Both NIST 800-171 and the Capability Maturity Model Certification (CMMC) require that organizations have a documented information security policy and related standards for each of the respective domains. Up until the release of our Policy Professional Robot (ProBot), organizations were more or less “stuck” using Exostar’s PolicyPro. Exostar’s PolicyPro serves its purpose, but it’s comparatively slow and they maintain control over your documents. We think that’s kind of like holding your policies hostage. And when Exostar PolicyPro is charging $999, it seems a bit unfair to organizations who just want a policy.
- Finished vs. Incomplete: We have employed industry best practices to automagically generate COMPLETE documents. After you fill in the form and hit submit you are finished. We are not generating partially complete documents; they are essentially complete. Yes, we do encourage customers to review them to ensure they truly match how you will or do operate but the documents you receive are complete. Exostar PolicyPro makes you create the policy whereas we do it for you.
- Seconds vs. Days: You’ll receive your information security policy in about 30 seconds after you hit submit. This is because unlike Exostar PolicyPro we have actually 100% automated the process, hence why we call ours a ProBot.
- Source Documents vs. Hostage Documents: Unlike Exostar PolicyPro, we deliver the NIST 800-171 & CMMC-compliant information security policy (including reference to the 17 domains) in 30 seconds or so. The documents come to you via email and you’ll get them in Microsoft Word format so you can adjust as you see fit.
- Reasonable Cost vs. Less Reasonable Cost: It’s pretty simple. They charge $999 and we charge $29.99 (UNTIL 5/22/21) then standard pricing of $59.99 begins.
- Fit for Use: Added value only matters if the customer gets tangible benefit. With that in mind, policies are not rocket science to create, but they can be quite time consuming if you write them yourself. Where the real heavy lifting comes in is at the low-level procedures. Policies set the laws for the company, but when it comes to a formal assessment, the assessor needs evidence that the organization actually does what it says. This is the devil in the details part and it’s where procedures enter the compliance equation. So, in 30 seconds or less we can produce a pretty amazing information security policy that includes 17 sub-sections for each CMMC domain, but procedures aren’t like that. They are unique to every customer.
- (Optional) Value-Added: In order to add real value in helping customers sort out the state of their procedures, we offer 24-, 40- or 80-hour consulting options. You can decide how the hours are spent (e.g., assessing your current policy(ies), updating your existing procedures to align to the new policy(ies), or helping develop new procedures). It’s your decision and they are your hours to use as you see fit. All we require is that the hours are consumed contiguously, over the course of one calendar week.