Every File, Every Template, Every Feature — Complete Breakdown
See exactly what you’re getting. Over 240 files covering all 110 NIST SP 800-171 controls.
Complete Package Contents
📋Information Security Policies (19 Files)
Complete coverage of all 14 NIST SP 800-171 control families. Each policy includes control mappings, roles & responsibilities, evidence criteria, and evaluation methods.
File List:
- POL-IS-00: Information Security Program Charter
- POL-AC-01: Access Control Policy
- POL-AT-02: Security Awareness & Training Policy
- POL-AU-03: Audit & Accountability Policy
- POL-CM-04: Configuration Management Policy
- POL-IA-05: Identification & Authentication Policy
- POL-IR-06: Incident Response Plan
- POL-MA-07: System Maintenance Policy
- POL-MP-08: Media Protection Policy
- POL-PS-09: Personnel Security Policy
- POL-PE-10: Physical & Environmental Security Policy
- POL-RA-11: Risk Assessment Policy
- POL-CA-12: Security Assessment & Authorization Policy
- POL-SC-13: System & Communications Protection Policy
- POL-SI-14: System & Information Integrity Policy
- POL-CP-15: Contingency Planning & Disaster Recovery
- POL-AU-17: Acceptable Use Policy
- POL-WE-18: Waivers & Exceptions Procedure
Available Formats:
- Markdown (.md)
- Microsoft Word (.docx)
📊 Reference Document Templates (147 Files)
Operational templates for tracking, evidence collection, and compliance management. These are the documents your C3PAO assessor will request during the assessment.
Available in 2 formats:
- 89 Word documents (.docx) – Professional, print-ready templates
- 58 Excel tracking registers (.xlsx) – Interactive spreadsheets with formulas
Template Categories by Control Family
Access Control (AC) – 7 Templates
- REF-AC-01: User Access Request Form
- REF-AC-02: Access Review Log
- REF-AC-03: Privileged Access Tracking
- REF-AC-04: Remote Access Authorization Log
- REF-AC-05: Session Termination Log
- REF-AC-06: Unsuccessful Login Attempts Report
- REF-AC-07: Mobile Device Authorization Registry
Awareness & Training (AT) – 4 Templates
- REF-AT-01: Security Awareness Training Log
- REF-AT-02: Role-Based Training Completion Matrix
- REF-AT-03: Insider Threat Awareness Tracker
- REF-AT-04: Annual Training Acknowledgment Form
Audit & Accountability (AU) – 5 Templates
- REF-AU-01: Audit Event Definitions Matrix
- REF-AU-02: Audit Record Review Log
- REF-AU-03: Audit Failure Response Log
- REF-AU-04: Audit Log Retention Schedule
- REF-AU-05: Time Synchronization Verification Log
Configuration Management (CM) – 6 Templates
- REF-CM-01: Baseline Configuration Register
- REF-CM-02: Configuration Change Request Form
- REF-CM-03: Configuration Change Log
- REF-CM-04: Security Configuration Checklist
- REF-CM-05: Least Functionality Inventory
- REF-CM-06: User-Installed Software Tracking
Identification & Authentication (IA) – 4 Templates
- REF-IA-01: User Identification Registry
- REF-IA-02: Multi-Factor Authentication Enrollment Log
- REF-IA-03: Authenticator Management Log
- REF-IA-04: Password Reset Request Log
Incident Response (IR) – 5 Templates
- REF-IR-01: Incident Detection & Reporting Log
- REF-IR-02: Incident Tracking Register
- REF-IR-03: Incident Response Activity Log
- REF-IR-04: DFARS 252.204-7012 Reporting Tracker
- REF-IR-05: Incident Post-Mortem Report Template
Maintenance (MA) – 3 Templates
- REF-MA-01: Scheduled Maintenance Log
- REF-MA-02: Remote Maintenance Session Log
- REF-MA-03: Maintenance Tools Control Registry
Media Protection (MP) – 4 Templates
- REF-MP-01: Media Handling & Marking Log
- REF-MP-02: Media Sanitization Log
- REF-MP-03: Media Storage Authorization Registry
- REF-MP-04: Media Transport Authorization Log
Personnel Security (PS) – 3 Templates
- REF-PS-01: Background Screening Tracker
- REF-PS-02: Personnel Transfer/Termination Checklist
- REF-PS-03: Personnel Sanctions Log
Physical Protection (PE) – 4 Templates
- REF-PE-01: Physical Access Authorization Registry
- REF-PE-02: Visitor Access Log
- REF-PE-03: Physical Access Device Inventory
- REF-PE-04: Environmental Controls Monitoring Log
Risk Assessment (RA) – 3 Templates
- REF-RA-01: Risk Assessment Register
- REF-RA-02: Vulnerability Scan Results Log
- REF-RA-03: Risk Remediation Tracking Matrix
Security Assessment (CA) – 3 Templates
- REF-CA-01: Security Control Assessment Log
- REF-CA-02: System Interconnection Agreement Tracker
- REF-CA-XX: Control Implementation Status Register
System & Communications Protection (SC) – 4 Templates
- REF-SC-01: Boundary Protection Inventory
- REF-SC-02: Cryptographic Key Management Log
- REF-SC-03: Session Termination Configuration Log
- REF-SC-04: Collaborative Computing Authorization Log
System & Information Integrity (SI) – 5 Templates
- REF-SI-01: Flaw Remediation Tracking Log
- REF-SI-02: Patch Management Log
- REF-SI-03: Malware Detection & Response Log
- REF-SI-04: Security Alert & Advisory Log
- REF-SI-05: Software & Information Integrity Verification Log
Contingency Planning (CP) – 2 Templates
- REF-CP-01: Backup Verification Log
- REF-CP-02: Contingency Plan Testing Log
Third-Party Management (TP) – 3 Templates
- REF-TP-01: Third-Party Risk Assessment Register
- REF-TP-02: Vendor Security Requirements Tracking
- REF-TP-03: Third-Party Access Authorization Log
Program Management (General) – 2 Templates
- REF-EV-01: Evidence Collection Master Register
- REF-PO-01: Plan of Action & Milestones (POA&M) Register
📄 System Security Plan Templates (2 Files)
Two comprehensive SSP templates for different infrastructure types. Both are pre-mapped to all 110 NIST SP 800-171 controls with evidence attachment structure.
File List:
- SSP-MASTER-TEMPLATE_v2.0
- SSP-CLOUD-HYBRID-SHELL_v2.0
Available Formats:
- Markdown (.md)
- Microsoft Word (.docx)
📈 Executive Compliance Dashboard (2 Dashboards)
Two versions of the compliance dashboard: a basic Excel version and a premium Power BI version.
File List:
- Executive_Compliance_Dashboard.xlsx
- Executive_Compliance_Dashboard.pbix
Available Formats:
- Sample_Telemetry_Data_v1.xlsx
- Dashboard Setup Guide
Requirements:
- Power BI Desktop
⚙️ Automation Script (1 File)
Features:
- Replace placeholders across all documents
- Process Markdown, Word, and Excel files
- Automatic backup
- Validation report
- Works on Windows, Mac, Linux
📖 Implementation Guide (1 File)
File: README.md
Sections:
- Quick Start Guide
- File Inventory
- Implementation Roadmap
- Control Family Deep Dives
- Common Workflows
- Audit Preparation Checklist
- Troubleshooting & FAQs
- Tool Recommendations
- Cost Estimates
- Official CMMC Resources
🎯 Additional Premium Add-Ons
📋 C3PAO Assessment Cheat Sheets (19 PDFs)
Know exactly what assessors look for before they arrive.
14 Control Family Cheat Sheets:
- Access Control (AC)
- Awareness & Training (AT)
- Audit & Accountability (AU)
- Configuration Management (CM)
- Identification & Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System & Communications Protection (SC)
- System & Information Integrity (SI)
Plus 5 Assessment Preparation Guides:
- CMMC Level 2 Assessment Overview
- Common Assessment Findings (top 20 failure reasons)
- Evidence Collection Checklist
- Interview Preparation Guide
- Technical Testing Guide
Each cheat sheet reveals:
- Exact questions assessors will ask during interviews
- Evidence they’ll request
- Technical tests they’ll perform
- Common reasons organizations fail
- How to fix issues before assessment
⚙️ Technical Implementation Guides (5 PDFs)
Step-by-step instructions with screenshots, commands, and configurations:
- MFA Implementation Guide — Duo, Microsoft, Okta, Google comparisons + setup
- Encryption Implementation Guide — Data-at-rest & data-in-transit
- SIEM/Log Monitoring Guide — Centralized logging architecture
- Endpoint Security Guide — EDR/XDR deployment procedures
- Network Segmentation Guide — VLAN/firewall configurations
🗂️ Evidence Collection Playbook (1 PDF, 50+ pages)
The master checklist for C3PAO assessment preparation:
- Complete evidence requirements for all 110 NIST controls
- Folder structure recommendations
- Format requirements (PDF, Excel, screenshots)
- How to redact sensitive information
- Evidence narrative templates
- Sample evidence package table of contents
- Tips for hard-to-collect evidence (cloud, third parties)
🚨 Incident Response Playbooks (5 PDFs)
Step-by-step procedures for real security incidents:
- Ransomware Response Playbook
- Data Breach Response Playbook
- Phishing Response Playbook
- Insider Threat Response Playbook
- DDoS Response Playbook
Each includes:
- Detection indicators
- Immediate response (first 15 minutes)
- Containment procedures
- DFARS reporting requirements
- Communication templates (internal, customer, DoD)
📊 Assessment Tools (4 Files: 2 Excel + 2 PDF Guides)
Know your compliance score before paying for C3PAO assessment.
CMMC Level 2 Self-Assessment Tool:
- Interactive Excel workbook covering all 110 controls
- Score tracking: Met / Partially Met / Not Met / Not Applicable
- Automatic compliance percentage calculation
- Breakdown by control family
- Gap analysis reporting
- Quarterly progress tracking
SPRS Score Calculator:
- Calculate Supplier Performance Risk System (SPRS) score
- Required for SAM.gov registration
- Score range: -203 to +110
- DoD contractor risk evaluation
- Submission guidance
📝 POAM Templates (15 PDFs)
Pre-written Plans of Action & Milestones for common gaps:
Templates include:
- MFA Not Implemented
- Encryption Not Implemented
- Logging Insufficient
- Patching Behind Schedule
- Training Overdue
- Access Reviews Not Performed
- Incident Response Plan Not Tested
- Vulnerability Scanning Not Performed
- Configuration Management Weak
- Physical Security Inadequate
- ...and 5 more
Each template includes:
- Pre-written problem description
- Affected NIST controls
- Recommended remediation steps
- Estimated timeline and cost
- Risk assessment
- Compensating controls
🔍 Vendor Assessment Questionnaires (4 PDFs)
Third-party risk assessment tools (required by NIST 800-171):
- Standard Vendor Security Assessment (50 questions)
- CUI-Handling Vendor Assessment (75 questions)
- Cloud Service Provider Assessment (SaaS/IaaS specific)
- MSP Assessment Questionnaire (Managed Service Providers)
📚 Additional Resources (5 PDFs)
Strategic guides for the full compliance journey:
- CMMC Ecosystem Guide — Understanding C3PAOs, RPOs, CMMC-AB
- MSP Selection Guide — Choosing CMMC-capable managed service providers
- Budget Planning Guide — Total cost estimates ($50K-$200K typical)
- Contract Language Guide — DFARS clauses and flow-down requirements
- Certification Maintenance Guide — Staying compliant post-certification
Total Package Contents:
19 Security Policies
147 Reference Templates
2 SSP Templates
2 Compliance Dashboards
1 Automation Script
1 Implementation Guide
Available in 3 Formats:
- Markdown (.md)
- Microsoft Word (.docx)
- Excel (.xlsx)
Instant Download | All Files Included
Why This Isn't Just "Another Template Pack"
Generic Templates
- Control mappings missing
- No evidence guidance
- Created by marketers, not practitioners
- One-size-fits-all approach
- No implementation roadmap
- No automation tools
$50K Consultant
- Professional documentation
- Control mappings included
- Evidence guidance
- Implementation support
- Costs $50K–150K
- 12–18 month timeline
- You don't own IP
Keystone Command Package
- Professional documentation
- Control mappings included
- Evidence guidance
- Created by former NSA Technical Director
- Complete implementation roadmap
- Automation tools included
- You own all files
- $4,997
- Start implementing immediately
See Sample Files Before You Buy
Download free samples to review the quality and depth of the documentation.