Documentation Without Enforcement Is a Liability
Here’s the uncomfortable part: a policy that isn’t enforced is arguably worse than no policy at all. An unwritten practice is a gap. A written, unenforced policy showing the workflow of that police and SOP with documented evidence that your organization knew the requirement and didn’t meet it. Assessors — and, in the event of a breach, regulators and contracting officers — treat that difference seriously.
This is why Dragnet approaches policy and procedure writing as an operational exercise, not a documentation exercise. Before we draft a single policy, we map it to what’s actually configured, who actually owns it, and what evidence will actually exist to prove it. The document comes last, not first.
Mapping Policies to CMMC Control Families
CMMC Level 2 is built on 110 practices across 14 domains, and your policy set needs to speak the same language as the assessment. A few of the domains where misalignment is most common:
Access Control (AC): Policies must reflect exactly how account provisioning, least privilege, and remote access are configured — not an idealized version of it. If your policy says role-based access control governs CUI systems, your identity provider needs to show it.
Identification and Authentication (IA): This is where MFA gaps live. Your policy should specify where multifactor authentication is enforced, for whom, and under what conditions — and it should match your actual authentication logs, not an aspiration for “next quarter.”
Audit and Accountability (AU): Policies need to define what gets logged, how long logs are retained, and who reviews them. Assessors will ask to see the review, not just the retention setting.
System and Information Integrity (SI): Covers patch management, malware protection, and flaw remediation. Your policy’s stated patching cadence needs to match your actual patch history — a common and easily-caught discrepancy.
Getting these four domains right doesn’t guarantee a clean assessment, but misalignment in any of them is one of the fastest ways to generate findings.
Building Policies That Hold Up
Strong CMMC documentation isn’t about volume — it’s about accuracy. A shorter policy set that precisely mirrors your actual environment will outperform a comprehensive one full of assumptions and templates every time.
Dragnet’s Policy & Procedure Writing service is built around this principle. We work directly with your team to map requirements to real technical controls, assign clear ownership, and build documentation that will hold up under scrutiny — because it reflects what you’re actually doing, not what a template says you should be doing.
If your policies haven’t been reviewed against your actual environment recently, now is the time.
Schedule a CMMC Discovery Call



