Skip to content
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!


3 min read

Writing CMMC Security Policies: The CMMC Compliance Task That Nobody Wants to Do

writing CMMC compliance policies

As a Registered Provider Organization working with US manufacturers to attain CMMC compliance, we’ve discovered an area of weakness that we see time and time again – the lack of effective security policies.

In fact, in many cases, policies don’t exist at all.

Security policies are just as important to cyber security strategy as firewalls and endpoint protection, but they don’t get the attention they deserve. That is until regulations like Cybersecurity Maturity Model Certification (CMMC) not only require policies but require verification that they’re in place and doing what they’re supposed to be doing.

Why does this happen?

Why Security Policies Get Neglected

One reason could be because management thinks that compliance is just IT’s job. IT can probably do just fine writing the policies that the document technical configurations that they’re managing. About half of the policies, however, concern human behavior -- and that means that HR, leadership, and department heads need to be involved.

Another reason why security policies get neglected could be that people just don’t know what to do. Some policies are pretty simple and they may already be in your employee handbook. These are guidelines about things like Acceptable Use and how guests can connect to your network.

It gets more complicated when policies need to gel with your business processes and how the Controlled Unclassified Data (CUI) that you’re handling for your Department of Defense customer flows through your IT system.

There are very few people who get excited about taking this on, but it's a necessary step. You can’t become CMMC compliant without documented policies, proof that they’re being followed, and that they’re effective at protecting CUI.

🔎 Related: Cybersecurity Maturity Model Certification (CMMC) Explained

Getting Started with Writing Security Policies

The first step in putting an effective security policy in place is to determine its objective. For example, “how we will identify CUI in our network?”, or “how we will screen individuals who need access to CUI?” might be questions that lead you to your goal. When you’re going down the list of controls in NIST 800-171 (which is part of the CMMC initial self-assessment), the objectives are clear.

When it comes to the actual documentation, there are several sources for templates that provide a good starting point for writing security policies. Then plan to customize the templates to match up with your business processes, from how customer service enters an order to how HR offboards a terminated employee.

Training and Enforcement is Crucial

Policies that aren’t followed are good for nothing. Your whole organization will need some training, and those people who actually handle the CUI will need training specific to their role in order to understand and follow expectations.

The realization that policies need to be enforced can be a stumbling block when you’re trying to get cooperation for writing the actual policies. After all, who wants to be the author of a rule that people will view as inconvenient or unnecessary?

Obviously, helping people understand what’s at stake and getting buy-in starting with leadership will be the essential foundation for any training program, or any security strategy for that matter. The goal is not to establish a “police state” but an organization that absorbs the practice of secure behavior into its culture.

When it comes time for your actual third-party CMMC assessment, you won’t be able to rely on last-minute policy implementation or employee coaching to prove that your security policies are protecting CUI. The assessor will examine the evidences that you’ve documented for the control, and they’ll examine it with different methods to assure that it’s effective.

Get Help with CMMC Compliance

Your future as a Department of Defense supplier depends on attaining CMMC compliance. If you’re stuck, moving slowly, or need another set of eyes on your process, we’re here to help – and we can guide you in developing your security policies.

As a Registered Provider Organization, we have several Registered Practitioners on staff who are trained to consult with companies seeking CMMC compliance. Contact us to talk with a CMMC expert today.

Let's talk about how VC3 can help you AIM higher.