Professionally written, fill-in-the-blank security templates covering core security policies, AI governance, CMMC compliance, and more.
Bundle · Best Value
Small Business Security Starter Pack - 5 Essential Policies
The 5 policies every small business needs before a breach, audit, or insurance application: Password Policy, Acceptable Use Policy, Remote Work Policy, Security Awareness Policy, and Access Control Policy.
What's inside▾
- Password Policy Template
- Acceptable Use Policy
- Remote Work Security Policy
- Security Awareness Training Policy
- Access Control Policy
- All 5 files instantly editable in Word
Preview▾
Small Business Security Starter Pack
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes security requirements for small businesses handling sensitive data. Five essential policies aligned to cyber insurance requirements and common SMB audit frameworks.
2. BUNDLE CONTENTS
Password Policy • Acceptable Use Policy • Remote Work Security Policy • Security Awareness Training Policy • Access Control Policy
PREVIEW
Bundle · Cyber Insurance
Cyber Insurance Readiness Pack - 5 Templates Underwriters Ask For
Incident Response Policy (with insurer notification checklist), Backup & Recovery Policy, Vendor Management Policy, Data Retention Policy, and Security Awareness Policy - the five areas underwriters scrutinize most.
What's inside▾
- Incident Response Policy
- Insurer notification checklist
- Backup & Recovery Policy
- Vendor Management Policy
- Data Retention Policy
- Security Awareness Training Policy
Preview▾
Cyber Insurance Readiness Pack
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Provides documentation required by cyber insurance underwriters during application and annual renewal. Covers the five security domains underwriters scrutinize most.
2. BUNDLE CONTENTS
Incident Response Policy (with insurer notification checklist) • Backup & Recovery Policy • Vendor Management Policy • Data Retention Policy • Security Awareness Policy
PREVIEW
Bundle · AI Governance
AI Governance Bundle - 3 Templates to Govern AI at Your Organization
AI Governance Policy (executive framework), AI Acceptable Use Policy (employee-facing), and AI Vendor Risk Assessment - everything you need to govern AI responsibly before regulators do it for you.
What's inside▾
- AI Governance Policy
- AI Acceptable Use Policy
- AI Vendor Risk Assessment
- Prohibited use case registry
- AI system inventory template
- Risk tier scoring guide
Preview▾
AI Governance Bundle
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes organizational governance for the responsible procurement, deployment, and use of artificial intelligence systems, covering risk classification, acceptable use, and vendor evaluation.
2. BUNDLE CONTENTS
AI Governance Policy (executive risk framework) • AI Acceptable Use Policy (employee-facing) • AI Vendor Risk Assessment (60-point evaluation)
PREVIEW
Bundle · CMMC Level 2
CMMC Level 2 Assessment Essentials - SSP + Access Control Policy Bundle
The two documents every C3PAO assessor will ask for first: the System Security Plan (all 110 NIST SP 800-171 Rev 2 practices documented) and the Access Control Policy (all 22 AC practices). Get your most critical assessment deliverables done in one step.
What's inside▾
- System Security Plan (SSP)
- Access Control Policy
- All 110 practices documented
- All 22 AC practices mapped
- Evidence column per practice
- Implementation status tracking
Preview▾
CMMC Level 2 Assessment Essentials
Version 1.0 | Effective: [Date] | Owner: [Title]
1. BUNDLE CONTENTS
System Security Plan (SSP) - All 110 NIST SP 800-171 Rev 2 practices across 14 domains, with implementation status tracking, evidence artifact columns, and example policy language.
2. ACCESS CONTROL POLICY
All 22 AC practices (3.1.1-3.1.22): account lifecycle, least privilege, remote access, MFA requirements, wireless access controls, and session management.
PREVIEW
Bundle · Best Value · CMMC Level 2
CMMC Level 2 Complete Domain Policy Bundle - All 12 Domain Policies
Every CMMC Level 2 domain policy in one download: Configuration Management, Audit & Accountability, Risk Assessment, Media Protection, Maintenance, Personnel Security, Physical Protection, Identification & Authentication, System & Communications Protection, System & Information Integrity, Incident Response, and Awareness & Training. Covers all 14 CMMC domains - mapped to NIST SP 800-171 Rev 2.
What's inside▾
- CM, AU, RA, MP, MA policies
- PS, PE, IA, SC, SI policies
- IR Plan and AT Policy
- All 12 domain policy files
- Every practice mapped to 800-171
- Instantly editable Word docs
Preview▾
CMMC Level 2 Complete Domain Policy Bundle
Version 1.0 | Effective: [Date] | Owner: [Title]
1. BUNDLE CONTENTS (12 policies)
CM (3.4.x) • AU (3.3.x) • RA (3.11.x) • MP (3.8.x) • MA (3.7.x) • PS (3.9.x)
2. CONTINUED
PE (3.10.x) • IA (3.5.x) • SC (3.13.x) • SI (3.14.x) • IR Plan (3.6.x) • AT (3.2.x) — Every practice mapped to NIST SP 800-171 Rev 2
PREVIEW
Bundle · Ultimate · CMMC Level 2
CMMC Level 2 Complete Certification Kit - All 14 Documents
Everything you need to walk into a CMMC Level 2 C3PAO assessment fully documented: System Security Plan, POA&M, Access Control Policy, and all 12 domain policies covering every NIST SP 800-171 Rev 2 domain. The complete documentation set assessors expect to see - nothing missing.
What's inside▾
- System Security Plan (SSP)
- POA&M Tracker (.xlsx)
- Access Control Policy
- All 12 domain policies
- All 110 practices documented
- 14 documents total, ready to submit
Preview▾
CMMC Level 2 Complete Certification Kit
Version 1.0 | Effective: [Date] | Owner: [Title]
1. BUNDLE CONTENTS (14 documents)
System Security Plan • POA&M Tracker (.xlsx) • Access Control Policy • All 12 domain policies (CM, AU, RA, MP, MA, PS, PE, IA, SC, SI, IR, AT)
2. COVERAGE
All 110 NIST SP 800-171 Rev 2 practices documented across all 14 CMMC domains. Every artifact a C3PAO assessor expects to see — nothing missing.
PREVIEW
Bundle · Best Value · NIST CSF 2.0
NIST CSF 2.0 Complete Kit - All 3 Templates & Policy Bundles
Everything you need to stand up a documented NIST CSF 2.0 program: the Organizational Profile Template (current and target state gap tracking), the Govern Policy Bundle (all six GV categories), and the Full Policy Bundle covering all six CSF 2.0 functions. Saves $64 vs. purchasing individually.
What's inside▾
- Organizational Profile (.xlsx)
- Govern Policy Bundle (6 categories)
- Full Policy Bundle (all 6 functions)
- All 106 subcategories mapped
- Current vs. target gap tracking
- Board-ready risk reporting layout
Preview▾
NIST CSF 2.0 Complete Kit
Version 1.0 | Effective: [Date] | Owner: [Title]
1. BUNDLE CONTENTS (3 files)
Organizational Profile Template (.xlsx) — All 106 subcategories with current state / target state gap tracking, priority scoring, and implementation tier guidance.
2. POLICY BUNDLES INCLUDED
Govern Policy Bundle (all 6 GV categories) • Full Policy Bundle covering all 6 CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover
PREVIEW
Security Policy
Password Policy Template - NIST-Aligned
NIST SP 800-63B aligned. Covers minimum length, passphrase support, MFA requirements, no mandatory rotation, and account lockout - customizable in under an hour.
What's inside▾
- Minimum length and complexity rules
- Passphrase support language
- MFA requirements section
- No mandatory rotation clause
- Account lockout policy
- Password manager guidance
Preview▾
Password Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes minimum requirements for creating, protecting, and managing passwords to prevent unauthorized access to [Organization] systems and data, aligned to NIST SP 800-63B.
2. PASSWORD REQUIREMENTS
Minimum 12 characters required. Passphrases of 4+ random words are permitted and encouraged. MFA is required for all remote access and all privileged accounts. Mandatory rotation is NOT required.
PREVIEW
Security Policy
Acceptable Use Policy Template - AI, BYOD & Remote Work Ready
Covers AI tool use, BYOD, social media, shadow IT, remote work expectations, email forwarding prohibition, and monitoring rights. Written for the modern workplace.
What's inside▾
- AI tool use restrictions
- BYOD and personal device rules
- Social media and shadow IT policy
- Email forwarding prohibition
- Monitoring rights disclosure
- Remote work expectations
Preview▾
Acceptable Use Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Defines acceptable use of [Organization] technology resources, including computing devices, networks, software, and organizational data.
2. AI TOOLS (SECTION 4.6)
Employees shall not input confidential, proprietary, or customer data into AI tools without prior written approval from the IT Security team. All AI tool usage on company devices is subject to monitoring.
PREVIEW
Security Policy
Incident Response Policy Template - With Cyber Insurance Checklist
NIST 800-61 lifecycle, P1–P4 severity matrix, IRT roles, 6-phase playbook, cyber insurance notification checklist, and regulatory notification table for HIPAA / PCI / state breach laws.
What's inside▾
- 6-phase IR lifecycle
- P1-P4 severity matrix
- IRT roles and responsibilities
- Cyber insurance notification checklist
- Regulatory notification table
- Tabletop exercise requirements
Preview▾
Incident Response Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes [Organization]'s capability to prepare for, detect, contain, and recover from security incidents in a structured manner per NIST SP 800-61r2.
2. INCIDENT SEVERITY MATRIX
P1 CRITICAL: Active breach with confirmed exfiltration — IRT activation within 15 min. • P2 HIGH: Active ransomware — Response within 1 hour. • P3 MEDIUM: Suspected compromise — 4 hours.
PREVIEW
Security Policy
Remote Work Security Policy Template - 2026 Ready
WPA2/WPA3 home network requirements, VPN mandatory use, public Wi-Fi restrictions, physical workspace controls, and BYOD MDM enrollment requirements.
What's inside▾
- VPN mandatory use requirements
- Home network security standards
- Public Wi-Fi restrictions
- Physical workspace controls
- BYOD MDM enrollment rules
- Screen lock and encryption requirements
Preview▾
Remote Work Security Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes security requirements for employees, contractors, and vendors accessing [Organization] systems from locations outside [Organization]-controlled facilities.
2. NETWORK SECURITY
Employees must connect through the approved VPN at all times when working remotely. Public Wi-Fi use without VPN is strictly prohibited. Home routers must use WPA2 or WPA3 encryption.
PREVIEW
Security Policy
Security Awareness Training Policy - With Training Calendar
New hire training timelines, annual refreshers, quarterly phishing simulations, role-specific requirements for IT/Finance/HR/Executives, and a training calendar template included.
What's inside▾
- New hire training timeline
- Annual refresher schedule
- Quarterly phishing simulation program
- Role-based training matrix
- Training calendar template
- Completion tracking requirements
Preview▾
Security Awareness Training Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes requirements for security awareness education to ensure all personnel understand their responsibilities and can recognize common threats including phishing and social engineering.
2. TRAINING REQUIREMENTS
New hires must complete initial training within 5 business days. Annual refresher required for all personnel. Quarterly phishing simulations required. Role-specific modules for IT, Finance, HR, and Executives.
PREVIEW
Security Policy
Backup & Recovery Policy Template - 3-2-1 Rule + Ransomware Ready
RTO/RPO by system tier, 3-2-1 backup rule, immutable backup requirements, cloud/SaaS backup mandates, monthly and quarterly restore testing, and a ransomware response section.
What's inside▾
- 3-2-1 backup rule enforcement
- RTO/RPO targets by system tier
- Immutable backup requirements
- Cloud/SaaS backup mandates
- Monthly/quarterly restore testing
- Ransomware response section
Preview▾
Backup and Recovery Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes minimum requirements for backup, retention, and recovery of [Organization] data to ensure business continuity against ransomware, hardware failure, or human error.
2. 3-2-1 BACKUP RULE
All critical data shall be maintained in at least 3 copies, on 2 different media types, with 1 copy stored offsite or in a geographically separate cloud region. Immutable backups required for all Tier 1 systems.
PREVIEW
Security Policy
Vendor Management Policy Template - With Risk Tier Classification
3-tier vendor risk classification, DPA/NDA requirements, SaaS and AI vendor onboarding rules, least-privilege access management, periodic review schedule, and vendor offboarding checklist.
What's inside▾
- 3-tier vendor risk classification
- DPA/NDA requirement language
- SaaS and AI vendor onboarding rules
- Least-privilege access management
- Vendor offboarding checklist
- Periodic review schedule
Preview▾
Vendor Management Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes requirements for managing third-party vendor relationships, assessing vendor risk, and protecting [Organization] data shared with or accessed by external service providers.
2. VENDOR RISK TIERS
Tier 1 (Critical): Access to sensitive data or systems — Annual review, DPA and security questionnaire required. • Tier 2 (Moderate): Limited access — Biennial review. • Tier 3 (Low): Self-attestation.
PREVIEW
Security Policy
Access Control Policy Template - Least Privilege, MFA & Annual Reviews
RBAC framework, MFA requirements by account type, privileged access controls with quarterly review, annual access recertification, and 1-business-day termination requirement.
What's inside▾
- RBAC framework and role matrix
- MFA requirements by account type
- Privileged access controls
- Quarterly access review schedule
- Annual access recertification
- 1-business-day termination requirement
Preview▾
Access Control Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes requirements for controlling access to [Organization] information systems and data based on least privilege, need-to-know, and role-based access control (RBAC).
2. LEAST PRIVILEGE
All users shall be granted the minimum permissions necessary to perform their job duties. Privileged accounts require quarterly review. All system access must be revoked within 1 business day of termination.
PREVIEW
Security Policy
Data Retention Policy Template - With Retention Schedule Table
12-category retention schedule table, secure disposal requirements by media type, legal hold process, and third-party data handling requirements. Covers 5 data classification types.
What's inside▾
- 12-category retention schedule table
- 5 data classification types
- Secure disposal by media type
- Legal hold process
- Third-party data handling rules
- Destruction certification requirements
Preview▾
Data Retention Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes requirements for the retention, archival, and secure disposal of [Organization] records and data in compliance with applicable legal, regulatory, and business requirements.
2. RETENTION SCHEDULE (EXCERPT)
Financial Records: 7 years • Employee Records: 7 years post-termination • Contracts: 10 years • Audit Logs: 3 years • Customer Data: Per contract + 1 year minimum
PREVIEW
AI Governance
AI Governance Policy Template - Executive Framework for AI Risk
Risk classification (High/Moderate/Low), AI system inventory, owner accountability, data minimization rules, prohibited uses, bias assessment, and AI vendor governance requirements.
What's inside▾
- Risk classification (High/Moderate/Low)
- AI system inventory template
- Prohibited use case registry
- Data minimization requirements
- Bias assessment framework
- AI vendor governance requirements
Preview▾
AI Governance Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes an organizational framework for the responsible procurement, deployment, and use of artificial intelligence systems, ensuring accountability, risk management, and regulatory alignment.
2. AI RISK CLASSIFICATION
HIGH RISK: AI systems influencing decisions on individual rights, safety, or financial outcomes — Requires executive approval and bias assessment before deployment. MODERATE: IT security review required. LOW: Inventory registration required.
PREVIEW
AI Governance
AI Vendor Risk Assessment - 60-Point Evaluation Framework
Structured questionnaire for evaluating AI SaaS vendors before you sign. Covers security posture, AI-specific governance, data handling, access controls, business continuity, and regulatory compliance - with a scoring guide and risk tier output.
What's inside▾
- 60-point evaluation framework
- Security posture assessment
- AI-specific governance questions
- Data handling and encryption review
- Business continuity evaluation
- Risk tier scoring guide
Preview▾
AI Vendor Risk Assessment
Version 1.0 | Effective: [Date] | Owner: [Title]
DOMAIN 1 — SECURITY POSTURE
1.1 SOC 2 Type II or equivalent certification maintained? • 1.2 Data encrypted in transit (TLS 1.2+)? • 1.3 Annual third-party penetration testing conducted?
DOMAIN 2 — AI GOVERNANCE
2.1 Published AI ethics or responsible AI policy? • 2.2 Training data sources disclosed on request? • 2.3 Documented process for AI bias testing and monitoring?
PREVIEW
NIST CSF 2.0
NIST CSF 2.0 Organizational Profile Template
Map your current and target cybersecurity outcomes against all six CSF 2.0 functions and 22 categories. Built for the CSF 2.0 Profiles concept - track gaps, prioritize improvements, and produce board-ready risk reporting. Pre-populated with all 106 subcategories and implementation tier guidance.
What's inside▾
- All 106 subcategories pre-populated
- Current vs. target state columns
- 22-category gap analysis
- Implementation tier (1-4) guidance
- Board-ready risk reporting layout
- Priority scoring for each gap
Preview▾
NIST CSF 2.0 Organizational Profile
Version 1.0 | Effective: [Date] | Owner: [Title]
SAMPLE ROW 1 (GV.OC-01)
Cybersecurity risk management objectives are established and communicated | Current Tier: 1 | Target Tier: 3 | Gap: Yes | Priority: High
SAMPLE ROW 2 (ID.AM-01)
IT asset inventories are maintained and communicated | Current Tier: 2 | Target Tier: 3 | Gap: Yes | Priority: Medium
PREVIEW
NIST CSF 2.0
NIST CSF 2.0 Govern Policy Bundle
Ready-to-adapt policy language for all six Govern function categories: GV.OC (Organizational Context), GV.RM (Risk Management Strategy), GV.RR (Roles & Responsibilities), GV.PO (Policy), GV.OV (Oversight), and GV.SC (Supply Chain Risk). The most commonly assessed - and most commonly missing - CSF 2.0 documentation.
What's inside▾
- GV.OC Organizational Context
- GV.RM Risk Management Strategy
- GV.RR Roles and Responsibilities
- GV.PO Policy requirements
- GV.OV Oversight language
- GV.SC Supply Chain Risk policy
Preview▾
NIST CSF 2.0 Govern Policy Bundle
Version 1.0 | Effective: [Date] | Owner: [Title]
GV.OC — ORGANIZATIONAL CONTEXT
[Organization] shall document and communicate its mission, stakeholder expectations, and cybersecurity risk tolerance to relevant personnel annually and upon material change.
GV.RM — RISK MANAGEMENT STRATEGY
The Board of Directors shall receive cybersecurity risk reporting at least quarterly. Risk appetite and tolerance statements shall be reviewed and approved annually by executive leadership.
PREVIEW
NIST CSF 2.0
NIST CSF 2.0 Full Policy Bundle - All Six Functions
Comprehensive policy documentation for every CSF 2.0 function: Govern, Identify, Protect, Detect, Respond, and Recover. Covers all 22 categories with structured policy language aligned to each function's expected outcomes. The complete policy layer for organizations building or maturing a CSF 2.0 program.
What's inside▾
- Govern function (6 categories)
- Identify and Protect functions
- Detect and Respond functions
- Recover function
- All 22 CSF 2.0 categories covered
- Ready-to-adapt policy language
Preview▾
NIST CSF 2.0 Full Policy Bundle
Version 1.0 | Effective: [Date] | Owner: [Title]
TABLE OF CONTENTS
GOVERN (GV) — 6 categories • IDENTIFY (ID) — Asset management, risk assessment • PROTECT (PR) — Access control, data security, training
CONTINUED
DETECT (DE) — Continuous monitoring, anomaly detection • RESPOND (RS) — Incident management, communications • RECOVER (RC) — Recovery planning, improvements
PREVIEW
CMMC Level 2
CMMC Level 2 System Security Plan (SSP) Template
The document every C3PAO assessor reads first. All 110 NIST SP 800-171 Rev 2 practices across 14 domains - with implementation status tracking, example language, and an evidence column for every practice.
What's inside▾
- All 110 practices documented
- 14 domain sections
- Implementation status column
- Evidence artifact column per practice
- Example policy language included
- System boundary and CUI scope sections
Preview▾
System Security Plan (SSP) — NIST SP 800-171 Rev 2
Version 1.0 | Effective: [Date] | Owner: [Title]
SYSTEM INFORMATION
System Name: [System Name] | System Owner: [Name/Title] | Data Classification: CUI | Assessment Date: [Date] | SPRS Score: [Score]
PRACTICE 3.1.1 (AC) — SAMPLE
Requirement: Limit system access to authorized users... | Status: [ ] Implemented [ ] Partial [ ] Not Implemented | Implementation Description: [Describe controls]
PREVIEW
CMMC Level 2
CMMC Level 2 Access Control Policy Template
The #1 assessment failure domain - 22 practices, fully covered. Mapped to every NIST SP 800-171 Rev 2 AC requirement: account lifecycle, least privilege, remote access, wireless, MFA, and more.
What's inside▾
- All 22 AC practices (3.1.1-3.1.22)
- Account lifecycle management
- Least privilege enforcement
- Remote access policy language
- MFA requirements section
- Wireless access controls
Preview▾
CMMC Level 2 Access Control Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.1.1 — ACCESS CONTROL
Limit information system access to authorized users, processes acting on behalf of authorized users, and devices. User accounts shall be created only upon written approval by the system owner.
3.1.2 — LEAST PRIVILEGE
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Privilege escalation requires separate approval and logging.
PREVIEW
CMMC Level 2
CMMC Level 2 Configuration Management Policy Template
Covers all 9 CM practices (3.4.1–3.4.9): baseline configurations, change control, security impact analysis, least functionality, user-installed software controls, and unauthorized software/firmware prevention.
What's inside▾
- All 9 CM practices (3.4.1-3.4.9)
- Baseline configuration requirements
- Change control process
- Security impact analysis procedure
- User-installed software controls
- Unauthorized software prevention
Preview▾
CMMC Level 2 Configuration Management Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.4.1 — BASELINE CONFIGURATIONS
[Organization] shall establish and maintain baseline configurations for all CUI-handling systems. All deviations from approved baselines require documented change control approval prior to implementation.
3.4.2 — CONFIGURATION CHANGE CONTROL
All changes to approved baseline configurations must follow the change management process. Security impact analysis required before implementation. Emergency changes must be documented within 24 hours.
PREVIEW
CMMC Level 2
CMMC Level 2 Audit & Accountability Policy Template
Covers all 9 AU practices (3.3.1–3.3.9): audit log creation, content requirements, protection from modification, review and analysis, audit failure response, and correlation of audit review across systems.
What's inside▾
- All 9 AU practices (3.3.1-3.3.9)
- Audit log creation requirements
- Log content and retention standards
- Protection from modification
- Review and analysis procedures
- Audit failure response process
Preview▾
CMMC Level 2 Audit & Accountability Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.3.1 — AUDIT LOG CREATION
[Organization] shall create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity on all CUI-handling systems.
3.3.2 — USER AUDIT TRACEABILITY
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Shared accounts are prohibited on CUI systems.
PREVIEW
CMMC Level 2
CMMC Level 2 Risk Assessment Policy Template
Covers all 3 RA practices (3.11.1–3.11.3): organizational risk assessments, CUI-handling system vulnerability scanning, and periodic remediation of identified vulnerabilities - aligned to NIST SP 800-30.
What's inside▾
- All 3 RA practices (3.11.1-3.11.3)
- Risk assessment process (NIST 800-30)
- Vulnerability scanning cadence
- Remediation tracking requirements
- Risk register template language
- CUI system scope definition
Preview▾
CMMC Level 2 Risk Assessment Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.11.1 — RISK ASSESSMENT
[Organization] shall periodically assess the risk to organizational operations, assets, and individuals resulting from the use of organizational systems. Risk assessments shall occur annually and upon significant change.
3.11.2 — VULNERABILITY SCANNING
Scan for vulnerabilities in organizational systems and hosted applications periodically and when new vulnerabilities potentially affecting the systems are identified. Critical findings remediated within 15 days.
PREVIEW
CMMC Level 2
CMMC Level 2 Media Protection Policy Template
Covers all 9 MP practices (3.8.1–3.8.9): CUI media access controls, secure marking, storage, transport, sanitization, destruction, and removable media use restrictions on organizational systems.
What's inside▾
- All 9 MP practices (3.8.1-3.8.9)
- CUI media access controls
- Secure marking and storage rules
- Transport and sanitization procedures
- Removable media restrictions
- Media destruction requirements
Preview▾
CMMC Level 2 Media Protection Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.8.1 — MEDIA ACCESS
Protect system media containing CUI, both paper and digital, limiting access to authorized individuals. All removable media containing CUI must be encrypted using FIPS 140-2 validated cryptographic mechanisms.
3.8.3 — MEDIA SANITIZATION
Sanitize or destroy system media before disposal or reuse using NIST SP 800-88 guidelines. Sanitization actions must be documented and records retained for a minimum of 3 years.
PREVIEW
CMMC Level 2
CMMC Level 2 Maintenance Policy Template
Covers all 6 MA practices (3.7.1–3.7.6): scheduled and controlled system maintenance, maintenance tool controls, nonlocal maintenance requirements, and removal of equipment for off-site servicing.
What's inside▾
- All 6 MA practices (3.7.1-3.7.6)
- Controlled maintenance procedures
- Maintenance tool controls
- Nonlocal maintenance requirements
- Equipment removal procedures
- Maintenance personnel authorization
Preview▾
CMMC Level 2 Maintenance Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.7.1 — CONTROLLED MAINTENANCE
Perform maintenance on organizational systems. All maintenance activities on CUI-handling systems must be scheduled, approved by the system owner, and documented in the [Organization] maintenance log.
3.7.3 — MAINTENANCE TOOL CONTROLS
Inspect tools used by maintenance personnel for improper or unauthorized modifications. All tools brought on-site by external maintenance personnel must be inspected and approved before use.
PREVIEW
CMMC Level 2
CMMC Level 2 Personnel Security Policy Template
Covers both PS practices (3.9.1–3.9.2): screening individuals prior to authorizing access to CUI systems, and termination and transfer procedures to protect CUI upon employee departure or role change.
What's inside▾
- Both PS practices (3.9.1-3.9.2)
- Personnel screening requirements
- CUI access authorization process
- Termination access revocation
- Transfer role-change procedures
- Contractor and vendor screening
Preview▾
CMMC Level 2 Personnel Security Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.9.1 — PERSONNEL SCREENING
Screen individuals prior to authorizing access to organizational systems containing CUI. All personnel with access to CUI systems must complete a background check prior to access authorization.
3.9.2 — TERMINATION AND TRANSFER
Upon termination, revoke access to all organizational systems within 1 business day. Upon transfer, adjust access rights to reflect new role. Return of all organization-issued assets required upon departure.
PREVIEW
CMMC Level 2
CMMC Level 2 Physical Protection Policy Template
Covers all 6 PE practices (3.10.1–3.10.6): limiting physical access to CUI systems, visitor escorting and logs, physical access device management, monitoring physical access, and protecting systems at alternate work sites.
What's inside▾
- All 6 PE practices (3.10.1-3.10.6)
- Physical access authorization
- Visitor escort and log requirements
- Access device management
- Physical monitoring requirements
- Alternate work site protections
Preview▾
CMMC Level 2 Physical Protection Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.10.1 — PHYSICAL ACCESS AUTHORIZATION
Limit physical access to organizational systems, equipment, and operating environments to authorized individuals. Access control lists must be reviewed quarterly and updated upon personnel changes.
3.10.3 — VISITOR ESCORT
Escort visitors and monitor visitor activity within facilities containing CUI systems. All visitors must sign a visitor log upon entry. Unescorted access by visitors to CUI areas is prohibited.
PREVIEW
CMMC Level 2
CMMC Level 2 Identification & Authentication Policy Template
Covers all 11 IA practices (3.5.1–3.5.11): MFA requirements for privileged and non-privileged accounts, password complexity, identifier management, replay-resistant authentication, cryptographic password storage, and session feedback obscurement - the most commonly failed domain in CMMC assessments.
What's inside▾
- All 11 IA practices (3.5.1-3.5.11)
- MFA requirements (privileged + standard)
- Password complexity rules
- Replay-resistant authentication
- Cryptographic password storage
- Session obscurement requirements
Preview▾
CMMC Level 2 Identification & Authentication Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.5.3 — MULTI-FACTOR AUTHENTICATION
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Approved authenticators: FIDO2 hardware keys, TOTP authenticator apps.
3.5.7 — PASSWORD COMPLEXITY
Enforce a minimum password complexity when new passwords are created. Minimum 12 characters, or passphrases of 4+ words. Cryptographic storage required (bcrypt/PBKDF2). Plaintext password storage is prohibited.
PREVIEW
CMMC Level 2
CMMC Level 2 System & Communications Protection Policy Template
Covers all 16 SC practices (3.13.1–3.13.16): boundary protection, deny-by-default network rules, encryption in transit (TLS/FIPS), encryption at rest, key management, split tunneling prevention, session termination, FIPS-validated cryptography, and CUI protection requirements.
What's inside▾
- All 16 SC practices (3.13.1-3.13.16)
- Boundary protection rules
- Encryption in transit (TLS/FIPS)
- Encryption at rest requirements
- Split tunneling prevention
- FIPS-validated cryptography
Preview▾
CMMC Level 2 System & Communications Protection Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.13.1 — BOUNDARY PROTECTION
Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems. All traffic traversing system boundaries must be inspected by a stateful firewall.
3.13.8 — ENCRYPTION IN TRANSIT
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission. TLS 1.2 or higher required for all network communications. TLS 1.0 and 1.1 shall be disabled on all systems.
PREVIEW
CMMC Level 2
CMMC Level 2 System & Information Integrity Policy Template
Covers all 7 SI practices (3.14.1–3.14.7): vulnerability remediation SLAs by CVSS severity, EDR/malware protection requirements, CISA KEV monitoring, vulnerability scanning cadence, intrusion detection, and unauthorized system use identification.
What's inside▾
- All 7 SI practices (3.14.1-3.14.7)
- Vuln remediation SLAs by CVSS score
- EDR/malware protection requirements
- CISA KEV monitoring requirements
- Vulnerability scanning cadence
- Intrusion detection requirements
Preview▾
CMMC Level 2 System & Information Integrity Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.14.1 — FLAW REMEDIATION SLAs
Identify, report, and correct information and system flaws in a timely manner. Critical (CVSS 9.0+): 15 days. High (7.0-8.9): 30 days. Medium (4.0-6.9): 90 days. Low: Next scheduled maintenance window.
3.14.2 — MALICIOUS CODE PROTECTION
Provide protection from malicious code at appropriate locations within organizational systems. EDR must be deployed on all endpoints. Real-time scanning and automatic updates required. Weekly full-system scans required.
PREVIEW
CMMC Level 2
CMMC Level 2 Incident Response Plan Template
Covers all 3 IR practices (3.6.1–3.6.3): 6-phase IR lifecycle, IRT roles, P1–P4 severity classification, containment and eradication procedures, DFARS 252.204-7012 72-hour DoD reporting workflow, DIBNet reporting, forensic image preservation (90-day requirement), and annual tabletop exercise requirements.
What's inside▾
- All 3 IR practices (3.6.1-3.6.3)
- 6-phase IR lifecycle
- DFARS 72-hour DoD reporting workflow
- DIBNet reporting procedures
- Forensic preservation (90-day rule)
- Annual tabletop exercise requirements
Preview▾
CMMC Level 2 Incident Response Plan
Version 1.0 | Effective: [Date] | Owner: [Title]
3.6.1 — IR CAPABILITY
Establish an operational incident-handling capability for organizational systems including preparation, detection, analysis, containment, recovery, and user activities per NIST SP 800-61r2.
DFARS REPORTING REQUIREMENT
Incidents involving CUI must be reported to the DoD via DIBNet within 72 hours of discovery per DFARS 252.204-7012(c). Forensic images must be preserved for 90 days and made available upon DoD request.
PREVIEW
CMMC Level 2
CMMC Level 2 Security Awareness & Training Policy Template
Covers all 3 AT practices (3.2.1–3.2.3): new hire and annual training requirements, role-based training matrix (admins, finance, executives, help desk), insider threat and phishing recognition training, quarterly phishing simulation program, and training completion tracking requirements.
What's inside▾
- All 3 AT practices (3.2.1-3.2.3)
- New hire training requirements
- Role-based training matrix
- Insider threat training language
- Quarterly phishing simulation program
- Training completion tracking
Preview▾
CMMC Level 2 Security Awareness & Training Policy
Version 1.0 | Effective: [Date] | Owner: [Title]
3.2.1 — SECURITY LITERACY
Ensure that personnel are aware of the security risks associated with their activities and of applicable policies, standards, and procedures related to the security of CUI and organizational systems.
3.2.2 — ROLE-BASED TRAINING
Ensure personnel are trained to carry out their assigned security responsibilities. Role-specific training required for: System Administrators, Finance/Payroll, Human Resources, Executive Leadership, and Help Desk.
PREVIEW
CMMC Level 2 - Assessment Tool
CMMC Level 2 Evidence Tracker - All 110 Practices
Stop guessing what assessors want to see. This Excel tracker maps all 110 NIST SP 800-171 Rev 2 practices to specific evidence artifacts - with a live dashboard, status tracking, domain-by-domain progress, and an Assessment Ready formula for every practice.
What's inside▾
- All 110 practices mapped
- Evidence artifact column per practice
- Live dashboard with % readiness
- Domain-by-domain progress tracking
- Assessment Ready formula
- Gap prioritization by domain
Preview▾
CMMC Level 2 Evidence Tracker
Version 1.0 | Effective: [Date] | Owner: [Title]
TRACKER STRUCTURE
All 110 NIST SP 800-171 Rev 2 practices organized by domain, with: Implementation Status | Evidence Artifact Description | Evidence Location | Assessment Ready indicator
DASHBOARD OVERVIEW (SAMPLE)
AC (Access Control): 18/22 — 82% ready • CM (Config Mgmt): 7/9 — 78% ready • AU (Audit): 9/9 — 100% ready • Overall: 87 of 110 practices Assessment Ready
PREVIEW
Risk & Resilience
Business Continuity Plan Template
A complete, ready-to-use BCP covering: Business Impact Analysis with RTO/RPO tables, plan activation criteria, BCT roster and succession, communication plan (internal + external), IT recovery summary, vendor registry, manual fallback procedures, and test record templates. Structured per NIST SP 800-34.
What's inside▾
- Business Impact Analysis table
- RTO/RPO by business function
- BCT roster and succession plan
- Internal and external comms plan
- Manual fallback procedures
- BCP test record template
Preview▾
Business Continuity Plan
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Establishes procedures to ensure [Organization] can continue critical operations during and following a disruptive event, structured per NIST SP 800-34 and aligned to ISO 22301 principles.
BUSINESS IMPACT ANALYSIS (EXCERPT)
Financial Processing (Payroll): RTO 4 hrs | RPO 1 hr | MTD 24 hrs • Email / Communications: RTO 1 hr | RPO 30 min | MTD 4 hrs • Customer Portal: RTO 8 hrs | RPO 4 hrs | MTD 72 hrs
PREVIEW
Risk & Resilience
Disaster Recovery Plan Template
A complete IT disaster recovery plan covering: system inventory with RTO/RPO/MTD targets, IT Recovery Team structure, backup architecture documentation, step-by-step recovery procedures for ransomware, hardware failure, and facility loss, recovery validation checklists, and DR test record templates.
What's inside▾
- System inventory with RTO/RPO/MTD
- IT Recovery Team structure
- Backup architecture documentation
- Recovery procedures (4 scenarios)
- 10-point recovery validation checklist
- DR test record template
Preview▾
IT Disaster Recovery Plan
Version 1.0 | Effective: [Date] | Owner: [Title]
1. PURPOSE
Provides step-by-step procedures for restoring [Organization] IT systems, applications, and data following a disruptive event including ransomware, hardware failure, facility loss, or cloud provider outage.
SYSTEM RECOVERY PRIORITIES
Tier 1 (RTO 4hr): Active Directory, Email, VPN, Core ERP • Tier 2 (RTO 8hr): File Servers, Backup Infrastructure • Tier 3 (RTO 24hr): Development/Test Environments, Archival Systems
PREVIEW
Vendor Risk
Vendor Risk Assessment Questionnaire
A comprehensive 68-question vendor security assessment covering 9 domains: security governance, access control, data handling and encryption, network and endpoint security, incident response, business continuity, personnel security, subcontractor risk, and compliance. Includes a scoring rubric and risk rating summary.
What's inside▾
- 68 assessment questions
- 9 security domain sections
- Yes/No/NA + evidence columns
- Subcontractor (4th party) risk section
- Risk scoring rubric (Low/Med/High)
- Assessor approval workflow
Preview▾
Vendor Security Assessment Questionnaire
Version 1.0 | Effective: [Date] | Owner: [Title]
DOMAIN 1 — SECURITY GOVERNANCE
1.1 Written Information Security Policy reviewed annually? • 1.2 SOC 2 Type II or ISO 27001 audit completed within the last 12 months? • 1.3 Designated CISO or equivalent security leadership role?
DOMAIN 2 — ACCESS CONTROL
2.1 MFA enforced for all remote access and privileged accounts? • 2.2 Access reviews conducted at least quarterly? • 2.3 Privileged Access Management (PAM) solution deployed?
PREVIEW
Microsoft 365
Microsoft Defender Impersonation Protection Template Pack
9 ready-to-use checklists, worksheets, and templates for M365 admins, MSPs, and IT teams - covering anti-phishing policy reviews, spoof intelligence, impersonation incident response, and more.
What's inside▾
- Anti-phishing policy review checklist
- Spoof intelligence worksheet
- Impersonation IR runbook
- Safe Sender/Domain audit template
- Admin audit log review guide
- 9 total templates (.docx + .pdf)
Preview▾
Microsoft Defender — Anti-Phishing Policy Review Checklist
Version 1.0 | Effective: [Date] | Owner: [Title]
STEP 1 — POLICY REVIEW
Navigate to: security.microsoft.com > Policies & Rules > Threat Policies > Anti-Phishing. Verify impersonation protection is enabled for all executive and high-value accounts.
STEP 2 — SPOOF INTELLIGENCE
Confirm anti-spoofing intelligence is enabled. Review quarantine vs. deliver actions for detected spoofed senders. Verify all expected external sending domains are on the safe senders list.
PREVIEW
Email Security
Email Security Starter Pack
6 practical templates for small businesses and MSPs - phishing incident response, suspicious email triage, SPF/DKIM/DMARC verification, user awareness emails, and a monthly review checklist.
What's inside▾
- Phishing incident response template
- Suspicious email triage guide
- SPF/DKIM/DMARC verification checklist
- User awareness email templates
- Monthly email security review
- 6 files (.docx + .pdf)
Preview▾
Phishing Incident Response Template
Version 1.0 | Effective: [Date] | Owner: [Title]
STEP 1 — INITIAL REPORT
User reports suspicious email to: [IT Security Email / Helpdesk Ticket System] | Date/Time Reported: _______ | Email Subject Line: _______ | Sender Address: _______
STEP 2 — TRIAGE
Was any link clicked or attachment opened? [ ] Yes [ ] No. If yes: isolate device immediately, preserve email headers, open incident ticket. Notify Security team within 15 minutes of confirmed phishing.
PREVIEW
Free Tool
CMMC Level 2 Policy Checklist Generator
Answer 3 quick questions about your organization and instantly get a prioritized list of the CMMC Level 2 policies you need - matched to your industry, size, and CUI handling scope.
Free Tool
CMMC Level 2 Readiness Assessment
Walk through 56 questions across all 14 CMMC domains and get a scored readiness report - with your weakest domains flagged, prioritized remediation gaps, and template recommendations tailored to your results.
Free Download
CMMC Scope Definition Worksheet
The first document every CMMC Level 2 assessment requires. Define your CUI boundary, system inventory, network architecture, external service providers, and scope exclusions - all in one structured worksheet.
Free Download
Cyber Incident Response Quick-Reference Card
A print-ready one-pager covering all 6 IR phases, DFARS 72-hour reporting requirements, severity classification, contact fill-in blocks, and a Do / Never Do checklist. Keep it next to your keyboard.