CMMC Policies and Procedures: What Level 2 Contractors Actually Need
CMMC policies and procedures are the written rules (policies) and step-by-step operating documents (procedures) that prove how your company actually meets the security requirements behind its CMMC level. For CMMC Level 2, you need them across all 14 NIST SP 800-171 Revision 2 control families, anchored by a System Security Plan (SSP) and, where allowed gaps remain, a Plan of Action and Milestones (POA&M).
Here’s the part most guides skip, and it will save you money: there is no official master list of required CMMC policies. Assessors don’t count your documents. They check whether your policies, procedures, and the evidence behind them let them mark all 320 assessment objectives as MET. Which documents you need depends on your required level, whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and your assessment type.
Below is the exact map — family by family — plus which documents the rule actually points to, how assessors judge your paperwork, why template packs fail, and who to bring in if you can’t build it yourself.
This page is for you if you’re a defense contractor — or the IT director, compliance manager, FSO, or owner inside one — who needs to understand and build the documentation set for CMMC Level 1 or Level 2.
This page is not the fastest path if you only need to figure out which level applies to you (start with our CMMC levels guide), you want a deep dive on the SSP by itself (see our CMMC Level 2 Checklist), or you need a legal reading of a specific contract clause (talk to a qualified federal-contracts attorney).
Which CMMC documentation path are you on?
Before you write a single policy, find your row. The documents you need — and the mistakes that will cost you — depend on your situation, not on a generic checklist.
| Your situation | What you probably need first | What not to do first | Best next step |
|---|---|---|---|
| You handle FCI only and your contract requires Level 1 | A lighter set tied to the 15 basic safeguards in FAR 52.204-21 | Buy a full Level 2 template package before confirming scope | Confirm your level and FCI boundary |
| You handle CUI and need Level 2 self-assessment | SSP, defined scope, a 14-family policy/procedure/evidence map, an SPRS-ready score | Treat “having policies” as the whole compliance program | Start collecting evidence now, before you post a score |
| You handle CUI and need Level 2 with a C3PAO | An assessment-ready SSP, final evidence, a POA&M strategy, artifact control | Ask the C3PAO to write your documents and then assess the same work | Keep readiness help and formal assessment separate |
| You use an MSP, MSSP, cloud tenant, or CUI enclave | A shared-responsibility map and a Customer Responsibility Matrix (CRM) | Assume the provider “makes you compliant” | Document what’s inherited vs. what you still own |
| You already bought templates | Customization, approval, scope mapping, and evidence behind each one | Leave them generic, unsigned, or disconnected from your systems | Turn templates into real procedures with real evidence |
The right documents flow from your contract requirement and your environment — not from a one-size folder. The category of help you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.
What are CMMC policies and procedures?
A policy is a management-approved statement of what your organization requires and why. A procedure is the step-by-step description of how it actually gets done. Neither one is enough alone — and both live inside a larger documentation system that also includes plans (like the SSP) and records (the evidence proving the procedure happened). Sorting these out is the single biggest source of CMMC documentation confusion.
Contractors often use “policies and procedures” as a catch-all for “the paperwork.” That instinct is what gets people in trouble. An assessor reads each type of document for a different reason, and a beautiful policy can’t paper over a procedure nobody follows or a control with no proof behind it.
The full CMMC documentation vocabulary, in plain terms
| Document type | What it is, in plain English | Its CMMC job | The common mistake |
|---|---|---|---|
| Policy | What leadership requires | Sets direction and accountability | Too generic, never approved, no named owner |
| Procedure | How the work actually gets done | Shows a repeatable, real process | Written but not followed, or not tied to evidence |
| Standard | A specific technical rule (e.g., password length) | Defines the minimum configuration | Says one thing; the system is set to another |
| Plan | How you’ll run a whole area (IR, training, assessment) | Coordinates and schedules the work | Exists on paper but never tested |
| SSP (System Security Plan) | The description of your boundary, environment, and how each requirement is met | The anchor document; assessors read it first | Outdated, generic, or disconnected from real systems |
| POA&M (Plan of Action and Milestones) | A tracked plan to close allowed gaps | The limited path to conditional status | Used for gaps the rule won’t let you defer |
| Record / evidence | Proof the control exists and runs | What assessors examine, interview on, and test against | Stale, unlabeled, or not tied to a requirement |
One requirement, four documents: a worked example
The cleanest way to feel the difference: watch one requirement — Access Control (NIST SP 800-171 Rev. 2, §3.1) — become each type of document:
- Policy: “Access to CUI systems is limited to authorized users. We enforce least privilege, and access is reviewed quarterly.” (Approved by management. This is the rule.)
- Procedure: “To grant access: the manager submits a request → IT verifies the role → a role-based account is created → the action is logged in the ticketing system → access is reviewed at the quarterly access review.” (This is the how.)
- Plan: The SSP section that explains how §3.1 is implemented across your environment — the identity system, the boundary, the responsible roles.
- Record: The access-request tickets, the quarterly access-review sign-offs, the account-permission exports, the deactivated-account logs. (This is the proof.)
An assessor examines the policy for intent, examines the procedure for the steps, interviews your staff to confirm they follow it, then tests your systems to see if reality matches. Miss any leg of that stool and the requirement fails — no matter how polished the document looks. (NIST SP 800-171A; CMMC Assessment Guide – Level 2.)
Does CMMC actually require policies and procedures?
Yes — but not the way most guides imply. NIST SP 800-171 Rev. 2 contains no numbered control that says “write an access control policy.” The obligation comes from how your compliance is assessed: NIST SP 800-171A directs assessors to examine your policies and procedures — the “specifications” it evaluates — to confirm each requirement is met. You cannot demonstrate compliance without them.
There is no official, DoD-blessed master list of “the X policies every CMMC contractor must have.” If you’re hunting for a definitive folder of required document titles you can buy and check off, it doesn’t exist — and any vendor implying otherwise is selling you a certainty they can’t deliver.
NIST SP 800-171A (the assessment companion to the standard) evaluates four kinds of “assessment objects” — specifications (your plans, policies, procedures, and designs), mechanisms (the hardware, software, and firmware safeguards), activities (protection-related actions people perform, like running backups or exercising an incident response plan), and individuals (the people applying all of the above). A policy is just one type of specification — it has to be consistent with your mechanisms, activities, and people to count.
There’s also a quieter reason documented governance is expected. When NIST built the 110 Rev. 2 requirements from the broader NIST SP 800-53 catalog, it tailored the classic “policy and procedures” governance controls into Appendix E as “NFO” controls — items a nonfederal organization is expected to routinely satisfy even though they aren’t standalone numbered requirements. Documented policies and procedures are assumed, not optional.
Do you need one policy per family?
Not by rule. A single clear, approved, current document can cover more than one family, and combining topics is fine. Think of “one policy plus supporting procedures per family” as a clean organizing convention — the simplest way to show an assessor that every family is covered — not a mandate. The binding test is whether your documentation lets an assessor trace each applicable objective to implementation evidence.
What policies and procedures do you need for CMMC Level 2?
For Level 2, you need documented policies and procedures across all 14 NIST SP 800-171 Rev. 2 control families, backed by operational evidence — plus a System Security Plan and, where allowed gaps remain, a POA&M. The matrix below maps each family to the policy it needs, the procedures behind it, the plan or artifact the rule points to, the evidence assessors expect, the provider category that typically helps, and the failure that most often sinks that family.
| Family (code · # reqs) | Policy must define | Procedures must show | Plan/artifact the rule points to | Evidence assessors want | Provider category | #1 documentation failure |
|---|---|---|---|---|---|---|
| AC · Access Control (3.1 · 22) | Authorized users, least privilege, separation of duties, remote/wireless access, CUI flow | Account provisioning/deprovisioning, access reviews, remote access, session lock | (In SSP; specifics per 3.1.x) | Access-request tickets, quarterly access-review sign-offs, permission exports, remote-access logs | MSP/MSSP, GRC platform, RPO | Policy says “least privilege,” but permissions and logs show stale or shared admin accounts |
| AT · Awareness & Training (3.2 · 3) | Required security and CUI training, role-based training, responsibilities | Onboarding training, annual refresher, insider-threat training, completion tracking | Training records/plan (3.2.1–3.2.3) | Completion records for all personnel, training content, phishing-sim results, signed acknowledgments | GRC platform, RPO | “We do annual training” with no completion records to prove coverage |
| AU · Audit & Accountability (3.3 · 9) | What’s logged, retained, reviewed, and escalated | Log review, alert triage, log protection, time sync | (In SSP; logging/monitoring strategy) | Historical logs, human-review records, alert tickets, retention configuration | MSSP, GRC platform | “We have a SIEM,” but no record of human review and no historical log data |
| CM · Configuration Management (3.4 · 9) | Baseline configurations, change control, approved software, secure settings | Baseline creation/maintenance, change approval, security impact analysis, least functionality | Documented baseline (3.4.1), change control (3.4.3), security impact analysis (3.4.4) | Baseline docs, change tickets with approvals, impact-analysis records, hardened-config exports | MSP/MSSP, RPO | No formal security impact analysis before changes — the most commonly missed CM element |
| IA · Identification & Authentication (3.5 · 11) | MFA, password/credential rules, identifier management | MFA enrollment, credential lifecycle, authenticator and service-account management | (In SSP) | MFA configuration across all in-scope systems, enforcement settings, exception handling (3.5.3) | MSP/MSSP, GRC platform | MFA scope undocumented, or the password policy says one thing and the system enforces another |
| IR · Incident Response (3.6 · 3) | How incidents are detected, reported, analyzed, contained, and learned from | Triage, escalation, evidence preservation, recovery, and DFARS 252.204-7012 reporting when that clause applies | IR capability (3.6.1), track/report (3.6.2), test the response (3.6.3) | The IR plan, tabletop/test results, incident tickets, and 72-hour DIBNet reports where DFARS 7012 applies | MSSP, RPO, federal-contracts counsel | An IR plan that has never been tested (3.6.3) — assessors mark it not met |
| MA · Maintenance (3.7 · 6) | How maintenance is authorized, logged, and controlled, including remote/vendor access | Scheduled and emergency maintenance, remote-maintenance controls, pre-maintenance sanitization, tool checks | (In SSP) | Maintenance logs, remote-maintenance authorizations, sanitization records | MSP/MSSP | Vendor or remote maintenance happens outside the documented, controlled process |
| MP · Media Protection (3.8 · 9) | Marking, storage, transport, encryption, sanitization, and control of CUI media | Media handling, removable-media approval, sanitization/destruction, marking, transport | (In SSP) | Sanitization/destruction certificates, media inventory, marking samples | MSP/MSSP, CUI enclave | No sanitization or destruction records; backups or removable media are uncontrolled |
| PS · Personnel Security (3.9 · 2) | Screening, transfers, terminations, and access removal | Pre-employment screening, HR-triggered access changes, termination checklist | (In SSP) | Screening records, termination checklists showing access revoked | RPO, GRC platform, MSP | HR and IT aren’t connected, so access lingers after termination |
| PE · Physical Protection (3.10 · 6) | Facility access, visitor control, escorting, device and media physical security | Badge issuance, visitor logging/escorting, facility access review, alternate-worksite controls | (In SSP) | Visitor logs, badge/access reports, facility diagrams, access-review records | RPO (physical), MSP (device) | Digital-only focus; visitor logs and physical access to CUI areas go undocumented |
| RA · Risk Assessment (3.11 · 3) | How risks, vulnerabilities, scans, and remediation are identified and tracked | Periodic risk assessment, vulnerability scanning, risk acceptance, remediation tracking | Risk assessment (3.11.1), vulnerability scanning (3.11.2), remediate (3.11.3) | Risk register, recurring scan results, remediation tickets, risk-acceptance approvals | MSSP, GRC platform, RPO | A one-time scan with no recurring cadence and no tracking to closure |
| CA · Security Assessment (3.12 · 4) | How controls are assessed, monitored, documented, and improved | Internal assessment, SSP updates, POA&M management, continuous monitoring | SSP (3.12.4), POA&M (3.12.2), periodic assessment (3.12.1), ongoing monitoring (3.12.3) | The SSP, a POA&M if any allowed NOT MET requirements are tracked, assessment/review records, monitoring-review records | RPO, GRC platform | Missing a POA&M for a NOT MET requirement, or relying on a POA&M for a requirement §170.21 won’t allow |
| SC · System & Communications Protection (3.13 · 16) | Boundary protection, encryption, subnetworks, CUI transfer, interconnections | Firewall management, FIPS-validated encryption, key management, DNS/session controls, external-connection review | (In SSP + network and CUI-flow diagrams) | Firewall configs, FIPS-validated encryption evidence, network and CUI-flow diagrams, CRM | CUI enclave, MSP/MSSP, RPO | Assuming GCC High or GovCloud “makes you compliant” without documenting inherited vs. retained responsibilities |
| SI · System & Information Integrity (3.14 · 7) | Flaw remediation, malicious-code protection, monitoring, alert response | Patch management, anti-malware, security-alert monitoring, system monitoring | (In SSP) | Patch records, AV/EDR configuration and logs, alert-handling records | MSSP, MSP, GRC platform | Flaw remediation isn’t documented or timely; no proof that alerts are acted on |
Required by rule vs. assessment-critical: the four documentation anchors
Most of the 110 requirements point to documentation indirectly. Four are the anchors that most often stop a Level 2 assessment:
- System Security Plan — explicit (§3.12.4). You must develop, document, and periodically update a system security plan. The rule is direct: the absence of an up-to-date SSP at assessment results in a finding that “an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012” (32 CFR Part 170, Subpart D). It’s the first document a C3PAO opens. See our full CMMC Level 2 documentation checklist.
- Plan of Action and Milestones — required where gaps exist (§3.12.2; §170.21). For each NOT MET requirement, you must have a POA&M — but a POA&M is not a substitute for a completed requirement, and only certain gaps are eligible (more below).
- Configuration baseline — explicit (§3.4.1), with change control (§3.4.3) and a security impact analysis before changes (§3.4.4). The impact analysis is the piece most contractors forget.
- Incident response capability and test records — required in substance (§3.6.1–3.6.3). The rule requires an operational incident-handling capability that you test, so you need a written IR plan plus tabletop/test evidence — an IR plan you’ve never exercised is a not-met waiting to happen.
Don’t forget the cross-cutting artifacts
Three documents aren’t tied to any single family, but you can’t scope a Level 2 assessment without them: an asset inventory, a network diagram, and a CUI data-flow diagram showing where CUI enters, moves, rests, and leaves (CMMC Scoping Guide – Level 2; see also the CMMC Scoping Guide). These feed directly into the SSP.
Level 1 vs. Level 2: what changes
Level 1 (FCI only) is built on the 15 basic safeguards in FAR 52.204-21 and verified by an annual self-assessment. Formal, family-by-family policy documentation is not the explicit focus it is at Level 2. One hard line: a POA&M is not permitted at Level 1 (32 CFR § 170.21). All 15 requirements must be met.
Level 2 (CUI) is the 110 NIST SP 800-171 Rev. 2 requirements across 14 families, and 32 CFR § 170.14 states Level 2 requirements are identical to NIST SP 800-171 Rev. 2. That’s the documentation depth this page is built around. See our CMMC levels guide and NIST 800-171 requirements checklist for the full requirement set.
How many CMMC policies do you need?
There’s no fixed number — and no required page count. The Cyber AB’s CMMC Assessment Process uses an “adequacy and sufficiency” standard: your evidence has to cover the right things (adequacy) and provide enough proof (sufficiency) for an assessor to mark all 320 assessment objectives as MET. Counting documents is the wrong game; alignment is the whole game.
NIST SP 800-171A breaks the 110 requirements into 320 assessment objectives— the individual determination statements an assessor checks. Every objective has to come back MET or Not Applicable for the parent requirement to pass. A single polished 40-page policy that doesn’t map to those objectives loses to a lean, well-aligned set that does.
Stop asking “how many policies?” and start asking “can an assessor trace each objective from my SSP to a policy, a procedure, a responsible role, and live evidence?” If yes, you pass. If they have to guess or fill in blanks, the control fails.
Are CMMC policy templates enough?
No. Templates are a legitimate starting point — but a template pack alone will not pass an assessment. Assessors read hundreds of these; they recognize generic, copy-pasted language quickly and probe harder in interviews and testing when they see it. A template becomes compliant only when it describes your actual systems and workflows, is paired with a real procedure, and is backed by evidence that the procedure happens.
| A template says… | Why it fails on its own | What actually makes it count |
|---|---|---|
| “Access is limited to authorized users under least privilege.” | Your permissions or logs may show stale or shared accounts | A matching procedure plus access-review records that prove it |
| “All CUI is encrypted with FIPS-validated cryptography.” | Your encryption may not be FIPS-validated — or even configured | Evidence of the validated module and exactly where it’s applied |
| “Employees complete annual security awareness training.” | Nothing proves anyone actually completed it | Completion records covering all personnel, plus the content |
There’s also a quality bar most template buyers miss. For a policy or procedure to count as evidence it must be final, approved, version-controlled, and assigned to an owner. A generic, unsigned, undated document isn’t weak evidence — it’s no evidence.
The fix isn’t “buy better templates.” It’s to treat documentation as the work of describing your environment and proving it runs — then decide honestly whether you have the time and expertise to do that in-house.
How do assessors evaluate your policies, procedures, and evidence?
CMMC Level 2 assessments use the NIST SP 800-171A method: examine, interview, and test. Assessors examine your documents, interview your staff to confirm the process is real, and test your systems to see if reality matches the paper. A clean policy can’t compensate for a process nobody follows — and if your written controls don’t match what testing reveals, the control fails no matter how good the SSP looks.
| Method | What it means | What weak documentation misses |
|---|---|---|
| Examine | Reviewing documents, records, diagrams, mechanisms, activities, and configurations | A policy exists, but it’s unsigned, undated, generic, or has no evidence linked to it |
| Interview | Asking your staff how the process actually works | Staff describe a process that’s different from the written procedure |
| Test | Observing or exercising a mechanism or activity | The tool’s real settings or the actual workflow don’t match the document |
The standard behind all three is adequacy and sufficiency — the right evidence, and enough of it, across your full assessment scope. Assessors do accept additional evidence during the assessment, but that window is narrow and it’s for evidence that already exists — not for building controls you haven’t implemented yet.
The honest catch: evidence can’t be back-dated
Assessors don’t just want documents — they want operating history. Months of log-review records. A risk assessment that actually happened. Quarterly access reviews with sign-offs. An incident response plan that’s been tested. You cannot manufacture that history the week before an assessment.
Turn on centralized logging the day before and you’ll have a policy but no historical data — a not-met. Write an IR plan you’ve never exercised and §3.6.3 fails. This is why “we’ll document it later” is the single most expensive assumption in CMMC.
We’re in Phase 1, which runs from November 10, 2025 through November 9, 2026 (32 CFR § 170.3(e)). In Phase 1, DoD includes Level 1 (Self) and Level 2 (Self) requirements as a condition of award for applicable contracts — and can require a Level 2 C3PAO assessment at its discretion. There is no blanket “self-assessment only” grace period. Phase 2 begins November 10, 2026: DoD intends to include Level 2 (C3PAO) for applicable solicitations as a condition of award. Phase 3 (November 10, 2027) extends that to all applicable solicitations and adds Level 3 (DIBCAC). Phase 4 (November 10, 2028) is full implementation. The evidence you should already be generating can’t be created retroactively.
Once assessed, hashed artifacts used as evidence must be retained for six years from your CMMC Status Date (32 CFR § 170.17). Your documentation isn’t a one-time deliverable. It’s a living system.
Common documentation failure patterns
- Missing a POA&M for a NOT MET requirement — or leaning on a POA&M for a gap the rule won’t allow.
- An SSP that lists controls without explaining implementation — an index, not a plan.
- An incident response plan that’s never been tested.
- No security impact analysis before configuration changes (§3.4.4).
- “We have a SIEM” with no records of human review or escalation.
- Template language with no environment specifics — recognized on sight.
- An access policy that doesn’t match actual permissions (stale or shared admin accounts).
- Physical and media controls ignored because the focus was all digital.
How should you organize your CMMC documentation?
Organize your documentation the way an assessor reads it: scope first, then the SSP, then policies and procedures by family, then the evidence that proves them, then a POA&M for whatever’s left. Writing polished policies before you’ve defined your CUI scope is the most common way to waste weeks — because scope decides what your documents have to describe.
A folder structure that follows that reading order:
- CMMC Documentation
  - 00 - Scope and Boundary
    - Asset Inventory
    - CUI Data-Flow Diagram
    - Network Diagram
    - Cloud / ESP Responsibility Matrix (CRM)
  - 01 - SSP
    - Current Approved SSP
    - SSP Version History
  - 02 - Policies and Procedures
    - Access Control
    - Awareness and Training
    - Audit and Accountability
    - Configuration Management
    - Identification and Authentication
    - Incident Response
    - Maintenance
    - Media Protection
    - Personnel Security
    - Physical Protection
    - Risk Assessment
    - Security Assessment
    - System and Communications Protection
    - System and Information Integrity
  - 03 - Evidence Register
    - Event-Based Evidence
    - Weekly / Monthly Evidence
    - Quarterly Evidence
    - Annual Evidence
  - 04 - POA&M and Remediation
  - 05 - Assessment Prep
Put evidence on a calendar. Controls that require recurring action need recurring proof:
| Cadence | Evidence examples |
|---|---|
| Event-based | New-user approvals, termination access removals, incident tickets, configuration changes |
| Weekly / monthly | Vulnerability scans, patch status, log reviews, alert triage |
| Quarterly | Access reviews, risk-register review, SSP and evidence spot-checks |
| Annual | Security training, an incident response tabletop, policy review, affirmation readiness |
Two habits separate the programs that pass from the ones that scramble: version control (every policy shows what’s current, who approved it, and when) and a living POA&M (reviewed at least quarterly and after any significant change — not resurrected the week before an assessment).
What changes if you use an MSP, cloud, GCC High, or a CUI enclave?
External providers can shrink the work, but they don’t erase your documentation responsibility. If a Cloud Service Provider (CSP) or External Service Provider (ESP) touches your CUI at Level 2, the relationship, the services, and the Customer Responsibility Matrix (CRM) need to be documented or referenced in your SSP — and your on-premises infrastructure that connects to the provider can remain in your assessment scope (32 CFR Part 170).
The trap is subtle and expensive: believing that a compliant tool makes you compliant. A FedRAMP-authorized cloud, a GCC High tenant, or a CUI enclave can inherit real controls on your behalf — but only if you document what’s inherited versus what you still retain. An assessor will ask you to prove that split.
| Provider type | Ask them for | Why it matters |
|---|---|---|
| MSP (Managed Service Provider) | System inventory, admin procedures, change records, patch reports, access controls | They may operate controls your SSP depends on — you need the evidence |
| MSSP (Managed Security Service Provider) | Logging architecture, alerting process, escalation evidence, incident records | Monitoring without evidence of review isn’t sufficient |
| CSP (Cloud Service Provider) | FedRAMP status or equivalency documentation, the CRM, the service boundary | Cloud authorization is not the same as your compliance |
| CUI enclave | Boundary diagram, inherited-vs.-retained responsibility map, evidence exports, the user/admin model | An enclave reduces scope only if it’s implemented and documented correctly |
| GRC platform | Evidence mapping, SSP support, POA&M workflow, export format | GRC organizes your proof — it doesn’t implement every control for you |
Who should help you write CMMC policies and procedures?
The right helper depends on what you’re actually missing. If the gap is time or writing capacity, a Registered Provider Organization (RPO) or a CMMC-focused MSP can build and tailor the documentation set. If you can’t operate logging, patching, or monitoring, that’s an MSSP problem. If you need to manage and prove documentation at scale, a GRC platform helps. If your CUI footprint is too broad, a CUI enclave changes what you have to document. And when you’re ready for the formal exam, a C3PAO assesses — it doesn’t build the documentation it will later assess.
| If your real problem is… | Start with this category | Why | Don’t confuse it with… |
|---|---|---|---|
| You don’t know your level, scope, or assessment path | RPO/RP, or a neutral pathing tool | You need clarity before you buy anything | A C3PAO assessment |
| You have generic templates but no implementation | RPO/RP, plus an MSP/MSSP if the gap is technical | Documents have to match real controls | A template seller |
| You can’t operate logging, patching, or endpoint controls | MSP/MSSP | The issue is executing technical controls | GRC software alone |
| You need to organize the SSP, POA&M, and recurring evidence | GRC platform, plus an RPO/RP | The issue is documentation governance and workflow | Certification |
| Your CUI collaboration boundary is too broad | CUI enclave / secure collaboration provider | Scope reduction lowers burden if documented | “Compliance in a box” |
| You’re assessment-ready and your contract requires Level 2 (C3PAO) | An authorized or accredited C3PAO | C3PAOs conduct Level 2 certification assessments | A readiness consultant |
One conflict-of-interest rule worth protecting: under the Cyber AB Code of Professional Conduct (v2.0), which incorporates 32 CFR § 170.8(b)(17), a C3PAO and its assessment team members may not participate in the Level 2 certification of an organization they served as a consultant to prepare for any CMMC assessment within the previous three years. Don’t let a firm build your documentation and then certify the same work — the rule won’t allow it, and a conflict discovered later can put your certificate at risk. (See also: how to choose a C3PAO.)
The fastest safe way to build your CMMC documentation set
The fastest safe path is not “download templates and edit the names.” It’s: confirm the requirement → define scope → build the SSP skeleton → map each family to policy, procedure, and evidence → assign owners and an evidence cadence → run a gap assessment → choose the provider category for whatever’s left. That order keeps you from writing beautiful documents for the wrong environment.
- Confirm the clause, level, and assessment type. Your contract, solicitation, or prime flow-down sets the requirement — self-assessment or C3PAO.
- Define FCI/CUI handling and your assessment scope (asset inventory, network diagram, CUI-flow diagram).
- Build the SSP skeleton first — before you write every policy, so the plan drives the documents.
- Map the 14 families to policies, procedures, and evidence using the matrix above.
- Assign owners and an evidence cadence, and start collecting now so history accrues.
- Run a readiness/gap assessment, and open a POA&M only where the rule allows it (see the next section).
- Choose the provider category that matches the remaining gap.
Get your documentation gap list
The CMMC Readiness Checklist maps all 14 families to the documents and evidence you need, so you can identify gaps before you spend on the wrong help.
Start with the CMMC Readiness Checklist →
What can and can’t go on a POA&M
A Plan of Action and Milestones lets you defer a narrow set of gaps and still earn a Conditional Level 2 status — but it’s not a free pass, and your most important controls can’t be deferred at all. The eligibility rules are precise, public, and non-negotiable under 32 CFR § 170.21.
| Situation | POA&M eligibility | Source | Practical consequence |
|---|---|---|---|
| CMMC Level 1 | Not permitted at all | § 170.21(a)(1) | All 15 requirements must be MET; nothing can be deferred |
| Minimum score for Conditional Level 2 | You must score ≥ 80% (88 of 110 points) | § 170.21(a)(2)(i) | Below 88, no CMMC status is awarded |
| Requirements worth more than 1 point (3- and 5-point controls) | Not POA&M-eligible | § 170.21(a)(2)(ii) | Every high-value control must be MET at the assessment |
| SC.L2-3.13.11 (CUI encryption) | Eligible only if encryption is used but not yet FIPS-validated (counts as 3 points) | § 170.21(a)(2)(ii) | The one carve-out; no encryption at all is a 5-point gap and can’t be deferred |
| Six named 1-point requirements | Never POA&M-eligible | § 170.21(a)(2)(iii)(A)–(F) | Must be MET regardless of point value (listed below) |
| Any allowed POA&M item | Must be closed within 180 days | § 170.21(b) | Miss the window and your Conditional status expires |
The six 1-point requirements that can never go on a Level 2 POA&M, named in § 170.21(a)(2)(iii): AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), and PE.L2-3.10.5 (Manage Physical Access). Each is worth only one point, but missing any single one blocks a Conditional status entirely. See our full Conditional Level 2 & POA&M Closeout guide.
The practical takeaway: carry the high-value controls to MET beforethe assessment, and treat the POA&M as a narrow safety net for minor, 1-point residuals — not a strategy for deferring real work.
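The eligibility rules in the table above are simple enough to run over your own gap list before the assessor does. The script below is an added example for this guide, not code from the page, the rule, or any DoD or Cyber AB tool. It encodes the § 170.21 rules as stated above (88 of 110, 1-point-only deferral, the SC.L2-3.13.11 carve-out, the six never-eligible requirements, the 180-day closeout). The requirement IDs in the sample gap list are real Rev. 2 identifiers, but the point values attached to them are assumed for illustration; look each one up in the scoring methodology (32 CFR § 170.24) before relying on the output.

```python
"""POA&M eligibility check for a CMMC Level 2 assessment result.

Added example. Encodes the 32 CFR 170.21 rules summarized in the table:
minimum score, which NOT MET requirements may be deferred, and the closeout
window. Point values must come from the 32 CFR 170.24 scoring methodology;
the values in the sample input below are assumed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta

TOTAL_REQUIREMENTS = 110
MIN_CONDITIONAL_SCORE = 88     # 0.8 * 110, the 170.21(a)(2)(i) floor
POAM_CLOSEOUT_DAYS = 180       # 170.21(b)

# 1-point requirements that can never go on a Level 2 POA&M, 170.21(a)(2)(iii).
NEVER_ELIGIBLE = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})
ENCRYPTION_REQ = "SC.L2-3.13.11"   # the single carve-out, 170.21(a)(2)(ii)


@dataclass(frozen=True)
class Gap:
    """One NOT MET requirement from a readiness or gap assessment."""
    req_id: str
    points: int            # 1, 3 or 5 per the scoring methodology
    partial: bool = False  # SC.L2-3.13.11 only: encrypted, not FIPS-validated


def deduction(gap: Gap) -> int:
    """Points subtracted from 110 for this gap."""
    if gap.req_id == ENCRYPTION_REQ and gap.partial:
        return 3   # encryption in place but not FIPS-validated scores as 3
    return gap.points


def poam_eligible(gap: Gap) -> bool:
    """True if the gap may be deferred on a Level 2 POA&M."""
    if gap.req_id == ENCRYPTION_REQ and gap.partial:
        return True
    return gap.points == 1 and gap.req_id not in NEVER_ELIGIBLE


def evaluate_level2(gaps: list[Gap]) -> dict:
    """Return the score, the resulting status, and which gaps block Conditional."""
    score = TOTAL_REQUIREMENTS - sum(deduction(g) for g in gaps)
    blocking = [g.req_id for g in gaps if not poam_eligible(g)]
    if not gaps:
        status = "Final Level 2"
    elif score >= MIN_CONDITIONAL_SCORE and not blocking:
        status = "Conditional Level 2"
    else:
        status = "No CMMC status"
    return {
        "score": score,
        "status": status,
        "blocking": blocking,
        "poam": [g.req_id for g in gaps if poam_eligible(g)],
    }


def evaluate_level1(not_met_count: int) -> str:
    """Level 1 permits no POA&M at all: every one of the 15 must be MET."""
    return "Final Level 1" if not_met_count == 0 else "No CMMC status"


def poam_deadline(assessment_date: date) -> date:
    """Last day to close every POA&M item before Conditional status lapses."""
    return assessment_date + timedelta(days=POAM_CLOSEOUT_DAYS)


if __name__ == "__main__":
    # Constructed sample gap list; point values are assumed, not looked up.
    sample = [
        Gap("AT.L2-3.2.3", 1),                       # assumed 1-point residual
        Gap("SC.L2-3.13.11", 5, partial=True),       # encrypted, not FIPS-validated
    ]
    print(evaluate_level2(sample))
    # Adding one never-eligible 1-point requirement flips the result.
    print(evaluate_level2(sample + [Gap("PE.L2-3.10.3", 1)]))
    print("closeout by", poam_deadline(date(2025, 1, 15)))
```

Run it with your own gap list and point values. Note that the score alone is not the test: a list of 22 eligible 1-point gaps scores exactly 88 and earns Conditional status, while a single 3- or 5-point gap, or one of the six named requirements, blocks it at any score.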
How this connects to SPRS, affirmation, and contract eligibility
Your policies and procedures become contract-risk documents the moment they support a CMMC status, score, or affirmation. Level 2 self-assessment results are submitted to SPRS; Level 2 C3PAO results are entered into the CMMC instance of eMASS and transmitted to SPRS; and to maintain a Final Level 2 status, an Affirming Official must affirm compliance at the time of assessment and annually thereafter (32 CFR §§ 170.17, 170.22).
This is why leadership should care about the paperwork. Those documents underpin what your company formally attests is true about its security — and a false affirmation carries real legal exposure. Before award of a contract that requires Level 2 (C3PAO), you must both hold a Conditional or Final Level 2 (C3PAO) status and have submitted your affirmation into SPRS (§ 170.17(b)). No current status, no award.
See our self-assessment vs. C3PAO guide for the full SPRS and eMASS breakdown.
The most common CMMC documentation mistakes
The single most dangerous CMMC documentation mistake is believing documentation equals implementation. The rest follow from it.
| Mistake | Why it matters | The fix |
|---|---|---|
| Treating templates as compliance | Templates don’t prove implementation | Map each document to real systems, owners, and evidence |
| An SSP that doesn’t match reality | The SSP is the anchor artifact — its absence stops the assessment | Update the boundary, assets, diagrams, and implementation statements |
| No evidence cadence | You can’t prove a recurring control from a one-time document | Build the event/weekly/quarterly/annual evidence calendar |
| Undocumented MSP/CSP responsibilities | Shared-responsibility gaps break the SSP | Require the CRM, service descriptions, and evidence exports |
| Unsigned or draft policies | Evidence must be final, approved, version-controlled, and owned | Finalize, approve, version, and assign an owner |
| Rev. 3 confusion | CMMC Level 2 currently maps to Rev. 2 | Build to Rev. 2’s 110 requirements until DoD amends the rule |
| Using the POA&M too broadly | High-value controls can’t be deferred; the 180-day clock is fixed | Check § 170.21 and carry the 3- and 5-point controls to MET first |
| Engaging a C3PAO too early | Assessment isn’t implementation | Finish readiness, then assess — and keep the two separate |
A note on Rev. 2 vs. Rev. 3: NIST finalized SP 800-171 Revision 3 in May 2024 (consolidating requirements from 110 to 97), and NIST’s own catalog lists Rev. 2 as withdrawn/superseded. But for CMMC, Rev. 2 is still the standard. DoD issued Class Deviation 2024-O0013 directing contractors under DFARS 252.204-7012 to comply with Rev. 2, and 32 CFR § 170.14 ties CMMC Level 2 to Rev. 2. Build your documentation to Rev. 2 until DoD formally amends the rule.
What we verified for this guide
We built this from primary sources, not vendor claims. Here’s what we actually checked, and when. Last verified:
- 32 CFR Part 170 (the CMMC Program Rule; effective December 16, 2024) — the level mapping (§ 170.14), phased rollout (§ 170.3), assessment and affirmation requirements (§§ 170.15–170.17, 170.22), scoping (§ 170.19), POA&M rules (§ 170.21), scoring methodology (§ 170.24), and ecosystem/conflict rules (§ 170.8–170.9). eCFR
- Federal Register — the CMMC Program final rule and the DFARS acquisition final rule, effective November 10, 2025, which set the phased rollout.
- NIST SP 800-171 Revision 2 — the 110 requirements across 14 families, the SSP requirement (§ 3.12.4), the POA&M requirement (§ 3.12.2), the incident response and configuration requirements, and Appendix E. NIST CSRC
- NIST SP 800-171A — the assessment objects (specifications, mechanisms, activities, individuals), the examine/interview/test methods, and the 320 assessment objectives. NIST CSRC
- DoD CMMC Assessment Guide – Level 2 and Level 1 — how documentation is examined and scored. dodcio.defense.gov
- Cyber AB CMMC Assessment Process and Code of Professional Conduct (v2.0) — the adequacy/sufficiency standard and the three-year consultant conflict rule. cyberab.org
- DoD Class Deviation 2024-O0013 — confirming CMMC and DFARS 7012 remain on NIST SP 800-171 Rev. 2. acq.osd.mil
This page does not provide legal, contractual, or compliance advice, guarantee a certification outcome, or endorse a named provider. Confirm your scope, level, and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.
CMMC policies and procedures: FAQ
What CMMC policies are required?
There’s no official single list of document titles every contractor must use. For Level 2, the practical requirement is to document how your organization implements the 110 NIST SP 800-171 Rev. 2 requirements across all 14 families — with an SSP, supporting policies and procedures, and evidence that matches your actual scope (32 CFR § 170.14; NIST SP 800-171A).
What’s the difference between a CMMC policy and a procedure?
A policy is a management-approved statement of what your organization requires and why. A procedure is the step-by-step description of how it’s done. Assessors examine the policy for intent and the procedure for execution — then interview staff to confirm the procedure is actually followed (NIST SP 800-171A).
Do I need one policy for each NIST 800-171 family?
Not by rule. A single clear, approved, current document can cover more than one family. A common organizing convention is at least one policy plus supporting procedures per family, because it’s the cleanest way to show every objective is covered — but it’s a convention, not a mandate.
Can I use free CMMC policy templates?
Yes, as a starting point — but a template alone won’t pass. Assessors recognize generic, copy-pasted policies and probe harder. A template becomes usable evidence only when it describes your actual environment, is paired with a real procedure, and is final, approved, version-controlled, and backed by proof the control runs.
Does CMMC require an SSP?
For Level 2, yes. NIST SP 800-171 requirement 3.12.4 requires you to develop, document, and periodically update a system security plan. It’s the first document a C3PAO reads, and under 32 CFR Part 170 the absence of an up-to-date SSP at the time of assessment means the assessment cannot be completed.
Does CMMC require a POA&M?
NIST SP 800-171 requirement 3.12.2 requires a POA&M for deficiencies, and at Level 2 any NOT MET requirement you defer must be on one — but a POA&M is never a substitute for a completed requirement, and CMMC limits it tightly. Level 1 allows none. Level 2 allows a POA&M only for eligible 1-point gaps (plus the SC.L2-3.13.11 carve-out), requires a minimum 80% score for Conditional status, excludes six named requirements, and requires closeout within 180 days (32 CFR § 170.21).
Are draft or unsigned policies acceptable evidence?
No. Assessors judge evidence on adequacy and sufficiency, and for a policy or procedure to count it must be current, final, approved, version-controlled, and assigned to an owner. A generic, unsigned, undated document doesn’t demonstrate a control that’s actually running.
Can my MSP write my CMMC procedures?
An MSP can help write or operate procedures for the systems it manages, but you still need the documents to reflect your actual scope, CUI flow, responsibilities, SSP, and evidence. If the MSP operates controls, make sure ownership, evidence exports, and shared responsibilities are documented in a Customer Responsibility Matrix.
Can a C3PAO write my policies and then assess me?
No. Under the Cyber AB Code of Professional Conduct (v2.0) and 32 CFR § 170.8(b)(17), a C3PAO and its team can’t assess an organization they served as a consultant to prepare for any CMMC assessment within the previous three years. Keep readiness and formal assessment with separate organizations.
Is NIST SP 800-171 Rev. 3 used for CMMC Level 2?
Not under the current rule. NIST finalized Rev. 3 in May 2024 and lists Rev. 2 as superseded, but 32 CFR § 170.14 and DoD Class Deviation 2024-O0013 keep CMMC Level 2 on Rev. 2. Build to Rev. 2 until DoD amends the rule.
What happens if my policies don’t match what I actually do?
The control fails. Assessors compare your documentation to reality through interviews and testing, and any discrepancy is a finding. A polished policy that doesn’t reflect your systems is worse than a lean one that does — it signals the rest of your documentation may not be trustworthy either.
Need help deciding what type of CMMC provider you need?
You’ve seen the map, the documents the rule actually points to, why templates fall short, and how assessors judge your paperwork. If you’re clear on your path, go build. If you’re not, don’t guess your way into a six-figure decision.
Find My CMMC Path →
Keep going
- CMMC Level 2 Checklist: 110 Controls, Evidence & SPRS — the full readiness sequence
- CMMC Level 2 Documentation Checklist — SSP, POA&M & evidence requirements
- NIST 800-171 Requirements Checklist — all 110 requirements in detail
- NIST 800-171A Assessment Objectives — the 320 assessment objectives explained
- CMMC Levels Explained — confirm whether you need Level 1, 2, or 3
- CMMC Scoping Guide — asset categories and boundary reduction
- CMMC Self-Assessment vs. C3PAO — which path your clause requires
- Conditional Level 2 & POA&M Closeout — the 180-day path
- CMMC Readiness Checklist — map gaps to the 14 families
- Best C3PAO for CMMC Level 2 — how to choose an assessment organization
- The CMMC Final Rule, Explained — 32 CFR Part 170 background
- Find My CMMC Path — map your situation to the right provider category
Primary sources
- 32 CFR Part 170 (CMMC Program Rule) — ecfr.gov/current/title-32/…/part-170
- NIST SP 800-171 Rev. 2 — nvlpubs.nist.gov
- NIST SP 800-171A (assessment methodology, 320 objectives) — nvlpubs.nist.gov
- DoD CMMC Assessment Guide – Level 2 — dodcio.defense.gov
- DoD CMMC Scoping Guide – Level 2 — dodcio.defense.gov
- Cyber AB Code of Professional Conduct (v2.0) — cyberab.org
- DoD Class Deviation 2024-O0013 (Rev. 2) — acq.osd.mil
- Federal Register — CMMC Program final rule (Oct 15, 2024) — federalregister.gov
- DFARS acquisition final rule (effective Nov 10, 2025) — federalregister.gov