ML.2.998: Document the CMMC practices to implement the [DOMAIN NAME] policy.
As directed in the policy established in ML.2.999, CMMC practices must be documented. Documenting practices enables an organization to execute the CMMC practices in a repeatable manner and to achieve expected outcomes, establishing a foundation for continuous improvement. Organizations build their cybersecurity practices by documenting them, then practicing them as documented. In other words, “Say what you do; do what you say.” The level of detail of a documented practice can vary from a handwritten desk procedure to a formal organizational standard operating procedure that is managed and controlled. It is up to the organization to determine how it will document its CMMC practices.
Links to Publicly Available Resources