Policy vs Procedure
Also known as: Policies and procedures
Policies state what the organization will do and why; procedures state how it will be done. Both are required for CMMC Level 2.
Policies and procedures are distinct but related artifacts that together document an organization's security program.
**A policy** is a high-level statement of intent: what the organization will do and why. Policies are typically signed by senior management, reviewed annually, and changed rarely. They establish the rules; they don't specify the implementation details.
**A procedure** is the operational document that explains how the policy is actually executed: which tool, which steps, who does what, when, and how the activity is documented. Procedures change as tools and processes evolve.
A C3PAO will look for both a policy and a procedure for every relevant control area. A policy with no procedure that implements it, or a procedure with no policy that authorizes it, is a frequent assessment finding.
CMMCDocs.com