Kieri Compliance Documentation

Log in

Please contact us if you’d like a 30-minute demonstration of our compliance templates and program.

You will need to log in to access content below.

No account? We sell licenses for our CMMC Compliance Documentation templates (for organizations preparing for CMMC Level 2, NIST SP 800-171, or DFARS 252.204-7012). Please send an email to for more details and introductory pricing.

Your KCD documentation is well designed. I reviewed it with our IT implementer, and he felt it was easy to understand and will make his job of implementation easier.  Thank you for keeping it simple. It has been my experience that people throw words at a solution instead of thought.  You have created a well-thought-out package.

V. Delaney, Continuous Process Improvement Systems, LLC (CPISys)

FAQs about the Kieri Compliance Documentation:

  • What is the KCD? KCD stands for Kieri Compliance Documentation. It is a package of policies, procedures, user agreements, and partially pre-written compliance docs (like a system security plan) designed to help you operate your IT department in compliance with CMMC Level 2. The KCD is meant to be used with networks with less than 1,000 users, and works especially well for enclaves.
  • What is the KRA? KRA stands for Kieri Reference Architecture. It is an add-on to the KCD package which gives instructions to build an information system using popular technology solutions. It includes a fully written system security plan (editable to match your environment), FIPS 140-2 validated module documentation, and exact procedures to use with the system. The KRA is expected to be available in November 2022.
  • Can I share or resell the templates? The KCD is licensed to be used by a single legal entity. Each entity (such as a corporation) needs their own license to legally use the KCD. As a cybersecurity consultant, you are more than welcome to help your clients customize the KCD for their specific solution. If you have many clients that would benefit from the KCD, please reach out to ask about our referral program.
  • Can I get a CMMC Assessment from Kieri Solutions if I use the KCD or KRA? No, that would be a conflict of interest. We cannot consult for and assess the same company. Providing policy and procedure templates for sale is a form of consulting.
  • What is the difference between the Kieri Compliance Documentation (KCD) and Kieri Reference Architecture (KRA)? The KCD is a full-fledged program to run a compliant IT Department and focuses on easy to use policies and procedures. The KRA (Reference Architecture) provides steps for building an information system from scratch based on popular technology solutions and includes a fully written System Security Plan and other procedures / records based on that architecture. The KRA is an add-on to the KCD.
  • Why should I choose the KCD instead of other for-sale documentation? The KCD prioritizes ease-of-use and simplicity. It is not “enterprise class” – meaning that we use small words and expect only 1-2 people to be involved in reviewing it, not a full team of executive staff and lawyers. The KCD is designed for CMMC Level 2 and does not try to multi-task for other cybersecurity frameworks. We have added real-world examples wherever possible to illustrate best practices, to include partially writing the system security plan for you. Finally, this documentation package is battle tested – it is based on the same policies and procedures that we used to pass our CMMC assessment.
  • I’m thinking about buying the documents. How can I see some examples? Reach out to and we will schedule a 30 minute screen-share to show you our documents live and answer any questions.
  • How much does the KCD cost? For 2022, we are offering the KCD at an introductory price of $3,000. We also offer subscriptions for updates at $500/year, and twenty hours of KCD customization and training by a subject matter expert for +$5,000.
  • Can I just download all the templates, leave them as-is, and pass CMMC or NIST SP 800-171? No, but we wish it were that easy. Using this package will save your organization at least 200 hours of work compared to creating the documents from scratch (that’s an impressive cost saving), but there is still some work left to do. Our most successful clients also request an initial block of 20 hours of consulting to customize policies, create a Plan of Action, and demonstrate how to perform Change Management and the Maintenance Checklist. We also offer consulting to write your System Security Plan, provide additional training, and help you with separation of duties over time.
  • We don’t use Microsoft 365 for our enclave or information system. Will the KCD still work for us? Yes. The KCD does not assume that you have any specific technology or automation, other than the ability to edit spreadsheets and word documents. In almost all cases, it references technologies with non-vendor-specific terms like “file share.” It’s easy to modify the policies and procedures to list your specific solutions. As a bonus, we have lots of example answers throughout the templates. Most of the examples are for a Microsoft 365-based enclave, so if you use that, you can accept the examples without much alteration. In short: Yes, any technology is fine!
  • I’m going to buy the KCD. How would we get started? The “Overview of Kieri Compliance Documentation” document (available without a subscription) provides the recommended order to review, customize, and implement the KCD in your organization. The summary steps are: 1) Create standard locations to store records and track your work. 2) Review and customize policies. 3) Create your Plan of Action based on policy items you aren’t doing. 4) Start formal Change Management and weekly Cybersecurity Maintenance procedures. 5) Update your inventories. 6) Update procedures as you perform them. 7) Update the System Security Plan to describe your implementation of each requirement.
  • What is Change Management? Change Management is a formal program of controlling the actions of your privileged users so that when they build a new solution or replace a system, they make sure the changed system is CMMC-compliant before it goes into production. This handles the CMMC requirements that require specific settings and capabilities to be enabled (like firewalls).
  • What is the Cybersecurity Maintenance Checklist? We have developed a proprietary checklist of activities that need to be performed on a schedule in order to be compliant with CMMC. The checklist includes tasks that are performed weekly, monthly, quarterly, bi-annually, and annually. You can customize this checklist to increase or reduce frequency of tasks based on your specific environment (bigger environments should do some tasks more often). We have found that using this checklist is the most effective way to get an IT department to do compliance activities consistently. This handles the CMMC requirements that require regular monitoring and oversight.
  • Can you build us the system that the Kieri Reference Architecture (KRA) describes? Yes. We can build an enclave and provide KRA documents to match. This is typically a three-month project from start to finish. We will start the routine compliance procedures like audit log reviews, change management, and inventories for you. Once the enclave is built, we will turn over to you for day-to-day administration and remove our access entirely. You will own the cloud tenant, all subscriptions, and equipment. Please send us an email at to schedule a call to discuss, if you are interested in this option.
  • Why does the KCD include IT Department database definitions? Careful record keeping is needed to demonstrate that you are performing the requirements of CMMC. You need to maintain records about your privileged users, your regular users, the hardware you use on your network, your software, any cyber incidents, changes you make, patching, etc. (the list goes on). Our IT Department database definitions let you create a place to organize these records. The database fields are carefully designed to gather information that is used for CMMC, such as whether mobile devices are authorized for CUI.
  • and more topics to come… (send questions if you have them)

Download Templates (Subscriber-Only)

  • System Security Plan <SIGN IN TO DOWNLOAD>
  • Plan of Action <SIGN IN TO DOWNLOAD>
  • Shared Responsibility Matrix <SIGN IN TO DOWNLOAD>
  • FIPS Validation Strategy and Risk Assessment <SIGN IN TO DOWNLOAD>

  • Importable Database Files (SharePoint only) <SIGN IN TO DOWNLOAD>
  • Account Management Database Definition <SIGN IN TO DOWNLOAD>
  • Change Management Database Definition <SIGN IN TO DOWNLOAD>
  • Hardware Inventory Database Definition <SIGN IN TO DOWNLOAD>
  • Incident Management Database Definition <SIGN IN TO DOWNLOAD>
  • Service Request Database Definition <SIGN IN TO DOWNLOAD>
  • Software Inventory Database Definition <SIGN IN TO DOWNLOAD>
  • Vendor Risk Management Database Definition <SIGN IN TO DOWNLOAD>
  • Access Management Policy <SIGN IN TO DOWNLOAD>
  • Audit Management Policy <SIGN IN TO DOWNLOAD>
  • Change Management Policy <SIGN IN TO DOWNLOAD>
  • Configuration Management Policy <SIGN IN TO DOWNLOAD>
  • Data Management Policy <SIGN IN TO DOWNLOAD>
  • Disaster Recovery Policy <SIGN IN TO DOWNLOAD>
  • Facilities Security Policy <SIGN IN TO DOWNLOAD>
  • Incident Management Policy <SIGN IN TO DOWNLOAD>
  • Risk Assessment Policy <SIGN IN TO DOWNLOAD>
  • Supply Chain Risk Management Policy <SIGN IN TO DOWNLOAD>
  • Systems and Communications Protection Policy <SIGN IN TO DOWNLOAD>
  • Vulnerability and Patch Management Policy <SIGN IN TO DOWNLOAD>

  • Information Systems User Agreement <SIGN IN TO DOWNLOAD>
  • Issued Equipment Agreement <SIGN IN TO DOWNLOAD>
  • Telework Agreement <SIGN IN TO DOWNLOAD>
  • Protection of Sensitive Information Agreement <SIGN IN TO DOWNLOAD>
  • Privileged Access Agreement <SIGN IN TO DOWNLOAD>

  • Access Request Form <SIGN IN TO DOWNLOAD>
  • Administrative Processes <SIGN IN TO DOWNLOAD>
  • Audit Log Procedures <SIGN IN TO DOWNLOAD>
  • Disaster Recovery Plan <SIGN IN TO DOWNLOAD>
  • Facilities Security – Logbook Template <SIGN IN TO DOWNLOAD>
  • Incident Response Form <SIGN IN TO DOWNLOAD>
  • Incident Response Procedure <SIGN IN TO DOWNLOAD>
  • Personnel Offboarding Checklist <SIGN IN TO DOWNLOAD>
  • Publication Review Procedure <SIGN IN TO DOWNLOAD>
  • Risk Assessment Template <SIGN IN TO DOWNLOAD>
  • Risk Management Procedure <SIGN IN TO DOWNLOAD>
  • CAB Meeting Notes Template <SIGN IN TO DOWNLOAD>
  • Change WorkLog Template <SIGN IN TO DOWNLOAD>
  • Cybersecurity Maintenance Checklist <SIGN IN TO DOWNLOAD>

This is the best FIPS documentation we’ve ever seen.

– Kieri Solution’s DIBCAC Assessment Team

Send an email to if you are a subscriber and need help logging on or accessing content.