Kieri Compliance Documentation

Kieri Solutions offers a licensable set of 800-171, DFARS 252.204-7012, and CMMC compliance templates called the Kieri Compliance Documentation (KCD). This is a holistic and user-friendly cybersecurity program which is designed for small and medium networks (less than 1000 users).

The KCD provides a kick-start for companies that don’t have compliant policies, procedures, system security plan, and user agreements because it is pre-written with reasonable best practices and gives prescriptive (but easily customizable) instructions on how to perform each requirement. This program emphasizes record-keeping and processes that generate proof that they are performed over time.

The KCD is battle-tested: we used this program to pass our CMMC assessment by the DoD.

ALERT!! NIST SP 800-171 REV. 3

The draft of NIST SP 800-171 Rev. 3 was released in May 2023.

Rev. 3 is a significant change to cybersecurity requirements for DoD contractors. However, the document will not be finalized until early 2024. We don’t expect CMMC to enforce the new requirements until 2025 or later. Rev. 3 is different enough that if you prepare for Rev. 3 exclusively, you will miss some requirements from Rev. 2!

Expect to be assessed against 800-171 Rev. 2 at least once before the transition to Rev. 3 occurs. You still need a compliance program that supports 800-171 Rev. 2.

What about the Kieri Compliance Documentation???

We are already updating the KCD to incorporate the Rev. 3 changes!!

When you purchase a license, you get a free 12-month subscription to updates. Our update for Rev. 3 will be released ~October 2023. So don’t worry, the KCD will support both Rev. 2 and Rev. 3!

KCD Demonstration Video (1:03:00)

If you are considering purchasing the KCD, we encourage you to watch this video where we show samples of real documents from the KCD and explain how the system works.

Did you like the demo?

Fill out this form to request a quote for the KCD.

We bought the KCD package and so far we have found that it was well worth the cost and would have cost us 10x more to write it ourselves incorrectly.

Roman V., PAS

Dawson has been pursuing NIST/CMMC compliance since 2016. Even though we met all of the security objectives on our network, the documentation process has been challenging. Interpreting the documentation requirements seems to be a moving target. Many vendors offer documentation packages, but none of them have ever been audited specifically for CMMC v2.0, as far as we could tell. The Kieri documentation set scales to any size company and lays out the roadmap with video explanations. They passed their audit as a C3PAO, which gives them a ton of credibility in my book. If you’re tired of the fear-based approach to CMMC, I strongly recommend Kieri.

Andrew Riehemann, CIO (CISSP), Dawson Ohana

As one of your new subscribers, I wanted to share with you my sense of relief, almost elation, at using your system. It is fantastic. My team and I just started digging into the policies, and comparing them with those we have already in place, cross referencing, etc. The templates are such a help to us. Thank you!

A. Carmichael, Measurement Technology

Your KCD documentation is well designed. I reviewed it with our IT implementer, and he felt it was easy to understand and will make his job of implementation easier. Thank you for keeping it simple. It has been my experience that people throw words at a solution instead of thought. You have created a well-thought-out package.

V. Delaney, Continuous Process Improvement Systems, LLC (CPISys)

FAQs about the Kieri Compliance Documentation:

  • What is the KCD? KCD stands for Kieri Compliance Documentation. It is a package of policies, procedures, user agreements, and partially pre-written compliance docs (like a system security plan) designed to help you operate your IT department in compliance with CMMC Level 2. The KCD is meant to be used with networks with less than 1,000 users, and works especially well for enclaves.
  • Why should I choose the KCD instead of other for-sale documentation? The KCD prioritizes ease-of-use and simplicity. It is not “enterprise class” – meaning that we use small words and expect only 1-2 people to be involved in reviewing it, not a full team of executive staff and lawyers. The KCD is designed for CMMC Level 2 and does not try to multi-task for other cybersecurity frameworks. We have added real-world examples wherever possible to illustrate best practices, to include partially writing the system security plan for you. Finally, this documentation package is battle tested – it is based on the same policies and procedures that we used to pass our CMMC assessment.
  • I’m thinking about buying the documents. How can I see some examples? Check our KCD demonstration video (either scroll up or watch it on YouTube here). We review samples of several documents and discuss how the program works.
  • How much does the KCD cost? A lifetime license to the KCD costs $4,700.
  • I’m too busy to deal with documentation. You should consider adding some consulting so that your documentation gets done. If you buy a license, we offer a discounted consulting package of 25 hours for $6,250 which is enough time to explain and quickly customize each document for you (if you are a typical small or medium business). We also offer larger consulting projects to help identify gaps and solutions, provide accountability, and perform vCISO services.
  • Can I just download all the templates, leave them as-is, and pass CMMC or NIST SP 800-171? No, but we wish it were that easy. Using this package will save your organization at least 200 hours of work compared to creating the documents from scratch (that’s an impressive cost saving), but there is still some work left to do. Our most successful clients also request consulting to customize policies, create a Plan of Action, do a first pass on your System Security Plan, and demonstrate how to perform Change Management and the Maintenance Checklist.
  • We don’t use Microsoft 365 for our enclave or information system. Will the KCD still work for us? Yes. The KCD does not assume that you have any specific technology or automation, other than the ability to edit spreadsheets and word documents. In almost all cases, it references technologies with non-vendor-specific terms like “file share.” It’s easy to modify the policies and procedures to list your specific solutions. As a bonus, we have lots of example answers throughout the templates. Most of the examples are for a Microsoft 365-based enclave, so if you use that, you can accept the examples without much alteration. In short: Yes, any technology is fine!
  • I’m going to buy the KCD. How would we get started? The “Overview of Kieri Compliance Documentation” document (available without a subscription) provides the recommended order to review, customize, and implement the KCD in your organization. The summary steps are: 1) Create standard locations to store records and track your work. 2) Review and customize policies. 3) Create your Plan of Action based on policy items you aren’t doing. 4) Start formal Change Management and weekly Cybersecurity Maintenance procedures. 5) Update your inventories. 6) Update procedures as you perform them. 7) Update the System Security Plan to describe your implementation of each requirement.
  • What is Change Management? Change Management is a formal program of controlling the actions of your privileged users so that when they build a new solution or replace a system, they make sure the changed system is CMMC-compliant before it goes into production. This handles the CMMC requirements that require specific settings and capabilities to be enabled (like firewalls).
  • What is the Cybersecurity Maintenance Checklist? We have developed a proprietary checklist of activities that need to be performed on a schedule in order to be compliant with CMMC. The checklist includes tasks that are performed weekly, monthly, quarterly, bi-annually, and annually. You can customize this checklist to increase or reduce frequency of tasks based on your specific environment (bigger environments should do some tasks more often). We have found that using this checklist is the most effective way to get an IT department to do compliance activities consistently. This handles the CMMC requirements that require regular monitoring and oversight.
  • Why does the KCD include IT Department database definitions? Careful record keeping is needed to demonstrate that you are performing the requirements of CMMC. You need to maintain records about your privileged users, your regular users, the hardware you use on your network, your software, any cyber incidents, changes you make, patching, etc. (the list goes on). Our IT Department database definitions let you create a place to organize these records. The database fields are carefully designed to gather information that is used for CMMC, such as whether mobile devices are authorized for CUI.
  • Can I share or resell the templates? The KCD is licensed to be used by a single legal entity. Each entity (such as a corporation) needs their own license to legally use the KCD. If you are a cybersecurity consultant, you are more than welcome to help your clients customize the KCD for their use. If you have many clients that would benefit from the KCD, please reach out to ask about our referral program. We do not offer white-label services at this time.
  • Can I get a CMMC Assessment from Kieri Solutions if I use the KCD? No, that would be a conflict of interest. We cannot consult for and assess the same company. Providing policy and procedure templates for sale is a form of consulting.
  • Can I get updated documentation if CMMC changes? We include a 12-month subscription to download the latest templates with your lifetime license purchase. You will have the option to extend this subscription for a small fee every year.
  • Do you label each policy with the CMMC practice it addresses? We do all the cross-referencing between documents in the System Security Plan. Because our policies don’t simply restate the practice requirement in vague language, but instead give more detail on how to perform requirements, it gets very cluttered if we try to tag practice IDs inside the policy. Example of SSP cross-mapping from Demo Video.
  • and more topics to come… (send questions if you have them)

You will need to log in to access content below.

Download Templates (Subscriber-Only)

  • System Security Plan
  • Plan of Action
  • Shared Responsibility Matrix
  • FIPS Validation Strategy and Risk Assessment
  • Self-Assessment Template

  • Importable Database Files (SharePoint only)
  • Account Management Database Definition
  • Change Management Database Definition
  • Hardware Inventory Database Definition
  • Incident Management Database Definition
  • Service Request Database Definition
  • Software Inventory Database Definition
  • Vendor Risk Management Database Definition
  • Access Management Policy
  • Audit Management Policy
  • Change Management Policy
  • Configuration Management Policy
  • Data Management Policy
  • Disaster Recovery Policy
  • Facilities Security Policy
  • Incident Management Policy
  • Risk Assessment Policy
  • Supply Chain Risk Management Policy
  • Systems and Communications Protection Policy
  • Vulnerability and Patch Management Policy
  • Exception Tracking

  • Information Systems User Agreement
  • Issued Equipment Agreement
  • Telework Agreement
  • Protection of Sensitive Information Agreement
  • Privileged Access Agreement

  • Access Request Form
  • Administrative Processes
  • Audit Log Procedures
  • CUI Marking Template
  • Disaster Recovery Plan
  • Facilities Security – Logbook Template
  • Incident Response Form
  • Incident Response Procedure
  • Personnel Offboarding Checklist
  • Publication Review Procedure
  • Risk Assessment Template
  • Risk Management Procedure
  • CAB Meeting Notes Template
  • Change WorkLog Template
  • Cybersecurity Maintenance Checklist

This is the best FIPS documentation we’ve ever seen.

– Kieri Solutions’ DIBCAC Assessment Team

Send an email to if you are a subscriber and need help logging on or accessing content.