From the Winter 2023 Issue

Writing Effective Policies for CMMC 2.0 Compliance

Guy M. Bilyou
Cybersecurity Lead / ArCybr Lead Assessor | ArCybr

Wading through a CMMC 2.0 assessment preparation can remind one of driving through a thick fog with obstacles and hazards appearing and mere seconds to react. One way to cut through the fog of preparation is a technique that involves the writing and revising of policies and procedures based on a well-organized System Security Plan (SSP). We call this technique “SSP/Policy Coupling.” The clearer your control implementations are displayed to the assessors, the smoother the CMMC assessment will go. Using the SSP/Policy Coupling method will definitively outline your implementation methods, giving assessors a clear path to recommending your approval.

Start with the SSP

Consider your SSP as the Assessors’ Guide to your organization’s compliance. It is the anchor to the assessment, and it can be used as a reference to show in detail how you have implemented each control with links to the artifacts. The best format should map the controls you have implemented in the SSP in a Control Card format.

A Control Card format should outline the domain, control, and subordinate capabilities, which are already known to the assessors. This format should also include a field for System Specific Implementation, which tells the CMMC assessors that you have implemented the control. More importantly, it shows how you have implemented the control and each capability. Consider including a Reference field, which should list artifacts as evidence to show proof of implementation.

Adding links in this field to the actual artifacts may assist in providing easy access during your assessment. See how simple you can make it? Using the SSP as the anchor document gives you control during the conduct of the assessment and prevents you from having to dig around to find the necessary evidence of your control implementation. It is important to prepare for this prior to your assessment and ensure that your artifacts are well-organized for quick, easy access.

Tabula Rasa Approach

A properly formatted SSP will display all CMMC 2.0 controls that must be supported by policies and procedures. For this reason, we recommend taking a tabula rasa, or “clean slate”, approach. Imagine you have no existing policies or procedures, nothing at all to build upon but a clean, sharp SSP. You can let the SSP guide you in creating a fresh set of both policies and procedures. Old policies that have been through numerous slow and painful revisions can be cast aside to allow a clear path forward. By coupling the assessment SSP with your policy writing, you can create policy “shells” or templates, then populate the fields with content that shows how your policies and procedures effectively address each control.

Remember that your format should mirror the CMMC 2.0 structure[1]. Now ask yourself, “How does my organization do what the controls and capabilities dictate?” This will take both time and skilled writers, maybe even a technical writer, to create or review appropriate content. Pay attention to controls that require both a policy and supporting procedures. Within the verbiage of some controls, you may find explicit direction to include a procedure supporting portions of a policy. Read them carefully, though, to understand if a procedure is implied in the control or capability description.

Understanding Your Current Operations

Now consider how you can limit the impact of these fresh new policies on your current operations. Writing comprehensive, compliant policies that are not disruptive to your operations requires a thorough understanding of how you already do business. Ask for contributions from your IT, Cybersecurity, and Quality Departments for the bulk of the controls, and Security, Human Resources (HR), and Facilities staff for the remaining ones. Once this is done, take these conditions and compare them with all applicable controls. You may have to change how some things are done in your organization, but where policies are organizationally defined, you can write to compliance while taking a light touch to operational continuity.

In cases where you must alter current operations, include personnel that will be impacted and make certain any changes are business-driven. Thoroughly document how those changes will be made. If you don’t already have one, stand up a Change Control Board to review the recommendations, impacts, improvements, and how the change will be implemented. You may also consider categorizing some systems and processes as legacy and make your case that they are out of scope or are part of the process improvement, using a Plan of Action and Milestones (POA&M). However, this should be a last resort, as your assessment team may not accept that rationale. If you choose to use this route, be prepared to explain, and sell it hard.

Organizationally Defined Policies

You may notice a phrase that comes up quite often through the CMMC 2.0 control descriptions. Two words that make your life considerably easier in creating policies and procedures, like a gift to assessed organizations – organizationally defined. CMMC 2.0 guidance provides for many organizationally defined controls that largely allow the organization to determine what works best within its parameters. No less than 125 of the Level 2 controls require the organization to define the characteristics of the security control. With so many opportunities built into that verbiage, you are free to creatively write policies and procedures that best match your organization, staff, capabilities, and missions.

No less than 125  of the Level 2 controls require the organization to define the characteristics of the security control.

Focus the Assessment Scope

Finally, force the focus of the assessment scope to be exclusively on the systems, staff, and processes that use, store, or transmit Controlled Unclassified Information (CUI) or CUI assets. We say force the focus, because you will have to stand firm on the scope to prevent assessors who are not familiar with your organization from finding non-compliant systems. Systems, staff, and processes that do not interact with CUI are considered non-CUI assets. These non-CUI assets should be considered out of scope and must not be assessed. Forcing the focus of the assessment scope is an opportunity for your organization to limit the effort and cost of CMMC 2.0 compliance.

Be sure to clearly define this segregation between CUI and non-CUI assets. You can describe segregation within policies and procedures and with supplemental diagrams that illustrate their logical and/or physical separations. Consider subnetting (logical separation) and other methods (physical separation) that prove the effectiveness of this separation. Secure cloud platforms, such as MS365 Federal, Google Workspace, and other secure cloud service providers, as outlined by the Federal Risk and Authorization Management Program (FedRAMP), can serve well as simple, logical means of separation to limit the assessment scope. This may require some creativity on your part, and you will need to tap your IT staff to implement many of these measures. The cost of secure cloud providers can be substantial, so executive decision-makers will necessarily be part of that conversation.


Using the SSP as an assessment guide and coupling it with your policies and procedures is a proven technique for organizations seeking CMMC 2.0 certification. You can find comfort in writing those organizationally defined policies and extrapolating them into procedures with minimal disruption to your current operations. Ensuring the assessment is focused only on CUI assets will decrease the number of headaches, while keeping time and expense to a minimum. These recommendations can ease your path to CMMC 2.0 success. lock

The talented team of cybersecurity experts at ArCybr is here to help you with more recommendations and consultative services to help you reach CMMC compliance. Reach out to us today at!

Guy M. Bilyou

Leave a Comment