NIST 800-171 • LEVEL 2 • PLANNING

3.15.1 Policy and Procedures

Establish, document, disseminate, and maintain security policy and procedures that address the management, operational, and technical controls required to protect Controlled Unclassified Information (CUI).

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • security policy for protecting CUI is established, documented, and disseminated.
  • procedures to implement security policy are established, documented, and maintained.
  • security policy and procedures are reviewed and updated periodically and when significant changes occur.

Practitioner Notes

Policy sets expectations; procedures explain execution. Both are required for consistent implementation and auditability.

Example 1: Publish a security policy that defines roles, responsibilities, and control requirements for protecting CUI.

Example 2: Maintain corresponding procedures for account management, logging, vulnerability remediation, and incident response, with assigned owners and review cadence.