§ Plans
Plan generators

Family compliance plans, generated.

Answer a structured set of questions and download a Word document — cover page, control-by-control implementation narrative, linked CCIs, and back matter included. Saves and reloads as JSON so a half-finished draft travels with you.

Access Control

Access Control Plan

Documents how the organization controls who can access the system, what they can do once authenticated, and how that access is reviewed and revoked. Covers the controls of the AC family in NIST SP 800-53 r5 and aligns with NIST SP 800-63 (Digital Identity Guidelines) and NIST SP 800-162 (ABAC).

Awareness and Training

Awareness and Training Plan

Documents how the system's user, administrator, and developer populations are trained in security awareness, role-based duties, insider-threat indicators, social-engineering / phishing recognition, and how training records are maintained. Covers the controls of the AT family in NIST SP 800-53 r5 and aligns with NIST SP 800-50 (Building an Information Technology Security Awareness and Training Program), NIST SP 800-181 r1 (NICE Workforce Framework), DoD 8140.03 (Cyberspace Workforce Qualification and Management), and Federal Information Security Modernization Act (FISMA) annual training requirements.

Audit and Accountability

Audit and Accountability Plan

Documents how the system generates, protects, retains, and reviews audit records to support accountability, anomaly detection, and forensic investigation. Covers the controls of the AU family in NIST SP 800-53 r5 and aligns with NIST SP 800-92 (Guide to Computer Security Log Management).

Assessment, Authorization, and Monitoring

Assessment, Authorization, and Monitoring Plan

Documents how the system is assessed for control effectiveness, authorized for operation, and continuously monitored. Covers the controls of the CA family in NIST SP 800-53 r5 and aligns with NIST SP 800-37 r2 (RMF), NIST SP 800-53A r5 (Assessment), NIST SP 800-137 (Continuous Monitoring), NIST SP 800-47 r1 (Information Exchange), and NIST SP 800-115 (Penetration Testing).

Configuration Management

Configuration Management Plan

Documents how the organization establishes, maintains, and monitors baseline configurations for the system. Covers the controls of the CM family in NIST SP 800-53 r5 and aligns with NIST SP 800-128.

Contingency Planning

Contingency Plan

Documents how the system continues to operate during a disruption and how it recovers afterwards. Covers the controls of the CP family in NIST SP 800-53 r5 and aligns with NIST SP 800-34 r1 (Contingency Planning Guide for Federal Information Systems).

Identification and Authentication

Identification and Authentication Plan

Documents how the system identifies users, devices, and services and verifies their authenticators. Covers the controls of the IA family in NIST SP 800-53 r5 and aligns with NIST SP 800-63 (Digital Identity Guidelines) and FIPS 140 (cryptographic modules).

Incident Response

Incident Response Plan

Documents how the organization prepares for, detects, contains, eradicates, recovers from, and learns from cybersecurity incidents affecting the system. Covers the controls of the IR family in NIST SP 800-53 r5 and aligns with NIST SP 800-61 r2 (Computer Security Incident Handling Guide).

Maintenance

Maintenance Plan

Documents how the system's maintenance activities are governed across scheduling, tool control, nonlocal (remote) maintenance, maintenance personnel, and timely component replacement. Covers the controls of the MA family in NIST SP 800-53 r5 and aligns with NIST SP 800-88 r1 (Sanitization), NIST SP 800-46 r2 (Remote Access), CNSSP-300 (Hardware Maintenance for National Security Systems), and FAR / DFARS clauses governing vendor maintenance personnel.

Media Protection

Media Protection Plan

Documents how the system's storage media — both digital and non-digital — are governed across access, marking, storage, transport, sanitization, and use. Covers the controls of the MP family in NIST SP 800-53 r5 and aligns with NIST SP 800-88 r1 (Sanitization Guidelines), CNSSI 1253 (Categorization and Control Selection for National Security Systems), 32 CFR Part 2002 (CUI Marking), and FIPS 199 / FIPS 200 categorization frameworks.

Physical and Environmental Protection

Physical and Environmental Protection Plan

Documents how the facilities, environmental systems, and physical-access controls protecting the system are governed. Covers physical-access authorization, physical-access control, transmission and output-device protection, monitoring and visitor logging, emergency systems (power, lighting, fire suppression, water leak detection, HVAC), environmental protection, secure delivery and removal of assets, and alternate work-site protection. Covers the controls of the PE family in NIST SP 800-53 r5 and aligns with NFPA 75 (Fire Protection of Information Technology Equipment), TIA-942 (Data Center Standards), Uptime Institute Tier ratings, NIST SP 800-46 r2 (Telework Security), and FedRAMP physical-control inheritance models.

Planning

Planning Plan

Documents how the system's planning artifacts — System Security Plan (SSP), Rules of Behavior, security and privacy architectures, baseline selection, and baseline tailoring — are governed across creation, review, change-control, and integration with the broader RMF package. Covers the controls of the PL family in NIST SP 800-53 r5 and aligns with NIST SP 800-37 r2 (RMF), NIST SP 800-160 v1 r1 (Engineering Trustworthy Secure Systems), NIST SP 800-18 r1 (Guide for Developing Security Plans), FIPS 199 / 200 (baseline selection), and CNSSI 1253 (overlays for national-security systems).

Program Management (Privacy baseline)

Program Management Plan

Documents how the organizational Program Management framework — Information Security Program Plan, Privacy Program Plan, Risk Management Strategy, Continuous Monitoring Strategy, POA&M process, system inventory, enterprise architecture, mission / business-process definition, insider-threat program, workforce program, testing / training / monitoring program, threat-awareness program, supply-chain-risk strategy, data governance, and complaint management — applies to this system. Covers the controls of the PM family in NIST SP 800-53 r5 and aligns with NIST SP 800-37 r2 (RMF), NIST SP 800-39 (Managing Information Security Risk), NIST SP 800-181 r1 (Workforce Framework), NIST IR 8062 (Privacy Risk Management Framework), and OMB Circular A-130 (Managing Information as a Strategic Resource). Note: PM controls are organizational rather than system-specific — most controls in this plan are documented as inherited from the organization's PM program with system-specific extensions where applicable.

Personnel Security

Personnel Security Plan

Documents how the system's personnel-security risks are managed across the employee / contractor lifecycle: position risk designation, pre-access screening, termination, transfer, access agreements, external-personnel governance, sanctions, and position descriptions. Covers the controls of the PS family in NIST SP 800-53 r5 and aligns with 5 CFR Part 731 (Suitability), 5 CFR Part 1400 (Designation of National Security Positions), Executive Order 12968 (Access to Classified Information), Federal Investigative Standards (FIS), HSPD-12, and OPM background-investigation policies.

Personally Identifiable Information Processing and Transparency (Privacy baseline)

PII Processing and Transparency Plan

Documents how the system manages PII processing authority, lawful purpose, transparency to data subjects, consent, system-of-records notices, individual rights (access / amendment), and dissemination across third parties. Covers the controls of the PT family in NIST SP 800-53 r5 and aligns with the Privacy Act of 1974 (5 U.S.C. § 552a), E-Government Act of 2002 (Section 208 — PIA), OMB M-03-22 (PIA guidance), OMB M-17-12 (breach response), NIST IR 8062 (Privacy Risk Management Framework), NIST IR 8112 (Attribute Metadata), GDPR / state privacy laws where applicable, and Fair Information Practice Principles (FIPPs).

Risk Assessment

Risk Assessment Plan

Documents how the system categorizes information, identifies threats and vulnerabilities, assesses likelihood and impact, responds to risk, performs criticality analysis, and conducts threat hunting. Covers the controls of the RA family in NIST SP 800-53 r5 and aligns with FIPS 199 (Categorization), FIPS 200 (Minimum Security Requirements), NIST SP 800-30 r1 (Risk Assessment Guide), NIST SP 800-37 r2 (RMF), NIST SP 800-39 (Managing Information Security Risk), and NIST SP 800-161 r1 (Supply Chain Risk Management).

System and Services Acquisition

System and Services Acquisition Plan

Documents how the system is acquired, developed, documented, engineered, and maintained across the SDLC. Covers resource allocation, acquisition contract language, security-engineering principles, external system services, developer configuration management, developer testing, development process / tooling / standards, system documentation, and the lifecycle treatment of unsupported components. Covers the controls of the SA family in NIST SP 800-53 r5 and aligns with NIST SP 800-160 v1 r1 (Engineering Trustworthy Secure Systems), NIST SP 800-218 (Secure Software Development Framework — SSDF), NIST SP 800-64 r2 (SDLC integration — withdrawn but historically informative), NIST SP 800-161 r1 (SCRM), EO 14028, and OMB M-22-18.

System and Communications Protection

System and Communications Protection Plan

Documents how the system protects information at rest and in transit, partitions trust, defends boundaries, manages cryptographic key material, secures DNS / certificate / session integrity, and provides architectural protections (process isolation, DoS resilience, mobile-code containment). Covers the controls of the SC family in NIST SP 800-53 r5 and aligns with NIST SP 800-52 r2 (TLS), NIST SP 800-57 (Key Management), NIST SP 800-77 r1 (IPsec VPNs), NIST SP 800-95 (Web Services Security), FIPS 140-3 (Cryptographic Module Validation), and FIPS 199 / FIPS 200.

System and Information Integrity

System and Information Integrity Plan

Documents how the system identifies, reports, and remediates flaws; protects against malicious code; monitors system events; and maintains the integrity of software, firmware, and information. Covers the controls of the SI family in NIST SP 800-53 r5 and aligns with NIST SP 800-40 r4 (Patch Management), NIST SP 800-83 r1 (Malware), NIST SP 800-94 (IDS/IPS), and NIST SP 800-115 (Technical Guide to Information Security Testing).

Supply Chain Risk Management

Supply Chain Risk Management Plan

Documents how supply-chain risk is identified, assessed, and mitigated across the system's lifecycle. Covers SCRM plan governance, processes for managing supply-chain risk, acquisition strategies that select trustworthy suppliers, supplier assessments and reviews, notification agreements, inspection of received components, anti-counterfeit / authenticity controls, and component disposal. Covers the controls of the SR family in NIST SP 800-53 r5 and aligns with NIST SP 800-161 r1 (Cybersecurity Supply Chain Risk Management Practices), NIST SP 800-53A r5 (Assessment), Executive Order 14028, OMB M-22-18 / M-23-16 (software supply chain), Section 889 of the FY2019 NDAA (covered telecommunications), CISA ICT-SCRM Task Force guidance, and FedRAMP Continuous Monitoring requirements.
