top of page

CMMC/NIST Policy ProBot

Both NIST 800-171 and the Capability Maturity Model Certification (CMMC) require organizations have a documented information security policy (or policies) and related procedures for each of the respective domains.  Up until the release of our Policy Professional Robot (ProBot) organizations were more or less "stuck" writing them from scratch or or forced to use Exostar's PolicyPro. Exostar's PolicyPro serves its purpose but it's comparatively slow and they maintain control over your documents.  We think that's kind of like holding your policies hostage.  And when Exostar PolicyPro is charging $999 per year it seems a bit unfair to organizations who just want a policy or policy set.

  • Finished vs. Incomplete:  We have employed industry best practices to automagically generate COMPLETE documents.  After you fill in the form and hit submit you are finished.  We are not generating partially complete documents; they are essentially complete.  Yes, we do encourage customers to review them to ensure they truly match how you will or do operate but the documents you receive are complete.  Exostar PolicyPro makes you create the policy whereas we do it for you.

  • Level-Specific Policies: Every customer receives the appropriate number of policies according to the selected CMMC level. CMMC Level 1 includes seven (7) policies: a single integrated information security policy and individual policies for the six domains. If CMMC Level 2 is selected then you will receive fifteen (15) policies: a single integrated information security policy and individual policies for the 14 domains.

  • Seconds vs. Days: What you'll receive in approximately 30-90 seconds after you hit submit. How are we able to do this so fast? It's because unlike Exostar, we have automated the process so you can get your hands on the policies and get to work immediately!

    • A single information security policy that incorporates all appropriate CMMC domains---this is the simple approach to policies and may be ideal for some smaller organizations seeking certification (OSCs); AND

    • From six (6) to fourteen (14) individual policies aligned to each of the CMMC domains---this is the more robust option and is ideal for larger OSCs that want/need segmentation for better policy management.

  • Source Documents vs. Hostage Documents: Unlike Exostar PolicyPro, we deliver the NIST 800-171 & CMMC-compliant information security policy/ies (including reference to the domains), in 30-90 seconds or so.  They come to you via email and you'll get them in Microsoft Word format so you can adjust as you see fit. 

  • Direct Mapping: We map all of our detailed information to the CMMC to ensure traceability.

  • Developed by a Certified CMMC Assessor: We're not 100% certain but we are pretty sure Exostar doesn't have any CMMC Provisional Assessors on their staff, so, there's that to consider.

  • Reasonable Cost vs. Less Reasonable Cost: It's pretty simple. Exostar charges $999 per year and we charge $79.99 (Level 1) or $149.99 (Level 2). This is a ONE TIME cost, not an annual fee. Sorry, if you need to re-run the ProBot for the same client you'll have to pay again---although we recommend a find/replace strategy to reduce your costs.

  • License: You are allowed to you to use the policy/policy set for ONE (1) customer or organization only.

    • You may modify a single purchased copy of the contents for internal organizational use or for the benefit of one (1) customer.

    • You MAY NOT re-sell, re-distribute or make available to any entity the policy(ies) unless in accordance with the terms.

    • You MAY NOT create derivative versions of the material for commercial purposes.

  • Fit for Use:  Added value only matters if the customer gets tangible benefit.  With that in mind, policies are not rocket science to create but they can be quite time consuming if you write them yourself.  Where the real heavy lifting comes in is at the low-level procedures.  Policies set the laws for the company but when it comes to a formal assessment, the assessor needs evidence that the organization actually does what it says. This is the devil in the details part and it's where procedures enter the compliance equation.  So, in 30 seconds or less we can produce a pretty amazing information security policy that include the appropriate sub-sections for each CMMC domain and a corresponding set of individual policies, but procedures aren't like that.  They are unique to every customer. 

  • (Optional) Value-Added: In order to add real value in helping customers sort out the state of their procedures we offer a 24, 40 or 80 hour consulting options.  You can decide how the hours are spent (e.g., assessing your current policy(ies), updating your existing procedures to align to the new policy(ies), or helping developing new procedures.  It's your decision and they are your hours to use as you see fit.  All we require is that the hours are consumed contiguously, over the course of one calendar week.

bottom of page