The Go-To CMMC Policy Templates According to NIST

Written policies document nearly one-third of the 320 assessment objectives within CMMC.

In fact, there are 281 results if you search for “policy” or “policies” in the CMMC Assessment Guide - Level 2.

The purpose of this blog is to:

  1. Outline the relationship between Policies, Practices and Procedures

  2. Enable you to write CMMC policies based on NIST SP 800-53A guidelines

  3. Provide a mapping of policies to practices & procedures within CMMC

  4. Explain how to avoid bottlenecks along the way

Policies

NIST SP 800-160 Vol. 1 defines policy as a set of rules that governs all aspects of relevant system and system element (including technology, machine, and human elements) behavior. Policy frameworks start with high-level organizational policies that oversee issue-specific and system-specific policies.

Organizational policies have the following characteristics:

  • State the organization’s goals

  • Assign roles and responsibilities

  • Outline enforcement

  • Support legal regulations

  • Provide scope and direction

  • Are easy to understand

Underneath organizational policies are issue-specific and system-specific policies. 

Issue-specific policies provide guidance on how to address a specific issue. For example…

  • Information Flow Policy

  • Separation of Duties

  • Session Termination

System-specific policies govern defined scopes of information systems, networks or applications. For example…

  • Mobile Device Policy

  • Portable Storage Device Policy

All policies should be broad and focus on answering the questions “what” and “why”. They should also be technology-independent, and they should not restrict the organization to specific ways of accomplishing them.

Practices and Procedures

Practices (standards) and procedures enable implementation of a policy.

Let’s walk through a quick example. The 100 practices within NIST SP 800-171 address four main groups…

  • Technologies

  • People

  • Facilities

  • Processes

The regulation explains how each of those groups should protect the confidentiality and integrity of controlled unclassified information.

These requirements can be further expanded into the 320 determination statements. Those statements express the desired outcomes of implementing each practice.

Focusing on these determination statements allows for the creation of procedures supporting implementation. Another term for determination statements? Assessment objectives. Procedures are repeatable, step-by-step descriptions that define the tasks carried out by people.

To keep policies easy to understand, don’t insert the procedures into the policies. A narrower audience will receive the standard operating procedures (SOPs).

The hierarchy below demonstrates policies and their relationship to practices and procedures.

There are two sources to consult when drafting policies for each domain within CMMC:

  1. CMMC Assessment Guide Level 3 Version 1

  2. NIST Special Publication 800-53A

CMMC Guidance on Policies

Ryan Bonner noted on a recent webinar that he classifies over 100 of the 320 assessment objectives as governance objectives.

These controls use non-functional language like identify, define or specify. Written policies would be a good way to document these requirements. Even though CMMC Version 1 was overcome by events, we find the original guidance on writing policies is still relevant.

CMMC Version 1 had specific requirements for each domain policy. These requirements amounted to the following checklist of items that each policy should include:

  1. Clearly state the purpose of the policy

  2. Define the scope of the policy

  3. Define the roles and responsibilities of the activities covered by the policy

  4. Establish or direct the establishment of procedures to carry out the policy

  5. Identify the regulatory guidelines that the policy addresses

  6. Obtain management endorsement and disseminate the policy to appropriate stakeholders

  7. Periodically review and update the policy

NIST SP 800-53A Guidance on Policies

CMMC uses NIST SP 800-171 as its underlying framework. These controls (practices) came from security requirements within NIST SP 800-53. CMMC Version 2.0 dropped the specific requirements for having written policies. But the tailoring of controls referenced in Appendix E of NIST SP 800-171 points back to a series of controls that non-federal organizations should already be performing, even though they are not spelled out. These include having written policies for each domain!

We’re going to compare these requirements from NIST SP 800-53. We can do so by using the assessment guide from this framework, and we will bold those requirements that match CMMC Version 1.0.

The NIST requirements for writing policy begin with eight organizationally defined parameters (ODPs):

  1. Define the personnel or roles to whom the policy is disseminated

  2. Define the personnel or roles to whom the procedures are disseminated

  3. Select the level this policy governs (organizational; mission/business process; system)

  4. Define the official to manage the policy and procedures

  5. Define the frequency to review and update the policy

  6. Define events that would require review or updating of the current policy

  7. Define the frequency to review and update the procedures

  8. Define events that would require review or updating of the current procedures

Substituting these ODPs into the policy objectives provides us with the following guidance:

  • Develop and document the Policy

  • Disseminate the policy to (1) the personnel or roles

  • Develop and document the procedures to facilitate the implementation of the policy and associated controls

  • Disseminate the procedures to (2) the personnel or roles

  • The Policy addresses purpose

  • The Policy addresses scope

  • The Policy addresses roles

  • The Policy addresses responsibilities

  • The Policy addresses management commitment

  • The Policy addresses coordination among entities

  • The Policy addresses compliance

  • The Policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines

  • The (4) designated official manages the development, documentation, and dissemination of the policy and procedures

  • Review and update the Policy at the (5) defined frequency

  • Review and update the Policy following (6) defined events

  • Review and update the current procedures (7) at a defined frequency

  • Review and update the current procedures following (8) defined events

NIST SP 800-53 covers much more than the seven objectives listed in the original CMMC guidance. For these domain-level policies, NIST SP 800-53 provides the most detailed policy checklist to follow.

Mapping Policies with Practices in CMMC

We started out discussing the 281 references to policy or policies within the Level 2 CMMC Assessment Guide. In addition to the 14 domain policies, we counted 21 additional policies referenced. Based on the domain and controls referencing these policies, we created the following hierarchy:

As we went through this process, we came away with two main things.

First, we recognized that some practices referenced domain policies. No big deal, right? Well, some of these domain policies weren't for the particular practice.

For example, SI.L2-3.14.2 through SI.L2-3.14.4 belong to the System and Information Integrity domain. These three practices also reference configuration management policy and procedures as potential artifacts.

Second, we found out that parameters are important. A little more than 100 assessment objectives involve identifying, defining or specifying parameters.

As we mapped out the practice to policy relationship, we noted which assessment objectives used this language. We can then verify that they meet those requirements with the policies that govern those controls.

In support of each policy, standard operating procedures detail the work required by the relevant practices. Within each practice, the assessment guide lists the relevant procedures.

You should group these procedures together by the policies that govern them. Doing so allows for the creation of standard operating procedures that can accompany each policy.

We're left with something amazing in the end: a 21-page document that includes the hierarchy of CMMC policies. It also includes the governed controls, the assessment objectives they meet and the associated procedures.

For example:

  • Access Control Policy

    • Information Flow Control Policy

      • Practice AC.L2-3.1.3

        • Identify & Define (a, b, c, d)

        • Procedures addressing information flow enforcement

    • Separation of Duties Policy

      • Practice AC.L2-3.1.4

        • Define & Assign (a, b)

        • Procedures addressing divisions of responsibility and separation of duties

    • Privacy and Security Policy

      • Practice AC.L2-3.1.7

        • Define (a, b)

        • Procedures addressing system use notification

      • Practice AC.L2-3.1.9

        • Identify (a)

        • Procedures addressing system use notification

Avoiding Bottlenecks Along the Way

The average time to summit K2 is about 60 days. Over 8,000 meters up, climbers must overcome an infamous section called the “Bottleneck” by traversing a column of glacial ice.

We named our compliance management solution K2 Compliance. The path to documenting compliance is lengthy and likely includes bottlenecks along the way.

At the end of your journey to CMMC, you will have written at least 43 policies. Each of them references the applicable regulations. They can also show the standard operating procedures that support these policies.

K2 Compliance helps you by providing…

  • Fillable fields for your policies

  • Association of policies to practices

  • Standard operating procedure linking

Our system can also set policies to expire and remind the policy owner that it is time to refresh and redistribute their policies. Contact us today for a 30-day free trial.