CMMC and NIST Assessments

Overview of CMMC and NIST 800-171 Assessments


CMMC and NIST Express Packages

CMMC Cybersecurity Compliance Solutions

Based upon the newly mandated DoD CMMC requirements, Imprimis has developed express packages specifically designed to meet these requirements; the packages are organized by domain, process and practice.
These Express Packages take into consideration accepted cybersecurity principles and best practices and are designed to greatly reduce remediation costs and the time it takes to reach compliance.



i2 CMMC Architectural Development & Design Express Package

Imprimis highly recommends that an architectural review of the in-scope system be performed, and that the architectural design of the future, CMMC-compliant ("to-be") system be prepared, reviewed and approved immediately following the assessment process. This allows for an easy and effective progression to the Plan of Action and Milestones (POA&M) needed to complete the remediation process. The network architecture and the design of the security controls will either shape or be included in required documentation such as the Policies and Procedures and the System Security Plan.


  • Architecture Documentation (network diagram, identification of all major components, and a bill of materials)
  • Documented Approach to Security Control Implementation

i2 CMMC Plan of Action and Milestones (POA&M) Express Package

The POA&M will be developed based upon the assessment findings and the ‘to-be’ architecture as follows:
  • Provide the customer a tailored POA&M in which all remediation actions required to implement the new architecture, and the security controls required for compliance with CMMC, are identified and organized according to the recommended precedence.
  • Imprimis will lead a facilitated meeting with the customer to define options, including cost and implementation lead times, and to arrive at the final schedule for all tasks.
  • The customer will make decisions on key elements, including the network changes required and key technology/system selections such as multi-factor authentication, backup, monitoring and scanning tools, and will make the final decisions on schedule based on the customer’s needs and the resources available.


  • Customer POA&M in MS Project or Excel (open source project management tools can also be used). If the customer cannot define a schedule when the POA&M items are defined, it will be the customer’s responsibility to insert the schedule later.

i2 CMMC System Security Plan (SSP) Express Package

Utilizing the Imprimis SSP Express Template and working closely with the customer, a CMMC/DFARS-compliant SSP will be developed for the requested Level as follows:
  • System definition including diagrams and hardware/software inventories
  • Identification of the customer’s management organization with responsibility for protecting the business, the information technology, and Controlled Unclassified Information (CUI)
  • A documented risk analysis/assessment
  • Inclusion of the most current Assessment Report
  • Recommended inclusion of, or reference to, the customer’s Policies and Procedures, Incident Response Plan and any other pertinent information


  • Draft customer SSP (to be completed by client once remediation has been completed)

i2 CMMC Policy and Procedure (P&P) Express Package

i2 NIST 800-171 Policies and Procedures (P&P) Express Package

CMMC P&P: The CMMC is organized by domains, each of which has one or more capabilities, which in turn call for security practices to be implemented. Each domain also requires processes to be implemented that ensure the integrity of the security controls and indicate maturity. Even though the CMMC was strongly informed by NIST 800-171, the CMMC increases the total number of items that need to be implemented, tracked, maintained, and eventually audited.
The Imprimis CMMC P&P document is organized by all 17 domains; at least one policy per domain is documented, and domain sub-policies are provided when needed. The policies are cross-referenced to the procedures needed to ensure the security practices are implemented and maintained. The procedures document is a separate volume and contains the basic procedures and processes required of compliant organizations. The procedures are written in sufficient detail to ensure proper implementation of all practices and processes included in the CMMC. Both the policies and the procedures documents provide a direct mapping to the CMMC practices, processes, and capabilities. They also provide cross-mapping to the NIST 800-171r1 or 800-53 requirements.
The P&P documents are designed to be adopted “as is” and will require little or no change. These packages provide a direct mapping of the CMMC, NIST 800-171r1/800-53 and DFARS requirements to the policies and procedures a company needs to implement to be compliant, with the added benefit of saving the money and resources typically spent developing P&Ps. Of course, the customer can modify or adjust the P&P at any time as they see fit.
A training briefing and video are included with these packages so all employees can immediately be trained on the adopted P&P.


A final tailored P&P package as follows:
  • Two separate documents – a Policy document and a Procedure document – which allows for easy future additions/deletions
  • Facilitated review of the P&P package with the customer
  • Incorporation of minor changes after customer review if necessary
  • Assistance with the customer’s approval process for P&P adoption
  • Overview of the training briefing and video
Note: This P&P Package does not include completely customized P&P preparation, re-writing of existing customer policies and procedures, or actual training of employees.

i2 CMMC Incident Response Plan (IRP) Express Package

The purpose of the IRP is to plan, implement, and maintain a robust incident-handling capability for organizational information and operational systems. This capability includes preparation, detection, analysis, containment, recovery, and user response activities. The IRP Package will be prepared jointly with the client, taking into account their existing corporate culture, processes and IT knowledge base, and will include a detailed definition of the incident response process, key personnel and contacts, and detailed procedures for:
  • Identification of incidents
  • Isolation procedures
  • Evidence gathering and chain-of-custody protection
  • Media preservation
  • Malware capture and isolation
  • Forensic analysis
  • A communications plan which defines roles, responsibilities, and all communication protocols and details
Once the IRP is in place, the client will be responsible for training their management and staff on incident response and for conducting mock incident response exercises multiple times per year.


  • Final tailored Incident Response Plan

NIST 800-171/53 Express Packages

Imprimis will continue to offer the P&P, POA&M, SSP and IRP Express Packages applicable to the NIST 800-171 requirements only. These are organized by requirement and will be adapted to NIST 800-53 if required. As a side note, more than 100 of the 110 requirements in NIST 800-171 call for governing policies and procedures.


NOTE: Services (other than hourly consulting) and Solutions are not available for purchase through the online store, as pricing depends upon company size, number of users, end user devices, servers, and network architecture. Call 719-785-0320 for more information or a quote today!