Why Policies Matter More Than You Think
You can have all the right technology — EDR on every endpoint, MFA enforced, encrypted cloud storage — and still fail a CMMC assessment because your policies don't match your actual practices. Assessors look for three things: documented policies, technical implementation, and evidence that the two align. All three must be present.
The most common failure mode: a policy that says "all employees receive annual security training" when the last training was 18 months ago. Or a policy that says "all remote access is through VPN" when the IT admin occasionally bypasses VPN. Assessors interview people, not just read documents. Your policies need to reflect reality — which means either update your policies to match what you actually do, or update what you actually do to match your policies.
A policy states what you require (the "what" and "why"). A procedure describes how you do it (the "how"). Both are required for CMMC, and both are assessed. "We encrypt all CUI" is policy. "CUI is encrypted using BitLocker with AES-256, enabled during device provisioning per our device baseline process" is procedure. You need both.
The 14 Policy Documents Required for CMMC Level 2
CMMC Level 2 / NIST 800-171 requires documented policies covering each of the 14 control families. Here's what each one needs to cover:
1. Access Control Policy
Covers who gets access to what, under what conditions. Must address: account management (how accounts are created, modified, and terminated), least privilege principle, remote access requirements, mobile device access, wireless access, and session management. This is the largest policy because AC is the largest control family.
2. Awareness and Training Policy
Covers how you ensure employees understand security risks. Must address: initial training requirements, annual refresher training, insider threat awareness, documentation of training completion, and what happens when training isn't completed.
3. Audit and Accountability Policy
Covers what you log, how long you keep logs, and what you do with them. Must address: which events are logged, retention periods, log review procedures, protection of audit records, and how you handle audit system failures.
4. Configuration Management Policy
Covers how systems are built and maintained. Must address: baseline configuration requirements, change management process (how changes are approved and documented), software restrictions, and how you handle deviations from baseline.
5. Identification and Authentication Policy
Covers how identities are verified. Must address: MFA requirements, password complexity and management, account management (inactivity, termination), authenticator protection, and multi-factor authentication for CUI access.
6. Incident Response Policy
Covers what you do when something goes wrong. Must address: incident categories, response procedures, roles and responsibilities, communication requirements (including the 72-hour DFARS reporting requirement), and how you conduct post-incident reviews.
7. Maintenance Policy
Covers how systems are serviced and repaired. Must address: authorization for maintenance activities, maintenance schedules, remote maintenance controls, media sanitization during maintenance, and external maintenance personnel requirements.
8. Media Protection Policy
Covers how CUI media is handled. Must address: media inventory, access restrictions, transport requirements (encryption, double-wrap), destruction procedures, and removable media controls.
9. Personnel Security Policy
Covers screening and off-boarding. Must address: background check requirements for CUI-access positions, what screening is performed, termination procedures (immediate access revocation), and transfer procedures.
10. Physical Protection Policy
Covers physical security of your facility. Must address: access controls for sensitive areas, visitor management, physical access monitoring, media protection in physical spaces, and alternate work site requirements.
11. Risk Assessment Policy
Covers how you identify and manage security risk. Must address: risk assessment frequency, methodology, vulnerability scanning requirements, and how findings feed into remediation planning.
12. Security Assessment Policy
Covers how you evaluate your own security controls. Must address: assessment frequency, methodology, System Security Plan (SSP) requirements, Plan of Action and Milestones (POA&M) management, and continuous monitoring activities.
13. System and Communications Protection Policy
Covers how you protect your networks and communications. Must address: network monitoring requirements, encryption requirements (at rest and in transit), wireless security, boundary protection, VPN requirements, and FIPS validation requirements.
14. System and Information Integrity Policy
Covers how you maintain system health. Must address: patch management (timelines, priority), malware protection requirements, security alert monitoring, and anomaly detection.
A 200-page policy document that doesn't match what anyone actually does is worth less than a 5-page policy that your team actually follows. Assessors interview people. Gaps between policy and practice get found.
How Long Should Policies Be?
There's no minimum or maximum length requirement. Policies should be long enough to actually address what they're required to cover — no shorter. For a small company (10–50 people), policies are typically 2–8 pages each. For a larger organization with more complex environments, they might be longer.
What assessors actually care about: can you show them a documented policy, can you show them that policy is current and reviewed, can you show them evidence that people actually follow it? A five-page Access Control Policy that you follow consistently beats a 40-page policy that nobody has read.
Who Signs Policies?
Policies must be approved and signed by someone with authority over the described domain. For small contractors, that's usually the owner, president, or a designated Security Officer. The signer doesn't need a specific title — they need the actual authority to enforce the policy and the accountability for its implementation.
Policies should be reviewed and re-signed at least annually, and whenever there's a major change to your environment or operations that affects the policy area. If your IT infrastructure changes significantly (new cloud platform, new VPN, new MDM), your relevant policies need to be updated to reflect that.
Common Policy Mistakes That Fail Assessments
- Policies that don't match actual practice — The most common failure. Write policies that describe what you actually do or commit to doing, not an idealized vision you'll never implement.
- Generic templates used without customization — Assessors recognize generic CMMC policy templates. They will ask specific questions about your specific environment. If your policy says "the system administrator" and you have three people who share admin responsibilities, that's a discrepancy.
- No review dates or version control — Policies must show when they were last reviewed and by whom. An undated policy with no version number fails.
- Missing procedures — Policy without supporting procedures is incomplete. "We conduct vulnerability scans" is policy. You also need a procedure that describes when, with what tool, how results are reviewed, and what the remediation timeline is.
- Not distributed to employees — Policies must be communicated to the people they affect. Evidence of distribution (email notification, training records, intranet access logs) is required.
Our Assessment-Ready Package generates all 14 required policies customized to your specific operation — not generic templates. Take the assessment to get started.
Start Free Readiness Check →Frequently Asked Questions
Yes, but use them carefully. Free templates are a starting point, not a finished product. Every policy must be customized to reflect your specific environment, your specific people, and your actual practices. Generic templates that haven't been customized are easy for assessors to spot — they don't mention your specific tools, your specific roles, or your specific processes. Customization is mandatory.
At minimum, annually. Policies should be formally reviewed at least once per year and updated to reflect any significant changes to your environment, operations, or personnel. After a security incident, after a major infrastructure change, after acquiring new systems or tools — those are all triggers for review. Each policy should have a documented review date and the reviewer's signature or initials.
Yes. If a subcontractor handles CUI on your behalf, they need their own CMMC compliance program — including their own policies. Your policies govern your organization. The subcontractor's policies govern theirs. You should verify (contractually and through assessment) that subcontractors who handle your CUI have appropriate policies in place. 'Our prime has policies' is not a valid CMMC compliance strategy for a subcontractor.
The SSP is the master document that describes your entire security environment — what systems you have, what controls are implemented, which policies apply, and how everything fits together. Policies are the detailed documents that govern specific areas of security practice. Your SSP references your policies and describes how they're implemented in your specific environment. Both are required. The SSP is the map; the policies are the rulebooks for each domain.
Leadership must be involved at minimum in approval and sign-off. Policies require executive authority because they're organizational commitments, not just technical guidelines. Your IT team can draft the technical content, but the final policy must be approved by someone with the authority to hold the organization accountable — typically the CEO, President, or designated Security Officer. Assessors will ask who is responsible for security policy compliance.
Get policies that actually pass an assessment.
Our Assessment-Ready Package generates all 14 required CMMC policies customized to your specific environment.
Start Free Readiness Check →2 minutes. No email required to see results.
Or see pricing & packages →