TRA Consulting — Document Generator

Your NIST 800-171
compliance documents.
Generated. Free.

Fill in your client profile once. Generate 12 professional compliance documents — SSP, POA&M, WISP, IRP, BCP/DRP, GenAI Policy, CMMC Self-Assessment, and more — populated with real org data, not placeholders. Download as PDF or Word.

No account required No server — browser only PDF & Word export Multi-client Claude AI built in
12 documents — all free
One profile. Every document your client needs.
📋Acceptable Use PolicyPolicy
🔒CUI Handling PolicyPolicy
📘WISP (7 appendices)Policy
🤖Generative AI PolicyPolicy
🚨Incident Response PlanPlan
🔄BCP / DRPPlan
🤝Vendor Risk AssessmentAssessment
🛡️System Security PlanRecord
📊POA&MRecord
Annual Review ChecklistRecord
🎖️CMMC Self-AssessmentRecord
✍️Attestations (5 roles)Attestation
12
Documents generated
0
Data sent to server
Free
No account needed
PDF
& Word export

Who this is for

You did the NIST 800-171 assessment. Now you need the paperwork.

DFARS requires more than a score. Contracting officers, prime contractors, and DIBCAC auditors want documentation — a signed SSP, a current POA&M, a written IRP. Writing these from scratch takes days. This tool generates them in minutes from your assessment data.

🎯

Defense contractors submitting to SPRS

DFARS 252.204-7021 requires a CMMC Level 2 self-assessment with your score, scope, CAGE code, and SSP reference. The generator produces the complete SPRS submission package — auto-calculating whether your score qualifies for Final or Conditional status — and flags the FCA liability risk if you over-report.

🏢

MSPs and consultants managing multiple clients

Multi-client support lets you store a separate profile for each client. Switch between Jupiter Systems, Inge Realty, and every other client in seconds — each generates their own complete document set with their specific contacts, system names, and scope. No copy-pasting between files.

📋

Security teams that need audit-ready documentation

A WISP audit or contract review comes with little warning. Having a current, signed WISP, IRP, and POA&M on hand shortens those conversations from weeks to days. The generator produces documents that look like they were written by a compliance attorney — because they were built from real client engagements.

From our client work: Writing a compliant WISP manually — with all appendices, an embedded IRP, GenAI policy, Chain of Custody forms, and attestation templates — takes 8–12 hours for an experienced practitioner. The generator does it in under 2 minutes, fully populated with your client’s real data.


The documents

12 documents. Every one built from real client engagements.

Not generic templates. Every section, clause, and table in these documents came from actual WISP, IRP, and SSP deliverables TRA Consulting has produced for real clients. They are written the way a senior compliance practitioner writes them — not the way a template vendor thinks they should look.

📄 Policies
📋
Acceptable Use Policy (AUP)
NIST 3.1.9 / 3.2.1
Defines the rules for how employees, contractors, and third parties may use organizational IT systems and data. Required as the foundational policy document for any CMMC or DFARS compliance program.
What it covers: IT resource usage rules, password requirements (16-char minimum, MFA, 180-day rotation), prohibited uses (personal email, unauthorized software, social media abuse), removable media policy, incident reporting obligations, and a signature acknowledgment table for all staff.
👤 All employees and contractors with system access must sign. Required for CMMC Level 1 and 2.
🔒
CUI Handling Policy
NIST 3.8 / 3.13 / DFARS 252.204-7012
Defines how Controlled Unclassified Information must be identified, stored, transmitted, disposed of, and shared with third parties. Required for any organization handling CUI under a DoD contract.
What it covers: CUI category identification, marking requirements, storage controls (encrypted at rest, access-controlled), transmission rules (TLS 1.2+, no personal email), disposal requirements (NIST 800-88 sanitization), third-party CUI sharing rules, and employee acknowledgment.
👤 Required for all DFARS-covered contractors. Directly maps to NIST 3.8 (Media Protection) and 3.13 (System & Communications Protection).
📘
Written Information Security Program (WISP)
NIST 3.12.4 / All 14 families
The master security policy document. Thomas Andersen format — the same WISP structure TRA Consulting delivers to real clients. Section 1 covers governance and breach notification, Section 2 has 15 IT and cyber security policies, Section 3 has 20 technical controls.
Includes 7 appendices: A (WISP Attestation Template & Risk Register), B (Maintenance SOP — daily through annual), C (Chain of Custody Form for PII/CUI), D (Full Incident Response Plan), E (Generative AI Policy), F (Officers Signature Page), G (BCP/DRP).
👤 The core deliverable for any compliance engagement. Required for CMMC, DFARS, HIPAA, and most enterprise vendor assessments.
🤖
Generative AI Policy
NIST 3.1 / 3.4 / 3.13
Governs how employees and contractors may use generative AI tools — including ChatGPT, Copilot, Gemini, and internally developed models. Built from Thomas Andersen’s actual GenAI policy deliverables for DoD contractors.
What it covers: Purpose and scope, 14-term definitions table (AI / GenAI / LLM / FM / Prompt Engineering / PII / PHI / Bias / Explainability / SaaS), AI Advisory Board structure, GenAI Ownership responsibilities, Proposals approval process, Acceptable Use table (permitted vs. requires approval), Data Protection, Transparency labeling requirement, Third-Party Risk, Failure to Comply.
👤 Required for any organization whose employees use AI tools for work. Also embedded as Appendix E in the WISP.
🗂 Plans
🚨
Incident Response Plan (IRP)
NIST 3.6.1 / 3.6.2 / 3.6.3 / DFARS 252.204-7012
Defines how the organization detects, contains, eradicates, and recovers from cybersecurity incidents — including the 72-hour DoD reporting requirement. IRT roster is auto-populated from your client profile contacts.
What it covers: Incident Response Team roster (IRM, Security Officer, IT Director, Systems Admin, MSP), 6-phase response lifecycle (Detect / Contain / Analyze / Eradicate / Recover / Document), Post-Mortem Report format, DFARS 252.204-7012 72-hour notification workflow and DIBNet portal instructions, and 6 incident type playbooks including ransomware, account compromise, CUI exposure, and insider threat forensics.
👤 Required for NIST 3.6. Also embedded as Appendix D in the WISP. Must be tested annually via tabletop exercise (NIST 3.6.3).
🔄
Business Continuity Plan / Disaster Recovery Plan
NIST 3.6.3 / WISP §2.10
Defines how the organization sustains critical business operations and recovers IT systems following a disruptive event. Recovery Team is auto-populated from profile contacts.
What it covers: Business Impact Analysis (8 critical systems with MAO/RTO/RPO — Active Directory, M365, File Server, VPN, Firewall, LOB apps, Internet, Facility), Recovery Team roster and activation authority, 5 disaster scenario phased response tables (Ransomware, Server Failure, Connectivity, Natural Disaster, Key Personnel Loss), Backup schedule, Remote work activation procedures and employee checklist, Communication plan by audience, DR Test Results Log, Plan maintenance triggers, Approval signatures. Also embedded as Appendix G in the WISP.
👤 Referenced in the WISP and required for any organization with contractual uptime obligations. DR test required annually.
🔍 Assessments
🤝
Third-Party Vendor Risk Assessment
NIST 3.1.20 / CMMC Level 2 Supply Chain
A 20-question security questionnaire used to assess vendors and third parties before granting them access to organizational systems or CUI. Required for all vendors under CMMC and DFARS supply chain security requirements.
What it covers: Vendor information and system access scope, security program maturity questions across access control, encryption, incident response, patch management, and personnel security, risk scoring (Low / Medium / High / Critical) with a calculated overall rating, approval workflow with Security Officer signature, and an annual re-assessment schedule. Includes DFARS flow-down clause confirmation requirement.
👤 Required before any third party accesses CUI. Must be renewed annually. DFARS requires flow-down of cybersecurity requirements to all CUI-handling subcontractors.
📊 Compliance Records
🛡️
System Security Plan (SSP)
NIST 3.12.4 / DFARS 252.204-7019
Documents how every one of the 110 NIST SP 800-171 Rev 2 security requirements is implemented in the organization’s environment. If the NIST 800-171 Assessment Tool is open in the same browser, all control statuses and implementation notes are pulled in automatically.
What it covers: System identification (name, version, framework, contract/CAGE code), all key contacts from profile, system boundary description, CUI types handled, compliance summary with live SPRS score calculation, and all 110 controls organized by the 14 NIST families — each showing status (Met/Partial/Not Met/N/A), DoD weight, responsible party, and implementation notes. Signature block for Security Officer, IT Director, and IRM.
👤 Required by DFARS 252.204-7012 and 7019. Must be referenced in SPRS submission. Updated whenever the security posture changes materially.
📊
Plan of Action & Milestones (POA&M)
NIST 3.12.2 / CMMC Conditional Status
Documents all Not Met and Partially Implemented controls with gap descriptions, responsible parties, remediation plans, and target dates. Required for CMMC Conditional Self-Assessment status and must be updated monthly.
What it covers: POA&M summary (Not Met count, Partial count, total SPRS point exposure), all gap items pulled automatically from NIST tool assessment data — sorted by severity (5-point gaps first), each with the control ID, name, gap description from your notes, remediation plan, assigned owner, and target completion date. Signature block for Security Officer and IRM.
👤 Required for any SPRS score below 110. Score of 88–109 with a valid POA&M = Conditional status (180 days). Update monthly per NIST 3.12.2.
Annual NIST 800-171 Compliance Review Checklist
NIST 3.12.3 / Annual SPRS Affirmation
A Security Officer checklist covering all governance, operational, and technical tasks required to complete an annual NIST 800-171 compliance review and support the SPRS annual affirmation requirement.
8 sections, 28 checklist items: Governance Documents (SSP, WISP, POA&M, IRP, Attestations, AUP, CUI Policy updated and signed), Vulnerability Assessment (annual Nessus scan, cloud hygiene, critical findings addressed), Training (annual cybersecurity training, phishing simulation, new hire onboarding), Access Control (privileged account review, inactive account audit, MFA at 100%, password policy), System Integrity (patch compliance, AV/EDR, full disk encryption), Audit & Logging (monthly log review reports, log retention), Physical & Media (access log review, hardware disposal records), Vendor Management (annual vendor risk assessments, DFARS flow-down confirmed). Each item pre-filled with owner name from profile.
👤 Complete annually before submitting the SPRS annual affirmation. CMMC Final status requires annual affirmation within 12 months of assessment date.
🎖️
CMMC 2.0 Self-Assessment Statement
DFARS 252.204-7021 / 32 CFR Part 170 (Nov 2025)
The formal SPRS submission package required for CMMC Level 2 self-assessment under the CMMC Final Rule effective November 2025. Auto-calculates Final vs. Conditional status from your SPRS score. Includes an FCA liability warning.
What it covers: Assessment overview with score and auto-calculated status (Final at 110 / Conditional at 88–109 / Below Threshold below 88), regulatory basis table (DFARS 252.204-7012, 252.204-7021, 32 CFR Part 170, RFO changes note), CMMC phase timeline (Phase 1 self-assessments now through Nov 2026, Phase 2 C3PAO, Phase 3 DIBCAC), system scope and SSP reference, assessment results with all 14 control family counts, POA&M summary, SPRS pre-submission checklist (10 items), SPRS entry field reference guide, CMMC UID field, Affirming Official statement with FCA liability warning, dual signatures.
👤 Required for any DoD contract requiring CMMC Level 2. Submit via PIEE portal (piee.eb.mil) with SPRS Cyber Vendor User role. Affirm annually in SPRS within 12 months.
✍️ Attestations
✍️
Control Responsibility Attestations (5 Roles)
NIST 3.12.1 / CMMC Role-Based Accountability
One packaged document containing role-specific control responsibility attestations for all five key security roles. Each role signs off on the specific NIST 800-171 controls assigned to their position — creating documented accountability across the organization.
5 role attestations included: Security Officer (policy governance, risk management, breach notification, WISP administration — 18 controls), IT Director (configuration management, change control, vendor management, access authorization — 15 controls), Systems Administrator (technical controls, patch management, account management, backup, AV/EDR — 22 controls), Incident Response Manager / MSP (incident detection, containment, reporting, DFARS 72-hour notification — 12 controls), MSP / IT Support Provider (technical monitoring, security alerts, patch deployment, DR testing — 16 controls). Each attestation includes the role description, control list with specific obligations, and a dated signature block.
👤 Sign annually and whenever roles change. Provides auditors with documented evidence of role-based accountability for each NIST control family. Names auto-populated from client profile.

How it works

From zero to a signed, formatted SSP in under 5 minutes

No templates to fill in manually. No copy-pasting org names into 50 fields. Fill your client profile once — every document pulls from it automatically.

Step 01

Add your client

Create a client profile with org name, Security Officer, IT Director, Systems Admin, IRM, MSP, system name, scope, CUI types, SPRS score, and dates. The tool supports multiple clients — switch between them instantly.

Step 02

Pick a document

Choose from 12 documents in the sidebar, grouped by type. The NIST 800-171 Assessment Tool (open in the same browser) automatically shares control data for the SSP, POA&M, and CMMC Statement.

Step 03

Preview and PDF

Click Preview / PDF to open a fully formatted, print-ready document with your client’s real data throughout — org name, contact names and emails, system boundary, dates. Ctrl+P to save as PDF.

Step 04

Download Word

Click Download Word to get a .docx file for editing, branding, or sending to clients. Multi-client storage means every client’s profile is saved separately and reloaded automatically next session.

NIST Tool integration: If the TRA NIST 800-171 Assessment Tool is open in the same browser while you generate an SSP or POA&M, your control statuses and implementation notes are pulled in automatically via shared browser localStorage. No export, no import, no manual re-entry. The 📋 Generate Documents button in the NIST tool opens the generator directly.


Built for MSPs and consultants

One tool. Every client. No duplication.

TRA Consulting generates documents for dozens of clients across Southern California and Baja. The multi-client system was built so that switching from Jupiter Systems to Inge Realty to any other client takes one click — not 20 minutes of find-and-replace.

🔄

Client profiles saved separately

Each client has their own profile stored in browser localStorage — org name, all 5 role contacts, system name, scope, CUI types, SPRS score, dates, and version. Profiles save automatically when you switch clients.

Instant switching

The client dropdown in the header lets you jump between clients without losing any data. Add a new client with + New, give them a blank profile, fill it in, and generate their full document set — in minutes.

🤖

Claude AI knows your client

The built-in AI chat sends your active client profile as context automatically. Ask it to review the profile for completeness, explain which controls matter most for that client, or generate NIST 800-171 guidance specific to their environment.

🔒

PIN-locked, browser-only

The tool is protected by a 4-digit PIN (default 1111, change via the API panel). All data stays in your browser — nothing is sent to TRA servers. Use Export JSON in the NIST tool to back up assessment data anytime.


Start generating

Open the Document Generator — free, no signup

Fill in your client profile. Generate your SSP, WISP, IRP, and POA&M. Download as PDF or Word. Then let TRA Consulting help you close the gaps the documents reveal.

Open the Generator → Browse Compliance Tools Contact TRA →
⚠ All documents are templates generated for informational purposes — not a substitute for legal review, formal certification, or audit. Data stays in your browser. TRA Consulting is not responsible for compliance decisions made based on generated documents.