Your policies say “enforce least privilege.” Your assessor says “show me how.”
Policies describe what your organization requires. But during a CMMC Level 2 assessment, the C3PAO does not just read your policies. They ask to see how your team actually manages accounts, responds to incidents, handles media sanitization, and enforces access controls. Without documented operating procedures, your policies are promises with no proof.
**Tier 2** gives you both layers: 30 audit-ready templates (everything in Tier 1) plus 42 step-by-step operating procedures that show assessors exactly how your organization implements each requirement.
What’s Included in Tier 2 (72 Documents)
Everything in Tier 1 (30 Documents):
- System Security Plan (SSP) Template covering all 110 controls
- POA&M narrative template + Excel tracking workbook with dashboard
- CUI Boundary Definition Worksheet with 4 architecture models
- 14 domain security policies (ready for executive signature)
- 8 supporting assessment tools (Control Matrix, System Inventory, Evidence Guide, DFD Template, Vendor Questionnaire, Readiness Checklist, FIPS Audit Sheet)
- Comprehensive Usage Guide
Plus 42 Operating Procedures Across All 14 Domains:
| Domain | Procedures | Examples |
| Access Control | 8 | Account Management, Access Enforcement, Remote Access, Privileged Access, Session Management |
| Awareness & Training | 1 | Security Awareness Training |
| Audit & Accountability | 3 | Audit Logging & Monitoring, Record Review, Correlation & Analysis |
| Security Assessment | 3 | Assessment & Authorization, Control Monitoring, System Interconnections |
| Configuration Management | 3 | Configuration & Change Management, Software Management, System Hardening |
| Identification & Auth | 3 | Authentication & Password Management, Device Authentication, Identifier Management |
| Incident Response | 2 | Incident Response, Incident Tracking & Reporting |
| Maintenance | 3 | System Maintenance, Controlled Maintenance, Maintenance Tools |
| Media Protection | 4 | Sanitization & Disposal, Media Protection, Transport, Storage |
| Physical Protection | 3 | Physical Access Control, Access Authorization, Visitor Control |
| Personnel Security | 1 | Personnel Security |
| Risk Assessment | 2 | Risk Assessment, Security Categorization |
| System & Comms Protection | 3 | Boundary Protection, Network Segmentation, Cryptographic Protection |
| System & Info Integrity | 3 | Monitoring & Malware Protection, Vulnerability Scanning, Flaw Remediation |
Each procedure includes:
- Purpose, scope, and applicability
- Technology-neutral placeholders: [Identity Provider], [Cloud Platform], [SIEM Solution], [Endpoint Management Solution], and more. Replace with your actual tools.
- Step-by-step operational workflows
- Roles and responsibilities with RACI-style assignments
- Metrics and KPIs for measuring effectiveness
- Evidence collection guidance (what to save for assessors)
- Appendices with operational forms, checklists, and quick-reference guides
Who This Is For
- Organizations that have policies but no documented procedures
- IT teams that know how they do things but have never written it down
- Compliance leads preparing for a C3PAO assessment within the next 6 months
- Consultants helping clients build complete compliance documentation packages
What You’ll Accomplish with Tier 2
- Close the policy-to-procedure gap that assessors flag most often
- Give every team member a reference for how security processes actually work
- Document the operational evidence your assessor expects to see
- Reduce procedure writing time from 60+ hours to 15-20 hours of customization
- Create consistency between what your policies require and how your team operates
| Feature | Tier 1 ($79) | Tier 2 ($119) | Tier 3 ($149) |
| SSP, POA&M, CUI Boundary | Yes | Yes | Yes |
| 14 Domain Policies | Yes | Yes | Yes |
| Supporting Tools (8 Excel/PPT/Word) | Yes | Yes | Yes |
| Usage Guide | Yes | Yes | Yes |
| 42 Operating Procedures | Yes | Yes | |
| 111 Control Implementation Guides | Yes | ||
| Evidence Checklists per Control | Yes | ||
| C3PAO Assessment Objectives | Yes |
Why Procedures Matter for CMMC
C3PAO assessors evaluate your compliance at three levels: Do your policies exist? Do your procedures describe how you implement them? Can you demonstrate that you follow them? Without the middle layer (procedures), your policies float above reality and your evidence has no framework to attach to. This is the number one gap assessors find in organizations that built their own documentation.
Why Upgrade to Tier 3? You Have the “What” and “How.” The Final Question is “Will I Pass?”
Tier 2 gives you the documentation (Tier 1) and the operational detail (procedures). But do you know whether your implementation will actually satisfy every C3PAO assessment objective? Do you know what specific evidence the assessor expects for control 3.5.3? Do you know the common pitfalls that cause findings for control 3.13.11?
**Tier 3: Complete Pack – Templates, Procedures, and Control Guides ($149)** includes everything in Tier 2 plus 111 control implementation guides with evidence checklists and C3PAO assessment objectives for every CMMC Level 2 practice. Each guide shows you the exact objectives the assessor will check, what “Met” looks like, the specific evidence to collect, and the common pitfalls that trip up other organizations. Tier 3 turns your documentation from “we think we are ready” into “we know we will pass.”
Reviews
There are no reviews yet.