The official CMMC definition of Policy is:
A policy is a high-level statement from an organization’s senior management that documents the requirements for a given activity. It is intended to establish organizational expectations for planning and performing the activity and communicate those expectations to the organization. Senior management should sign policies to show its support of the activity.
The current CMMC Assessment Guide names the following policies among the documents an assessor may ask to review:
- Access Control Policies
- Asset Management Policies
- Audit and Accountability Policy
- Configuration Management Policy
- Data Protection Policy
- Identification and Authentication Policy
- Information Flow Control Policies
- Information Security Policies
- Information Technology Policies
- Insider Threat Policy
- Password Policy
- Privacy and Security Policies
- Security Assessment and Authorization Policy
- Security Awareness and Training Policies
- Security Planning Policy
- Software Review Policy - In House Development
- Systems Media Policy
- User-installed Software Policy
Organizations need not have exactly this list of policies, but they should have a set of policies that, taken together, address each of these areas. Future versions of FutureFeed will allow uploaded policies to be tagged with the items in the list above.
What makes good policy?
General Policy Guidance
Policies vary considerably in length, and both short and long policies have advantages and disadvantages. In general, favor conciseness: a policy's length affects how easily readers can find the terms they are searching for and how easily they can navigate and read it. As a rule, the shorter the policy, the faster users can retrieve the information they need.
Policy Text Organization
If your policy is long and contains multiple sub-sections within the Policy Statement section, strive to organize the material using sub-headings and bulleted lists.
Avoid numbering schemes where possible. If you find yourself writing an ordered list, consider whether the material is actually a procedure rather than policy: policy states what is required, while a procedure describes the steps for doing it. Supplemental information such as procedures is not included in the Policy Library, but links to such material are encouraged within the "Resources" section (see above).