NetStable

CMMC Security Policies

15 governance policies covering all 113 CMMC Level 2 practices. Each policy provides detailed requirements, implementation roadmaps, evidence guides, and common assessment gaps.

15 Policies
113 Practices Covered
NIST SP 800-171 Rev 2
AC · 22 practices

Access Control Policy

Access Control is the foundation of your security program -- it answers the question 'who can access what, and under what conditions?' This policy covers user authorization, least privilege, account lifecycle management, privileged accounts, remote access, wireless access, mobile devices, network segmentation, and data access controls. Think of it as the comprehensive rulebook for every door, gate, and lock in your digital environment.

NIST 3.1.1 - 3.1.22
AT · 3 practices

Security Awareness and Training Policy

Awareness and Training ensures your people are your first line of defense rather than your weakest link. This policy covers security awareness training for all personnel (phishing, passwords, CUI handling, incident reporting), role-based training (IT admins: privileged access, secure config; developers: OWASP Top 10; CISO team: advanced threats, forensics; HR: insider threats, termination), insider threat awareness (behavioral and technical indicators, reporting mechanisms), phishing simulations (monthly/quarterly campaigns, metrics tracking, remedial training), and training records management and compliance tracking.

NIST 3.2.1 - 3.2.3
AU · 9 practices

Audit and Accountability Policy

Audit and Accountability is your organization's security camera system -- it records everything that happens so you can prove what occurred, investigate incidents, and demonstrate compliance. This policy covers what events must be logged, what details each log must contain, how logs are protected from tampering, how long logs are retained, how logs are monitored and reviewed, and what happens when logging fails.

NIST 3.3.1 - 3.3.9
CA · 4 practices

Security Assessment, Authorization, and Monitoring Policy

Assessment, Authorization, and Monitoring is the governance loop that keeps your security program honest. This policy covers periodic security assessments (internal quarterly, external annually), System Security Plans (SSPs) -- the master document describing your security posture for each CUI system, continuous monitoring (SIEM, vulnerability scanning, config compliance, patch status), and penetration testing (annual external and internal pen tests with remediation tracking). This is the domain where all other policies come together -- the SSP references every other policy, and assessments verify they're working.

NIST 3.12.1 - 3.12.4
CM · 9 practices

Configuration Management Policy

Configuration Management is about knowing exactly what your systems look like, keeping them hardened to a known-good state, and controlling any changes. This policy covers baseline configurations (the secure 'gold image' for each system type), change control processes (formal approval before any production change), least functionality (disabling what you don't need), user-installed software restrictions, asset inventory, automated configuration enforcement, vulnerability management, security impact analysis, and access restrictions for making changes.

NIST 3.4.1 - 3.4.9
IA · 11 practices

Identification and Authentication Policy

Identification and Authentication is about proving 'you are who you say you are' before granting access. This policy covers unique user identifiers, identity verification processes, password requirements, multi-factor authentication (MFA), cryptographic authentication (certificates, SSH keys), device authentication (802.1X, NAC), federated identity and SSO, service account management, and privileged access authentication. It works hand-in-hand with the Access Control policy -- IA proves identity, AC determines what that identity can access.

NIST 3.5.1 - 3.5.11
IR · 3 practices

Incident Response Policy

Incident Response is your organization's emergency playbook -- what happens when things go wrong. This policy covers your incident response plan and team structure, detection mechanisms and alert routing, the full incident lifecycle (preparation, detection, containment, eradication, recovery, lessons learned), severity classification, DoD DIBNET reporting requirements (72-hour rule for CUI incidents), incident documentation and metrics, and regular testing through tabletop exercises and technical drills.

NIST 3.6.1 - 3.6.3
MA · 6 practices

Maintenance Policy

Maintenance ensures your systems stay operational and secure while protecting CUI during the maintenance process itself. This policy covers maintenance scheduling and windows, controlled maintenance procedures (backup, approve, execute, verify), approved maintenance tools (only vetted, company-approved tools), non-local/remote maintenance (MFA, session recording, monitoring), maintenance personnel authorization (background checks, escorts for non-company), and maintenance records and documentation.

NIST 3.7.1 - 3.7.6
MP · 8 practices

Media Protection Policy

Media Protection controls how CUI exists on portable and removable media -- the physical things that can walk out the door. This policy covers media encryption and physical security, access restrictions and tracking, CUI marking and labeling, secure storage (locked cabinets, off-site backups), transport controls (chain of custody, encrypted transfer), media sanitization and destruction (DoD 5220.22-M wipe, physical shredding), media accountability and inventory, and restrictions on personally-owned removable media.

NIST 3.8.1 - 3.8.9
๐Ÿข
PE · 6 practices

Physical Protection Policy

Physical Protection is about securing the physical spaces where CUI lives. This policy covers badge access systems and physical access authorization, physical access controls (badge readers, PIN pads, locks), visitor escort requirements and visitor logs, physical access audit logs, badge and lock management, and alternate work site (home office) security requirements.

NIST 3.10.1 - 3.10.6
PS · 2 practices

Personnel Security Policy

Personnel Security addresses the human element -- ensuring the people who access your CUI are trustworthy and that information is protected when their status changes. This policy covers pre-employment background checks (criminal history, employment verification, education verification, credit checks for sensitive roles), screening frequency (initial, periodic re-screening), termination procedures (account disablement, device retrieval, badge deactivation within 1 hour), role change/transfer procedures, and leave-of-absence handling. With only 2 practices, this is the smallest CMMC domain, but it's foundational.

NIST 3.9.1 - 3.9.2
RA · 3 practices

Risk Assessment Policy

Risk Assessment is about systematically identifying what could go wrong and how bad it would be. This policy covers periodic risk assessments using the NIST SP 800-30 methodology (identify assets, threats, vulnerabilities, determine likelihood and impact, calculate risk, prioritize and mitigate), vulnerability scanning (weekly authenticated scans, CVSS-based prioritization), and insider threat assessment (behavioral and technical indicators, detection methods, response procedures). This policy drives the prioritization of all other security investments.

NIST 3.11.1 - 3.11.3
RE · 4 practices

Recovery Policy

Recovery ensures you can bounce back from disasters, ransomware, hardware failures, and data corruption. This policy covers backup frequency and types (full, incremental, differential by system type), backup storage tiers (on-site, off-site, cold storage), backup encryption and access controls, backup testing and validation (quarterly restore tests), Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), disaster recovery site capabilities (cloud-based hot/warm standby), and DR plan testing (annual tabletop + failover test).

NIST 3.14.1 - 3.14.4
SC · 16 practices

System and Communications Protection Policy

System and Communications Protection is about securing the pipes that data flows through and the walls that separate your network zones. This policy covers network segmentation and boundary protection, encryption for data at rest and in transit, VPN and split tunneling controls, session management, cryptographic key management, DDoS protection, mobile code restrictions, VoIP and collaboration security, and network monitoring with IDS/IPS. With 16 practices, this is the third-largest CMMC domain.

NIST 3.13.1 - 3.13.16
SI · 7 practices

System and Information Integrity Policy

System and Information Integrity ensures your systems stay healthy and uncompromised. This policy covers patch management (getting security fixes applied quickly), malicious code protection (antivirus, EDR, email gateway), security alert monitoring (staying aware of new threats), continuous system monitoring (SIEM, SOC operations), spam protection, input validation for web applications, and secure error handling. Think of it as the immune system for your IT environment.

NIST 3.14.1 - 3.14.7

How to Use These Policies


1. Learn

Read each policy page for detailed requirements, implementation guidance, and evidence examples.


2. Customize

Download the template and fill in your organization-specific details using the guidance from each policy page.


3. Implement

Follow the phased implementation roadmap and collect the evidence artifacts for your C3PAO assessment.