CMP Pricing

NIST 800-171 Assessment Pricing
30 Day Free Trial. No credit card required.
NIST 800-171
110 Controls
$1,800/year
Billed Annually
CMMC Lite
(Limited Features)
Platform Features
Auto-Generated Documentation [1]
Policy Templates
Multiple Users
CSP-Blind Encryption
Evidence Storage
POA&Ms
Progress Visualization
2FA
Task Assignment
Email/SMS Task Reminders [2]
SSP Revision History
[1] Includes System Security Plan (SSP)
[2] Coming Soon
All user-supplied content (text, evidence, etc.) is encrypted in the browser with an AES-256 key generated by the user before transmission to ComplyUp. Bottom Line: We couldn’t decrypt your data if we wanted to.
Frequently Asked Questions
The DoD expects compliance with NIST 800-171 to be an ongoing process instead of a snapshot in time. Contractors are required to continually review and update control responses and refresh the System Security Plan on a regular basis.

3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

An annual subscription to ComplyUp allows you to update requirement responses and generate new System Security Plans as often as necessary.
In order to answer this, you must first determine how many sites you have with IT equipment that will store or process CUI data. This can include data centers, cloud systems, and offices or manufacturing sites with servers or workstations. Do not include sites that have no access to CUI data, like corporate offices with workstations that only perform business or administrative activities. Then work your way through the following question list.

1. How many sites with CUI do you have?
One Site – You only need 1 assessment.
Two or more Sites – Continue to the next question.

2. If you assessed one site, would the bulk of your responses to the requirements be the same for all other sites? In other words, are all IT system types and configurations essentially the same across all sites? Do all sites adhere to the same corporate policies regarding IT system configuration and use?
Yes – You only need 1 assessment.
No – Continue on to the next question.

3. Are the IT systems, configurations and policies different for each site?
Yes – The number of assessments you need is equal to the number of sites you have.
No – Group sites together that are built out and configured similarly, so the bulk of your responses to the requirements are the same for all sites in the group. Each of these groups of sites would require one assessment.

If you’re still unsure how many assessments you’ll need, feel free to contact us to discuss your specific situation.
Simply log into your ComplyUp assessment and hit the “upgrade” button at the top right of the screen.