Framework hub
CMMC 2.0
DoD · 2.0
Cybersecurity Maturity Model Certification for DoD and federal agency contractors handling federal contract information and CUI.
HLD Group maintains policies and controls mapped to this framework as part of our security and compliance programme. This hub describes programme alignment — not a third-party certification or attestation unless separately agreed in your contract.
Programme focus areas
- Level 2 practices
- SSP
- POA&M
- CUI scoping
Policies meeting this framework
The following published policies and programme documents are mapped to CMMC 2.0. Status: published and under periodic review.
- Information security policyPublished
Enterprise information security programme and control framework.
v3.0 · review every 365 days
- Acceptable use policyPublished
Permitted and prohibited use of company systems, devices, and data.
v2.0 · review every 365 days
- Access control policyPublished
Granting, reviewing, and revoking access to systems and data.
v2.0 · review every 180 days
- Privileged access management policyPublished
Administrative and break-glass access controls.
v1.0 · review every 180 days
- Data classification policyPublished
Classification levels and handling requirements for information assets.
v1.3 · review every 365 days
- Data retention & disposal policyPublished
Retention schedules and secure destruction of information.
v1.0 · review every 365 days
- Incident response planPublished
Detecting, responding to, and recovering from security incidents.
v3.0 · review every 180 days
- Breach notification policyPublished
Notifying regulators, customers, and individuals of data breaches.
v1.0 · review every 365 days
- Encryption policyPublished
Requirements for encryption at rest and in transit.
v1.2 · review every 365 days
- Password & authentication policyPublished
Password complexity, MFA, and credential management.
v2.0 · review every 180 days
- Network security policyPublished
Segmentation, remote access, and perimeter controls.
v1.0 · review every 365 days
- Logging & monitoring policyPublished
Security logging, SIEM, and alerting requirements.
v1.0 · review every 365 days
- Vulnerability management policyPublished
Discovery, prioritisation, and remediation of vulnerabilities.
v1.0 · review every 365 days
- Patch management policyPublished
Security patching cadence and emergency patch process.
v1.0 · review every 365 days
- Asset management policyPublished
Inventory and lifecycle of information assets.
v1.0 · review every 365 days
- Risk management policyPublished
Identifying, assessing, and treating organizational risks.
v1.5 · review every 365 days
- Vendor & third-party risk policyPublished
Assessment and ongoing management of suppliers and subprocessors.
v1.4 · review every 365 days
- Change management policyPublished
Managing changes to systems, infrastructure, and applications.
v2.2 · review every 365 days
- Physical security policyPublished
Physical access to facilities, equipment, and media.
v1.1 · review every 365 days
- Secure development policyPublished
Secure SDLC, code review, and dependency management.
v1.0 · review every 365 days
- Cloud security policyPublished
Cloud governance, hardening, and identity in IaaS/PaaS.
v1.0 · review every 365 days
- Email & messaging security policyPublished
Anti-phishing, SPF/DKIM/DMARC, and acceptable email use.
v1.0 · review every 365 days
- Compliance & GRC policyPublished
Compliance programme, audits, and control ownership.
v1.0 · review every 365 days
- Security assessment policyPublished
Penetration testing, scans, and customer audit coordination.
v1.0 · review every 365 days
- Personnel security policyPublished
Screening, employment terms, and termination procedures.
v1.0 · review every 365 days
- Security awareness & training policyPublished
Mandatory security training and phishing simulations.
v1.0 · review every 365 days
- CUI handling policyPublished
Handling Controlled Unclassified Information per CMMC and NIST 800-171.
v1.1 · review every 180 days
- Business continuity planPublished
Continuity during and after operational disruption.
v1.9 · review every 365 days
Assurance note
Programme alignment means HLD maintains controls, policies, and monitoring mapped to CMMC 2.0 requirements appropriate to our services and risk profile. It does not by itself constitute certification, authorization, or a SOC/ISO audit report. Customers requiring formal attestations should contact [email protected].