Yes, associate the file policy (or policies) with ACP entries as appropriate.
I say "as appropriate" because it's not always needed - for instance if you are allowing inbound https and not de-encrypting then there is no need to associate a file policy since you will not be able to get the SHA-256 of the file to send to the cloud for analysis.