Kieri Solutions offers a licensable set of 800-171, DFARS 252.204-7012, and CMMC compliance templates called the Kieri Compliance Documentation (KCD). This is a holistic and user-friendly cybersecurity program which is designed for small and medium networks (less than 1000 users).
Why is the KCD different from all other compliance documentation products?
The KCD does three key things differently:
1) Behavior stacking – This is a critical principle for building new habits. Essentially, you need a trigger to remind you to do compliance tasks. As we wrote the KCD and identified best practice methods to meet each requirement, we linked each action to a scheduled activity. Under our program, your IT department only needs to remember to start a weekly maintenance task and the rest follows with just-in-time procedures and reminders.
2) No blanks – We don’t think it is fair to give you empty templates and hope you “figure it out.” Instead, our compliance templates are fully written for a functional, small, IT department that is performing all the requirements for CMMC Level 2. You can model your efforts to these best practices, or modify them to fit you. Our clients (including Fortune 500 companies) tell us that the examples in the KCD and our training library are a masterclass on how to perform CMMC efficiently.
3) Actionable statements. You won’t see regurgitations of the requirements like “The organization identifies authorized users, processes, and devices” in the KCD anywhere. That doesn’t help companies pass their assessment. Instead, the KCD says HOW each requirement is performed: “We identify authorized users by following the process for new user onboarding in Administrative Processes, Section 2.1. The CIO authorizes the user after reviewing their Account Request Form, background screening, training, and user agreements, to ensure they meet requirements for access. All authorized users and their authorizations are tracked in the Account Management Database.” Isn’t that a better way to do things?
The KCD provides a kick-start for companies that don’t have compliant policies, procedures, system security plan, and user agreements because it is pre-written with reasonable best practices and gives prescriptive (but easily customizable) instructions on how to perform each requirement. This program emphasizes record-keeping and processes that generate proof that they are performed over time.
The KCD is the ONLY set of CMMC compliance templates that includes best-practice sample answers and instructions for every requirement. Our clients tell us that the KCD 1) keeps them from over-thinking requirements, 2) meshes together policy, procedure, databases, and system security plan in an efficient, repeatable way, 3) is a master-class on how to succeed at CMMC Level 2.
The KCD comes with the full support of the Kieri team. We want you to pass your CMMC assessment! Included is a full library of training videos, monthly newsletters, Ask Me Anything webinars, and three free check-ins with our practicing CMMC / 800-171 assessors.
The KCD is battle-tested: we used this program to pass our CMMC assessment by the DoD.
KCD Demonstration Video (1:03:00)
If you are considering purchasing the KCD, we encourage you to watch this video where we show samples of real documents from the KCD and explain how the system works.
Did you like the demo?
Fill out this form to request a quote for the KCD.
We bought the KCD package and so far we have found that it was well worth the cost and would have cost us 10x more to write it ourselves incorrectly.
Roman V., PAS
Dawson has been pursuing NIST/CMMC compliance since 2016. Even though we met all of the security objectives on our network, the documentation process has been challenging. Interpreting the documentation requirements seems to be a moving target. Many vendors offer documentation packages, but none of them have ever been audited specifically for CMMC v2.0, as far as we could tell. The Kieri documentation set scales to any size company and lays out the roadmap with video explanations. They passed their audit as a C3PAO, which gives them a ton of credibility in my book. If you’re tired of the fear based approach to CMMC, I strongly recommend Kieri.
Andrew Riehemann, CIO (CISSP), Dawson Ohana
As one of your new subscribers, I wanted to share with you my sense of relief, almost elation, at using your system. It is fantastic. My team and I just started digging into the policies, and comparing them with those we have already in place, cross referencing, etc. The templates are such a help to us. Thank you!
A. Carmichael, Measurement Technology
Your KCD documentation is well designed. I reviewed it with our IT implementer, and he felt it was easy to understand and will make his job of implementation easier. Thank you for keeping it simple. It has been my experience that people throw words at a solution instead of thought. You have created a well-thought-out package.
V. Delaney, Continuous Process Improvement Systems, LLC (CPISys)
FAQs about the Kieri Compliance Documentation:
- What is the KCD? KCD stands for Kieri Compliance Documentation. It is a package of policies, procedures, user agreements, and partially pre-written compliance docs (like a system security plan) designed to help you operate your IT department in compliance with CMMC Level 2. The KCD is meant to be used with networks with less than 1,000 users, and works especially well for enclaves.
- Why should I choose the KCD instead of other for-sale documentation? The KCD prioritizes ease-of-use and simplicity. It is not “enterprise class” – meaning that we use small words and expect only 1-2 people to be involved in reviewing it, not a full team of executive staff and lawyers. The KCD is designed for CMMC Level 2 and does not try to multi-task for other cybersecurity frameworks. We have added real-world examples wherever possible to illustrate best practices, to include partially writing the system security plan for you. Finally, this documentation package is battle tested – it is based on the same policies and procedures that we used to pass our CMMC assessment.
- I’m thinking about buying the documents. How can I see some examples? Check our KCD demonstration video (either scroll up or watch it on YouTube here). We review samples of several documents and discuss how the program works.
- How much does the KCD cost? A lifetime license to the KCD costs $4,700.
- I’m too busy to deal with documentation. You should consider adding some consulting so that your documentation gets done. If you buy a license, we offer a discounted consulting package of 25 hours for $6,250 which is enough time to explain and quickly customize each document for you (if you are a typical small or medium business). We also offer larger consulting projects to help identify gaps and solutions, provide accountability, and perform vCISO services.
- Can I just download all the templates, leave them as-is, and pass CMMC or NIST SP 800-171? No, but we wish it were that easy. Using this package will save your organization at least 200 hours of work compared to creating the documents from scratch (that’s an impressive cost saving), but there is still some work left to do. Our most successful clients also request consulting to customize policies, create a Plan of Action, do a first pass on your System Security Plan, and demonstrate how to perform Change Management and the Maintenance Checklist.
- We don’t use Microsoft 365 for our enclave or information system. Will the KCD still work for us? Yes. The KCD does not assume that you have any specific technology or automation, other than the ability to edit spreadsheets and word documents. In almost all cases, it references technologies with non-vendor-specific terms like “file share.” It’s easy to modify the policies and procedures to list your specific solutions. As a bonus, we have lots of example answers throughout the templates. Most of the examples are for a Microsoft 365-based enclave, so if you use that, you can accept the examples without much alteration. In short: Yes, any technology is fine!
- I’m going to buy the KCD. How would we get started? The “Overview of Kieri Compliance Documentation” document (available without a subscription) provides the recommended order to review, customize, and implement the KCD in your organization. The summary steps are: 1) Create standard locations to store records and track your work. 2) Review and customize policies. 3) Create your Plan of Action based on policy items you aren’t doing. 4) Start formal Change Management and weekly Cybersecurity Maintenance procedures. 5) Update your inventories. 6) Update procedures as you perform them. 7) Update the System Security Plan to describe your implementation of each requirement.
- What is Change Management? Change Management is a formal program of controlling the actions of your privileged users so that when they build a new solution or replace a system, they make sure the changed system is CMMC-compliant before it goes into production. This handles the CMMC requirements that require specific settings and capabilities to be enabled (like firewalls).
- What is the Cybersecurity Maintenance Checklist? We have developed a proprietary checklist of activities that need to be performed on a schedule in order to be compliant with CMMC. The checklist includes tasks that are performed weekly, monthly, quarterly, bi-annually, and annually. You can customize this checklist to increase or reduce frequency of tasks based on your specific environment (bigger environments should do some tasks more often). We have found that using this checklist is the most effective way to get an IT department to do compliance activities consistently. This handles the CMMC requirements that require regular monitoring and oversight.
- Why does the KCD include IT Department databases? Careful record keeping is needed to demonstrate that you are performing the requirements of CMMC. You need to maintain records about your privileged users, your regular users, the hardware you use on your network, your software, any cyber incidents, changes you make, patching, etc. (the list goes on). Our IT Department databases let you create a place to organize these records. The database fields are carefully designed to gather information that is used for CMMC, such as whether mobile devices are authorized for CUI.
- Can I share or resell the templates? The KCD is licensed to be used by a single legal entity. Each entity (such as a corporation) needs their own license to legally use the KCD. If you are a cybersecurity consultant, you are more than welcome to help your clients customize the KCD for their use. If you have many clients that would benefit from the KCD, please reach out to ask about our referral program. We do not offer white-label services at this time.
- Can I get a CMMC Assessment from Kieri Solutions if I use the KCD? No, that would be a conflict of interest. We cannot consult for and assess the same company. Providing policy and procedure templates for sale is a form of consulting. If you are torn between the two options, remember, there is only one KCD. There are lots of assessment companies.
- Can I get updated documentation if CMMC changes? We include a 12-month subscription to download the latest templates with your lifetime license purchase. You will have the option to extend this subscription for a small fee every year.
- Do you label each policy with the CMMC practice it addresses? We do all the cross-referencing between documents in the System Security Plan. Because our policies don’t simply restate the practice requirement in vague language, but instead give more detail on how to perform requirements, it gets very cluttered if we try to tag practice IDs inside the policy. Example of SSP cross-mapping from Demo Video.
- and more topics to come… (send questions if you have them)
You will need to log in to access content below.
Download Templates (Subscriber-Only)
- PROGRAM OVERVIEW
- Overview of Kieri Compliance Documentation – Updated 10/11/2022
- CORE COMPLIANCE DOCS
- System Security Plan <SIGN IN TO DOWNLOAD>
- Plan of Action <SIGN IN TO DOWNLOAD>
- Shared Responsibility Matrix <SIGN IN TO DOWNLOAD>
- FIPS Validation Strategy and Risk Assessment <SIGN IN TO DOWNLOAD>
- Self-Assessment Template <SIGN IN TO DOWNLOAD>
- IT DEPARTMENT DATABASE DEFINITIONS
- Importable Database Files (SharePoint only) <SIGN IN TO DOWNLOAD>
- Account Management Database Definition <SIGN IN TO DOWNLOAD>
- Change Management Database Definition <SIGN IN TO DOWNLOAD>
- Hardware Inventory Database Definition <SIGN IN TO DOWNLOAD>
- Incident Management Database Definition <SIGN IN TO DOWNLOAD>
- Service Request Database Definition <SIGN IN TO DOWNLOAD>
- Software Inventory Database Definition <SIGN IN TO DOWNLOAD>
- Vendor Risk Management Database Definition <SIGN IN TO DOWNLOAD>
- Access Management Policy <SIGN IN TO DOWNLOAD>
- Audit Management Policy <SIGN IN TO DOWNLOAD>
- Change Management Policy <SIGN IN TO DOWNLOAD>
- Configuration Management Policy <SIGN IN TO DOWNLOAD>
- Data Management Policy <SIGN IN TO DOWNLOAD>
- Disaster Recovery Policy <SIGN IN TO DOWNLOAD>
- Facilities Security Policy <SIGN IN TO DOWNLOAD>
- Incident Management Policy <SIGN IN TO DOWNLOAD>
- Risk Assessment Policy <SIGN IN TO DOWNLOAD>
- Supply Chain Risk Management Policy <SIGN IN TO DOWNLOAD>
- Systems and Communications Protection Policy <SIGN IN TO DOWNLOAD>
- Vulnerability and Patch Management Policy <SIGN IN TO DOWNLOAD>
- Exception Tracking <SIGN IN TO DOWNLOAD>
- USER AGREEMENTS AND TRAINING
- Information Systems User Agreement <SIGN IN TO DOWNLOAD>
- Issued Equipment Agreement <SIGN IN TO DOWNLOAD>
- Telework Agreement <SIGN IN TO DOWNLOAD>
- Protection of Sensitive Information Agreement <SIGN IN TO DOWNLOAD>
- Privileged Access Agreement <SIGN IN TO DOWNLOAD>
- PROCEDURES, FORMS, WORKFLOWS
- Access Request Form <SIGN IN TO DOWNLOAD>
- Administrative Processes <SIGN IN TO DOWNLOAD>
- Audit Log Procedures <SIGN IN TO DOWNLOAD>
- CUI Marking Template <SIGN IN TO DOWNLOAD>
- Disaster Recovery Plan <SIGN IN TO DOWNLOAD>
- Facilities Security – Logbook Template <SIGN IN TO DOWNLOAD>
- Incident Response Form <SIGN IN TO DOWNLOAD>
- Incident Response Procedure <SIGN IN TO DOWNLOAD>
- Personnel Offboarding Checklist <SIGN IN TO DOWNLOAD>
- Publication Review Procedure <SIGN IN TO DOWNLOAD>
- Risk Assessment Template <SIGN IN TO DOWNLOAD>
- Risk Management Procedure <SIGN IN TO DOWNLOAD>
- CAB Meeting Notes Template <SIGN IN TO DOWNLOAD>
- Change WorkLog Template <SIGN IN TO DOWNLOAD>
- Cybersecurity Maintenance Checklist <SIGN IN TO DOWNLOAD>
ALERT!! – NIST SP 800-171 REV. 3
The draft of NIST SP 800-171 Rev. 3 was released in May 2023.
Rev. 3 is a significant change to cybersecurity requirements for DoD contractors. However, the document will not be finalized until early 2024. We don’t expect CMMC to enforce the new requirements until at least 2025 or later. Rev. 3 is different enough that if you prepare for Rev. 3 exclusively, you will miss some requirements from Rev. 2!
Expect to be assessed against 800-171 Rev. 2 at least once before the transition to Rev. 3 occurs. You still need a compliance program that supports 800-171 Rev. 2.
What about the Kieri Compliance Documentation???
We are already updating the KCD to incorporate the Rev.3 changes!!
When you purchase a license, you get a free 12 month subscription to updates. We are already building the updated set of documentation, which will be ready before Rev.3 is finalized. So don’t worry, the KCD will support both Rev. 2 and Rev. 3!
Send an email to firstname.lastname@example.org if you are a subscriber and need help logging on or accessing content.