CMMC ML.2.999 Developing an effective CMMC Policy

This webinar is published by Carnegie Mellon University’s Software Engineering Institute (SEI) – the co-authors of the CMMC Model. Their guidance about the CMMC should be considered authoritative.

At CMMC level 2 and above, organizations are expected to have policies supporting their security program. Here are my notes from the webinar.

  • Policies are a way for senior management to demonstrate their commitment. Senior management signals this by signing their policy.
  • Provide clear expectations for employees and managers.
  • Clearly states the purpose of the policy.
  • Defines the scope (enterprise-wide, department-wide, a single information system, etc).
  • Defines roles and responsibilities. Who needs to perform the activities. Who oversees them. Who funds the activities.
  • The policy should direct the establishment of procedures to support the policy. Some policies could have specific activity guidance within them.
  • Describe any regulatory guidelines that affect the policy (such as DFARS 252.204-7021).
  • Review and update the policy at least yearly (you should update it sooner if something changes, or if it cannot be followed as-is)
  • A single policy can cover more than one domain, or multiple policies could be used to address a single domain. Policies should fit the organization.

Thanks SEI for your CMMC guidance! More please!!

Defense contractors and those who are helping them prepare desperately need guidance to understand the CMMC model and assessment methodology. The angst comes from trying to figure out how to comply without harming the business. These webinars are extremely helpful to us.

SEI Webinar link:

Software Engineering Institute’s CMMC blog:

Next topics

Policy templates and tools for CMMC and NIST SP 800-171 compliance

CMMC PS.2.127 Personnel Screening discussion

Leave a Reply

Your email address will not be published. Required fields are marked *