It begins with Plans, one of three components in the organization's Documentation Overview.
The System Security Plan (SSP) is required for any organization to submit its NIST 800-171 score to the SPRS database. The submission became required beginning 30 NOV 2020 under the interim DFARS Rule Change for any contractor to the DoD with one or more DFARS clauses in their contract.
For example, in addition to the SSP, organizations create an Incident Response Plan, an IT Strategic Plan, and an Audit Plan, among others.
Rather than including all the details of execution, Plans paint with broad strokes. Detailed outcomes, which may change from time to time, are defined in Policies. Procedures follow Policies to deliver on the policy's prescribed outcomes, changing with the evolution of tools and human resources over time.