Policies

Policies describe the outcomes required to implement Plans and are one of three components in the organization's Documentation Overview.

The official CMMC definition of Policy is:

A policy is a high-level statement from an organization’s senior management that documents the requirements for a given activity. It is intended to establish organizational expectations for planning and performing the activity and communicate those expectations to the organization. Senior management should sign policies to show its support of the activity.

Policy Listing

The current CMMC Assessment Guide identifies the following policies as it describes the sorts of documents an assessor may look to review:

  1. Access Control Policies
  2. Asset Management Policies
  3. Audit and Accountability Policy
  4. Configuration Management Policy
  5. Data Protection Policy
  6. Identification and Authentication Policy
  7. Information Flow Control Policies
  8. Information Security Policies
  9. Information Technology Policies
  10. Insider Threat Policy
  11. Password Policy
  12. Privacy and Security Policies
  13. Security Assessment and Authorization Policy
  14. Security Awareness and Training Policies
  15. Security Planning Policy
  16. Software Review Policy - In House Development
  17. Systems Media Policy
  18. User-installed Software Policy

Organizations need not have exactly this list of policies, but should have a set of policies that address these items. Future versions of FutureFeed will allow tagging of uploaded policies with the above list.

What makes good policy?


General Policy Guidance

Size (Length)

Policies can vary significantly in length, and there are advantages and disadvantages to both short and long policies. Generally, conciseness is advised. The length of a policy affects how easily readers can find the keywords they search for within it, and how easily they can navigate and read it. As a general rule, the shorter the policy, the easier it is for users to retrieve the information they are seeking.

Policy Text Organization

If your policy is long and contains multiple sub-sections within the Policy Statement section, strive to organize the material using sub-headings and bulleted lists.

Avoid the use of numbering schemes, if possible. If you are anticipating including an ordered list, consider whether the material is actually a process rather than policy. Supplemental information such as procedures is not included in the Policy Library, but links to such material are encouraged within the "Resources" section (see above).
