ML.2.998: Document the CMMC practices to implement the [DOMAIN NAME] policy.
As directed in the policy established in ML.2.999, CMMC practices must be documented. The documentation of practices enables an organization to execute the CMMC practices in a repeatable manner and to achieve expected outcomes, establishing a foundation for continuous improvement. Organizations build their cybersecurity practices by documenting them, then practicing them as documented. In other words, “Say what you do; do what you say.” The level of detail of a documented practice can vary from a handwritten desk procedure to a formal organizational standard operating procedure that is managed and controlled. It is up to the organization to determine how they will document their CMMC practices.
Links to publicly available resources coming soon