CMMC: Policies and Procedures Contractors Should Have

Join our newsletter:

Information security policies and procedures are the backbone of any cybersecurity program. This includes companies with cybersecurity maturity model certification (CMMC) level two or higher requirements. As a matter of fact, to have a mature cybersecurity program, contractors must “establish and document practices and policies to guide the implementation of their CMMC efforts” (CMMC Model Main V1.02).

Here are areas for which contractors with CMMC level two or higher requirements should have policies and procedures for:

Access Control
Audit and Accountability
Configuration Management
Configuration Planning
Incident Response
Identification and Authentication
Information Flow Control
Information Flow Enforcement
Information System Maintenance
Media Protection
Media Sanitization and Disposal
Mobile Code Implementation
Password
Personnel Security
Physical and Environmental Protection
Portable Media
Risk Assessment
Security Assessment and Authorization
Security Awareness and Training
Security Planning
Separation of Duties
System and Information Integrity
System and Services Acquisition
System and Communication Protection
System Use

You can document policies for the above items in your information security policy and you should maintain a standard operating procedure document that “enables individuals to perform them (CMMC practices/requirements) in a repeatable manner”. Processes such as account provisioning, patch deployments, configuration changes, incident response, employee training and everything else that comes to mind should have a document process.

CMMC: Policies and Procedures Contractors Should Have

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:

Compliance Accelerator

Quantum Assessor

Supply Chain Verifier