We've covered every domain within NIST SP 800-171 Rev 2 with a separate policy. Each policy has relevant roles with responsibilities. The roles and responsibilities table also serves as our dissemination list. This alleviates our end-users from having to acknowledge every domain-level policy. It also requires us to communicate end-user responsibilities in a separate policy. As we went through each domain, statements addressable to end-users were set aside. These became the basis for our acceptable use policy. This policy encompasses all domains but focuses on non-privileged end users.
Acceptable use policies address the behaviors expected of our end users. We require end users to acknowledge having received this policy. We test their comprehension of key content from within the policy. Here are some of the principles that guided this acceptable use policy:
A cover page tracks specific details regarding the policy, including:
We followed our templated structure for all domain level policies. From this guidance we incorporate the following major sections into our policy:
The purpose statement should identify why the policy exists and what it aims to achieve.
The scope should identify who it applies to and under what circumstances.
The policy governance section covers most of the organization defined parameters. These subsections cover the following details:
The fourth section includes our policy statements. Subsection headings group related Policy statements together. Each policy statement has a unique number for traceability to other documents. A policy statement number consists of the section, subsection, and policy statement order
The fifth section identifies the relevant roles and responsibilities identified in the policy. A single, short paragraph describes the responsibilities for each role. The sixth section documents a revision history. This table captures policy changes, including: version, effective date, approver(s), change summaries. The seventh section captures a formal acknowledgement of the policy by the end user.
We used the same section headings from domain policies whenever possible. This helped establish traceability for statements addressing the same controls to different audiences.
The organization provides information systems only for official business and related tasks. The organization limits access to those with a documented need to use the system. Users must complete their security training before accessing the system. Users must never post internal system details on public websites or social media. The organization reviews all data made public for sensitive content.
Users cannot access social media for personal use on company systems without approval. Users must have approval before using alternative cloud storage or AI applications. Users may not use work email addresses to sign up on any non-business websites. The organization updates these rules every year or whenever major changes happen. All staff sign the rules again every twelve months.
CMMC Objectives Covered in This Section:
The organization requires all passwords to be at least eight characters long. These passwords must include a mix of letters, numbers, and special characters. You cannot use easy-to-guess information like your name, username, or the company name. When you create a new password, it must be completely unique. You cannot change one number or rotate through old passwords you used before.
New users must change their temporary password immediately during their first login. If you do not use your temporary password within 48 hours, the system will disable your account. You are the only person responsible for keeping your password secret. You must never share your login details with anyone, including your boss or the IT team. The organization prohibits writing passwords on notes or saving them in unprotected files. You may only use an approved password manager to store your credentials.
You must not use your work password for personal accounts like your bank or social media. If you think someone stole your password, you must change your password immediately. You must also notify the Security Team right away.
CMMC Objectives Covered in This Section:
Users must lock their devices every time they leave their workstations unattended. You must take this action even if you only plan to step away for a short moment.
CMMC Objectives Covered in This Section:
Users must use only approved communication channels when they share sensitive data. The organization prohibits personal chat apps or unencrypted file-transfer sites for work-related information.
CMMC Objectives Covered in This Section:
Users must not install any unauthorized software or applications on company-owned devices. This rule applies to downloads from the Internet and software from a thumb drive. You must submit all software requests to the IT department for formal approval.
CMMC Objectives Covered in This Section:
Personnel must store all sensitive media in secured areas. This rule applies to everything from hard drives and flash drives to paper records. When you move sensitive documents, you must place them in sealed envelopes. If you take these materials out of controlled areas, you must track them using a formal log.
The organization prohibits connecting personal USB drives, smartphones, or cameras to company systems. If you receive an exception to use portable media, you must keep it locked in a drawer or safe when you are not using it. You must never leave removable media unattended. Do not use portable storage devices containing sensitive data on outside systems. Use an approved secure file-sharing platform for all data transfers to external partners.
CMMC Objectives Covered in This Section:
Users must mark all media containing sensitive data. Mark CUI data in the banner at the top and bottom of every page or on the physical exterior of the device. You must also include labels that explain who can see the information. If a device is too small for a full label, you must store it in a marked envelope or container instead.
When you work with digital files, you must include the "CUI" designation in the filename. You must also update the headers and footers before you save them to shared folders.
CMMC Objectives Covered in This Section:
Users must mark all paper records with the correct "CUI" label as soon as they collect them. You are responsible for the physical safety of printed materials. When you print or copy sensitive documents, you must go to the machine and pick them up immediately. Never leave sensitive files sitting in a shared output tray where others could see them.
CMMC Objectives Covered in This Section:
Personnel must keep all assigned keys, badges, and tokens in their physical custody. You must never share these items or leave them unattended. Report lost access devices suspicious events to security personnel immediately.
You are responsible for keeping your workspace and the office entrance secure. You must badge in every time you enter a door to prevent others from following you inside. If you have a visitor, you must ensure they sign the log and stay with them at all times. If you see someone you do not recognize alone in nonpublic areas, call security right away.
CMMC Objectives Covered in This Section:
Personnel must use only approved devices when working remote with sensitive data. You must connect through a secure VPN that requires multi-factor authentication. When handling sensitive information, do not use unauthorized devices or public Wi-Fi.
You are responsible for the safety of your home office or remote workspace. You must ensure that unauthorized people cannot see your screen or overhear conversations. Secure your devices and media to prevent loss or theft while working away from the main office.
CMMC Objectives Covered in This Section:
All employees, contractors, and third-party users must immediately report any security incidents. You should notify your manager or the security personnel as soon as you see a suspected threat. Use the official reporting tools, such as the Help Desk or the security email address.
CMMC Objectives Covered in This Section:
Upon leaving or changing your role, you must return all company property and data. This includes hardware as well as physical items like your ID badge and keys. You must return all sensitive documents and delete corporate information from personal devices.
The organization requires you to complete an offboarding checklist. You must surrender all company property before your final departure. Keeping any corporate data or hardware may lead to legal consequences.
CMMC Objectives Covered in This Section:
The organization penalizes employees, contractors, or third parties who breaks the rules. Human Resources and the security personnel manage this process together. Penalties can include written warnings, losing system access, extra training, or your job. When violations trigger penalties, the organization must notify designated personnel within 24 hours. This report must include the person's name and a description of which rule they broke.
CMMC Objectives Covered in This Section:
FedRAMP guidance on how to write a control implementation statement states the following:
Write your policies before you start drafting your security plan. K2 GRC shows you exactly how each part of your policy connects to your security goals. This starts with selecting an objective to document.

After selecting a criteria, K2 GRC shows policy statements relevant to that criteria. The input screen shows the specific policy name and the statement’s number. This enables users to cite relevant policy sections within the control narratives. The system aggregates these control narratives to populate the system security plan (SSP).

Navigating the complexities of CMMC can feel like a high-stakes balancing act. You are protecting your reputation and the contracts that keep your business thriving. We know the weight of that responsibility can be overwhelming. A password on a sticky note could jeopardize everything you’ve worked to build. But security doesn't have to be a source of constant anxiety.
A clear Acceptable Use Policy (AUP) replaces uncertainty with shared responsibilities. You empower your team with the knowledge they need to be your strongest line of defense. Don't let the fear of an audit keep you up at night. Take the first step toward a more secure, confident future today. Download our AUP Template for CMMC. Give your team the framework they need to stay focused on the work that matters most.