CMMC Documentation Checklist: Required Policies, Plans & Procedures

QUICK ANSWER: WHAT DOCUMENTATION DOES CMMC REQUIRE?
CMMC Level 2 requires:

  • System Security Plan (SSP)
  • Plan of Action and Milestones (POA&M)
  • Policies covering all 14 NIST SP 800-171 domains
  • Procedures demonstrating how each control is implemented
  • Evidence artifacts: logs, screenshots, configurations, training records

CMMC Level 1 requires documentation supporting your annual self-assessment, including evidence that all 17 basic practices are implemented.

If your organization handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) as part of a Department of Defense (DoD) contract, you are either preparing for CMMC certification or you should be. And documentation is where most companies either win or lose their assessment before it even begins.

This guide is your definitive CMMC documentation checklist. We cover every policy, plan, procedure, and evidence artifact required for both CMMC Level 1 and Level 2 — explain why each document matters to assessors — and give you practical guidance to get your paperwork in order. If you're brand new to the program, start with our Complete CMMC 2.0 Guide for Defense Contractors first.

Why CMMC Documentation Matters More Than You Think

Many defense contractors focus heavily on technical controls — firewalls, multi-factor authentication, endpoint detection — and treat documentation as an afterthought. This is a costly mistake.

CMMC assessors cannot simply take your word that a control is implemented. They need to see it. During a Certified Third-Party Assessment Organization (C3PAO) assessment, every practice must be:

  • Implemented in your environment
  • Documented in your policies and procedures
  • Evidenced through artifacts — logs, screenshots, configurations, signed acknowledgments

If you have the technical control but lack the documentation, assessors may still find you non-compliant. Documentation and implementation go hand-in-hand.

Understanding CMMC Documentation Tiers

Before diving into the checklist, it helps to understand how CMMC documentation is organized. Think of it in three tiers:

Tier 1 — Policies: High-level statements of organizational intent. What your organization commits to doing. Examples: Acceptable Use Policy, Access Control Policy, Incident Response Policy.

Tier 2 — Procedures and Plans: Step-by-step instructions for how policies are carried out, plus formal plans for specific program areas. Examples: System Security Plan, Incident Response Plan, Configuration Management Procedures.

Tier 3 — Evidence and Artifacts: Proof that your policies and procedures are actually being followed. Examples: training completion records, system logs, vulnerability scan results, signed agreements.

All three tiers are necessary for a successful CMMC Level 2 assessment. Level 1 requires evidence at a minimum, with policies and procedures strongly recommended.

Section 1: CMMC Level 1 Documentation Requirements

CMMC Level 1 applies to organizations that handle Federal Contract Information (FCI) but not CUI. It requires implementation of 17 practices aligned with FAR 52.204-21 and an annual self-assessment with a senior official affirmation submitted to the Supplier Performance Risk System (SPRS). Not sure whether your organization falls under Level 1 or Level 2? Read our CMMC Level 1 vs. Level 2 comparison guide.

SPRS Self-Assessment Submission

Your SPRS score and the associated affirmation are a formal, legal attestation signed by a senior company official. Knowingly submitting a false score exposes your organization to False Claims Act liability. Retain all documentation supporting your score.

Basic Policy Documentation

While CMMC Level 1 does not mandate a full System Security Plan, you should maintain written evidence that each of the 17 practices is implemented. This typically includes:

  • A written description of how each practice is addressed
  • Access control documentation — who has access to systems handling FCI
  • Sanitization and media disposal records
  • Physical access logs or badge records
  • Screening records for personnel with access to FCI systems
  • Configuration baselines for devices handling FCI

Recommended Even at Level 1

  • Acceptable Use Policy (AUP)
  • Password Policy
  • Mobile Device Policy (if applicable)
  • Incident reporting procedures

Organizations planning to grow their DoD contract work should build Level 2-grade documentation from the start rather than rebuilding it later.

Section 2: CMMC Level 2 Documentation Requirements

CMMC Level 2 aligns with NIST SP 800-171 and its 110 security practices across 14 domains. The documentation requirements are significantly more extensive and must be comprehensive enough to support a C3PAO-led assessment. Building this documentation package is one of the primary drivers of CMMC compliance costs — and of how long your compliance timeline will run.

Core Program Documents

1. System Security Plan (SSP)

The SSP is the cornerstone of your CMMC documentation package. It is not optional. The SSP must:

  • Define your system boundary — what is "in scope" for CMMC
  • Describe how your organization implements each of the 110 NIST SP 800-171 practices
  • Identify the types of CUI your organization processes, stores, or transmits
  • Document system interconnections and external service providers
  • Identify personnel responsible for each security domain
  • Reference all supporting policies, procedures, and plans

The SSP should be a living document, updated whenever your environment changes, for example after an incident or a significant system change. Assessors will scrutinize the SSP extensively, so accuracy and completeness are critical.

Tip: Your SSP does not need to be a single massive document. Many organizations use a master SSP that references separate policy and procedure documents. Both approaches are acceptable.

2. Plan of Action and Milestones (POA&M)

A POA&M documents gaps — controls you have not yet fully implemented — along with your remediation plan and timeline. Under the current CMMC rules:

  • Organizations with a SPRS score of 80 or above may be eligible for assessment with limited POA&M items outstanding
  • High-value practices related to MFA, endpoint detection and response, and data backup may not be POA&M-eligible
  • All POA&M items must have realistic remediation timelines and responsible parties assigned

Your POA&M should be reviewed and updated at regular intervals — quarterly is standard. Do not treat it as a static document.

3. Continuous Monitoring Plan

While CMMC does not require a standalone Continuous Monitoring Plan, assessors will look for evidence that you monitor your security posture on an ongoing basis. Document your approach to:

  • Log review and security event monitoring
  • Vulnerability scanning frequency and remediation
  • Configuration change management
  • Security control reviews

Required Policies — One Per Domain (or Combined)

NIST SP 800-171 has 14 domains. Your documentation must address all 14. Below is the required policy coverage, listed by domain:

AC — Access Control Policy

Address who can access your systems, under what conditions, and with what level of privilege. Cover least privilege, separation of duties, remote access, and mobile device access.

AT — Awareness and Training Policy

Describe your security awareness training program, including frequency, content requirements, role-based training for privileged users, and records retention.

AU — Audit and Accountability Policy

Explain your approach to system logging, audit log review, log protection, and retention. Specify what events are logged and how long logs are kept.

CM — Configuration Management Policy

Cover baseline configurations, change control procedures, software restriction policies, and how unauthorized software is prevented or detected.

IA — Identification and Authentication Policy

Address password requirements, MFA requirements, identifier management, and authenticator management. Your MFA policy receives particular scrutiny at Level 2.

IR — Incident Response Policy

Define what constitutes a security incident, roles and responsibilities, reporting requirements (including to DoD when CUI is involved), and the incident response lifecycle.

MA — Maintenance Policy

Cover how system maintenance is performed, who is authorized to perform it, and how remote maintenance sessions are controlled and logged.

MP — Media Protection Policy

Address how CUI on physical and digital media is protected, transported, sanitized, and disposed of.

PE — Physical Protection Policy

Document physical access controls for facilities where CUI is processed or stored. Include visitor management, monitoring, and emergency procedures.

PS — Personnel Security Policy

Cover personnel screening, access agreements (NDA and system use agreements), and procedures for terminating access when personnel depart.

RA — Risk Assessment Policy

Describe your risk assessment methodology, how frequently assessments are conducted, and how identified risks are prioritized and addressed.

CA — Security Assessment Policy

Cover how you assess and monitor your security controls, including internal assessments, penetration testing, and third-party assessments.

SC — System and Communications Protection Policy

Address network segmentation, boundary protection, encryption in transit, and protection of CUI at system boundaries.

SI — System and Information Integrity Policy

Cover malware protection, security alerts, patch management, and how your organization identifies and responds to known vulnerabilities.

Consolidation Tip: Many organizations combine these into a single Information Security Policy document with 14 domain-specific sections or appendices. Assessors will accept either approach as long as all required topics are covered.

Required Plans

Incident Response Plan (IRP)

Your IRP must be actionable — not just a policy statement. It should include:

  • Defined roles and responsibilities for your Incident Response Team
  • Incident classification criteria
  • Step-by-step response procedures for common incident types
  • Escalation procedures and communication templates
  • DoD reporting procedures — when CUI is involved, contractors must notify within 72 hours
  • Post-incident review and lessons learned process
  • Plan testing cadence — tabletop exercises recommended annually

Configuration Management Plan

This plan documents your approach to managing system configurations, including:

  • How baselines are established and approved
  • The change control process for configuration changes
  • How unauthorized changes are detected and remediated
  • Software allowlisting and denylisting procedures

Contingency / Business Continuity / Disaster Recovery Plan

NIST SP 800-171 Practice 3.6.1 requires planning for resilience. Your contingency plan should address:

  • Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for CUI systems
  • Backup procedures and tested restoration capabilities
  • Alternate processing and communication options
  • Roles and responsibilities during a disruption

Supply Chain Risk Management Plan (Recommended)

Assessors increasingly look for evidence that you manage third-party and supply chain risk. Document how you vet vendors, manage third-party access, and flow CMMC requirements down to relevant subcontractors. For a full breakdown of what subcontractors are responsible for, see our Subcontractor's Guide to CMMC.

Required Procedures

Procedures translate your policies into action. For each major domain, you need documented procedures that explain step-by-step how controls are implemented. Key procedure documents include:

  • Access Review Procedures — How and how often you review user access rights
  • Privileged Access Management Procedures — How privileged accounts are managed and monitored
  • Onboarding/Offboarding Procedures — How new employees are provisioned and departing employees are terminated
  • Patch Management Procedures — How patches are identified, tested, and deployed
  • Vulnerability Management Procedures — How scans are conducted and findings remediated
  • Log Review Procedures — How audit logs are reviewed and anomalies escalated
  • Media Sanitization Procedures — Step-by-step instructions for sanitizing or destroying media containing CUI
  • Backup and Recovery Procedures — How backups are performed, tested, and restored
  • Change Management Procedures — How changes to systems are requested, approved, implemented, and tested

Required Supporting Documents and Evidence Artifacts

Policies and plans tell assessors what you intend to do. Artifacts prove you are actually doing it.

System and Network Documentation

  • Network diagram showing CUI data flows and system boundary
  • Asset inventory — hardware and software
  • Data Flow Diagram showing how CUI moves through your environment
  • List of authorized external connections and service providers

Access Management Records

  • User access list with roles and permissions
  • Privileged account list
  • Access request and approval records
  • Periodic access review documentation

Training Records

  • Security awareness training completion records for all users
  • Role-based training records for privileged users
  • Training content documentation

Configuration Artifacts

  • Documented baseline configurations for all systems in scope
  • Hardening guides applied (e.g., CIS Benchmarks)
  • Evidence of MFA implementation on all accounts accessing CUI

Audit and Log Artifacts

  • Sample log data demonstrating logging is functional
  • Log review records
  • SIEM alert documentation (if applicable)

Vulnerability and Patch Management Records

  • Vulnerability scan reports — recent, covering all in-scope assets
  • Patch status documentation
  • Remediation tracking records

Incident Response Artifacts

  • Incident log or ticketing system records
  • Tabletop exercise records
  • Post-incident review reports

Third-Party Agreements

  • System Use Agreements / Acceptable Use Agreements — signed by all users
  • Non-Disclosure Agreements (NDAs) for personnel with access to CUI
  • Vendor agreements with relevant security clauses
  • Cloud Service Provider agreements — especially if using non-FedRAMP services; document risk acceptance

Personnel Records

  • Background check records (per your PS policy)
  • Signed access agreements

Special Focus: CUI Program Documentation

Many organizations overlook the need for formal Controlled Unclassified Information (CUI) program documentation. Your assessor will want to see that you understand what CUI you handle and how you protect it.

Consider maintaining:

  • A CUI Registry or inventory documenting the types of CUI you receive, process, and store
  • A CUI Handling Guide or job aid for employees
  • Evidence that CUI is properly marked (if you create CUI)
  • Documentation of how CUI is shared with subcontractors and the flow-down requirements imposed

CMMC Documentation by Domain — Quick Reference

Domain                        | Policy Required | Key Plans / Procedures                          | Key Evidence Artifacts
------------------------------|-----------------|-------------------------------------------------|-------------------------------------------------------
AC – Access Control           | Yes             | Access Review Procedures, Onboarding/Offboarding | User access list, MFA evidence, remote access logs
AT – Awareness & Training     | Yes             | Training Program                                | Training completion records
AU – Audit & Accountability   | Yes             | Log Review Procedures                           | Log samples, review records
CM – Configuration Mgmt       | Yes             | Change Management Plan, Patch Procedures        | Baseline configs, patch status reports
IA – ID & Authentication      | Yes             | Password/MFA Procedures                         | MFA implementation evidence, account inventory
IR – Incident Response        | Yes             | Incident Response Plan                          | Incident logs, tabletop exercise records
MA – Maintenance              | Yes             | Maintenance Procedures                          | Maintenance logs, remote session logs
MP – Media Protection         | Yes             | Media Sanitization Procedures                   | Sanitization/destruction records
PE – Physical Protection      | Yes             | Physical Access Procedures                      | Visitor logs, badge access records
PS – Personnel Security       | Yes             | Onboarding/Offboarding                          | Background check records, signed agreements
RA – Risk Assessment          | Yes             | Risk Assessment Procedures                      | Risk assessment reports
CA – Security Assessment      | Yes             | Assessment Procedures                           | Internal assessment reports, pen test results
SC – System & Communications  | Yes             | Network Segmentation Procedures                 | Network diagrams, encryption configs
SI – System & Info Integrity  | Yes             | Patch/Vulnerability Mgmt Procedures             | Scan reports, AV/EDR evidence

Common CMMC Documentation Mistakes to Avoid

Common Mistake               | Why It Fails
-----------------------------|--------------------------------------------------------------------------------------------------------------
Generic Boilerplate Policies | Downloaded templates that haven't been customized are easy for assessors to spot. Your policies must reflect how YOUR organization actually operates. If your policy says 'the CISO will review logs weekly' but you don't have a CISO, that policy is invalid.
Outdated Documents           | Policies dated 3+ years ago signal poor program management. Establish a formal annual review cycle and document each review.
Vague System Boundary        | One of the most common SSP deficiencies is a vague or overly broad system boundary. Be specific about what systems, applications, and locations are in scope.
Lack of Evidence             | A policy that says 'we conduct monthly vulnerability scans' means nothing if you can't produce the last 12 months of scan reports. Documentation must be backed by artifacts.
Disconnected Documents       | Your policies, SSP, and procedures should cross-reference each other. An assessor picking up your Access Control Policy should be able to trace it directly to your SSP and your access review procedures.
Treating POA&M as Failure    | A POA&M is not a red flag; it demonstrates that you know where your gaps are. What concerns assessors is unacknowledged gaps or gaps with no realistic remediation timeline.

How Long Does It Take to Build CMMC Documentation?

This is one of the most common questions we hear from organizations starting their CMMC journey. The answer depends on your starting point. For a full picture of the overall compliance journey — not just documentation — see our CMMC compliance timeline breakdown.

Starting Point                                    | Estimated Timeline
--------------------------------------------------|--------------------------------------------------------------------------------------------------------
Starting from zero                                | 3 to 6 months, assuming dedicated internal resources. Organizations without security personnel often find this estimate ambitious without outside help.
Existing NIST 800-171 or ISO 27001 program        | 1 to 3 months to gap-fill and align existing documentation to CMMC requirements.
Working with a CMMC-focused MSSP or RPO           | 4 to 8 weeks for the core documentation package. The fastest path for most defense contractors.

How CISPOINT Helps with CMMC Documentation

CISPOINT is a Cyber-AB Registered Practitioner Organization (RPO) based in Columbia, Maryland, serving defense contractors across the DMV area, Huntsville, Alabama, Kentucky, and Florida.

Our CMMC compliance team has helped dozens of defense contractors build documentation packages that satisfy C3PAO assessors. We do not hand you a template and wish you luck — we work alongside your team to:

  • Conduct a gap assessment to identify what documentation you have and what is missing
  • Draft policies, procedures, and plans tailored to your organization
  • Build and document your System Security Plan with accurate system boundary definition
  • Identify and document your CUI data flows
  • Prepare your complete evidence package
  • Conduct pre-assessment reviews to find documentation gaps before your official C3PAO assessment

CISPOINT also provides fully managed and co-managed IT services — meaning we can help you both document your security controls AND implement the technical controls those documents describe, all under one roof.

Ready to Start Your CMMC Documentation?
Contact CISPOINT for a complimentary CMMC readiness consultation. We serve defense contractors in Maryland, Virginia, DC, Alabama, Kentucky, and Florida.


Frequently Asked Questions

What documents are required for CMMC Level 1?

CMMC Level 1 requires an annual self-assessment affirmation submitted to SPRS and documentation demonstrating that 17 basic cyber hygiene practices are implemented. A formal System Security Plan is not mandated at Level 1, but organizations should maintain written evidence that each practice is addressed. Policies such as an Acceptable Use Policy and Password Policy are strongly recommended.

What documents are required for CMMC Level 2?

CMMC Level 2 requires a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), policies covering all 14 NIST SP 800-171 domains, and procedures and evidence demonstrating that all 110 practices are implemented. Supporting artifacts — training records, vulnerability scan reports, configuration baselines, access reviews, and more — are equally essential.

Is a System Security Plan (SSP) required for CMMC?

Yes. A System Security Plan is required for CMMC Level 2 certification. The SSP must describe how your organization implements each of the 110 NIST SP 800-171 practices, define the system boundary, identify CUI flows, and document interconnections and external service providers.

What is a POA&M in CMMC?

A Plan of Action and Milestones (POA&M) identifies security gaps, the corrective actions planned to address them, and the milestones and resources needed for remediation. Under CMMC Level 2, organizations may be assessed with a limited number of POA&M items outstanding if their SPRS score meets the required threshold, excluding certain high-priority practices.

How many policies does CMMC require?

CMMC Level 2 requires policy coverage across at least 14 domains aligned with NIST SP 800-171. Organizations may maintain these as 14 separate policy documents or consolidate them into a single Information Security Policy with domain-specific sections or appendices.

Does CMMC require an Incident Response Plan?

Yes. An Incident Response Plan (IRP) is required for CMMC Level 2. The plan must define roles, response procedures, escalation steps, and DoD reporting requirements. It must also be tested at regular intervals — annual tabletop exercises are recommended.

Do subcontractors need their own CMMC documentation?

Yes. If your subcontractors handle CUI or FCI on your behalf, they are subject to CMMC requirements and must maintain their own documentation package. As the prime contractor, you may be responsible for flowing down CMMC requirements and verifying subcontractor compliance.

Read more in our dedicated Subcontractor's Guide to CMMC.

Conclusion

CMMC documentation is not bureaucratic box-checking — it is the foundation of a defensible cybersecurity program. The policies, plans, procedures, and artifacts on this checklist exist because they reflect real-world security practices that protect the defense industrial base.

If you look at this checklist and feel overwhelmed, you are not alone. Most defense contractors did not get into business to become cybersecurity documentation experts. That is exactly what CISPOINT is here for.

Contact CISPOINT today to schedule your CMMC readiness consultation and get your documentation on the right track.

Disclaimer

The information in this post reflects CMMC requirements as of the date of publication and is intended for general informational purposes. CMMC requirements, assessment procedures, and documentation standards may evolve as the DoD updates program guidance. Organizations should verify current requirements with the Cyber-AB, their contracting officer, or a qualified CMMC professional before making compliance decisions. This post does not constitute legal advice.