The Power of Acceptable Use Policies for CMMC Level 2

Explore how an Acceptable Use Policy (AUP) underpins compliance for CMMC Level 2. We'll break down key NIST SP 800-171 requirements that users need to understand, and discuss how communicating policy expectations empowers organizations to enforce controls and drive accountability.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

Why Acceptable Use Policies Matter for CMMC Level 2

Eric Marquette

Welcome back to CMMC Unlocked. I’m Eric Marquette, and today, we’re zeroing in on one of those deceptively simple policies that can make or break your CMMC Level 2 readiness—the Acceptable Use Policy, or AUP. Sounds basic, right? But let me tell you, this is ground zero for aligning user behavior with security expectations, especially when you’re working around Controlled Unclassified Information, or CUI.

Paul Netopski

That’s right, Eric. The core purpose of an AUP, particularly in the context of CMMC, is to set explicit boundaries—what’s permitted and what’s off-limits—so everyone knows how to interact with systems, networks, and data. For defense contractors, that ties directly to CUI, but it also stretches to any organizational assets connected to the information environment: laptops, cloud resources, portable media, you name it.

Roz the Rulemaker

Exactly. And you can’t underestimate the importance of clarity here. The AUP isn’t just a formality; it’s the living document that translates compliance obligations into practical, everyday guidance. I’ve seen—too often, honestly—organizations treat it like a box to check, filed away until the next audit cycle rolls around.

Eric Marquette

Yeah, Roz, and that reminds me—years ago I did an assessment where the client handed over an AUP that still referenced floppy disks and dial-up modems—no joke. We laughed for a second, but then it hit me: their users were signing something that had zero application to their real-world workflows. If your AUP’s out of date, no one takes it seriously, least of all your staff. And by the way, assessors are definitely reading these things, looking for evidence that your organization is actually guiding behavior, not just recycling old paperwork.

Chapter 2

Key NIST SP 800-171 Controls for User Awareness

Paul Netopski

Let’s ground this in specifics. CMMC Level 2 is built on NIST SP 800-171, and there are some key controls that should directly inform your Acceptable Use Policy—things like 3.1.1, which covers limiting system access to authorized users, or 3.1.16, which is about session locks. These aren’t theoretical—they need to turn into real, actionable instructions for your staff.

Roz the Rulemaker

I couldn’t agree more. When we’re talking policy, “real-world” is the operative word. For example, take password requirements under 3.5.7—your AUP should clearly spell out what’s expected: minimum length, complexity, how often to change passwords. And then there’s device usage: spell out the rules for personal device use, USB drives, or connecting remotely. That’s how you bridge regulation and reality.

Eric Marquette

Yeah, and don’t forget what’s actually prohibited. A lot of folks overlook the “what not to do” part. Things like, “Don’t store CUI on unapproved devices,” or “No sharing passwords.” Make it plain. And Paul, you had a great story about portable media that kind of ties this all together, right?

Paul Netopski

Right, so one defense client was having trouble with shadow IT—employees copying files onto thumb drives “just to work from home.” We revised their AUP to explicitly highlight portable media restrictions, tying it to NIST 3.8.9 for media protection. We paired that with increased monitoring, and the data transfer risk dropped sharply. Clear language plus enforcement—people got the message, and we saw an actual change in user behavior.

Chapter 3

From Policy to Practice: Enforcing and Controlling User Actions

Roz the Rulemaker

And let’s get into the “so what”—how do you turn published policy into real compliance? Communication is always the first line of defense. If people don’t understand the “why” and “how,” there’s no foundation for holding them accountable—or for proving that accountability during a CMMC assessment.

Eric Marquette

Exactly, Roz. Assessors are trained to look for more than just the existence of a document—they want enforceability. You need a record of how users attested to the policy, like digital signatures or old-fashioned sign-off sheets. Then there are audit trails, which corroborate whether users are actually following the rules. And, periodic training—if you can’t show that everyone gets regular reminders, you’re at risk for a finding.

Paul Netopski

That’s the heart of the assessment. Just last year, during a Level 2 evaluation, we asked for training records and user acknowledgements. The organizations that tracked this—maybe with a learning management system or centralized HR file—demonstrated maturity. The others struggled, especially if they relied on word of mouth or one-time onboarding checklists.

Roz the Rulemaker

I see a real parallel here to federal rulemaking. Agencies can’t just say, “We issued a rule; therefore, it’s followed.” They’re expected to document publication, establish clear comment periods, and show how they’ve communicated expectations to stakeholders. For organizations, it’s similar: it’s about documenting that stakeholders—your employees—are actually receiving, and understanding, the rules. That’s what builds real accountability.

Chapter 4

Training and Reinforcing Acceptable Use Policies

Paul Netopski

Let’s build on that with the practical side of keeping users informed. Training isn’t a once-and-done activity. You need programs that walk people through the Acceptable Use Policy—not just the language, but the “what ifs” and the “what happens if I mess up” scenarios.

Eric Marquette

Absolutely. Think real-world: phishing emails, lost laptops, unauthorized devices showing up in conference rooms. Story-based training sessions stick way better than reading a twelve-page PDF. And, don’t be afraid to throw in quizzes. Yeah, they can be a little cheesy, but they’re effective for surfacing knowledge gaps and making folks pay attention.

Roz the Rulemaker

I would add that periodic refreshers are vital. Rules and threats change, and personnel turnover is constant. So set a schedule—maybe twice a year—for review sessions. And always document who attended, who passed the quiz, and who might need a bit more coaching. Accessibility matters too: quick-reference guides, FAQs, and maybe a policy portal so people can look things up when the pressure’s on. That’s compliance you can prove.

Chapter 5

Monitoring and Updating Policies Effectively

Eric Marquette

So, what do you do once your Acceptable Use Policy is up and running? You need a system to make sure it’s staying relevant. The tech changes, the threats change, and compliance rules definitely change. I always encourage a regular review cycle—let’s say, at least annually—with active input from security, IT, and legal, to keep the AUP current.

Paul Netopski

Yeah, and users are on the ground—they know when language is confusing, or when something’s not working. Set up ways for them to give feedback, like an anonymous suggestion box or a quick online form. If someone spots a gray area or a compliance challenge, you want to hear about it—before it shows up in your next assessment.

Roz the Rulemaker

Here’s where your audit and incident reporting process earns its stripes. If you see repeat violations or near-misses, that’s a red flag about how your policy’s written or communicated. Update the policy, retrain as needed, and document the cycle. That’s how you show assessors—and regulators—continuous improvement, not just compliance for its own sake.

Chapter 6

Integrating AUPs into Organizational Culture

Roz the Rulemaker

But even the best-written policy falls flat if it’s just a document in a binder. Integration into your organization’s culture starts with leadership modeling the right behaviors. Leadership sends the message that the AUP isn’t just “IT’s problem”—it’s everyone’s responsibility, every day.

Eric Marquette

That’s so on point. And getting buy-in isn’t one-size-fits-all; departments have their own pain points, workflows, and risks. I’ve seen finance teams need more training around phishing, while engineering obsesses over USB drives. Tailoring rollout and reinforcement by department helps make the AUP feel less like a “top-down command” and more like a resource. It gets people invested, not just compliant.

Paul Netopski

You know, one of the best things I’ve seen is when organizations actually celebrate success—like sharing stories about someone who reported a suspicious incident or highlighting lessons learned from a recent audit. Recognition helps embed these policies in the day-to-day, reinforcing that security and compliance are shared wins. It’s contagious—in a good way.

Chapter 7

Measuring Effectiveness of AUP Implementation

Paul Netopski

To close the loop, let’s talk metrics. You need real numbers to show the AUP is working, beyond “well, nobody complained.” Incident reduction rates, fewer violations, positive audit results—those are your hard metrics. But also watch user compliance levels—track trainings completed, quizzes passed, policy acknowledgments signed.

Eric Marquette

I think regular staff surveys are underrated for spotting blind spots. Ask how comfortable people are with the policy—do they know where to find it, can they explain what’s most important for their role? Take that feedback and actually use it to update your approach, not just file it away.

Roz the Rulemaker

If you’ve got automated monitoring tools in place, use them to check for repeat violations—unapproved USBs, login failures, things like that. And then, generate reports that point directly to what needs improvement. It’s that continuous oversight—combined with feedback and transparent data—that takes your AUP from a piece of paper to a dynamic management tool. That’s sustainability.

Eric Marquette

Well, that’s a wrap for today—The Power of Acceptable Use Policies for CMMC Level 2. Thanks for sticking with us as we dove into everything from legal frameworks to day-to-day realities of user policy. Roz, Paul, always a pleasure.

Roz the Rulemaker

Thank you, Eric. Looking forward to our next deep dive—there’s always more to unpack.

Paul Netopski

Thanks everyone—and remember, effective policies and real enforcement are your best defense. See you next time on CMMC Unlocked.