The Defense Compliance Report · CMMC 2.0 & the Defense Industrial Base

CMMC Policies and Procedures: What Level 2 Contractors Actually Need

Last reviewed: · By The Defense Compliance Report Editorial Team

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice.

CMMC policies and procedures are the written rules (policies) and step-by-step operating documents (procedures) that prove how your company actually meets the security requirements behind its CMMC level. For CMMC Level 2, you need them across all 14 NIST SP 800-171 Revision 2 control families, anchored by a System Security Plan (SSP) and, where allowed gaps remain, a Plan of Action and Milestones (POA&M).

Here’s the part most guides skip, and it will save you money: there is no official master list of required CMMC policies. Assessors don’t count your documents. They check whether your policies, procedures, and the evidence behind them let them mark all 320 assessment objectives as MET. Which documents you need depends on your required level, whether you handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), and your assessment type.

Below is the exact map — family by family — plus which documents the rule actually points to, how assessors judge your paperwork, why template packs fail, and who to bring in if you can’t build it yourself.

This page is for you if you’re a defense contractor — or the IT director, compliance manager, FSO, or owner inside one — who needs to understand and build the documentation set for CMMC Level 1 or Level 2.

This page is not the fastest path if you only need to figure out which level applies to you (start with our CMMC levels guide), you want a deep dive on the SSP by itself (see our CMMC Level 2 Checklist), or you need a legal reading of a specific contract clause (talk to a qualified federal-contracts attorney).

Which CMMC documentation path are you on?

Before you write a single policy, find your row. The documents you need — and the mistakes that will cost you — depend on your situation, not on a generic checklist.

Your situation | What you probably need first | What not to do first | Best next step
--- | --- | --- | ---
You handle FCI only and your contract requires Level 1 | A lighter set tied to the 15 basic safeguards in FAR 52.204-21 | Buy a full Level 2 template package before confirming scope | Confirm your level and FCI boundary
You handle CUI and need Level 2 self-assessment | SSP, defined scope, a 14-family policy/procedure/evidence map, an SPRS-ready score | Treat “having policies” as the whole compliance program | Start collecting evidence now, before you post a score
You handle CUI and need Level 2 with a C3PAO | An assessment-ready SSP, final evidence, a POA&M strategy, artifact control | Ask the C3PAO to write your documents and then assess the same work | Keep readiness help and formal assessment separate
You use an MSP, MSSP, cloud tenant, or CUI enclave | A shared-responsibility map and a Customer Responsibility Matrix (CRM) | Assume the provider “makes you compliant” | Document what’s inherited vs. what you still own
You already bought templates | Customization, approval, scope mapping, and evidence behind each one | Leave them generic, unsigned, or disconnected from your systems | Turn templates into real procedures with real evidence

Scoping note: before any Level 2 assessment, you must specify your CMMC Assessment Scope, and your assets must be documented across artifacts like the asset inventory, SSP, and network diagram, depending on the asset category (32 CFR § 170.19; CMMC Scoping Guide – Level 2).

The right documents flow from your contract requirement and your environment — not from a one-size folder. The category of help you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Not sure which documentation path applies to you?

Tell us your required level, FCI/CUI handling, assessment type, environment, and timeline. We’ll map your situation to the provider category that usually fits — before you spend on the wrong help.

Provider matching may generate referral or lead-routing compensation, disclosed at the point of recommendation. Do not submit CUI or sensitive contract details.

Find My CMMC Path →

What are CMMC policies and procedures?

A policy is a management-approved statement of what your organization requires and why. A procedure is the step-by-step description of how it actually gets done. Neither one is enough alone — and both live inside a larger documentation system that also includes plans (like the SSP) and records (the evidence proving the procedure happened). Sorting these out is the single biggest source of CMMC documentation confusion.

Contractors often use “policies and procedures” as a catch-all for “the paperwork.” That instinct is what gets people in trouble. An assessor reads each type of document for a different reason, and a beautiful policy can’t paper over a procedure nobody follows or a control with no proof behind it.

The full CMMC documentation vocabulary, in plain terms

Document type | What it is, in plain English | Its CMMC job | The common mistake
--- | --- | --- | ---
Policy | What leadership requires | Sets direction and accountability | Too generic, never approved, no named owner
Procedure | How the work actually gets done | Shows a repeatable, real process | Written but not followed, or not tied to evidence
Standard | A specific technical rule (e.g., password length) | Defines the minimum configuration | Says one thing; the system is set to another
Plan | How you’ll run a whole area (IR, training, assessment) | Coordinates and schedules the work | Exists on paper but never tested
SSP (System Security Plan) | The description of your boundary, environment, and how each requirement is met | The anchor document; assessors read it first | Outdated, generic, or disconnected from real systems
POA&M (Plan of Action and Milestones) | A tracked plan to close allowed gaps | The limited path to conditional status | Used for gaps the rule won’t let you defer
Record / evidence | Proof the control exists and runs | What assessors examine, interview on, and test against | Stale, unlabeled, or not tied to a requirement

One requirement, four documents: a worked example

The cleanest way to feel the difference: watch one requirement — Access Control (NIST SP 800-171 Rev. 2, §3.1) — become each type of document:

An assessor examines the policy for intent, examines the procedure for the steps, interviews your staff to confirm they follow it, then tests your systems to see if reality matches. Miss any leg of that stool and the requirement fails — no matter how polished the document looks. (NIST SP 800-171A; CMMC Assessment Guide – Level 2.)

Does CMMC actually require policies and procedures?

Yes — but not the way most guides imply. NIST SP 800-171 Rev. 2 contains no numbered control that says “write an access control policy.” The obligation comes from how your compliance is assessed: NIST SP 800-171A directs assessors to examine your policies and procedures — the “specifications” it evaluates — to confirm each requirement is met. You cannot demonstrate compliance without them.

There is no official, DoD-blessed master list of “the X policies every CMMC contractor must have.” If you’re hunting for a definitive folder of required document titles you can buy and check off, it doesn’t exist — and any vendor implying otherwise is selling you a certainty they can’t deliver.

NIST SP 800-171A (the assessment companion to the standard) evaluates four kinds of “assessment objects” — specifications (your plans, policies, procedures, and designs), mechanisms (the hardware, software, and firmware safeguards), activities (protection-related actions people perform, like running backups or exercising an incident response plan), and individuals (the people applying all of the above). A policy is just one type of specification — it has to be consistent with your mechanisms, activities, and people to count.

There’s also a quieter reason documented governance is expected. When NIST built the 110 Rev. 2 requirements from the broader NIST SP 800-53 catalog, it tailored the classic “policy and procedures” governance controls into Appendix E as “NFO” controls — items a nonfederal organization is expected to routinely satisfy even though they aren’t standalone numbered requirements. Documented policies and procedures are assumed, not optional.

Do you need one policy per family?

Not by rule. A single clear, approved, current document can cover more than one family, and combining topics is fine. Think of “one policy plus supporting procedures per family” as a clean organizing convention — the simplest way to show an assessor that every family is covered — not a mandate. The binding test is whether your documentation lets an assessor trace each applicable objective to implementation evidence.

What policies and procedures do you need for CMMC Level 2?

For Level 2, you need documented policies and procedures across all 14 NIST SP 800-171 Rev. 2 control families, backed by operational evidence — plus a System Security Plan and, where allowed gaps remain, a POA&M. The matrix below maps each family to the policy it needs, the procedures behind it, the plan or artifact the rule points to, the evidence assessors expect, the provider category that typically helps, and the failure that most often sinks that family.

The CMMC Policy-to-Evidence Matrix (NIST SP 800-171 Rev. 2, all 14 families — for CMMC Level 2). Requirement numbers are Rev. 2; CMMC uses the same numbers (e.g., CA.L2-3.12.2).

Family (code · # reqs) | Policy must define | Procedures must show | Plan/artifact the rule points to | Evidence assessors want | Provider category | #1 documentation failure
--- | --- | --- | --- | --- | --- | ---
AC · Access Control (3.1 · 22) | Authorized users, least privilege, separation of duties, remote/wireless access, CUI flow | Account provisioning/deprovisioning, access reviews, remote access, session lock | (In SSP; specifics per 3.1.x) | Access-request tickets, quarterly access-review sign-offs, permission exports, remote-access logs | MSP/MSSP, GRC platform, RPO | Policy says “least privilege,” but permissions and logs show stale or shared admin accounts
AT · Awareness & Training (3.2 · 3) | Required security and CUI training, role-based training, responsibilities | Onboarding training, annual refresher, insider-threat training, completion tracking | Training records/plan (3.2.1–3.2.3) | Completion records for all personnel, training content, phishing-sim results, signed acknowledgments | GRC platform, RPO | “We do annual training” with no completion records to prove coverage
AU · Audit & Accountability (3.3 · 9) | What’s logged, retained, reviewed, and escalated | Log review, alert triage, log protection, time sync | (In SSP; logging/monitoring strategy) | Historical logs, human-review records, alert tickets, retention configuration | MSSP, GRC platform | “We have a SIEM,” but no record of human review and no historical log data
CM · Configuration Management (3.4 · 9) | Baseline configurations, change control, approved software, secure settings | Baseline creation/maintenance, change approval, security impact analysis, least functionality | Documented baseline (3.4.1), change control (3.4.3), security impact analysis (3.4.4) | Baseline docs, change tickets with approvals, impact-analysis records, hardened-config exports | MSP/MSSP, RPO | No formal security impact analysis before changes — the most commonly missed CM element
IA · Identification & Authentication (3.5 · 11) | MFA, password/credential rules, identifier management | MFA enrollment, credential lifecycle, authenticator and service-account management | (In SSP) | MFA configuration across all in-scope systems, enforcement settings, exception handling (3.5.3) | MSP/MSSP, GRC platform | MFA scope undocumented, or the password policy says one thing and the system enforces another
IR · Incident Response (3.6 · 3) | How incidents are detected, reported, analyzed, contained, and learned from | Triage, escalation, evidence preservation, recovery, and DFARS 252.204-7012 reporting when that clause applies | IR capability (3.6.1), track/report (3.6.2), test the response (3.6.3) | The IR plan, tabletop/test results, incident tickets, and 72-hour DIBNet reports where DFARS 7012 applies | MSSP, RPO, federal-contracts counsel | An IR plan that has never been tested (3.6.3) — assessors mark it not met
MA · Maintenance (3.7 · 6) | How maintenance is authorized, logged, and controlled, including remote/vendor access | Scheduled and emergency maintenance, remote-maintenance controls, pre-maintenance sanitization, tool checks | (In SSP) | Maintenance logs, remote-maintenance authorizations, sanitization records | MSP/MSSP | Vendor or remote maintenance happens outside the documented, controlled process
MP · Media Protection (3.8 · 9) | Marking, storage, transport, encryption, sanitization, and control of CUI media | Media handling, removable-media approval, sanitization/destruction, marking, transport | (In SSP) | Sanitization/destruction certificates, media inventory, marking samples | MSP/MSSP, CUI enclave | No sanitization or destruction records; backups or removable media are uncontrolled
PS · Personnel Security (3.9 · 2) | Screening, transfers, terminations, and access removal | Pre-employment screening, HR-triggered access changes, termination checklist | (In SSP) | Screening records, termination checklists showing access revoked | RPO, GRC platform, MSP | HR and IT aren’t connected, so access lingers after termination
PE · Physical Protection (3.10 · 6) | Facility access, visitor control, escorting, device and media physical security | Badge issuance, visitor logging/escorting, facility access review, alternate-worksite controls | (In SSP) | Visitor logs, badge/access reports, facility diagrams, access-review records | RPO (physical), MSP (device) | Digital-only focus; visitor logs and physical access to CUI areas go undocumented
RA · Risk Assessment (3.11 · 3) | How risks, vulnerabilities, scans, and remediation are identified and tracked | Periodic risk assessment, vulnerability scanning, risk acceptance, remediation tracking | Risk assessment (3.11.1), vulnerability scanning (3.11.2), remediate (3.11.3) | Risk register, recurring scan results, remediation tickets, risk-acceptance approvals | MSSP, GRC platform, RPO | A one-time scan with no recurring cadence and no tracking to closure
CA · Security Assessment (3.12 · 4) | How controls are assessed, monitored, documented, and improved | Internal assessment, SSP updates, POA&M management, continuous monitoring | SSP (3.12.4), POA&M (3.12.2), periodic assessment (3.12.1), ongoing monitoring (3.12.3) | The SSP, a POA&M if any allowed NOT MET requirements are tracked, assessment/review records, monitoring-review records | RPO, GRC platform | Missing a POA&M for a NOT MET requirement, or relying on a POA&M for a requirement §170.21 won’t allow
SC · System & Communications Protection (3.13 · 16) | Boundary protection, encryption, subnetworks, CUI transfer, interconnections | Firewall management, FIPS-validated encryption, key management, DNS/session controls, external-connection review | (In SSP + network and CUI-flow diagrams) | Firewall configs, FIPS-validated encryption evidence, network and CUI-flow diagrams, CRM | CUI enclave, MSP/MSSP, RPO | Assuming GCC High or GovCloud “makes you compliant” without documenting inherited vs. retained responsibilities
SI · System & Information Integrity (3.14 · 7) | Flaw remediation, malicious-code protection, monitoring, alert response | Patch management, anti-malware, security-alert monitoring, system monitoring | (In SSP) | Patch records, AV/EDR configuration and logs, alert-handling records | MSSP, MSP, GRC platform | Flaw remediation isn’t documented or timely; no proof that alerts are acted on

Required by rule vs. assessment-critical: the four documentation anchors

Most of the 110 requirements point to documentation indirectly. Four are the anchors that most often stop a Level 2 assessment:

Don’t forget the cross-cutting artifacts

Three documents aren’t tied to any single family, but you can’t scope a Level 2 assessment without them: an asset inventory, a network diagram, and a CUI data-flow diagram showing where CUI enters, moves, rests, and leaves (CMMC Scoping Guide – Level 2; see also our CMMC scoping guide). All three feed directly into the SSP.

Level 1 vs. Level 2: what changes

Level 1 (FCI only) is built on the 15 basic safeguards in FAR 52.204-21 and verified by an annual self-assessment. Formal, family-by-family policy documentation is not the explicit focus it is at Level 2. One hard line: a POA&M is not permitted at Level 1 (32 CFR § 170.21). All 15 requirements must be met.

Level 2 (CUI) is the 110 NIST SP 800-171 Rev. 2 requirements across 14 families, and 32 CFR § 170.14 states Level 2 requirements are identical to NIST SP 800-171 Rev. 2. That’s the documentation depth this page is built around. See our CMMC levels guide and NIST 800-171 requirements checklist for the full requirement set.

How many CMMC policies do you need?

There’s no fixed number — and no required page count. The Cyber AB’s CMMC Assessment Process uses an “adequacy and sufficiency” standard: your evidence has to cover the right things (adequacy) and provide enough proof (sufficiency) for an assessor to mark all 320 assessment objectives as MET. Counting documents is the wrong game; alignment is the whole game.

NIST SP 800-171A breaks the 110 requirements into 320 assessment objectives — the individual determination statements an assessor checks. Every objective has to come back MET or Not Applicable for the parent requirement to pass. A single polished 40-page policy that doesn’t map to those objectives loses to a lean, well-aligned set that does.

Stop asking “how many policies?” and start asking “can an assessor trace each objective from my SSP to a policy, a procedure, a responsible role, and live evidence?” If yes, you pass. If they have to guess or fill in blanks, the control fails.

Are CMMC policy templates enough?

No. Templates are a legitimate starting point — but a template pack alone will not pass an assessment. Assessors read hundreds of these; they recognize generic, copy-pasted language quickly and probe harder in interviews and testing when they see it. A template becomes compliant only when it describes your actual systems and workflows, is paired with a real procedure, and is backed by evidence that the procedure happens.

A template says… | Why it fails on its own | What actually makes it count
--- | --- | ---
“Access is limited to authorized users under least privilege.” | Your permissions or logs may show stale or shared accounts | A matching procedure plus access-review records that prove it
“All CUI is encrypted with FIPS-validated cryptography.” | Your encryption may not be FIPS-validated — or even configured | Evidence of the validated module and exactly where it’s applied
“Employees complete annual security awareness training.” | Nothing proves anyone actually completed it | Completion records covering all personnel, plus the content

There’s also a quality bar most template buyers miss. For a policy or procedure to count as evidence it must be final, approved, version-controlled, and assigned to an owner. A generic, unsigned, undated document isn’t weak evidence — it’s no evidence.

The fix isn’t “buy better templates.” It’s to treat documentation as the work of describing your environment and proving it runs — then decide honestly whether you have the time and expertise to do that in-house.

Have templates, but not an evidence system behind them?

Use Find My CMMC Path to see whether your gap is really a readiness, managed-security, GRC/evidence, CUI-enclave, or assessment-timing problem. The tool maps you to a provider category — not a named-provider ranking.

Do not submit CUI or sensitive contract details.

Map My Documentation Gap →

How do assessors evaluate your policies, procedures, and evidence?

CMMC Level 2 assessments use the NIST SP 800-171A method: examine, interview, and test. Assessors examine your documents, interview your staff to confirm the process is real, and test your systems to see if reality matches the paper. A clean policy can’t compensate for a process nobody follows — and if your written controls don’t match what testing reveals, the control fails no matter how good the SSP looks.

Method | What it means | What weak documentation misses
--- | --- | ---
Examine | Reviewing documents, records, diagrams, mechanisms, activities, and configurations | A policy exists, but it’s unsigned, undated, generic, or has no evidence linked to it
Interview | Asking your staff how the process actually works | Staff describe a process that’s different from the written procedure
Test | Observing or exercising a mechanism or activity | The tool’s real settings or the actual workflow don’t match the document

The standard behind all three is adequacy and sufficiency — the right evidence, and enough of it, across your full assessment scope. Assessors do accept additional evidence during the assessment, but that window is narrow and it’s for evidence that already exists — not for building controls you haven’t implemented yet.

The honest catch: evidence can’t be back-dated

Assessors don’t just want documents — they want operating history. Months of log-review records. A risk assessment that actually happened. Quarterly access reviews with sign-offs. An incident response plan that’s been tested. You cannot manufacture that history the week before an assessment.

Turn on centralized logging the day before and you’ll have a policy but no historical data — a not-met. Write an IR plan you’ve never exercised and §3.6.3 fails. This is why “we’ll document it later” is the single most expensive assumption in CMMC.

We’re in Phase 1, which runs from November 10, 2025 through November 9, 2026 (32 CFR § 170.3(e)). In Phase 1, DoD includes Level 1 (Self) and Level 2 (Self) requirements as a condition of award for applicable contracts — and can require a Level 2 C3PAO assessment at its discretion. There is no blanket “self-assessment only” grace period. Phase 2 begins November 10, 2026: DoD intends to include Level 2 (C3PAO) for applicable solicitations as a condition of award. Phase 3 (November 10, 2027) extends that to all applicable solicitations and adds Level 3 (DIBCAC). Phase 4 (November 10, 2028) is full implementation. The evidence you should already be generating can’t be created retroactively.

Once assessed, hashed artifacts used as evidence must be retained for six years from your CMMC Status Date (32 CFR § 170.17). Your documentation isn’t a one-time deliverable. It’s a living system.

Common documentation failure patterns

How should you organize your CMMC documentation?

Organize your documentation the way an assessor reads it: scope first, then the SSP, then policies and procedures by family, then the evidence that proves them, then a POA&M for whatever’s left. Writing polished policies before you’ve defined your CUI scope is the most common way to waste weeks — because scope decides what your documents have to describe.

CMMC Documentation
  00 - Scope and Boundary
       Asset Inventory
       CUI Data-Flow Diagram
       Network Diagram
       Cloud / ESP Responsibility Matrix (CRM)
  01 - SSP
       Current Approved SSP
       SSP Version History
  02 - Policies and Procedures
       Access Control
       Awareness and Training
       Audit and Accountability
       Configuration Management
       Identification and Authentication
       Incident Response
       Maintenance
       Media Protection
       Personnel Security
       Physical Protection
       Risk Assessment
       Security Assessment
       System and Communications Protection
       System and Information Integrity
  03 - Evidence Register
       Event-Based Evidence
       Weekly / Monthly Evidence
       Quarterly Evidence
       Annual Evidence
  04 - POA&M and Remediation
  05 - Assessment Prep

Put evidence on a calendar. Controls that require recurring action need recurring proof:

Cadence | Evidence examples
--- | ---
Event-based | New-user approvals, termination access removals, incident tickets, configuration changes
Weekly / monthly | Vulnerability scans, patch status, log reviews, alert triage
Quarterly | Access reviews, risk-register review, SSP and evidence spot-checks
Annual | Security training, an incident response tabletop, policy review, affirmation readiness

Two habits separate the programs that pass from the ones that scramble: version control (every policy shows what’s current, who approved it, and when) and a living POA&M (reviewed at least quarterly and after any significant change — not resurrected the week before an assessment).
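To make the traceability test (“can an assessor trace each objective to a policy, a procedure, a responsible role, and live evidence?”) and the evidence calendar above concrete, here is an added editorial example, not code from this publication or from any GRC product. It models an evidence register as a list of rows, one per assessment objective, and runs a check that flags three things: a missing policy, procedure or owner link; recurring evidence whose newest item is older than its cadence window; and recurring controls backed by a single sample, which is the “one scan, one log review, the week before the assessment” pattern rather than operating history. The register layout, the freshness windows, the two-sample minimum, the objective and document IDs and the dates are all assumptions constructed for the example.

```python
from datetime import date

# Assumed freshness windows, in days, for the newest dated evidence item per
# cadence. The cadence buckets come from the evidence calendar; the numbers
# are an editorial assumption, not a rule.
MAX_AGE_DAYS = {"weekly": 14, "monthly": 45, "quarterly": 100, "annual": 380}

# Assumed: a recurring control needs at least this many dated samples before
# it counts as operating history rather than a single pre-assessment run.
MIN_SAMPLES = 2

# Every objective must trace to a policy, a procedure and a responsible role.
REQUIRED_LINKS = ("policy", "procedure", "owner")


def check_register(register, today):
    """Return (objective, finding) pairs for every traceability or freshness gap.

    Each register row is a dict with keys: objective, policy, procedure, owner,
    cadence ("event", "weekly", "monthly", "quarterly" or "annual") and
    evidence_dates (a list of datetime.date). Event-based evidence is checked
    only for presence, since it has no fixed cadence.
    """
    findings = []
    for row in register:
        obj = row["objective"]
        for link in REQUIRED_LINKS:
            if not row.get(link):
                findings.append((obj, f"no {link} linked"))
        dates = sorted(row.get("evidence_dates", []))
        if not dates:
            findings.append((obj, "no evidence on file"))
            continue
        cadence = row.get("cadence", "event")
        if cadence in MAX_AGE_DAYS:
            age = (today - dates[-1]).days
            if age > MAX_AGE_DAYS[cadence]:
                findings.append((obj, f"{cadence} evidence is {age} days old"))
            if len(dates) < MIN_SAMPLES:
                findings.append((obj, f"only {len(dates)} {cadence} sample(s); no operating history"))
    return findings


# Constructed sample register. Objective IDs follow the 800-171A "3.x.y[a]"
# notation; the policy/procedure IDs, owners and dates are invented.
TODAY = date(2026, 3, 2)
SAMPLE_REGISTER = [
    {"objective": "AC.L2-3.1.1[a]", "policy": "POL-AC-01", "procedure": "PRC-AC-03",
     "owner": "IT Director", "cadence": "quarterly",
     "evidence_dates": [date(2025, 9, 30), date(2025, 12, 31)]},   # healthy
    {"objective": "AU.L2-3.3.1[a]", "policy": "POL-AU-01", "procedure": "PRC-AU-02",
     "owner": "MSSP SOC", "cadence": "weekly",
     "evidence_dates": [date(2026, 2, 27)]},                        # review started last week
    {"objective": "RA.L2-3.11.2[a]", "policy": "POL-RA-01", "procedure": "",
     "owner": "", "cadence": "monthly",
     "evidence_dates": [date(2025, 6, 15)]},                        # one old scan, no owner
    {"objective": "IR.L2-3.6.3[a]", "policy": "POL-IR-01", "procedure": "PRC-IR-01",
     "owner": "Compliance Manager", "cadence": "annual",
     "evidence_dates": []},                                         # plan never tested
]

if __name__ == "__main__":
    for objective, finding in check_register(SAMPLE_REGISTER, TODAY):
        print(f"{objective}: {finding}")
```

Run as a script it prints one line per gap: the access-control row is clean, the audit row has fresh but single-sample evidence, the vulnerability-scan row has no procedure, no owner, and a scan that is months stale, and the incident-response row has a plan with no test on file. The windows are deliberately a little looser than the cadence names suggest so that a report filed a few days late is not flagged; tighten them to the deadlines your own procedures state. The two-sample rule is the point of the “evidence can’t be back-dated” section: one log review or one scan is a document, not operating history.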

Want the structure without rebuilding it from scratch?

The CMMC Readiness Checklist maps the folder structure and evidence calendar above to all 14 families, so you can start filling gaps today. No form to reach it.

Go to the CMMC Readiness Checklist →

What changes if you use an MSP, cloud, GCC High, or a CUI enclave?

External providers can shrink the work, but they don’t erase your documentation responsibility. If a Cloud Service Provider (CSP) or External Service Provider (ESP) touches your CUI at Level 2, the relationship, the services, and the Customer Responsibility Matrix (CRM) need to be documented or referenced in your SSP — and your on-premises infrastructure that connects to the provider can remain in your assessment scope (32 CFR Part 170).

The trap is subtle and expensive: believing that a compliant tool makes you compliant. A FedRAMP-authorized cloud, a GCC High tenant, or a CUI enclave can inherit real controls on your behalf — but only if you document what’s inherited versus what you still retain. An assessor will ask you to prove that split.

Provider type | Ask them for | Why it matters
--- | --- | ---
MSP (Managed Service Provider) | System inventory, admin procedures, change records, patch reports, access controls | They may operate controls your SSP depends on — you need the evidence
MSSP (Managed Security Service Provider) | Logging architecture, alerting process, escalation evidence, incident records | Monitoring without evidence of review isn’t sufficient
CSP (Cloud Service Provider) | FedRAMP status or equivalency documentation, the CRM, the service boundary | Cloud authorization is not the same as your compliance
CUI enclave | Boundary diagram, inherited-vs.-retained responsibility map, evidence exports, the user/admin model | An enclave reduces scope only if it’s implemented and documented correctly
GRC platform | Evidence mapping, SSP support, POA&M workflow, export format | GRC organizes your proof — it doesn’t implement every control for you

Who should help you write CMMC policies and procedures?

The right helper depends on what you’re actually missing. If the gap is time or writing capacity, a Registered Provider Organization (RPO) or a CMMC-focused MSP can build and tailor the documentation set. If you can’t operate logging, patching, or monitoring, that’s an MSSP problem. If you need to manage and prove documentation at scale, a GRC platform helps. If your CUI footprint is too broad, a CUI enclave changes what you have to document. And when you’re ready for the formal exam, a C3PAO assesses — it doesn’t build the documentation it will later assess.

The table below is The Defense Compliance Report’s provider-category mapping — part of The CMMC Path Framework. It routes to a category, not a named provider, and it is not a Cyber AB, DoD, or government recommendation.

If your real problem is… | Start with this category | Why | Don’t confuse it with…
--- | --- | --- | ---
You don’t know your level, scope, or assessment path | RPO/RP, or a neutral pathing tool | You need clarity before you buy anything | A C3PAO assessment
You have generic templates but no implementation | RPO/RP, plus an MSP/MSSP if the gap is technical | Documents have to match real controls | A template seller
You can’t operate logging, patching, or endpoint controls | MSP/MSSP | The issue is executing technical controls | GRC software alone
You need to organize the SSP, POA&M, and recurring evidence | GRC platform, plus an RPO/RP | The issue is documentation governance and workflow | Certification
Your CUI collaboration boundary is too broad | CUI enclave / secure collaboration provider | Scope reduction lowers burden if documented | “Compliance in a box”
You’re assessment-ready and your contract requires Level 2 (C3PAO) | An authorized or accredited C3PAO | C3PAOs conduct Level 2 certification assessments | A readiness consultant

One conflict-of-interest rule worth protecting: Under the Cyber AB Code of Professional Conduct (v2.0), which incorporates 32 CFR § 170.8(b)(17), a C3PAO and its assessment team members may not participate in the Level 2 certification of an organization they served as a consultant to prepare for any CMMC assessment within the previous three years. Don’t let a firm build your documentation and then certify the same work — the rule won’t allow it, and a conflict discovered later can put your certificate at risk. (See also: how to choose a C3PAO.)

Choose the category before you request quotes

Tell us your required level, scope, environment, and deadline. We’ll map your situation to a source-checked provider category — RPO/RP, MSP/MSSP, GRC, CUI enclave, or C3PAO — so you don’t ask the wrong vendor to solve the wrong problem.

Disclosure: The Defense Compliance Report may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis or provider-category recommendations.

Compare provider categories with Find My CMMC Path →

The fastest safe way to build your CMMC documentation set

The fastest safe path is not “download templates and edit the names.” It’s: confirm the requirement → define scope → build the SSP skeleton → map each family to policy, procedure, and evidence → assign owners and an evidence cadence → run a gap assessment → choose the provider category for whatever’s left. That order keeps you from writing beautiful documents for the wrong environment.

  1. Confirm the clause, level, and assessment type. Your contract, solicitation, or prime flow-down sets the requirement — self-assessment or C3PAO.
  2. Define FCI/CUI handling and your assessment scope (asset inventory, network diagram, CUI-flow diagram).
  3. Build the SSP skeleton first — before you write every policy, so the plan drives the documents.
  4. Map the 14 families to policies, procedures, and evidence using the matrix above.
  5. Assign owners and an evidence cadence, and start collecting now so history accrues.
  6. Run a readiness/gap assessment, and open a POA&M only where the rule allows it (see the next section).
  7. Choose the provider category that matches the remaining gap.

Get your documentation gap list

The CMMC Readiness Checklist maps all 14 families to the documents and evidence you need, so you can identify gaps before you spend on the wrong help.

Start with the CMMC Readiness Checklist →

What can and can’t go on a POA&M

A Plan of Action and Milestones lets you defer a narrow set of gaps and still earn a Conditional Level 2 status — but it’s not a free pass, and your most important controls can’t be deferred at all. The eligibility rules are precise, public, and non-negotiable under 32 CFR § 170.21.

Situation | POA&M eligibility | Source | Practical consequence
--- | --- | --- | ---
CMMC Level 1 | Not permitted at all | § 170.21(a)(1) | All 15 requirements must be MET; nothing can be deferred
Minimum score for Conditional Level 2 | You must score ≥ 80% (88 of 110 points) | § 170.21(a)(2)(i) | Below 88, no CMMC status is awarded
Requirements worth more than 1 point (3- and 5-point controls) | Not POA&M-eligible | § 170.21(a)(2)(ii) | Every high-value control must be MET at the assessment
SC.L2-3.13.11 (CUI encryption) | Eligible only if encryption is used but not yet FIPS-validated (counts as 3 points) | § 170.21(a)(2)(ii) | The one carve-out; no encryption at all is a 5-point gap and can’t be deferred
Six named 1-point requirements | Never POA&M-eligible | § 170.21(a)(2)(iii)(A)–(F) | Must be MET regardless of point value (listed below)
Any allowed POA&M item | Must be closed within 180 days | § 170.21(b) | Miss the window and your Conditional status expires

The six 1-point requirements that can never go on a Level 2 POA&M, named in § 170.21(a)(2)(iii): AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), and PE.L2-3.10.5 (Manage Physical Access). Each is worth only one point, but missing any single one blocks a Conditional status entirely. See our full Conditional Level 2 & POA&M Closeout guide.

The practical takeaway: carry the high-value controls to MET before the assessment, and treat the POA&M as a narrow safety net for minor, 1-point residuals — not a strategy for deferring real work.
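The eligibility rules above are mechanical enough to check before you book an assessor. The script below is an added example written for this guide, not a DoD or Cyber AB tool: it encodes the § 170.21 rules from the table (the 88-point floor, the ban on deferring 3- and 5-point requirements, the SC.L2-3.13.11 non-FIPS carve-out, and the six named 1-point requirements) and reports whether a set of NOT MET findings leaves you with a Final, Conditional, or no Level 2 status. The requirement IDs in the sample are real NIST SP 800-171 Rev. 2 identifiers, but the point weights attached to them are assumed for illustration; pull the real weights from the DoD Assessment Methodology when you use it.

```python
"""Conditional Level 2 eligibility check against the 32 CFR § 170.21 rules.

Added example for this guide (not DoD, Cyber AB, or NIST code). Point weights
for individual requirements must be supplied by the caller from the official
DoD Assessment Methodology; the ones in SAMPLE_GAPS are assumed values.
"""
from dataclasses import dataclass, field

# Constants taken from the § 170.21 rows in the table above.
LEVEL2_TOTAL_POINTS = 110
CONDITIONAL_MIN_SCORE = 88          # 80% of 110, § 170.21(a)(2)(i)
POAM_CLOSEOUT_DAYS = 180            # § 170.21(b)
CUI_ENCRYPTION = "SC.L2-3.13.11"    # the one carve-out, § 170.21(a)(2)(ii)
NEVER_POAM = {                      # § 170.21(a)(2)(iii)(A)-(F)
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}


@dataclass(frozen=True)
class Gap:
    """One NOT MET requirement. Requirements not listed are treated as MET."""
    req_id: str
    weight: int                         # 1, 3 or 5, from the DoD methodology
    non_fips_encryption: bool = False   # only meaningful for SC.L2-3.13.11


@dataclass
class Verdict:
    status: str                         # "Final", "Conditional" or "None"
    score: int
    poam_items: list = field(default_factory=list)   # gaps that may be deferred
    blockers: list = field(default_factory=list)     # reasons no status is awarded


def evaluate_level2(gaps):
    """Apply the § 170.21 Level 2 rules to a list of NOT MET requirements."""
    deducted = 0
    poam_items, blockers = [], []
    seen = set()
    for g in gaps:
        if g.req_id in seen:
            raise ValueError(f"duplicate finding for {g.req_id}")
        seen.add(g.req_id)
        if g.weight not in (1, 3, 5):
            raise ValueError(f"{g.req_id}: weight must be 1, 3 or 5")
        # Carve-out: encryption in place but not FIPS-validated deducts 3 points
        # instead of 5 and may be carried on the POA&M.
        if g.req_id == CUI_ENCRYPTION and g.non_fips_encryption:
            deducted += 3
            poam_items.append(g.req_id)
            continue
        deducted += g.weight
        if g.weight > 1:
            blockers.append(f"{g.req_id}: {g.weight}-point requirement cannot be deferred")
        elif g.req_id in NEVER_POAM:
            blockers.append(f"{g.req_id}: named in § 170.21(a)(2)(iii), cannot be deferred")
        else:
            poam_items.append(g.req_id)
    score = LEVEL2_TOTAL_POINTS - deducted
    if deducted == 0:
        return Verdict("Final", score)
    if score < CONDITIONAL_MIN_SCORE:
        blockers.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE}-point floor")
    status = "None" if blockers else "Conditional"
    return Verdict(status, score, poam_items, blockers)


def evaluate_level1(not_met_ids):
    """Level 1 admits no POA&M at all (§ 170.21(a)(1)): any gap means no status.

    The score field counts MET requirements out of the 15 Level 1 requirements.
    """
    not_met = sorted(set(not_met_ids))
    return Verdict("Final" if not not_met else "None", 15 - len(not_met), [], not_met)


# Constructed sample assessment. The IDs are real Rev. 2 requirement numbers;
# the weights are ASSUMED for illustration and not the official point table.
SAMPLE_GAPS = [
    Gap("AT.L2-3.2.3", 1),                               # assumed 1-point gap
    Gap("MA.L2-3.7.3", 1),                               # assumed 1-point gap
    Gap("SC.L2-3.13.11", 5, non_fips_encryption=True),   # encryption present, not FIPS-validated
]

if __name__ == "__main__":
    verdict = evaluate_level2(SAMPLE_GAPS)
    print(verdict.status, verdict.score)
    print("POA&M items (close within", POAM_CLOSEOUT_DAYS, "days):", verdict.poam_items)
    print("Blockers:", verdict.blockers)
```

With the sample input the deduction is 1 + 1 + 3 = 5 points, the score is 105, and all three gaps are POA&M-eligible, so the result is Conditional. Swap the encryption finding for one with no encryption in place (weight 5, no carve-out) and the same 105-point score yields no status at all, which is the point of the table: the score floor is necessary but not sufficient.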

How this connects to SPRS, affirmation, and contract eligibility

Your policies and procedures become contract-risk documents the moment they support a CMMC status, score, or affirmation. Level 2 self-assessment results are submitted to SPRS; Level 2 C3PAO results are entered into the CMMC instance of eMASS and transmitted to SPRS; and to maintain a Final Level 2 status, an Affirming Official must affirm compliance at the time of assessment and annually thereafter (32 CFR §§ 170.17, 170.22).

This is why leadership should care about the paperwork. Those documents underpin what your company formally attests is true about its security — and a false affirmation carries real legal exposure. Before award of a contract that requires Level 2 (C3PAO), you must both hold a Conditional or Final Level 2 (C3PAO) status and have submitted your affirmation into SPRS (§ 170.17(b)). No current status, no award.

See our self-assessment vs. C3PAO guide for the full SPRS and eMASS breakdown.

The most common CMMC documentation mistakes

The single most dangerous CMMC documentation mistake is believing documentation equals implementation. The rest follow from it.

Mistake | Why it matters | The fix
Treating templates as compliance | Templates don’t prove implementation | Map each document to real systems, owners, and evidence
An SSP that doesn’t match reality | The SSP is the anchor artifact — its absence stops the assessment | Update the boundary, assets, diagrams, and implementation statements
No evidence cadence | You can’t prove a recurring control from a one-time document | Build the event/weekly/quarterly/annual evidence calendar
Undocumented MSP/CSP responsibilities | Shared-responsibility gaps break the SSP | Require the CRM, service descriptions, and evidence exports
Unsigned or draft policies | Evidence must be final, approved, version-controlled, and owned | Finalize, approve, version, and assign an owner
Rev. 3 confusion | CMMC Level 2 currently maps to Rev. 2 | Build to Rev. 2’s 110 requirements until DoD amends the rule
Using the POA&M too broadly | High-value controls can’t be deferred; the 180-day clock is fixed | Check § 170.21 and carry the 3- and 5-point controls to MET first
Engaging a C3PAO too early | Assessment isn’t implementation | Finish readiness, then assess — and keep the two separate

A note on Rev. 2 vs. Rev. 3: NIST finalized SP 800-171 Revision 3 in May 2024 (consolidating requirements from 110 to 97), and NIST’s own catalog lists Rev. 2 as withdrawn/superseded. But for CMMC, Rev. 2 is still the standard. DoD issued Class Deviation 2024-O0013 directing contractors under DFARS 252.204-7012 to comply with Rev. 2, and 32 CFR § 170.14 ties CMMC Level 2 to Rev. 2. Build your documentation to Rev. 2 until DoD formally amends the rule.

What we verified for this guide

We built this from primary sources, not vendor claims. Here’s what we actually checked, and when. Last verified:

  • 32 CFR Part 170 (the CMMC Program Rule; effective December 16, 2024) — the level mapping (§ 170.14), phased rollout (§ 170.3), assessment and affirmation requirements (§§ 170.15–170.17, 170.22), scoping (§ 170.19), POA&M rules (§ 170.21), scoring methodology (§ 170.24), and ecosystem/conflict rules (§ 170.8–170.9). eCFR
  • Federal Register — the CMMC Program final rule and the DFARS acquisition final rule, effective November 10, 2025, which set the phased rollout.
  • NIST SP 800-171 Revision 2 — the 110 requirements across 14 families, the SSP requirement (§ 3.12.4), the POA&M requirement (§ 3.12.2), the incident response and configuration requirements, and Appendix E. NIST CSRC
  • NIST SP 800-171A — the assessment objects (specifications, mechanisms, activities, individuals), the examine/interview/test methods, and the 320 assessment objectives. NIST CSRC
  • DoD CMMC Assessment Guide – Level 2 and Level 1 — how documentation is examined and scored. dodcio.defense.gov
  • Cyber AB CMMC Assessment Process and Code of Professional Conduct (v2.0) — the adequacy/sufficiency standard and the three-year consultant conflict rule. cyberab.org
  • DoD Class Deviation 2024-O0013 — confirming CMMC and DFARS 7012 remain on NIST SP 800-171 Rev. 2. acq.osd.mil

This page does not provide legal, contractual, or compliance advice, guarantee a certification outcome, or endorse a named provider. Confirm your scope, level, and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.

CMMC policies and procedures: FAQ

What CMMC policies are required?

There’s no official single list of document titles every contractor must use. For Level 2, the practical requirement is to document how your organization implements the 110 NIST SP 800-171 Rev. 2 requirements across all 14 families — with an SSP, supporting policies and procedures, and evidence that matches your actual scope (32 CFR § 170.14; NIST SP 800-171A).

What’s the difference between a CMMC policy and a procedure?

A policy is a management-approved statement of what your organization requires and why. A procedure is the step-by-step description of how it’s done. Assessors examine the policy for intent and the procedure for execution — then interview staff to confirm the procedure is actually followed (NIST SP 800-171A).

Do I need one policy for each NIST 800-171 family?

Not by rule. A single clear, approved, current document can cover more than one family. A common organizing convention is at least one policy plus supporting procedures per family, because it’s the cleanest way to show every objective is covered — but it’s a convention, not a mandate.

Can I use free CMMC policy templates?

Yes, as a starting point — but a template alone won’t pass. Assessors recognize generic, copy-pasted policies and probe harder. A template becomes usable evidence only when it describes your actual environment, is paired with a real procedure, and is final, approved, version-controlled, and backed by proof the control runs.

Does CMMC require an SSP?

For Level 2, yes. NIST SP 800-171 requirement 3.12.4 requires you to develop, document, and periodically update a system security plan. It’s the first document a C3PAO reads, and under 32 CFR Part 170 the absence of an up-to-date SSP at the time of assessment means the assessment cannot be completed.

Does CMMC require a POA&M?

For each NOT MET requirement you must have a POA&M — but it’s never a substitute for a completed requirement, and it’s tightly limited. Level 1 allows none. Level 2 allows a POA&M only for eligible 1-point gaps, requires a minimum 80% score for Conditional status, excludes six named requirements, and requires closeout within 180 days (32 CFR § 170.21).

Are draft or unsigned policies acceptable evidence?

No. Assessors judge evidence on adequacy and sufficiency, and for a policy or procedure to count it must be current, final, approved, version-controlled, and assigned to an owner. A generic, unsigned, undated document doesn’t demonstrate a control that’s actually running.

Can my MSP write my CMMC procedures?

An MSP can help write or operate procedures for the systems it manages, but you still need the documents to reflect your actual scope, CUI flow, responsibilities, SSP, and evidence. If the MSP operates controls, make sure ownership, evidence exports, and shared responsibilities are documented in a Customer Responsibility Matrix.

Can a C3PAO write my policies and then assess me?

No. Under the Cyber AB Code of Professional Conduct (v2.0) and 32 CFR § 170.8(b)(17), a C3PAO and its team can’t assess an organization they served as a consultant to prepare for any CMMC assessment within the previous three years. Keep readiness and formal assessment with separate organizations.

Is NIST SP 800-171 Rev. 3 used for CMMC Level 2?

Not under the current rule. NIST finalized Rev. 3 in May 2024 and lists Rev. 2 as superseded, but 32 CFR § 170.14 and DoD Class Deviation 2024-O0013 keep CMMC Level 2 on Rev. 2. Build to Rev. 2 until DoD amends the rule.

What happens if my policies don’t match what I actually do?

The control fails. Assessors compare your documentation to reality through interviews and testing, and any discrepancy is a finding. A polished policy that doesn’t reflect your systems is worse than a lean one that does — it signals the rest of your documentation may not be trustworthy either.

Need help deciding what type of CMMC provider you need?

You’ve seen the map, the documents the rule actually points to, why templates fall short, and how assessors judge your paperwork. If you’re clear on your path, go build. If you’re not, don’t guess your way into a six-figure decision.



Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.