What Documentation Should You Have for NIST SP 800-171?

A cybersecurity program isn’t really a formal program until it is documented.

A cybersecurity program isn't a real cybersecurity program until it has documentation in place that records its policies, plans, and procedures. With the announcement of CMMC 2.0, maturity levels and processes are now gone; however, this does not mean that you shouldn't have any documentation in place. The documentation listed below will help support your implementation of the NIST SP 800-171 security requirements.

Documentation You Should Have:

  • System Security Plan
  • Plan of Action and Milestones
  • Hardware Inventory
  • Software Inventory
  • Information Security Policy
  • IT Acceptable Use Policy
  • Configuration Management Plan
  • Information System Contingency Plan
  • Business Impact Analysis
  • Incident Response Plan
  • Physical/Environmental Protection Plan
  • Security/Risk Assessment Plan
  • CUI Handling Procedures
  • IT Standard Operating Procedures
  • Access Control Matrix or similar

Other Documentation Considerations

The above-mentioned items are policy, planning, and procedure documents; however, you still need a method of documenting the everyday actions that involve the use of your information system. By this we mean documenting incidents in incident reports, documenting the destruction of hard drives and other media in a certificate of sanitization, documenting changes to the information system in a change request form, and documenting visitor access to your facility. There are also other items that should be documented, such as the creation of user accounts, the onboarding of new employees, and vulnerability scans. Using an IT ticketing system or similar is a good method to document these.

Where Can I Get These Templates?

Subscribers to Lake Ridge’s Compliance Accelerator app have the ability to download the documentation templates mentioned above at no additional cost to the subscription.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:

Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontractor compliance.