CMMC Level 2 sits on the 14 control families of NIST SP 800-171, and each family needs a documented policy — which, with a couple of overarching documents, lands most small shops at roughly 20 policies. A policy states what you require and who owns it; a separate procedure states how it's done. Write them to what your business actually does, map each to its control family, and the paperwork stops being the thing that fails you.
Nobody fails a CMMC assessment because their firewall wasn't fast enough. They fail because the documentation didn't hold up — a policy that described a company they aren't, a procedure filed where a policy should be, a control with nothing on paper behind it. The 110 controls get the attention, but the writing is where small contractors quietly lose.
Here's the part that should make you feel better: the policy layer is the most learnable, most templatable part of the whole standard. The 14 families are fixed and public. The structure of a good policy never changes. Once you understand what a policy has to actually say — and how it differs from the procedure sitting next to it — you can write all 20 yourself and have them stand up.
I've written these for shops from six seats to sixty. Below is what each control family needs, what a policy must contain to pass, the practical list a small contractor works from, and the failures I see over and over. No fluff, because your assessor won't reward fluff either.
NIST SP 800-171 organizes its 110 controls into 14 families — Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System & Communications Protection, and System & Information Integrity. Each family is a coherent chunk of your security posture, and an assessor works through them one at a time.
A documented policy for each family is how you prove the requirement isn't just something one admin happens to do — it's a standing organizational rule with an owner behind it. When your System Security Plan says "we enforce least privilege," the assessor's next move is to ask where is that written down as a requirement, and who owns it? The policy is the answer. Without it, the control is a claim with no backing.
That's the mental model: the policy is the commitment, the procedure is the execution, and your evidence is the proof it happened. Miss the commitment layer for a family and every control under it starts on shaky ground.
This is the single most common mix-up, and it's worth slowing down on. A policy is a statement of intent and authority. It says what the organization requires, why, and who is responsible for making it stick. It's short, stable, and rarely changes. A procedure is the how-to: the specific steps, tools, and settings that carry the policy out. It changes whenever your tools or workflow change.
Put concretely, in the Access Control family:
See the difference? The policy is the rule and the accountability. The procedure is the keystrokes. Assessors expect both, and the classic failure is writing a detailed procedure, labeling it "policy," and leaving no actual policy statement anywhere. When that happens, the control has no organizational commitment behind it — just an undocumented habit.
Strip away the templates and a policy that passes always contains the same handful of elements. If yours has these, it works. If it's missing one, that's usually the finding.
Five elements. Scope, requirement, ownership, review, mapping. A policy that nails those in two clean pages beats a bloated one that buries them — which is exactly the point of the next section.
There's no single federal document that says "write these exact 20." What exists is the requirement for documented policy across all 14 families. In practice, small contractors write one policy per family and add a few overarching governance documents, which is how the number lands near 20. Here's the working set I build from.
| # | Policy | Family | What it commits you to |
|---|---|---|---|
| 01 | Access Control Policy | AC | Least privilege, account management, remote and CUI access rules. |
| 02 | Awareness & Training Policy | AT | Security awareness and role-based training for everyone touching CUI. |
| 03 | Audit & Accountability Policy | AU | What gets logged, how logs are protected, who reviews them. |
| 04 | Configuration Management Policy | CM | Baselines, change control, and locking down system settings. |
| 05 | Identification & Authentication Policy | IA | Unique IDs, MFA, and password/credential requirements. |
| 06 | Incident Response Policy | IR | Detecting, reporting, and handling security incidents. |
| 07 | Maintenance Policy | MA | Controlled system maintenance and handling of maintenance tools. |
| 08 | Media Protection Policy | MP | Marking, storing, transporting, and sanitizing media that holds CUI. |
| 09 | Personnel Security Policy | PS | Screening, and protecting CUI during transfers and terminations. |
| 10 | Physical Protection Policy | PE | Physical access to CUI systems, facilities, and devices. |
| 11 | Risk Assessment Policy | RA | Assessing risk and running vulnerability scanning. |
| 12 | Security Assessment Policy | CA | Assessing controls, the SSP, and managing the POA&M. |
| 13 | System & Communications Protection Policy | SC | Boundary protection, segmentation, and encryption of CUI. |
| 14 | System & Information Integrity Policy | SI | Flaw remediation, malware protection, and monitoring. |
| 15 | Information Security Program Policy | — | The overarching document that ties the program together. |
| 16 | CUI Handling & Marking Policy | — | How controlled data is identified, marked, and handled day to day. |
| 17 | Acceptable Use Policy | — | What users may and may not do on systems that touch CUI. |
| 18 | Mobile Device & Remote Work Policy | — | Protecting CUI on the road, at home, and on mobile endpoints. |
| 19 | Data Backup & Recovery Policy | — | Encrypted, versioned, recoverable backups and restore testing. |
| 20 | Vendor & Supply Chain Policy | — | Flowing requirements down to subcontractors and service providers. |
The first 14 map cleanly to the families. The last six are the overarching and cross-cutting documents that most assessors expect to see and that keep the family policies from having to repeat themselves. Your exact set may shift a little based on how your contract and your assessor scope things — but this is a set that covers the ground without inventing paperwork you don't need.
Assessors don't weigh your policies. A twenty-page Access Control policy full of borrowed boilerplate is not "more compliant" than a tight two-pager — it's usually less, because the longer it is, the more likely it describes something you don't actually do. And the fastest way to fail is a policy that contradicts your evidence.
Here's the trap with copy-pasted policies: they're written for a generic, larger organization. They'll say things like "the Security Operations Center reviews alerts 24/7" when you're a nine-person shop with no SOC. The moment an assessor reads that and then asks to see your SOC, you've got a documented commitment you can't meet — which is worse than not claiming it at all. Every sentence in a policy is a promise you're agreeing to be graded against.
So the discipline is: write what's true, name who's accountable, keep it enforceable, and cut everything you can't stand behind. Short and honest sails through. Long and aspirational gets picked apart.
Same handful, over and over. Avoid these and you're ahead of most small shops walking into an assessment:
None of these are hard to fix. They're just easy to miss when you're writing twenty documents under deadline pressure — which is exactly why starting from a mapped, editable set beats a blank page.
Writing twenty policies from scratch is the slow, error-prone half of CMMC. The CMMC Level 2 DIY Compliance Kit gives you all 20 as editable documents — each with the scope, requirement, ownership, review, and control mapping already structured — plus a System Security Plan, a POA&M template, and a per-control SPRS scorer. Tailor them to your shop instead of building them from nothing.
Before you write a word, get a baseline: the free SPRS score estimator shows where you stand against the 110 controls in about two minutes, so you know which families need the most attention. And if the price of getting all this done is what's on your mind, the honest breakdown of CMMC cost for a small business lays out every line item — including where the documentation work is the biggest share of a consultant's bill.
CMMC Level 2 is built on the 14 control families of NIST SP 800-171, and each family needs a documented policy. In practice most small contractors write one policy per family plus a couple of overarching documents, which lands at right around 20 policies. There is no single federal list that says "these exact 20," but a policy per control family is what assessors expect to see referenced in your System Security Plan.
A policy states what your organization requires and who is responsible — the rule and the authority behind it. A procedure describes how that rule gets carried out, step by step. Assessors want both: a policy that commits you to a control and a procedure that shows the control actually runs. Writing a procedure and calling it a policy is one of the most common documentation failures.
No. Length is not what an assessor grades. A policy passes when it clearly states the requirement, names who is accountable, references the control family it satisfies, and matches what your organization actually does. A tight two-page policy that is true beats a twenty-page policy full of language you do not follow. Accuracy and enforceability matter far more than word count.
Yes. Policies are the most template-friendly part of CMMC because the control families are fixed and public. A small shop can start from proven, editable policies mapped to each family, then tailor them to how the business really operates. What you cannot skip is the tailoring — copy-paste policies that describe a company you are not will fail the moment an assessor cross-checks them against your evidence.
Now, if you are chasing contracts that will require Level 2. November 10, 2026 begins Phase 2, when Level 2 third-party (C3PAO) certification becomes a required condition of award on applicable DoD contracts, and self-assessment and affirmation language is already appearing in solicitations. Your policies underpin your System Security Plan, so they need to exist and be accurate before any assessment, not written the week before.
Your policies should map to the 14 control families and the 110 controls of NIST 800-171, and they should reference whichever revision your contract and your assessment scope call for. Confirm the exact revision against your contract requirements and your C3PAO rather than assuming — the control families and the count of 110 are the stable anchor, and the policies should reference the specific version you are being assessed against.