NIST 800-171 r3 / CMMC L2 · 22 QUESTIONS · FREE TEMPLATE

NIST SP 800-171 Self-Assessment — for DoD contractors handling CUI

Any organisation processing Controlled Unclassified Information (CUI) under a DoD contract must implement and self-assess against NIST SP 800-171 (revision 3, finalised 2024). This template gets you 80% of the way to a defensible SPRS score and CMMC Level 2 readiness.

Total questions: 22
Categories: 14
Typical timeline: 2–4 weeks for first complete self-assessment
Effort: 40–120 hours
Who requests it
  • DoD prime contractors flowing down DFARS 252.204-7012
  • C3PAOs assessing CMMC Level 2 readiness
  • DCMA DIBCAC assessors on high-priority projects
Who fills it out
  • Information System Security Officer (ISSO) / CISO
  • Often with the GovCon programme manager

The questionnaire — every question, inline

1. Access Control (3.1)

2 questions
Who can access CUI systems and data.
  1.1  Are CUI accounts limited to authorised users, processes, and devices (3.1.1)? Provide the access-control policy and account inventory. [Critical]
  1.2  Is MFA enforced for all local and network access to CUI (3.1.20 → 3.5.3)? Is a phishing-resistant factor used? [Critical]

2. Awareness & Training (3.2)

1 question
Security training for the workforce.
  2.1  Is role-based security training delivered to CUI users at hire and annually (3.2.1, 3.2.2)? Are completion records retained? [High]

3. Audit & Accountability (3.3)

2 questions
Logging and review.
  3.1  Are audit events created and retained per organisational policy (3.3.1, 3.3.2)? What is the retention period? [Critical]
  3.2  Are audit logs reviewed and analysed for indicators of unauthorised activity (3.3.5)? Is a SIEM in use? [High]

4. Configuration Management (3.4)

2 questions
Baselines and change control.
  4.1  Are baseline configurations for CUI systems established and maintained (3.4.1)? Which hardening framework is used (CIS, DISA STIG)? [High]
  4.2  Is software execution restricted via allowlisting (3.4.8)? [High]

5. Identification & Authentication (3.5)

1 question
Strong authentication.
  5.1  Are passwords replaced with cryptographic mechanisms or phishing-resistant MFA where required (3.5.3, 3.5.7)? [Critical]

6. Incident Response (3.6)

2 questions
Detect, report, recover.
  6.1  Is there a documented IR capability that includes preparation, detection, analysis, containment, and recovery (3.6.1)? [Critical]
  6.2  Are cyber incidents reported to DoD via DIBNet within 72 hours per DFARS 7012(c)? Provide the most recent test or actual report. [Critical]

7. Maintenance (3.7)

1 question
Maintenance personnel and tools.
  7.1  Are maintenance tools, techniques, and personnel controlled (3.7.1, 3.7.6)? Is equipment sanitised before removal? [High]

8. Media Protection (3.8)

2 questions
Storage media handling.
  8.1  Is CUI on digital and non-digital media protected at rest and in transit (3.8.1, 3.8.6)? [Critical]
  8.2  Is media sanitised before disposal or reuse per NIST SP 800-88 (3.8.3)? [High]

9. Personnel Security (3.9)

1 question
Screening, termination.
  9.1  Are individuals screened before being granted access to CUI (3.9.1)? Is access revoked promptly on termination or transfer (3.9.2)? [High]

10. Physical Protection (3.10)

1 question
Facility and device control.
  10.1  Is physical access to CUI facilities and devices monitored, logged, and limited (3.10.1, 3.10.2)? [High]

11. Risk Assessment (3.11)

1 question
Periodic risk analysis.
  11.1  Are risk assessments performed periodically (3.11.1)? How often is vulnerability scanning performed (3.11.2)? [High]

12. Security Assessment (3.12)

2 questions
Self-assessment and POA&M.
  12.1  Has a NIST 800-171 self-assessment been completed and the SPRS score posted (3.12.4, DFARS 7019)? [Critical]
  12.2  Is a Plan of Action & Milestones (POA&M) maintained for any unimplemented requirements (3.12.2)? [High]

13. System & Comms Protection (3.13)

2 questions
Network architecture and crypto.
  13.1  Is cryptography FIPS-validated for protecting CUI confidentiality (3.13.11)? Which validated modules are used? [Critical]
  13.2  Are network boundaries defined, monitored, and managed (3.13.1)? Are deny-by-default rules in place? [High]

14. System & Info Integrity (3.14)

2 questions
Flaw remediation, malicious code.
  14.1  What is the maximum window from vendor patch release to deployed fix for critical vulnerabilities (3.14.1)? [Critical]
  14.2  Are systems monitored for malicious code (3.14.2) and unauthorised network traffic (3.14.6)? [High]

FAQ

Is NIST 800-171 mandatory or just recommended?
Mandatory if you handle CUI under any DoD contract via DFARS 252.204-7012. Failure to comply can trigger contract termination and False Claims Act liability.
What's the difference between 800-171 and CMMC 2.0 Level 2?
CMMC 2.0 Level 2 requires the same 110 controls (r2) / restructured set (r3) as NIST 800-171, but adds third-party C3PAO assessment for prioritised programmes; non-prioritised programmes may self-assess.
Do we need to be on GovCloud?
Not strictly — you need a system architecture that meets the controls. GCC High / AWS GovCloud / Azure Government make it easier but aren't the only path. Many SMB defense contractors use enclaves.
How is the SPRS score calculated?
Start at 110 and deduct 1, 3, or 5 points per unimplemented requirement, per the DoD scoring methodology. Negative scores are common at a first assessment. Primes increasingly require a score of 110 or a clear POA&M before awarding contracts.
