An artifact or collection of artifacts that establishes governance over the implementation of CMMC practices and activities. The policy should establish or direct the establishment of procedures to carry out and meet the intent of the policy and should be endorsed by senior management to show its support of the policy. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions “what” and “why” without dealing with “how.” Policies are normally stated in terms that are technology-independent. Policies are implemented by the organization by way of one or more Procedures. The policy should include:
- the stated purpose;
- the defined scope;
- roles and responsibilities of the activities covered by the policy; and
- any included regulatory guidelines.