CMMC Policies That Actually Pass Assessment Scrutiny
Purpose-built cybersecurity policies for CMMC Level 2 compliance based on NIST SP 800-171 R2. Covering all 14 practice domains — written by experts who know the difference between a policy, a standard and a procedure. Most CMMC documentation fails because those are not interchangeable terms.
⚠ Most Common CMMC Doc Failure (Critical Distinction)
Submitting a standard when an assessor asks for a policy. These are structurally different documents. If your “cybersecurity policy” contains prescriptive technical rules, it’s a standard — not a policy.
🛡 CMMC Level 2 Basis (NIST 800-171 R2)
CMMC 2.0 Level 2 is built on NIST SP 800-171 R2 — 110 practices across 14 domains. It is not based on NIST SP 800-171 R3. Documentation must map to the correct version of the standard.
✅ SCF-Powered Coverage (Assessor-Ready)
ComplianceForge documentation is built on the Secure Controls Framework — policies, standards and procedures are pre-mapped and structurally connected, not independent templates that contradict each other.
CMMC 2.0 is enforceable in DoD contracts. Organizations handling CUI must have documented cybersecurity policies across all 14 NIST SP 800-171 R2 practice domains before a C3PAO assessment.
Policy ≠ Standard ≠ Procedure
Most cybersecurity vendors call everything a “policy.” That’s a documentation error that CMMC assessors will identify and cite as a finding. ComplianceForge is one of the few providers that correctly structures all three document types — because the terms are not interchangeable.
High-Level Management Intent
Policies address the “what” and “why” — they do not prescribe technical specifics. A policy must be technology-independent, stable across system changes, and authorized by executive leadership. There is never a justifiable reason for an exception to a policy; exceptions belong at the standard level.
“The organization requires authentication for all users and devices accessing systems containing CUI.”
Mandatory Technical Requirements
Standards address the “how” for a specific technology or process context. They implement and enforce policy objectives through concrete, measurable requirements. If your “CMMC policy” document contains specific password lengths or log retention timeframes — those are standard statements, not policy language.
“All user accounts on CUI systems must use MFA. Passwords must be a minimum of 12 characters with complexity per IA.L2-3.5.7.”
Step-by-Step Operational Instructions
Procedures address the “who, when and specific steps” for operational execution. They are role-specific, system-specific and updated when processes change. CMMC assessors look for evidence that procedures exist and are followed — not just that a policy says things should happen.
“Step 1: Admin navigates to Active Directory… Step 2: Verify MFA enrollment for account… Step 3: Document in access review log…”
ComplianceForge knows the difference — and structures every CMMC documentation deliverable accordingly. Most competitors bundle all three into a single document they call a “policy.” That structure fails under C3PAO assessment scrutiny. Read the full explanation from ComplianceForge →
What Is CMMC Level 2 & What Does It Require?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s program for verifying that defense contractors adequately protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). CMMC 2.0 is enforced through DFARS 252.204-7021 and applies to all organizations in the Defense Industrial Base (DIB) that handle covered data.
CMMC Level 2 is built directly on NIST SP 800-171 Revision 2 (R2) — 110 security practices across 14 practice domains. This is not NIST SP 800-171 R3, which is a separate, newer standard with a different structure. CMMC Level 2 certification requires a triennial third-party assessment by a CMMC Third-Party Assessment Organization (C3PAO).
Documented cybersecurity policies are a prerequisite to any CMMC assessment. Multiple NIST SP 800-171 R2 practices explicitly require policy documentation as assessable evidence, and C3PAO assessors examine policies for correctness of structure, scope and coverage — not just existence.
Who Must Comply?
Any DoD contractor or subcontractor that processes, stores or transmits CUI. This includes prime contractors, sub-tiers, IT service providers and cloud services that handle CUI on behalf of defense contractors.
What Happens at a C3PAO Assessment?
A C3PAO evaluates evidence across all 14 practice domains. Policies are reviewed for correct structure, completeness and domain coverage. A policy that reads like a standard will be flagged. Missing domain coverage results in findings.
All 14 CMMC Level 2 Practice Domains
CMMC Level 2 is built on NIST SP 800-171 R2, organizing 110 security practices into 14 practice domains. Each domain requires cybersecurity policies that capture management intent — separate from the standards and procedures that implement those requirements operationally.
Access Control (22 practices)
Limit CUI system access to authorized users, processes and devices. Account management, least privilege and remote access.
Awareness & Training (3 practices)
Ensure personnel understand CUI security risks and their assigned security responsibilities.
Audit & Accountability (9 practices)
Create, protect and retain audit records sufficient to enable monitoring and investigation of unauthorized activity.
Configuration Management (9 practices)
Establish and maintain secure baseline configurations. Control changes and restrict unauthorized software.
Identification & Authentication (11 practices)
Identify system users and authenticate identities before granting access. Includes MFA and password management.
Incident Response (3 practices)
Establish incident-handling capabilities: preparation, detection, analysis, containment and recovery.
Maintenance (6 practices)
Perform maintenance on organizational systems. Control tools, techniques and personnel performing maintenance.
Media Protection (9 practices)
Protect system media containing CUI, limit access, sanitize or destroy before disposal and control transport.
Physical Protection (6 practices)
Limit physical access to systems, equipment and facilities containing CUI to authorized individuals.
Personnel Security (2 practices)
Screen individuals before authorizing CUI access. Protect CUI during and after personnel transfers and terminations.
Risk Assessment (5 practices)
Assess risk to operations, assets and individuals. Periodically scan for vulnerabilities and remediate findings.
Security Assessment (9 practices)
Periodically assess controls, develop plans of action, and monitor systems on an ongoing basis.
System & Comms Protection (16 practices)
Monitor and protect communications at external and internal boundaries. Implement network segmentation and protect CUI in transit.
System & Info Integrity (7 practices)
Identify and correct system flaws. Provide malicious code protection and monitor systems for security alerts.
Policy coverage across all 14 domains is required. CMMC assessors verify that cybersecurity policies address management intent for each domain individually. A single umbrella “IT Security Policy” that vaguely references security in general does not satisfy domain-specific requirements. ComplianceForge CMMC documentation provides correctly structured policies for all 14 domains.
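As an added illustration (not ComplianceForge code) of the two checks this page keeps returning to, the policy/standard/procedure distinction shown in the three sample statements above and the requirement that every one of the 14 domains has its own policy coverage, the following Python linter classifies each statement by heuristic markers and reports domains with no policy statement. The marker patterns, the sample policy set and the function names are constructed for this example; they approximate, not replace, an assessor's judgement.

```python
import re
from typing import Dict, List

# The 14 NIST SP 800-171 R2 domain codes CMMC Level 2 expects policy coverage for.
DOMAINS = ["AC", "AT", "AU", "CM", "IA", "IR", "MA", "MP",
           "PE", "PS", "RA", "CA", "SC", "SI"]

# Heuristic markers, constructed for this example (not an assessor's rule set).
STEP_RE = re.compile(r"\bstep\s*\d+\b", re.IGNORECASE)            # "Step 1: ..."
THRESHOLD_RE = re.compile(                                          # "12 characters", "90 days"
    r"\b\d+\s*(character|day|hour|minute|month|year|bit|attempt)s?\b", re.IGNORECASE)
PRACTICE_ID_RE = re.compile(r"\b[A-Z]{2}\.L[123]-3\.\d+\.\d+\b")     # "IA.L2-3.5.7"
TECH_RE = re.compile(                                               # named technologies
    r"\b(MFA|TLS|AES|SHA-?\d+|Active Directory|IP address(?:es)?)\b", re.IGNORECASE)


def classify_statement(text: str) -> str:
    """Return 'procedure', 'standard' or 'policy' for one documentation statement."""
    if STEP_RE.search(text):
        return "procedure"        # numbered operator steps: who, when, exact actions
    if THRESHOLD_RE.search(text) or PRACTICE_ID_RE.search(text) or TECH_RE.search(text):
        return "standard"         # prescriptive, measurable, technology-bound "how"
    return "policy"               # management intent: the "what" and "why"


def lint_policy_set(policies: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flag domains with no policy statement and statements that are not policy language."""
    findings: Dict[str, List[str]] = {"missing_domains": [], "misplaced": []}
    for code in DOMAINS:
        if not policies.get(code):
            findings["missing_domains"].append(code)
    for code, statements in policies.items():
        for s in statements:
            kind = classify_statement(s)
            if kind != "policy":
                findings["misplaced"].append(f"{code}: reads as a {kind}: {s[:60]}")
    return findings


# Constructed sample: the page's three example statements filed as if they were all "policy".
SAMPLE_POLICIES = {
    "IA": ["The organization requires authentication for all users and devices "
           "accessing systems containing CUI."],
    "AC": ["All user accounts on CUI systems must use MFA. Passwords must be a "
           "minimum of 12 characters with complexity per IA.L2-3.5.7."],
    "AU": ["Step 1: Admin navigates to Active Directory. Step 2: Verify MFA "
           "enrollment for account. Step 3: Document in access review log."],
}

if __name__ == "__main__":
    result = lint_policy_set(SAMPLE_POLICIES)
    print("Domains without policy coverage:", ", ".join(result["missing_domains"]))
    for line in result["misplaced"]:
        print("Misplaced:", line)
```

Run against the sample, the linter reports 11 uncovered domains and flags the AC and AU entries as a standard and a procedure respectively; only the IA statement survives as policy language.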
What Must CMMC Level 2 Policy Documentation Include?
CMMC Level 2 assessors following the CMMC Assessment Process (CAP) review whether cybersecurity policy documentation meets specific structural criteria. Policies are not just “nice to have” — several NIST SP 800-171 R2 practices explicitly require documented policies as assessable evidence. ComplianceForge provides policies engineered to satisfy these requirements.
The most common assessment failure is not the absence of policies — it’s submitting documents misidentified as policies when they are actually standards or procedures. A C3PAO assessor who understands the documentation hierarchy will flag this immediately.
Executive-Level Authorization (Management Intent Required)
Policies must reflect management intent from organizational leadership — not IT staff. They should carry executive approval to demonstrate organizational commitment to the security program.
Domain-Specific Coverage (All 14 Domains Required)
Each of the 14 practice domains requires dedicated policy coverage. Assessors verify that policies exist and directly address the security objectives of each specific domain.
Technology-Independent Language (Strategic, Not Tactical)
Policies must be written at a strategic level — not referencing specific system names, IP addresses or technical configurations. Those belong in standards and procedures.
Defined Review & Update Cycle (Dated & Reviewed)
Policies must document a review frequency and show evidence of periodic review and update. Stale policies with outdated dates are a common finding in C3PAO assessments.
References to Supporting Standards (Hierarchical Structure)
Properly structured CMMC policies reference the standards documents that implement them. This cross-referencing validates the documentation hierarchy assessors expect to see throughout.
A complete CMMC Level 2 compliance program requires multiple interconnected document types. Policies are the foundation — but they do not stand alone:
⚠ Assessment Finding Warning: Providing a single omnibus “IT Security Policy” that attempts to address all 14 domains in one document — mixing policy, standard and procedure language throughout — is among the most costly mistakes OSCs make, since that increases an assessment’s number of billable hours. ComplianceForge documentation is structured to avoid this failure entirely.
ComplianceForge CMMC Documentation Bundles
ComplianceForge offers pre-built, SCF-powered CMMC documentation bundles containing properly structured cybersecurity policies, standards and procedures — ready to customize and submit as C3PAO assessment evidence.
NIST 800-171 Compliance Program (NCP)
ComplianceForge’s flagship NIST SP 800-171 documentation suite — the most widely used solution for organizations that need correctly structured cybersecurity policies, standards and procedures for CMMC Level 2 compliance based on NIST SP 800-171 R2.
- Cybersecurity policies for all 14 NIST SP 800-171 R2 practice domains
- Control standards implementing each policy — separate, distinct documents
- Security procedures for operational staff
- System Security Plan (SSP) template mapped to NIST SP 800-171 R2
- Plan of Action & Milestones (POA&M) workbook
- SPRS score worksheets and calculation guidance
- SCF-powered — policies, standards and procedures are hierarchically connected
CMMC Level 2 Documentation Bundle (CMMC Bundle 2)
A focused documentation bundle for organizations pursuing CMMC Level 2 certification. Contains correctly structured cybersecurity policies for all 14 NIST SP 800-171 R2 practice domains — written to pass C3PAO assessment scrutiny.
- Cybersecurity policies for all 14 practice domains (correctly structured)
- Control standards implementing each policy
- Security procedures for all 14 domains
- SSP template mapped to NIST SP 800-171 R2
- POA&M workbook and SPRS score worksheets
- SCF-powered documentation stack
CMMC Bundle 4 (Level 3 / Advanced)
The most comprehensive CMMC documentation package — built for organizations that need enterprise-grade depth, the full Security, Compliance & Resilience Program (SCRP) suite, and CMMC Level 3 coverage for complex environments.
- Everything in CMMC Bundle 2, plus CMMC Level 3 coverage
- NIST SP 800-172 enhanced security requirements mapped
- Full Security, Compliance & Resilience Program (SCRP) suite
- Comprehensive GRC documentation library
- Supply Chain Risk Management (SCRM) program artifacts
- DIBCAC government assessment preparation materials
Not sure which product? The NCP is the right starting point for most organizations. CMMC Bundle 2 is a focused CMMC Level 2 alternative. CMMC Bundle 4 is the better fit for large or complex environments, CMMC Level 3, or DIBCAC assessment needs. Browse all ComplianceForge CMMC products →
SCF-Powered Policies: Structured, Connected, Defensible
The Secure Controls Framework (SCF) is a free, open-source meta-framework that maps 100+ laws, regulations and standards into a single unified control set. Every ComplianceForge CMMC policy is built on the SCF backbone — meaning policies, standards and procedures are pre-mapped, internally consistent and structurally connected.
ComplianceForge documentation is not a collection of standalone templates. The SCF foundation ensures every policy references the correct implementing standards, every standard drives the right procedures, and the entire documentation stack is traceable from management intent to operational evidence. This is the coherence C3PAO assessors look for.
The SCF also provides the SCF Conformity Assessment Program (SCF CAP) for third-party assessments — giving organizations a single authoritative path to compliance validation across the DoD supply chain requirements.
Written for C3PAO Assessors
Every policy is structured to align with the CMMC Assessment Process (CAP) — management-intent statements that satisfy what assessors actually test for, not generic descriptions.
Hierarchically Connected
Policies reference their implementing standards. Standards drive their procedures. Cross-references are built in — so your documentation stack is coherent, not contradictory.
Complete Documentation Suite
Not just policies — policies, standards, procedures, SSP, POA&M and evidence templates provided in one integrated package ready for customization.
Scalable from SMB to Enterprise
CMMC Bundle 2 for lean Level 2 compliance. CMMC Bundle 4 for enterprise and Level 3 coverage. Both built on the same SCF foundation with the same structural quality.
Proven in Real CMMC Assessments
ComplianceForge documentation has been used in real C3PAO and DIBCAC assessments. Battle-tested under actual scrutiny — not theoretical compliance theater.
The Hierarchical Cybersecurity Governance Framework (HCGF)
The Hierarchical Cybersecurity Governance Framework (HCGF) is the ComplianceForge reference model that defines how cybersecurity documentation components are structured and interconnected. It establishes the unique nature and purpose of policies, control objectives, standards, guidelines, controls, procedures, risks and metrics — and the dependencies between them.
This is the framework that explains why a policy is not a standard and a standard is not a procedure. Each document type serves a distinct role in the governance hierarchy. The HCGF maps the complete chain from executive management intent to operational metrics — giving C3PAO assessors the governance traceability they evaluate during CMMC assessments.
Download HCGF Reference Model (Free PDF) →
Clear Documentation Hierarchy
Defines the unique purpose of policies, standards, controls and procedures and the dependencies that make them a coherent governance system.
Evidence of Due Diligence
Provides the structural foundation assessors expect — demonstrating governance flows correctly from strategy to operations.
Traceable to CMMC Practices
Every policy, standard and procedure in ComplianceForge CMMC bundles traces to specific NIST SP 800-171 R2 practice requirements.
SCF Integration
The Secure Controls Framework provides the cybersecurity controls within the HCGF structure — unifying documentation across all 14 CMMC practice domains.
“Good cybersecurity documentation does not just describe what you do — it proves you understand why you do it and demonstrates a clear governance chain from executive intent to operational execution. Every ComplianceForge policy is written with the assessor’s evaluation criteria in mind.”
The Competitor Gap: Most CMMC documentation vendors provide a single document called a “policy” that mixes policy language, standard requirements and procedure steps throughout. This fails the documentation hierarchy test every time. Learn why this matters →
Frequently Asked Questions
What is the difference between a CMMC policy and a standard?
A policy is a high-level statement of management intent addressing the “what” and “why” — technology-independent and strategically framed. A standard is a mandatory, prescriptive requirement that tells staff exactly how to implement a control. CMMC assessors distinguish these clearly. Submitting a standard as a policy is a common assessment finding. Read the full distinction →
What version of NIST 800-171 does CMMC Level 2 use?
CMMC 2.0 Level 2 is built on NIST SP 800-171 Revision 2 (R2) — 110 practices across 14 domains. It is not based on NIST SP 800-171 R3, which is a newer standard with a different structure (97 controls, 17 families). Documentation for CMMC Level 2 must specifically map to R2 requirements.
How many practice domains does CMMC Level 2 cover?
CMMC Level 2 covers 14 practice domains from NIST SP 800-171 R2: AC, AT, AU, CM, IA, IR, MA, MP, PE, PS, RA, CA, SC and SI. Cybersecurity policies must explicitly address management intent for each domain. A single omnibus policy document is insufficient for assessment purposes.
Does CMMC Level 2 always require a C3PAO assessment?
No. CMMC Level 2 has two pathways: annual self-assessment (for contracts designated as self-attestation) or triennial third-party assessment by a C3PAO (for contracts requiring formal certification). Both pathways require documented cybersecurity policies, SSP and POA&M. SPRS score submission to the Supplier Performance Risk System is required under both.
What happens if my CMMC policies are actually standards?
This is among the most common pre-assessment documentation failures. If your “policy” document contains prescriptive technical requirements (password lengths, log retention periods, patch timelines) — it is structurally a standard. A trained C3PAO assessor will identify this mismatch and it will generate findings. ComplianceForge documentation maintains the correct structural separation throughout all deliverables.
What is the SPRS score and why does it matter?
The Supplier Performance Risk System (SPRS) score is a self-assessed score from -203 to 110 representing NIST SP 800-171 R2 compliance posture. Contractors submit this score under DFARS 252.204-7019. A well-documented SSP and POA&M are essential to calculating and defending the SPRS score during pre-assessment review or government audit.
What is the Secure Controls Framework (SCF)?
The SCF is a free, open-source meta-framework mapping 100+ cybersecurity laws, regulations and contractual requirements into a single comprehensive control set. ComplianceForge builds all CMMC documentation on the SCF backbone, ensuring policies, standards and procedures are internally consistent and traceable to NIST SP 800-171 R2 practice requirements across all 14 domains.
What is CMMC Level 3 and how does it differ from Level 2?
CMMC Level 3 applies to organizations supporting DoD programs of particular criticality. It is based on a subset of NIST SP 800-172 enhanced security requirements beyond the Level 2 baseline, and requires a government-led DIBCAC assessment. ComplianceForge CMMC Bundle 4 covers both Level 2 and Level 3 requirements in a single enterprise documentation package.
Get CMMC Policies That Pass Assessment — The Right Way
ComplianceForge provides CMMC documentation built on the Secure Controls Framework — with properly structured policies, standards and procedures proven in real C3PAO assessments. Start with the NIST 800-171 Compliance Program (NCP), or choose CMMC Bundle 4 for enterprise and Level 3 coverage.