KCD stands for Kieri Compliance Documentation. It is a package of policies, procedures, user agreements, and partially pre-written compliance docs (like a system security plan) designed to help you operate your IT department in compliance with NIST SP 800-171 and CMMC Level 2. The KCD is optimized for networks with less than 1,000 users, and works especially well for enclaves.

The KCD prioritizes ease-of-use and simplicity. We use small words and expect only 1-2 people to be involved in reviewing it, not a full team of executive staff and lawyers. The KCD is designed for NIST SP 800-171 requirements and CMMC Level 2 and does not try to multi-task for other cybersecurity frameworks. We have added real-world examples wherever possible to illustrate best practices, to include partially writing the system security plan for you. Finally, this documentation package is battle tested – it is based on the same policies and procedures that we used to pass our CMMC assessment.

Check our KCD demonstration video (watch it on YouTube here). We review samples of several documents and discuss how the program works.

A lifetime license to the KCD costs $5,200.

You should consider adding some consulting so that your documentation gets done. If you buy a license, we offer a discounted consulting package of 25 hours which is enough time to explain and quickly customize each document for you (if you are a typical small or medium business). We also offer larger consulting projects to help identify gaps and solutions, provide accountability, and perform vCISO services.

 No, but we wish it were that easy. Using this package will save your organization at least 200 hours of work compared to creating the documents from scratch (that’s an impressive cost saving), but there is still some work left to do. Our most successful clients also request consulting to customize policies, create a Plan of Action, do a first pass on your System Security Plan, and demonstrate how to perform Change Management and the Maintenance Checklist.

Yes. The KCD does not assume that you have any specific technology or automation, other than the ability to edit spreadsheets and word documents. In almost all cases, it references technologies with non-vendor-specific terms like “file share.” It’s easy to modify the policies and procedures to list your specific solutions. As a bonus, we have lots of example answers throughout the templates. Most of the examples are for a Microsoft 365-based enclave, so if you use that, you can accept the examples without much alteration. In short: Yes, any technology is fine!

The “Overview of Kieri Compliance Documentation” document (available without a subscription) provides the recommended order to review, customize, and implement the KCD in your organization. The summary steps are: 1) Create standard locations to store records and track your work. 2) Review and customize policies. 3) Create your Plan of Action based on policy items you aren’t doing. 4) Start formal Change Management and weekly Cybersecurity Maintenance procedures. 5) Update your inventories. 6) Update procedures as you perform them. 7) Update the System Security Plan to describe your implementation of each requirement.

Change Management is a formal program of controlling the actions of your privileged users so that when they build a new solution or replace a system, they make sure the changed system is CMMC-compliant before it goes into production. This handles the CMMC requirements that require specific settings and capabilities to be enabled (like firewalls).

We have developed a proprietary checklist of activities that need to be performed on a schedule in order to be compliant with CMMC. The checklist includes tasks that are performed weekly, monthly, quarterly, bi-annually, and annually. You can customize this checklist to increase or reduce frequency of tasks based on your specific environment (bigger environments should do some tasks more often). We have found that using this checklist is the most effective way to get an IT department to do compliance activities consistently. This handles the CMMC requirements that require regular monitoring and oversight.

Careful record keeping is needed to demonstrate that you are performing the requirements of CMMC. You need to maintain records about your privileged users, your regular users, the hardware you use on your network, your software, any cyber incidents, changes you make, patching, etc. (the list goes on). Our IT Department databases let you create a place to organize these records. The database fields are carefully designed to gather information that is used for CMMC, such as whether mobile devices are authorized for CUI.

The KCD is licensed to be used by a single legal entity. Each entity (such as a corporation) needs their own license to legally use the KCD. If you are a cybersecurity consultant, you are more than welcome to help your clients customize the KCD for their use. If you have many clients that would benefit from the KCD, please reach out to ask about our referral program. We do not offer white-label services at this time.

No, that would be a conflict of interest. We cannot consult for and assess the same company. Providing policy and procedure templates for sale is a form of consulting. If you are torn between the two options, remember, there is only one KCD. There are lots of assessment companies.

We include a 12-month subscription to download the latest templates with your lifetime license purchase. You will have the option to extend this subscription for a small fee every year.

We do all the cross-referencing between documents in the System Security Plan. Because our policies don’t simply restate the practice requirement in vague language, but instead give more detail on how to perform requirements, it gets very cluttered if we try to tag practice IDs inside the policy. Example of SSP cross-mapping from Demo Video.