NIST SP 800-171 Revision 2 & CMMC Related Templates
The following templates are provided free, pro bono, no guarantees, and with no support to the Defense Industrial Base (DIB) to support their NIST SP 800-171 implementation, documentation, and preparation activities for a Cybersecurity Maturity Model Certification (CMMC) Conformity Assessment event.
Policies
Plans
System Security Plan (SSP)
When using the NIST SP 800-171 based free SSP templates below, we really recommend you watch the related As the CMMC Churns videos:
- As the CMMC Churns | Your SSP Sucks, Seriously.: This Churns video explains how you use our SSP templates
- As the CMMC Churns | The Three Types of Evidentiary Objects: This Churns video looks at the three main types of Examination Assess Objects enumerated in NIST SP 800-171A. This video also expounds on part of how to write an effective SSP.
- As the CMMC Churns | Assessors and Toddlers: This explains the Document Traceability Matrix
- As the CMMC Churns | Documenting Your Scope: How to create a scope diagram for your SSP
This free SSP Template is dependent upon using the Document Traceability Matrix (DTM) for mapping requirements to policies, plans, procedures, et al.
This SSP Template is not dependent upon using the Document Traceability Matrix (DTM) for mapping requirements to policies, plans, procedures, et al. It uses a table after each requirement to show traceability.
This is the Document Traceability Matrix (DTM) used for mapping requirements to policies, plans, procedures, et al in an external document.
This is the Scope Diagram template that is used in the free SSP templates. This is useful to illustrate your NIST SP 800-171 and CMMC Scoping boundaries internally or to an assessor.
Procedures
Forms
This “Certificate of Storage Drive-Media Sanitization Form” is an Adobe Acrobat fillable form based on the NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization (https://csrc.nist.gov/pubs/sp/800/88/r1/final) sample “Certificate of Sanitization” from Appendix G.
Supporting Artifacts
These PowerPoint slides help you to communicate critical information which using the ProSci ADKAR model help to reinforce CMMC key areas to your C-suite while they help to transform your organization’s culture.
This Customer Responsibility Matrix (CRM) is used to document the shared services responsibilities between an organization and their providers. Providers could be the parent company, cloud services, provider, MSPs, et al.
Other Artifacts
This is a MS Word version of the draft 32 CFR Part 2002 Cybersecurity Maturity Model Certification (CMMC) Rule at Federal Register :: Cybersecurity Maturity Model Certification (CMMC) Program
This is an Excel template we use for all of our client to help complete their DoD Assessment Methodology (DoDAM) scoring of their NIST SP 800-171 Rev 2 implementation for entry into the Supplier Performance Risk Management System (SPRS).
DoDAM specific guidance is available at NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf (osd.mil).
Thei PDF file can be used to help organizations gauge their readiness to undergo a NIST SP 800-171, Joint Voluntary Surveillance (JSVA) or CMMC Conformity Assessment.
This questionnaire should not be construed as an indicator an OSC can check yes on all the requirements and will successfully pass a Conformity Assessment. If you are unsure of an answer, it is better to answer No and seek qualified expert guidance.
Social Contact