CMMC Policies and Procedures

    Overview

    Draft CMMC-aligned security policies and procedures for all NIST 800-171 domains: Access Control, Audit, Awareness, Configuration Management, and others.

    Getting Started

    Add your source materials to the project workspace, then activate the CMMC Policies and Procedures skill. The agent will guide you through the process step by step.

    Example Conversation

    You: We need Access Control and Audit and Accountability policies and procedures for CMMC Level 2. Can you draft them so we can reference them in our SSP?

    Agent: I’ll draft a policy and a procedure for each domain. Policies will cover purpose, scope, roles, and requirements; procedures will be step-by-step with evidence (logs, reviews). I’ll add version and review date so the SSP can cite them.

    Agent: I’ve created: (1) Access Control Policy — purpose, scope (all in-scope systems), roles (CISO, system owners, IAM), requirements aligned to 3.1 (access enforcement, least privilege, session lock, account management); version 1.0, review date. (2) Access Control Procedure — account request/approval/provisioning/deprovisioning steps, access review frequency (quarterly), evidence (tickets, review log). (3) Audit and Accountability Policy — audit logging, log protection, review; (4) Audit and Accountability Procedure — what is logged, where, who reviews, frequency, retention. All reference 3.1 and 3.3. Should I add Identification and Authentication next?

    Sample Output Excerpt

    Below is a representative excerpt from a CMMC policy and procedure set.

    Access Control Policy (excerpt)

    Purpose: To ensure only authorized users, processes, and devices can access systems that process, store, or transmit CUI, in alignment with NIST SP 800-171 requirements (3.1).

    Scope: All systems and assets within the CMMC assessment boundary.

    Requirements:

    • Access shall be limited to authorized individuals based on job function (least privilege).
    • Unsuccessful logon attempts shall be limited per organizational configuration (e.g. lockout threshold).
    • Session lock shall be enforced after a period of inactivity.

    Review: This policy is reviewed annually by the CISO. Version 1.0 | Last review: 2025-01-15.

    Access Control Procedure — Access Review (excerpt)

    1. IAM Lead generates access report from AD and Contract App monthly.
    2. System owners review report for their systems within 10 business days.
    3. Unnecessary access is revoked; tickets created for provisioning/deprovisioning.
    4. Completion is recorded in the Access Review Log (date, reviewer, outcome).
    5. Evidence: Access Review Log, tickets; retained for assessor review.
