CMMC procedure templates

CMMC procedure templates that don't go stale six months later.

Procedures reference specific platform configuration screens and feature names — the parts of CMMC documentation that go out of date fastest. Poliato's procedure templates are tied to the platforms you actually use (Microsoft 365, Google Workspace, others) and maintained as a subscription as those platforms evolve.

Policy vs procedure — where the line gets drawn

A policy states the rule — the organizational decision. A procedure states the steps — the specific configuration, the menu path, the responsible role. CMMC assessors examine both. Procedures are where most documentation goes stale, because the underlying platforms change continuously.

A practical heuristic: if a sentence references a specific UI element (a menu name, a button label, a setting key), it belongs in a procedure. If a sentence states what the organization has decided to do (we require MFA on all CUI-handling accounts, we encrypt CUI at rest), it belongs in a policy. Procedures are where the screenshots go; policies are where the rules go.

Why static CMMC procedure templates rot

A Word document that walked through Microsoft 365 admin screens last year has the wrong screen names this year. A procedure that references Azure AD is describing what is now Entra ID. A G Suite reference should now read Google Workspace. The platforms underneath every CMMC procedure change continuously, and assessors do notice when a procedure references an interface the contractor doesn't actually have anymore.

Poliato treats this as the structural problem it is — procedures are a maintenance subscription, not a one-time purchase. Each supported platform (Microsoft 365, Google Workspace, and others as customer concentration warrants) is a $49 per month per platform add-on. The procedure text stays current as the platform evolves.

Procedures generated against your environment, not generic

Like policies, procedures are wizard-generated. The wizard asks which platforms are in scope, which configurations are in use, and which roles own each step. The output is a procedure that reflects the platforms and configurations you actually have — not a generic Word document with bracketed placeholders.

  • NIST SP 800-171 control identifiers mapped to each procedure step.
  • Platform-specific configuration paths — current as of the latest platform release.
  • Role assignments your team can read and acknowledge.
  • Version control and review reminders, like every other document in the platform.

See how procedures plug into the management platform for acknowledgement, version control, and audit readiness — same workflow as policies, same single source of truth.

Start with the wizard

Trial it with your actual platforms.

14-day free trial. Generate sample procedures for your platforms. Export to PDF anytime — yours regardless of subscription status. No sales call required to start.


Common questions

About CMMC procedure templates.

What's the difference between a CMMC policy and a CMMC procedure?
A policy states what the organization does (the rule). A procedure describes how the organization does it (the step-by-step). CMMC assessors examine both — a policy without a corresponding procedure is a coverage gap. Procedures are also where most documentation goes stale, because the underlying platforms (Microsoft 365, Google Workspace, etc.) change configuration screens and feature names continuously.
How many CMMC procedure templates does an organization need?
Roughly one or more procedures per NIST SP 800-171 control family, depending on the platforms in use. An organization standardized on Microsoft 365 will have a different procedure set than one on Google Workspace — the access-control procedure for Entra ID looks nothing like the equivalent for Google Admin. Poliato generates procedures specific to the platforms you actually use.
Why do CMMC procedure templates go stale so quickly?
The cloud platforms underneath them change constantly. Microsoft renames a feature, Google moves a setting to a different screen, AWS rolls out a new service that supersedes an old one. Static procedure documentation written against last year's UI is wrong by next year's assessment. Poliato treats procedures as a subscription category — each platform is a $49/month add-on that keeps the procedures current as the platform evolves.
Which platforms does Poliato cover with procedure subscriptions?
Microsoft 365 and Google Workspace are the primary supported procedure platforms today; additional platforms are added based on customer concentration. Each procedure subscription is $49 per month per platform and stays current as the underlying platform changes — adding new screens, renaming features, accommodating new compliance-relevant controls.
Are CMMC procedures pre-mapped to NIST 800-171 controls?
Yes. Like policies, each procedure carries explicit mapping to specific NIST SP 800-171 control identifiers. The same reverse-mapping view applies — pick a control ID and see every policy AND procedure that addresses it.
Can I bring my own procedures?
Yes — the Change Management (BYOP) tier supports uploading existing procedure documents and managing them through Poliato. Control mapping is manual on BYOP and automatic on the With Policies tier, including procedures for any platforms you've subscribed to.
Where does the line between policy and procedure get drawn?
Policies should survive platform changes; procedures should not. If a sentence references a specific UI element, a specific configuration screen, or a specific platform feature, it probably belongs in a procedure. If a sentence states an organizational decision (we require MFA, we encrypt CUI at rest), it probably belongs in a policy.