) for Continuous Monitoring/Auditing, and recurring costs of $1000-2000 per month to conduct audits. Key to an effective Cyber Risk Management Plan and CMMC certification is to have all staff fully engaged and involved; every end point is an entry point into DoD CUI.
