CMMC doesn’t grade you on how technical your policies sound. It grades you on whether your policies directly address specific security requirements and whether you can prove you’re actually following them.

Your policies need to map directly to these requirements. That means for every relevant requirement in NIST 800-171, there should be a policy in your documentation that addresses it.

My Approach to Policy Writing

I prefer to write policies that primarily address what needs to be done and save the how for a separate standard operating procedure (SOP) document. This is because policies need to be very formal and address specific requirements. Policies should not change very often. SOPs, however, are flexible and informal. They can be changed as needed, and often don’t require a review and approval process to modify.

If you find yourself changing policies on a regular basis, you may want to consider creating SOPs instead.

A Practical Way to Get Started

You don’t have to boil the ocean on day one. Here’s a straightforward approach:

  1. Get a copy of NIST 800-171.

    It’s free from the NIST website. Don’t be intimidated; focus on the 17 family headings first, not every line item.

  2. Use the 17 family groups as your policy framework.

    Each category essentially tells you a policy document you need to create. Access Control becomes your Access Control Policy. Media Protection becomes your Media Protection Policy. And so on. Consolidate policies together where it makes sense so you have fewer individual policy documents to maintain.

  3. Write to the requirement, not around it.

    A common mistake is writing a policy that sounds security-focused but doesn’t actually speak to what NIST 800-171 requires. For each policy, ask yourself: “Have we addressed the specific requirement? Does it make sense in our environment? Is it something we can actually do and follow?”

  4. Don’t copy-paste a template and call it done.

    Generic templates are a starting point, nothing more. Your policy needs to reflect your organization: your systems, your people, your actual processes. Write carefully: you’ll need to provide evidence for the things you say you are doing.

The policy map below shows one method of aligning your policy documents with NIST controls. It’s a good starting point, but keep in mind that it is intentionally flexible so you can tailor it to your environment.

Policy Map

Each policy, followed by the NIST 800-171r3 controls it covers:

CUI Program Management Policy
  03.15.01 Policy and Procedures
  03.15.02 System Security Plan

Acceptable Use Policy
  03.15.03 Rules of Behavior

Communications Security Policy
  03.01.03 Information Flow Enforcement
  03.01.04 Separation of Duties
  03.01.05 Least Privilege
  03.01.06 Least Privilege – Privileged Accounts
  03.01.07 Least Privilege – Privileged Functions
  03.05.02 Device Identification and Authentication
  03.08.09 System Backup – Cryptographic Protection
  03.12.05 Information Exchange
  03.13.01 Boundary Protection
  03.13.04 Information in Shared System Resources
  03.13.06 Network Communications – Deny by Default – Allow by Exception
  03.13.08 Transmission and Storage Confidentiality
  03.13.09 Network Disconnect
  03.13.10 Cryptographic Key Establishment and Management
  03.13.11 Cryptographic Protection
  03.01.22 Publicly Accessible Content

Configuration Management Policy
  03.04.01 Baseline Configuration
  03.04.02 Configuration Settings
  03.04.03 Configuration Change Control
  03.04.08 Authorized Software – Allow by Exception
  03.04.12 System and Component Configuration for High-Risk Areas
  03.04.04 Impact Analyses
  03.04.05 Access Restrictions for Change
  03.16.01 Security Engineering Principles
  03.16.02 Unsupported System Components

Continuous Monitoring Strategy and Auditing Policy
  03.03.01 Event Logging
  03.03.02 Audit Record Content
  03.03.03 Audit Record Generation
  03.03.04 Response to Audit Logging Process Failures
  03.03.05 Audit Record Review, Analysis, and Reporting
  03.03.06 Audit Record Reduction and Report Generation
  03.03.07 Time Stamps
  03.03.08 Protection of Audit Information
  03.07.04 Maintenance Tools
  03.07.05 Nonlocal Maintenance
  03.11.01 Risk Assessment
  03.11.02 Vulnerability Monitoring and Scanning
  03.11.04 Risk Response
  03.12.01 Security Assessment
  03.12.02 Plan of Action and Milestones
  03.12.03 Continuous Monitoring
  03.13.12 Collaborative Computing Devices and Applications
  03.13.13 Mobile Code
  03.13.15 Session Authenticity
  03.14.01 Flaw Remediation
  03.14.02 Malicious Code Protection
  03.14.03 Security Alerts, Advisories, and Directives
  03.14.06 System Monitoring

Data Management Policy
  03.14.08 Information Management and Retention
  03.04.10 System Component Inventory
  03.04.11 Information Location

Incident Response Plan
  03.06.01 Incident Handling
  03.06.02 Incident Monitoring, Reporting, and Response Assistance
  03.06.03 Incident Response Testing
  03.06.04 Incident Response Training
  03.06.05 Incident Response Plan

Personnel Security, Training, and Awareness Policy
  03.02.01 Literacy Training and Awareness
  03.02.02 Role-Based Training
  03.09.01 Personnel Screening
  03.09.02 Personnel Termination and Transfer

Physical Access Policy
  03.10.01 Physical Access Authorizations
  03.10.02 Monitoring Physical Access
  03.10.06 Alternate Work Site
  03.10.07 Physical Access Control
  03.10.08 Access Control for Transmission
  03.07.06 Maintenance Personnel
  03.08.01 Media Storage
  03.08.02 Media Access
  03.08.03 Media Sanitization
  03.08.04 Media Marking
  03.08.05 Media Transport
  03.08.07 Media Use

System and Services Acquisition Policy
  03.17.01 Supply Chain Risk Management Plan
  03.17.02 Acquisition Strategies, Tools, and Methods
  03.17.03 Supply Chain Requirements and Processes
  03.16.03 External System Services

User and Data Access Policy
  03.01.01 Account Management
  03.01.02 Access Enforcement
  03.01.08 Unsuccessful Logon Attempts
  03.01.09 System Use Notification
  03.01.10 Device Lock
  03.01.11 Session Termination
  03.01.12 Remote Access
  03.01.16 Wireless Access
  03.01.18 Access Control for Mobile Devices
  03.01.20 Use of External Systems
  03.04.06 Least Functionality
  03.05.01 User Identification and Authentication
  03.05.03 Multi-Factor Authentication
  03.05.04 Replay-Resistant Authentication
  03.05.05 Identifier Management
  03.05.07 Password Management
  03.05.11 Authentication Feedback
  03.05.12 Authenticator Management
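As an added example (not code from this post), a small Python checker for a policy map of this kind: it parses rows in the flattened "Policy ID Title" layout used above, then reports which required controls no policy claims, which claimed IDs are not in the catalogue, which controls sit under more than one policy, and how many controls of each family are covered. The embedded excerpt copies a few rows of the map; the catalogue of required IDs is an assumption that you supply from your own copy of 800-171r3.

```python
"""Coverage check for a policy-to-control map like the one in the post.
Added example, not the post's code. MAP_EXCERPT copies a few rows of the map in
its flattened "Policy ID Title" layout; `catalogue` is the caller's list of
required control IDs taken from their own copy of SP 800-171r3 (assumed input).
"""
import re
from collections import defaultdict

# Optional policy name, then a control ID of the form 03.FF.NN, then its title.
LINE_RE = re.compile(r"^(?:(?P<policy>.+?)\s+)?(?P<cid>03\.\d{2}\.\d{2})\s+(?P<title>.+)$")

MAP_EXCERPT = """\
CUI Program Management Policy 03.15.01 Policy and Procedures
  03.15.02 System Security Plan
Acceptable Use Policy 03.15.03 Rules of Behavior
Incident Response Plan 03.06.01 Incident Handling
  03.06.02 Incident Monitoring, Reporting, and Response Assistance
  03.06.05 Incident Response Plan
"""

def parse_policy_map(text):
    """Return {policy: {control_id: title}}; indented rows inherit the policy above."""
    mapping, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {raw!r}")
        current = m.group("policy") or current
        if current is None:
            raise ValueError(f"control row before any policy name: {raw!r}")
        mapping[current][m.group("cid")] = m.group("title")
    return dict(mapping)

def coverage_report(mapping, catalogue):
    """Report unmapped / unknown / shared controls and (mapped, required) per family."""
    owners = defaultdict(list)  # control ID -> policies that claim it
    for policy, controls in mapping.items():
        for cid in controls:
            owners[cid].append(policy)
    required, claimed = set(catalogue), set(owners)
    families = defaultdict(lambda: [0, 0])  # "03.FF" -> [mapped, required]
    for cid in required:
        families[cid[:5]][1] += 1
        families[cid[:5]][0] += int(cid in claimed)
    return {"unmapped": sorted(required - claimed), "unknown": sorted(claimed - required),
            "shared": {c: p for c, p in owners.items() if len(p) > 1},
            "families": {f: tuple(v) for f, v in sorted(families.items())}}
```

Run it against your full map and the complete control list; anything in "unmapped" is a requirement with no policy behind it, and anything in "shared" needs one policy named as authoritative before an assessor asks.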