GET YOUR CMMC-COMPLIANT INFORMATION SECURITY POLICIES IN 30 SECONDS OR LESS!
Welcome to the CMMC Policy Creator! We have mastered the art of automating Cybersecurity Maturity Model Certification (CMMC) information security policy creation so you can get your CMMC and NIST 800-171 compliant policies right here, right now.
COMPLIANCE-FOCUSED
CMMC 2.0 / NIST 800-171
With the latest and greatest updates from the U.S. Department of Defense (DoD) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) guidance, CMMC 2.0 is geared up to be directly aligned to NIST 800-171.
Wait, I heard that policies were no longer a thing for CMMC 2.0. Um, well, you heard wrong. Appendix E of NIST 800-171 clearly articulates that domain-specific information security policies are expected as a normal part of a company’s business operations. As such, your Certified CMMC Assessor (CCA) will most certainly be asking to see them during your CMMC Assessment.

WHAT YOU GET
YOUR CMMC / NIST POLICY SET
POLICIES
CMMC Level 1: Six (6) individual policies (just in case you want one policy for each of the domains) and one (1) integrated policy (for those companies that just want one policy that has sections for all six domains). That’s a total of seven (7) documents.
CMMC Level 2 & Level 3: Fourteen (14) individual policies (just in case you want one policy for each of the domains) and one (1) integrated policy (for those companies that just want one policy that has sections for all fourteen domains). That’s a total of fifteen (15) documents.
MS WORD POLICIES
Unlike competitors like Exostar’s PolicyPro we don’t keep your information security policies hostage.
We deliver your policies in Microsoft Word format so you have the source code. There’s absolutely no reason to pay $999 per year to a company to manage your policies; that’s something you can do yourself.
Why wait on a third-party when you need to make a change? That’s just crazy if you ask us. They are your policies after all.
CREATED BY A CMMC ASSESSOR
Our policies were created by an an (Provisional) Certified CMMC Assessor and (Provisional) Certified CMMC Instructor so you have confidence in the policies that have been created.
The author is a dual-service veteran with more than four decades of information security experience.
As a result, we stand behind our policies and will back them up if any issues arise during your CMMC Assessment.
CONTROL/PRACTICE MAPPING
In addition to the basic guidelines found in the CMMC and NIST 800-171, we have leveraged decades of experience to create an industry best practice structure for the policies. In fact, the framework is used by some of the world’s most mature information security groups.
Of course, a key part of the information security policy structure or framework is mapping of the CMMC practice / NIST security control in the policy so we have taken care of that.
Why did we do that? Well, because as an Assessor we know what Assessors want. Policy statement mapping to controls makes for economical CMMC Assessments, which we like.




Finished vs. Incomplete
We have employed industry best practices to automagically generate COMPLETE documents. After you fill in the form and hit submit you are finished. We are not generating partially complete documents; they are essentially complete. Yes, we do encourage customers to review them to ensure they truly match how you will or do operate but the documents you receive are complete. Exostar PolicyPro makes you create the policy whereas we do it for you.
Level-Specific Policies
We have employed industry best practices to automagically generate COMPLETE documents. After you fill in the form and hit submit you Every customer receives the appropriate number of policies according to the selected CMMC level. CMMC Level 1 includes seven (7) policies: a single integrated information security policy and individual policies for the six domains. If CMMC Level 2 is selected then you will receive fifteen (15) policies: a single integrated information security policy and individual policies for the 14 domains.
Seconds vs. Days
What you’ll receive in approximately 30-90 seconds after you hit submit. How are we able to do this so fast? It’s because unlike Exostar, we have automated the process so you can get your hands on the policies and get to work immediately!
- A single information security policy that incorporates all appropriate CMMC domains—this is the simple approach to policies and may be ideal for some smaller organizations seeking certification (OSCs); AND
- From six (6) to fourteen (14) individual policies aligned to each of the CMMC domains—this is the more robust option and is ideal for larger OSCs that want/need segmentation for better policy management.
Source Documents vs. Hostage Documents
Unlike Exostar PolicyPro, we deliver the NIST 800-171 & CMMC-compliant information security policy/ies (including reference to the domains), in 30-90 seconds or so. They come to you via email and you’ll get them in Microsoft Word format so you can adjust as you see fit.
Direct Mapping
We map all of our detailed information to the CMMC to ensure traceability.
Developed by a CMMC Provisional Assessor
We’re not 100% certain but we are pretty sure Exostar doesn’t have any CMMC Provisional Assessors on their staff, so, there’s that to consider.
Reasonable Cost vs. Less Reasonable Cost
It’s pretty simple. Exostar charges $999 per year and we charge $79.99 (Level 1) or $149.99 (Level 2). This is a ONE TIME cost, not an annual fee. Sorry, if you need to re-run the ProBot for the same client you’ll have to pay again—although we recommend a find/replace strategy to reduce your costs.
Fit for Use
Added value only matters if the customer gets tangible benefit. With that in mind, policies are not rocket science to create but they can be quite time consuming if you write them yourself. Where the real heavy lifting comes in is at the low-level procedures. Policies set the laws for the company but when it comes to a formal assessment, the assessor needs evidence that the organization actually does what it says. This is the devil in the details part and it’s where procedures enter the compliance equation. So, in 30 seconds or less we can produce a pretty amazing information security policy that include the appropriate sub-sections for each CMMC domain and a corresponding set of individual policies, but procedures aren’t like that. They are unique to every customer.
(Optional) Value-Added
In order to add real value in helping customers sort out the state of their procedures we offer a 24, 40 or 80 hour consulting options. You can decide how the hours are spent (e.g., assessing your current policy(ies), updating your existing procedures to align to the new policy(ies), or helping developing new procedures. It’s your decision and they are your hours to use as you see fit. All we require is that the hours are consumed contiguously, over the course of one calendar week.