Policy Packages for Every Framework
Every package is built using the Cybersecurity Policy Governance Framework methodology. Fixed-fee. Per framework.
Government and Defense Compliance
Policy packages for federal agencies, DoD contractors, and organizations operating under federal information security requirements.
NIST SP 800-53 Rev. 5 is the authoritative control catalog for federal agencies and FedRAMP-authorized systems. Covers all 20 control families. Required for any system operating under FISMA.
- Access Control Policy (AC)
- Awareness and Training Policy (AT)
- Audit and Accountability Policy (AU)
- Assessment, Authorization and Monitoring Policy (CA)
- Configuration Management Policy (CM)
- Contingency Planning Policy (CP)
- Identification and Authentication Policy (IA)
- Incident Response Policy (IR)
- Maintenance Policy (MA)
- Media Protection Policy (MP)
- Personnel Security Policy (PS)
- Physical and Environmental Protection Policy (PE)
- Planning Policy (PL)
- Risk Assessment Policy (RA)
- System and Services Acquisition Policy (SA)
- System and Communications Protection Policy (SC)
- System and Information Integrity Policy (SI)
- Supply Chain Risk Management Policy (SR)
- Program Management Policy (PM)
- PII Processing and Transparency Policy (PT)
FedRAMP is mandatory for any cloud service offering used by federal agencies. Based on NIST SP 800-53 with additional FedRAMP-specific controls and parameter values across the Low, Moderate, and High baselines.
- Access Control Policy
- Audit and Accountability Policy
- Configuration Management Policy
- Contingency Planning Policy
- Identification and Authentication Policy
- Incident Response Policy
- Maintenance Policy
- Media Protection Policy
- Physical and Environmental Protection Policy
- Planning Policy (SSP Support)
- Risk Assessment Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
- System and Services Acquisition Policy
- Personnel Security Policy
- Awareness and Training Policy
NIST SP 800-171 Rev. 2 defines 110 security requirements across 14 families for nonfederal organizations handling Controlled Unclassified Information (CUI). Required for any nonfederal organization that stores, processes, or transmits CUI under federal contracts. Note that Rev. 3 (2024) restructures the requirements into 17 families; the CMMC program rule still references the 110 Rev. 2 requirements for Level 2.
- Access Control Policy
- Awareness and Training Policy
- Audit and Accountability Policy
- Configuration Management Policy
- Identification and Authentication Policy
- Incident Response Policy
- Maintenance Policy
- Media Protection Policy
- Personnel Security Policy
- Physical Protection Policy
- Risk Assessment Policy
- Security Assessment Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
CMMC 2.0 is the three-level cybersecurity maturity model required for DoD contractors. Level 1 covers the 15 FAR 52.204-21 requirements for FCI, Level 2 maps directly to the 110 NIST SP 800-171 requirements for CUI, and Level 3 adds a subset of NIST SP 800-172. Level 2 is the certification standard for most of the defense industrial base supply chain.
- Access Control Policy
- Awareness and Training Policy
- Audit and Accountability Policy
- Configuration Management Policy
- Identification and Authentication Policy
- Incident Response Policy
- Maintenance Policy
- Media Protection Policy
- Personnel Security Policy
- Physical Protection Policy
- Risk Assessment Policy
- Security Assessment Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
FISMA is mandatory for all federal agencies and for contractors operating systems on their behalf. Requires a documented information security program aligned with the NIST Risk Management Framework, with controls tailored to the FIPS 199 Low, Moderate, or High impact level of each system.
- Information Security Program Policy
- Risk Management Policy
- System Security Planning Policy
- Security Assessment and Authorization Policy
- Configuration Management Policy
- Incident Response Policy
- Contingency Planning Policy
- Access Control Policy
- Audit and Accountability Policy
- Identification and Authentication Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
- Personnel Security Policy
- Physical and Environmental Protection Policy
DFARS 252.204-7012 mandates NIST SP 800-171 compliance and rapid cyber incident reporting to DoD within 72 hours of discovery for any contractor or subcontractor whose systems handle covered defense information (CUI) under a DoD contract. The clause flows down to subcontractors and also requires preserving affected system images and relevant logs for at least 90 days after reporting.
- Cyber Incident Reporting Policy
- CUI Handling and Protection Policy
- Access Control Policy
- Configuration Management Policy
- Identification and Authentication Policy
- Incident Response Policy
- Maintenance Policy
- Media Protection Policy
- Risk Assessment Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
- Supply Chain Risk Management Policy
FAR 52.204-21 imposes 15 basic safeguarding requirements on all federal contractors and subcontractors whose information systems process, store, or transmit federal contract information (FCI). Applies to essentially every federal contract except acquisitions solely of commercially available off-the-shelf (COTS) items.
- Information System Security Policy
- Access Control Policy
- Identification and Authentication Policy
- Configuration Management Policy
- Incident Response Policy
- Audit and Accountability Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
- Risk Assessment Policy
- Media Protection Policy
- Physical Protection Policy
- Workforce Security Policy
CISA BODs establish mandatory baseline security practices for federal agencies. Coverage includes BOD 18-01 (HTTPS/email), BOD 19-02 (vulnerability remediation), BOD 22-01 (known exploited vulnerabilities), and BOD 23-01 (asset visibility).
- Known Exploited Vulnerability Remediation Policy (BOD 22-01)
- HTTPS Enforcement and Email Security Policy (BOD 18-01)
- Asset Visibility and Inventory Management Policy (BOD 23-01)
- DNS Security and DNSSEC Implementation Policy
- Vulnerability Management and Patch Prioritization Policy (BOD 19-02)
- Endpoint Detection and Response Policy
- Cybersecurity Incident Reporting Policy
- Continuous Diagnostics and Mitigation Policy
- Zero Trust Architecture Governance Policy
- Software Supply Chain Security Policy
OMB Circular A-130 establishes policy for managing federal information as a strategic resource. A-123 governs management accountability and internal controls. Together they define governance requirements for all federal information systems.
- Information Management and Technology Governance Policy (A-130)
- Privacy and Confidentiality Policy (A-130)
- System Security Planning and Authorization Policy (A-130)
- Continuous Monitoring and Ongoing Authorization Policy (A-130)
- Risk Management Policy (A-130)
- Information Lifecycle Management Policy (A-130)
- Records Management and Disposition Policy (A-130)
- Senior Agency Official for Privacy (SAOP) Policy (A-130)
- Capital Planning for Information Technology Policy (A-130)
- Internal Controls and Management Accountability Policy (A-123)
StateRAMP is a security authorization framework for cloud service providers working with state and local government agencies. Based on NIST SP 800-53 controls scaled for state-level procurement requirements.
- Information Security Program Policy
- Access Control Policy
- Configuration Management Policy
- Contingency Planning Policy
- Incident Response Policy
- Risk Assessment Policy
- System and Communications Protection Policy
- System and Information Integrity Policy
- Security Assessment and Authorization Policy
- Audit and Accountability Policy
CIS Controls v8 is an industry-agnostic, prioritized baseline of 18 Controls (each broken down into Safeguards) organized into Implementation Groups IG1, IG2, and IG3, where IG1 is the minimum essential cyber hygiene tier. Widely adopted across public and private sectors and mapped to NIST SP 800-53 and NIST CSF for concrete, actionable hardening guidance.
- Enterprise and Software Asset Inventory Policy
- Data Protection and Classification Policy
- Secure Configuration Management Policy
- Identity, Account, and Access Management Policy
- Continuous Vulnerability Management Policy
- Audit Logging and Monitoring Policy
- Email and Web Browser Security Policy
- Endpoint Malware Defense Policy
- Data Backup and Recovery Policy
- Network Infrastructure Security Policy
- Security Awareness and Training Policy
- Service Provider Risk Management Policy
- Secure Software Development Policy
- Incident Response and Penetration Testing Policy
Healthcare Compliance
Policy packages for covered entities, business associates, and healthcare technology organizations subject to HIPAA and HITECH requirements.
The HIPAA Security Rule is required for all covered entities and business associates that handle electronic protected health information (ePHI). NIST SP 800-66 Rev. 2 is the non-binding implementation guide most organizations use to satisfy the Rule's administrative, physical, and technical safeguard standards; the Rule itself, not 800-66, is the enforceable requirement.
- Information Security Management Policy
- Risk Analysis and Risk Management Policy
- Sanction Policy
- Information System Activity Review Policy
- Access Control Policy
- Workforce Training and Awareness Policy
- Security Incident Response Policy
- Contingency Planning Policy
- Evaluation and Audit Policy
- Business Associate Agreement Policy
- Device and Media Controls Policy
- Facility Access Controls Policy
- Workstation Use and Security Policy
- Transmission Security Policy
- Audit Controls Policy
- PHI Breach Notification Policy
HITECH makes business associates directly liable under HIPAA, established the Breach Notification Rule (notice to affected individuals and HHS, and to the media for breaches affecting 500 or more residents of a state), and created tiered civil penalties. Required for any organization in the healthcare supply chain handling ePHI.
- Breach Notification Policy
- Business Associate Oversight Policy
- Electronic Health Record Security Policy
- Data Retention and Destruction Policy
- Minimum Necessary Use Policy
- Audit and Accountability Policy
- Patient Rights and Access Policy
- Enforcement and Sanctions Policy
- Incident Response Policy
- Third-Party Risk Management Policy
Financial Services Compliance
Policy packages for payment processors, financial institutions, public companies, and any organization subject to financial sector security requirements.
PCI DSS is required for any organization that accepts, processes, stores, or transmits payment card data. PCI DSS v4.0 (now v4.0.1) introduced the customized approach as an alternative to the defined approach and strengthened authentication requirements; the future-dated requirements, including MFA for all access into the cardholder data environment, became mandatory on March 31, 2025.
- Network Security Policy
- System Configuration and Hardening Policy
- Cardholder Data Protection Policy
- Data Encryption and Transmission Policy
- Malware and Vulnerability Management Policy
- Access Control Policy
- Authentication and Identity Policy
- Physical Security Policy
- Logging and Monitoring Policy
- Security Testing Policy
- Information Security Governance Policy
- Third-Party and Vendor Management Policy
SOC 2 is not a regulation but is routinely required by enterprise customers of SaaS and technology companies. Covers the Security, Availability, Processing Integrity, Confidentiality, and Privacy trust services criteria; Security is mandatory and the other four are selected by scope. A Type I report describes control design at a point in time; a Type II report tests operating effectiveness over an observation period, typically 6 to 12 months.
- Information Security Policy
- Access Control Policy
- Change Management Policy
- Risk Management Policy
- Vendor Management Policy
- Incident Response Policy
- Business Continuity and Disaster Recovery Policy
- Data Classification Policy
- Encryption Policy
- Vulnerability Management Policy
- Logging and Monitoring Policy
- Human Resources Security Policy
SOX is mandatory for all US public companies (SEC registrants). Section 404 internal control assessments rely on IT General Controls (ITGCs) around access management, change management, and computer operations, which directly affect the reliability of financial reporting systems.
- IT General Controls Policy
- Access Management and Segregation of Duties Policy
- Change Management Policy
- Computer Operations Policy
- Data Backup and Recovery Policy
- Financial System Security Policy
- Audit Trail and Logging Policy
- Vendor and Third-Party Access Policy
- IT Risk Management Policy
The GLBA Safeguards Rule requires financial institutions under FTC jurisdiction to implement a written information security program overseen by a designated qualified individual. The amended rule (most provisions effective June 2023) added specific technical requirements including encryption of customer information in transit and at rest, MFA for anyone accessing customer information, and a written incident response plan; a further amendment (effective May 2024) requires notifying the FTC within 30 days of discovering a notification event involving 500 or more consumers.
- Information Security Program Policy
- Risk Assessment Policy
- Safeguards Implementation Policy
- Access Control Policy
- Encryption Policy
- Multi-Factor Authentication Policy
- Incident Response Policy
- Third-Party Service Provider Oversight Policy
- Employee Training Policy
- Data Disposal Policy
International Standards and Privacy Law
Policy packages for global operations, international certifications, and organizations subject to data protection regulations in Europe and California.
ISO/IEC 27001:2022 is the international standard for ISMS certification. The 2022 revision reorganized Annex A into 93 controls across four themes (organizational, people, physical, and technological). Certification is recognized globally and increasingly required for government contracts outside the US.
- Information Security Policy
- Risk Management Policy
- Asset Management Policy
- Access Control Policy
- Cryptography Policy
- Physical Security Policy
- Operations Security Policy
- Communications Security Policy
- System Acquisition and Development Policy
- Supplier Relationships Policy
- Incident Management Policy
- Business Continuity Policy
- Compliance Policy
- Human Resource Security Policy
GDPR applies to any organization processing the personal data of individuals in the EU, regardless of where the organization is located, when it offers goods or services to them or monitors their behavior. Administrative fines reach up to 20 million euros or 4% of global annual turnover, whichever is higher.
- Data Protection Policy
- Privacy Notice and Consent Policy
- Data Subject Rights Policy
- Data Retention and Deletion Policy
- Data Breach Notification Policy
- Data Protection Impact Assessment Policy
- International Data Transfer Policy
- Processor and Vendor Management Policy
- Records of Processing Activity Policy
- Data Minimization and Purpose Limitation Policy
CCPA, as amended by the CPRA, applies to for-profit businesses doing business in California that meet revenue or data volume thresholds and collect personal information from California residents. The CPRA created the California Privacy Protection Agency (CPPA) with dedicated rulemaking and enforcement authority.
- Consumer Privacy Rights Policy
- Data Collection and Use Disclosure Policy
- Opt-Out and Opt-In Rights Policy
- Data Sale and Sharing Policy
- Sensitive Personal Information Policy
- Data Retention Limits Policy
- Contractor and Service Provider Agreements Policy
- Privacy Training Policy
- Consumer Request Response Policy
NIST CSF 2.0 (2024) added Govern as a sixth core function alongside Identify, Protect, Detect, Respond, and Recover, making organizational governance, accountability, and supply chain risk management explicit outcomes of the framework. The CSF is voluntary and applicable across sectors with no industry restriction.
- Cybersecurity Governance Policy (GOVERN)
- Asset Management Policy (IDENTIFY)
- Risk Management Policy (IDENTIFY)
- Identity Management Policy (PROTECT)
- Awareness and Training Policy (PROTECT)
- Data Security Policy (PROTECT)
- Continuous Monitoring Policy (DETECT)
- Anomaly Detection Policy (DETECT)
- Incident Response Policy (RESPOND)
- Communication Policy (RESPOND)
- Recovery Planning Policy (RECOVER)
- Supply Chain Risk Policy (GOVERN)
Critical Infrastructure and Industrial Security
Policy packages for operators of bulk electric systems, industrial control systems, and organizations subject to NERC CIP mandatory reliability standards.
NIST SP 800-82 Rev. 3 is the authoritative federal guide for securing operational technology, including industrial control systems, SCADA, distributed control systems, and other OT environments. Critical for energy, utilities, manufacturing, and critical infrastructure operators.
- OT/ICS Security Program Policy
- Network Architecture and Segmentation Policy
- Access Control Policy (OT-Specific)
- Incident Response Policy (OT/ICS)
- Patch and Vulnerability Management Policy
- Remote Access Policy (OT Networks)
- Physical Security Policy (Control Systems)
- Supply Chain and Vendor Security Policy
- Backup, Recovery and Resilience Policy
- Security Training and Awareness Policy
- Change Management Policy (OT Systems)
- Risk Assessment Policy (OT Environment)
NERC CIP standards are mandatory for registered owners, operators, and users of the bulk electric system (BES). The CIP standards cover cyber security, physical security, personnel, and supply chain risk, with requirements scaled to high, medium, and low impact BES Cyber Systems as categorized under CIP-002.
- BES Cyber System Categorization Policy (CIP-002)
- Security Management Controls Policy (CIP-003)
- Personnel and Training Policy (CIP-004)
- Electronic Security Perimeter Policy (CIP-005)
- Physical Security Policy (CIP-006)
- System Security Management Policy (CIP-007)
- Incident Reporting and Response Policy (CIP-008)
- Recovery Plans Policy (CIP-009)
- Configuration Management and Vulnerability Policy (CIP-010)
- Information Protection Policy (CIP-011)
- Supply Chain Risk Management Policy (CIP-013)
DISA STIGs are mandatory configuration and hardening standards for DoD information systems. STIGs provide prescriptive technical requirements for operating systems, network devices, applications, and cloud environments across the defense enterprise, with each requirement assigned a severity category (CAT I, II, or III) and, for most platforms, an automated check in the SCAP benchmark content DISA publishes.
- STIG Compliance Program Policy
- Configuration Management and Hardening Policy
- Vulnerability Management Policy
- Access Control and Authentication Policy
- Audit and Logging Policy
- Network Security Policy
- Encryption and Data Protection Policy
- Patch Management Policy
- Endpoint Security Policy
- Cloud Security Configuration Policy
- Application Security Policy
- Compliance Monitoring and Reporting Policy
Need Multiple Frameworks or a Custom Scope?
Bundle pricing is available for organizations managing two or more compliance programs. Contact us for bundle rates, multi-year agreements, or to discuss a custom scope.