We’ve compiled the most thorough collection of helpful and authoritative links on the internet to help with your CMMC compliance efforts: CMMC Resources, NIST 800-171 Resources, CUI Resources, DFARS Resources
The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) Program Proposed Rule on 12/26/2023. DoD also announces the availability of eight guidance documents for the CMMC Program. These documents provide additional guidance for the CMMC model, assessments, scoring, and hashing.
As of 12/26/2023 CMMC Proposed Rule and Documentations AND The CMMC documents (version 2.11) have both been released
CMMC Proposed Rule
CMMC Program – Proposed Rule (PDF)32 CFR Part 170
Summary: DoD is proposing to establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) Program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs. DoD currently requires covered defense contractors and subcontractors to implement the security protections set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status, including any plans of action for any NIST SP 800-171 Rev 2 requirement not yet implemented, in a System Security Plan (SSP). The CMMC Program provides the Department the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required.
- Federal Register – CMMC Program – Proposed Rule Webpage
- CMMC Program Rulemaking Docket (Unified Agenda, Overall Documents, Comments)
- Public comments posted regarding rule
- Regulatory Impact Analysis 32 CFR Part 170 (Impact, Cost, and Benefit Analysis)
- Initial Regulatory Flexibility Analysis 32 CFR (benefits and costs, small business impact analysis)
- CMMC Guidance document repository with public comments (assessment guides, scoping guides, hashing guide)
- Notice of Guidance for CMMC
CMMC Guidance – CMMC Model
CMMC Model Overview
Abstract: This document focuses on the CMMC Model as set forth in 32 CFR 170.14 of the CMMC Program proposed rule (See docket DoD–2023–OS–0063 on Regulations.gov). The model incorporates the security requirements from: (1) FAR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, (2) NIST SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and (3) a selected set of the requirements from NIST SP 800–172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171. ;The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are protecting such information at a level commensurate with risk from cybersecurity threats, including Advanced Persistent Threats (APTs).
CMMC Guidance – CMMC Scoping Guide
Scoping Guide – CMMC Level 1
Abstract: This document provides scoping guidance for Level 1 of CMMC as set forth in 32 CFR 170.19. Prior to a Level 1 CMMC Self-Assessment the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the self-assessment.
This guide is intended for OSAs that will be conducting a CMMC Level 1 self-assessment and the professionals or companies that will support them in those efforts.
Scoping Guide – CMMC Level 2
Abstract: This document provides scoping guidance for Level 2 of CMMC as set forth in 32 CFR 170.19. Prior to a Level 2 Self-Assessment or Level 2 Certification Assessment, the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the assessment.
This guide is intended for OSAs that will be conducting a CMMC Level 2 Self-Assessment in accordance with 32 CFR 170.16, OSCs that will be obtaining a CMMC Level 2 Certification Assessment in accordance with 32 CFR 170.17, and the professionals or companies that will support them in those efforts. OSCs are a subset of OSAs as all organizations will participate in an assessment, but self-assessment cannot result in certification.
Scoping Guide – CMMC Level 3
Abstract: This document provides scoping guidance for Level 3 of CMMC as set forth in 32 CFR 170.19. Prior to conducting a CMMC assessment, the Level 3 CMMC Assessment Scope must be defined as set forth in 32 CFR 170.19(d). The CMMC Assessment Scope defines which assets within the OSC’s environment will be assessed and the details of the assessment.
When seeking a Level 3 Certification, the OSC must have a CMMC Level 2 Final Certification Assessment for the same scope as the Level 3 assessment. Any Level 2 Plan of Action and Milestones (POA&M as set forth in 32 CFR 170.4) items must be closed prior to the initiation of the CMMC Level 3 assessment. The CMMC Level 3 CMMC Assessment Scope may be a subset of the Level 2 CMMC Assessment Scope (e.g., a Level 3 data enclave with greater restrictions and protections within the Level 2 data enclave).
This guide is intended for OSCs that will be obtaining a CMMC Level 3 assessment and the professionals or companies that will support them in those efforts.
CMMC Guidance – CMMC Assessment Guide
Assessment Guide – CMMC Level 1
Abstract: This document provides guidance in the preparation for and execution of a Level 1 Self-Assessment under the CMMC Program as set forth in 32 CFR 170.15. CMMC Level 1 focuses on the protection of FCI, which is defined in 32 CFR 170.4 and 48 CFR 4.1901 as:
Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
CMMC Level 1 is comprised of the 15 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204–21.
Assessment Guide – CMMC Level 2
Abstract: This document provides guidance in the preparation for and execution of a Level 2 Self-Assessment or Level 2 Certification Assessment under the CMMC Program as set forth 32 CFR 170.16 and 170.17 respectively. An Assessment as defined in 32 CFR 170.4 means:
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization as defined in 32 CFR 170.15 to 32 CFR 170.18. For CMMC Level 2 there are two types of assessments:
- A Self-Assessment is the term for the activity performed by an entity to evaluate its own CMMC Level, as applied to Level 1 and some Level 2.
- A CMMC Level 2 Certification Assessment is the term for the activity performed by a Certified Third-Party Assessment Organization (C3PAO) to evaluate the CMMC Level of an OSC.
32 CFR 170.16(b) describes contract or subcontract eligibility for any contract with a CMMC Level 2 Self-Assessment requirement, and 32 CFR 170.17(b) describes contract or subcontract eligibility for any contract with a CMMC Level 2 Certification Assessment requirement. Level 2 Certification Assessment requires the OSA achieve either a Level 2 Conditional Certification Assessment or a Level 2 Final Certification Assessment, as described in 32 CFR 170.4, obtained through an assessment by an accredited Certified Third-Party Assessment Organization (C3PAO).
Assessment Guide – CMMC Level 3
Abstract: This document provides guidance in the preparation for and execution of a Level 3 Certification Assessment under the CMMC Program as set forth in 32 CFR 170.18. Certification at each CMMC level occurs independently. An Assessment as defined in 32 CFR 170.4 means:
The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system, or organization as defined in 32 CFR 170.15 to 32 CFR 170.18
A CMMC Level 3 Certification Assessment as defined in 32 CFR 170.4 is the term for the activity performed by the Department of Defense to evaluate the CMMC Level of an OSC. For CMMC Level 3, assessments are performed exclusively by the DoD.
An OSC seeking a CMMC Level 3 Certification Assessment must have first received a CMMC Level 2 Final Certification Assessment, as set forth in 32 CFR 170.18, for all applicable information systems within the CMMC Assessment Scope, and the OSC must implement the Level 3 requirements specified in 32 CFR 170.14(c)(4). This is followed by the CMMC Level 3 assessment conducted by the DoD.
OSCs may also use this guide to perform CMMC Level 3 self-assessment (for example, in preparation for an annual affirmation); however, they are not eligible to submit results from a self-assessment in support of a CMMC Level 3 Certification Assessment. Only the results from an assessment by the DoD are considered for award of a CMMC Level 3 Certification Assessment. Level 3 reporting and affirmation requirements can be found in 32 CFR 170.18 and 32 CFR 170.22.
CMMC Guidance – CMMC Hashing Guide
Hashing Guide (cryptographic reference (or hash) for each artifact used in the assessment)
Abstract: This guide assumes that the reader has a basic understanding of command line tools and scripting. During the performance of a CMMC assessment, the assessment team will collect objective evidence using a combination of three assessment methods:
- examination of artifacts,
- affirmations through interviews, and
- observations of actions.
Because these OSA artifacts may be proprietary, the assessment team will not take OSA artifacts offsite at the conclusion of the assessment. For the protection of all stakeholders, the OSA must retain the artifacts. This guide describes how to provide a cryptographic reference (or hash) for each artifact used in the assessment as discussed in 32 CFR 170.17 and 170.18.
CUI
CUI Policies (Gov Policies) / Regulations
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (pdf)
Cloud service providers supporting CUI
- Microsoft Azure GCC / GCC HIGH
- Azure Commercial – suitable for handling Federal Contract Information (FCI)
- Government (GCC) – Suitable for handling CUI that is not export-controlled and does not require US persons for operations tasks
- Government (GCC High) – suitable for handling CUI that have export-controlled restrictions (i.e., ITAR, EAR)
- Microsoft Tech Community Discussion: Understanding Compliance Between Commercial, Government and DoD Offerings
- Amazon Web Services (AWS) GOVERNMENT: AWS released the NIST SP 800-171 Customer Responsibility Matrix (CRM), which aligns with the CMMC 2.0 Level 2 Advanced. It provides a breakdown of the NIST SP 800-171 security controls that customers can inherit from AWS using the Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US).
- AWS presentation explains CMMC
- Google Cloud Government – Google has many cloud services that are NIST 800-171 compliant.
- Oracle Government Cloud
- Oracle Cloud Compliance Matrix
Additional CUI resources
- Defense Counterintelligence and Security Agency (DCSA) presentation covering “What is CUI”
- National Archives and Records Administration Page with CUI Registry
- DoD Procurement Toolbox – Cybersecurity Page Other Resources
- NIST SP 800-171 DoD Assessment Methodology (.docx)
- Project Spectrum Project Spectrum is a comprehensive, cost-effective platform that provides companies, institutions, and organizations with cybersecurity information, resources, tools, and training. Our mission is to improve cybersecurity readiness, resiliency, and compliance for small/medium-sized businesses and the Federal manufacturing supply chain.
- The CMMC Information Institute Helping you cut through the fog of CMMC-related misinformation.
- Assistance in the development of a System Security Plan and Plans of Action and milestones
- Approach to Implementing NIST SP 800-171
- About the Cybersecurity Evaluation Tool (CSET) Tool – CSET is a no-cost application developed by the DHS’s Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT). The tool provides a systematic approach for evaluating an organization’s security posture. It guides asset owners and operators through a step-by-step process to evaluate their industrial control system and IT network security practices.
Cybersecurity Awareness Training (Free)
Satisfies CMMC’s general cybersecurity awareness training requirements
DoD Cybersecurity Awareness Training – Cyber Awareness Challenge 2022 (The purpose of the Cyber Awareness Challenge is to influence behavior, focusing on actions that authorized users can engage to mitigate threats and vulnerabilities to DoD Information Systems. )
Cybersecurity Policy Templates
- Community Resources for CMMC and NIST 800-171 Compliance – a great resource highlighting available policy templates
- SANS Institute – over 60 Security Policy Templates, including Acceptable Use, Remote Access, and Wireless policies
- Cybersecurity Facility-Related Control Systems (FRCS) This site has excellent policy and procedure templates and checklists. While the templates and checklists are labeled DoD, ESTCP, or Navy, they are generally organization agnostic, and any organization can modify them to suit their use.
- A generic template of recommended policies and procedures (artifacts) to support the answers to the security control questions – ESTCP IT Policies and Procedures template
KLC Consulting’s NIST 800-171 R2 Self Assessment Template
Spreadsheet with CMMC 2.0 numbering, Practice, and AO, Practice, and AO descriptions, Dropdown showing practice compliance level, Practice documentation, evidence tracking, POAM gaps documentation, POAM remediation date, Methodology score.
Commercially Off The Shelf (COTS)
Any item of supply (including construction material) that is:
- A commercial product (as defined in paragraph (1) of the definition of commercial product in this section);
- Sold in substantial quantities in the commercial marketplace; and
- Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and does not include bulk cargo items, as defined in 46 USC 40102(4). Examples: agricultural products and petroleum products.
DCMA Commercial Item Group (CIG)
COTS definition – FAR 201 FAR 12.103
FAR 2.101 KLC Consulting’s COTS Exemption Case Studies
FIPS 140-2 validated product search
- A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module must employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.
- Search for information on validated cryptographic modules
FedRAMP certified product search
Here is where you can search for FedRAMP-certified products
SPRS – SPRS submission instructions
Requires registering and logging into the PIEE system to receive authority as the SPRS security role.
- Simple instructions to obtain PIEE Access and the SPRS Vendor Support role.
- SPRS Access Instruction
- Detailed instructions with screenshot examples – Add SPRS Cyber Vendor Role Instruction and SPRS Quick Entry Guide
- PIEE Helpdesk telephone #: 866-618-5988
- For submission detail: please follow the instructions here.
- SPRS Submission website
- CMMCAUDIT’s Guide to submit a NIST 800-171 self-assessment to the DoD’s SPRS
DoD Procurement Toolbox – Cybersecurity Policy Regulations
- Safeguarding Covered Defense Information and Cyber Incident Reporting
- DoDI 5200.48 “Controlled Unclassified Information.”
- 32 CFR 2002 Part IV National Archives and Records Administration 32 CFR Part 2002 “Controlled Unclassified Information.”
- EO 13556 Vol 75, No 216. “Controlled Unclassified Information”
- NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Non-federal Systems and Organizations”
- 2019 CUI Reports to the President & CUI Notices
- US Under Secretary of Defense’s Office of Acquisition & Sustainment CMMC Page
CMMC, CUI, DFARS, and NIST Authoritative Regulation
- DFARS 252.204-7008
- DFARS 252.204-7012
- DFARS 252.204-7019
- DFARS 252.204-7020
- DFARS 252.204-7021 (CMMC)
48 CFR Federal Acquisition Regulations – Basic Safeguarding of Contractor Information Systems
Official CMMC Documents
CMMC Information
CMMC Model Overview
CMMC Scoping
- Link to CMMC Level 1 Scoping Guidance
- Link to CMMC Level 2 Scoping Guidance
- NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Non federal Systems and Organizations”
Mapping NIST 800-171 / CMMC to Other Cybersecurity Frameworks
- ComplianceForge – CMMC 2.0 Mapping – NIST-ISO-CIS
- NIST SP 800-171 Revision 2 Appendix D
The Cyber Accreditation Body (Formerly the CMMC-AB)
- Cyber AB – Manages the CMMC ecosystem, C3PAOs, Registered Practitioners (RP)
- Cyber AB Marketplace – for searching entities within the CMC ecosystem, such as C3PAOs or Registered Practitioners (RP)
CUI / DFARS 7012 / NIST 800-171 / CMMC FAQ
Government sources
- US Under Secretary of Defense’s Office of Acquisition & Sustainment CMMC FAQ Page
- DoD Procurement Toolbox CMMC FAQ Page
- Defense Counterintelligence and Security Agency (DCSA) CUI FAQ – CUI Marking FAQ
- NIST CUI FAQ
- DCSA CUI Frequently Asked Questions (FAQ)
- CDSA – CUI and Freedom of Information Act (FOIA) FAQ CUI and the FOIA FAQs
Non-Government sources
- CMMC Accreditation Body (CMMC AB) FAQ
- CMMCAudit.org – CMMC Compliance FAQs – Organizations seeking certification
Other Resources: CUI Registry
Defense Counterintelligence and Security Agency (DCSA)
- DCSA CUI Information Page
- DCSA CUI Slick Sheet – One-page overview of CUI
- DCSA CUI Quick Start Guide – to assist in building a CUI program
- DCSA CUI Marking Job Aid
- DCSA CUI Baseline Requirements
- DCSA CUI Roadmap to Compliance
- DCSA CUI Standard Practice and Procedure (SPP) Template
- DCSA CUI Training Reference Guide
- DCSA CUI Resources One-Pager
- DCSA CUI Glossary & Policy Summaries
- DCSA CUI Training Presentation
- DCSA CUI Manager Customer Engagement Questions
- DCSA CUI Self-Inspection Tool for DOD and Industry
- CUI Cover Sheet
- NARA CUI Marking Handbook (2016)
- NIST MEP Cybersecurity Self-Assessment Handbook 162 For Assessing NIST SP 800-171 Security Requirements in Response to DFAR
- Cybersecurity Requirements
- CDSE CUI Toolkit/Resources
- Safeguarding Covered Defense Information (CDI) – 2 pager
- Implementing DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting – What happens on 12/31/2017
- One page information about CUI
NIST 800-171 Resources
- NIST 800-171 Revision 2 document: Protecting Controlled Unclassified Information in Non-federal Systems and Organizations PDF
- NIST 800-171 Assessment Guide PDF
- NIST 800-171 System Security Plan (SSP) Template by NIST (Word format)
- NIST 800-171 CUI Plan of Action and Milestone (POA&M) (Word format)
- NIST 800-172 – Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Specia
- Publication 800-171 – CMMC 2.0 Level 3 is based on NIST 800-171 and 800-172
- NIST 800-171 Rev 2 Mapping: Cybersecurity Framework v.1.0 to SP 800-171 Rev. 2 (xls)
CMMC / CUI Related Training
- KLC’s CMMC videos – Cybersecurity Maturity Model Certification (CMMC)
- DoD Mandatory CUI Training
- DOD Mandatory CUI Training Student Guide
- DCSA CUI Training Presentation
- DODCUI.MIL – CUI Training page
- ISOO – CUI Training
- The National Archive – Controlled Unclassified Information Program (Video)
CUI Marking, Handling, and Labeling
- ISOO CUI Marking Training (YouTube
- DoD CUI Marking Job Aid
- CUI Marking Quick Reference Guide
- CUI Marking Category List
- CUI Marking – Limited Dissemination Controls
- KLC’s CUI Marking, Handling, and Labeling video discussion
- ISOO – CUI: Lawful Government Purpose
- ISOO – CUI – Introduction to Marking
- ISOO – CUI – Marking Commingled Information
- ISOO – CUI – Controlled Environments
- ISOO – CUI – Destruction of CUI
- ISOO – CUI: Unauthorized Disclosure: Prevention and Reporting
CUI-Related Glossary
Controlled Unclassified Information [EO 13556]: Information that law, regulation, or government wide policy requires safeguarding or disseminating controls. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.