CMMC Resources, NIST 800-171 Resources, CUI Resources, DFARS Resources

CMMC and NIST 800-171 Terms & Links

We’ve compiled the most thorough collection of helpful and authoritative links on the internet to help with your CMMC compliance efforts: CMMC Resources, NIST 800-171 Resources, CUI Resources, DFARS Resources

The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) Program Proposed Rule on 12/26/2023. DoD also announces the availability of eight guidance documents for the CMMC Program. These documents provide additional guidance for the CMMC model, assessments, scoring, and hashing.

As of 12/26/2023 CMMC Proposed Rule and Documentations AND The CMMC documents (version 2.11) have both been released

CMMC Proposed Rule

CMMC Program – Proposed Rule (PDF)32 CFR Part 170

Summary: DoD is proposing to establish requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the Cybersecurity Maturity Model Certification (CMMC) Program, implemented required security measures to expand application of existing security requirements for Federal Contract Information (FCI) and add new Controlled Unclassified Information (CUI) security requirements for certain priority programs. DoD currently requires covered defense contractors and subcontractors to implement the security protections set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide adequate security for sensitive unclassified DoD information that is processed, stored, or transmitted on contractor information systems and to document their implementation status, including any plans of action for any NIST SP 800-171 Rev 2 requirement not yet implemented, in a System Security Plan (SSP). The CMMC Program provides the Department the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required.

CMMC Guidance – CMMC Model

CMMC Model Overview

Abstract: This document focuses on the CMMC Model as set forth in 32 CFR 170.14 of the CMMC Program proposed rule (See docket DoD–2023–OS–0063 on Regulations.gov). The model incorporates the security requirements from: (1) FAR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, (2) NIST SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and (3) a selected set of the requirements from NIST SP 800–172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171. ;The CMMC Program is designed to provide increased assurance to the DoD that defense contractors and subcontractors are compliant with information protection requirements for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and are protecting such information at a level commensurate with risk from cybersecurity threats, including Advanced Persistent Threats (APTs).

CMMC Guidance – CMMC Scoping Guide

Scoping Guide – CMMC Level 1

Abstract: This document provides scoping guidance for Level 1 of CMMC as set forth in 32 CFR 170.19. Prior to a Level 1 CMMC Self-Assessment the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the self-assessment.

This guide is intended for OSAs that will be conducting a CMMC Level 1 self-assessment and the professionals or companies that will support them in those efforts.

Scoping Guide – CMMC Level 2

Abstract: This document provides scoping guidance for Level 2 of CMMC as set forth in 32 CFR 170.19. Prior to a Level 2 Self-Assessment or Level 2 Certification Assessment, the OSA must specify the CMMC Assessment Scope. The CMMC Assessment Scope defines which assets within the OSA’s environment will be assessed and the details of the assessment.

This guide is intended for OSAs that will be conducting a CMMC Level 2 Self-Assessment in accordance with 32 CFR 170.16, OSCs that will be obtaining a CMMC Level 2 Certification Assessment in accordance with 32 CFR 170.17, and the professionals or companies that will support them in those efforts. OSCs are a subset of OSAs as all organizations will participate in an assessment, but self-assessment cannot result in certification.

Scoping Guide – CMMC Level 3

Abstract: This document provides scoping guidance for Level 3 of CMMC as set forth in 32 CFR 170.19. Prior to conducting a CMMC assessment, the Level 3 CMMC Assessment Scope must be defined as set forth in 32 CFR 170.19(d). The CMMC Assessment Scope defines which assets within the OSC’s environment will be assessed and the details of the assessment.

When seeking a Level 3 Certification, the OSC must have a CMMC Level 2 Final Certification Assessment for the same scope as the Level 3 assessment. Any Level 2 Plan of Action and Milestones (POA&M as set forth in 32 CFR 170.4) items must be closed prior to the initiation of the CMMC Level 3 assessment. The CMMC Level 3 CMMC Assessment Scope may be a subset of the Level 2 CMMC Assessment Scope (e.g., a Level 3 data enclave with greater restrictions and protections within the Level 2 data enclave).

This guide is intended for OSCs that will be obtaining a CMMC Level 3 assessment and the professionals or companies that will support them in those efforts.

CMMC Guidance – CMMC Assessment Guide

Assessment Guide – CMMC Level 1

Abstract: This document provides guidance in the preparation for and execution of a Level 1 Self-Assessment under the CMMC Program as set forth in 32 CFR 170.15. CMMC Level 1 focuses on the protection of FCI, which is defined in 32 CFR 170.4 and 48 CFR 4.1901 as:

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

CMMC Level 1 is comprised of the 15 basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204–21.

Assessment Guide – CMMC Level 2

Abstract: This document provides guidance in the preparation for and execution of a Level 2 Self-Assessment or Level 2 Certification Assessment under the CMMC Program as set forth 32 CFR 170.16 and 170.17 respectively. An Assessment as defined in 32 CFR 170.4 means:

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization as defined in 32 CFR 170.15 to 32 CFR 170.18. For CMMC Level 2 there are two types of assessments:

  • A Self-Assessment is the term for the activity performed by an entity to evaluate its own CMMC Level, as applied to Level 1 and some Level 2.
  • A CMMC Level 2 Certification Assessment is the term for the activity performed by a Certified Third-Party Assessment Organization (C3PAO) to evaluate the CMMC Level of an OSC.

32 CFR 170.16(b) describes contract or subcontract eligibility for any contract with a CMMC Level 2 Self-Assessment requirement, and 32 CFR 170.17(b) describes contract or subcontract eligibility for any contract with a CMMC Level 2 Certification Assessment requirement. Level 2 Certification Assessment requires the OSA achieve either a Level 2 Conditional Certification Assessment or a Level 2 Final Certification Assessment, as described in 32 CFR 170.4, obtained through an assessment by an accredited Certified Third-Party Assessment Organization (C3PAO).

Assessment Guide – CMMC Level 3

Abstract: This document provides guidance in the preparation for and execution of a Level 3 Certification Assessment under the CMMC Program as set forth in 32 CFR 170.18. Certification at each CMMC level occurs independently. An Assessment as defined in 32 CFR 170.4 means:

The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system, or organization as defined in 32 CFR 170.15 to 32 CFR 170.18

A CMMC Level 3 Certification Assessment as defined in 32 CFR 170.4 is the term for the activity performed by the Department of Defense to evaluate the CMMC Level of an OSC. For CMMC Level 3, assessments are performed exclusively by the DoD.

An OSC seeking a CMMC Level 3 Certification Assessment must have first received a CMMC Level 2 Final Certification Assessment, as set forth in 32 CFR 170.18, for all applicable information systems within the CMMC Assessment Scope, and the OSC must implement the Level 3 requirements specified in 32 CFR 170.14(c)(4). This is followed by the CMMC Level 3 assessment conducted by the DoD.

OSCs may also use this guide to perform CMMC Level 3 self-assessment (for example, in preparation for an annual affirmation); however, they are not eligible to submit results from a self-assessment in support of a CMMC Level 3 Certification Assessment. Only the results from an assessment by the DoD are considered for award of a CMMC Level 3 Certification Assessment. Level 3 reporting and affirmation requirements can be found in 32 CFR 170.18 and 32 CFR 170.22.

CMMC Guidance – CMMC Hashing Guide

Hashing Guide (cryptographic reference (or hash) for each artifact used in the assessment)

Abstract: This guide assumes that the reader has a basic understanding of command line tools and scripting. During the performance of a CMMC assessment, the assessment team will collect objective evidence using a combination of three assessment methods:

  • examination of artifacts,
  • affirmations through interviews, and
  • observations of actions.

Because these OSA artifacts may be proprietary, the assessment team will not take OSA artifacts offsite at the conclusion of the assessment. For the protection of all stakeholders, the OSA must retain the artifacts. This guide describes how to provide a cryptographic reference (or hash) for each artifact used in the assessment as discussed in 32 CFR 170.17 and 170.18.

CUI

CUI Policies (Gov Policies) / Regulations

FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (pdf)

Cloud service providers supporting CUI

Additional CUI resources

Cybersecurity Awareness Training (Free)

Satisfies CMMC’s general cybersecurity awareness training requirements

DoD Cybersecurity Awareness Training – Cyber Awareness Challenge 2022 (The purpose of the Cyber Awareness Challenge is to influence behavior, focusing on actions that authorized users can engage to mitigate threats and vulnerabilities to DoD Information Systems. )

Cybersecurity Policy Templates

KLC Consulting’s NIST 800-171 R2 Self Assessment Template

Spreadsheet with CMMC 2.0 numbering, Practice, and AO, Practice, and AO descriptions, Dropdown showing practice compliance level, Practice documentation, evidence tracking, POAM gaps documentation, POAM remediation date, Methodology score.

Commercially Off The Shelf (COTS)

Any item of supply (including construction material) that is:

  1. A commercial product (as defined in paragraph (1) of the definition of commercial product in this section);
  2. Sold in substantial quantities in the commercial marketplace; and
  3. Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and does not include bulk cargo items, as defined in 46 USC 40102(4). Examples:  agricultural products and petroleum products.

DCMA Commercial Item Group (CIG)

COTS definition – FAR 201 FAR 12.103

FAR 2.101 KLC Consulting’s COTS Exemption Case Studies

FIPS 140-2 validated product search

  • A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module must employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.
  • Search for information on validated cryptographic modules

Here is where you can search for FedRAMP-certified products

SPRS – SPRS submission instructions 

Requires registering and logging into the PIEE system to receive authority as the SPRS security role.

DoD Procurement Toolbox – Cybersecurity Policy Regulations

  1. Safeguarding Covered Defense Information and Cyber Incident Reporting
  2. DoDI 5200.48 “Controlled Unclassified Information.”
  3. 32 CFR 2002 Part IV National Archives and Records Administration 32 CFR Part 2002 “Controlled Unclassified Information.”
  4. EO 13556 Vol 75, No 216. “Controlled Unclassified Information”
  5. NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Non-federal Systems and Organizations”
  6. 2019 CUI Reports to the President & CUI Notices
  7. US Under Secretary of Defense’s Office of Acquisition & Sustainment CMMC Page

CMMC, CUI, DFARS, and NIST Authoritative Regulation

DFARS 70xx Index

  1. DFARS 252.204-7008
  2. DFARS 252.204-7012
  3. DFARS 252.204-7019
  4. DFARS 252.204-7020
  5. DFARS 252.204-7021 (CMMC)

48 CFR Federal Acquisition Regulations – Basic Safeguarding of Contractor Information Systems

Official CMMC Documents

CMMC Information
CMMC Model Overview

CMMC Scoping

Mapping NIST 800-171 / CMMC to Other Cybersecurity Frameworks

The Cyber Accreditation Body (Formerly the CMMC-AB)

  • Cyber AB – Manages the CMMC ecosystem, C3PAOs, Registered Practitioners (RP)
  • Cyber AB Marketplace – for searching entities within the CMC ecosystem, such as C3PAOs or Registered Practitioners (RP)

CUI / DFARS 7012 / NIST 800-171 / CMMC FAQ

Government sources

Non-Government sources

Other Resources: CUI Registry

Defense Counterintelligence and Security Agency (DCSA)

NIST 800-171 Resources

CUI Marking, Handling, and Labeling

Controlled Unclassified Information [EO 13556]: Information that law, regulation, or government wide policy requires safeguarding or disseminating controls. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Term Definition
Controlled Unclassified Information [EO 13556] Controlled Unclassified Information (CUI): Information that requires safeguarding or disseminating controls through laws, regulation, or government wide policy. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
CUI categories [32 CFR 2002] Types of Information requiring (or permitting) agencies to exercise safeguarding or dissemination controls through laws, regulations, or government wide policies. and which the CUI Executive Agent has approved and listed in the CUI Registry
CUI Executive Agent [32 CFR 2002] The National Archives and Records Administration (NARA) implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO).
CUI program [32 CFR 2002] The executive branch program standardizes CUI handling by all Federal agencies. The program includes CUI’s rules, organization, and procedures, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry.
CUI registry [32 CFR 2002] The CUI Registry is an online repository for all information, guidance, policy, and requirements for handling CUI, including everything issued by the CUI Executive Agent (other than 32 CFR Part 2002). The CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
Federal Information System [40 USC 11331] An information system used or operated by an executive agency, contractor of an executive agency, or another organization on behalf of an executive agency.
External Network An external network is a network not controlled by your business organization.
External System Service Provider A provider of external system services to an organization through broad consumer-producer relationships. These include joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, or supply chain exchanges.
FIPS-Validated Cryptography A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module requires employing a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.   Information on validated cryptographic modules.
Incident [44 USC 3552] An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of a breach of law, security policies, security procedures, or acceptable use policies
Information Resources [44 USC 3502] Information and related resources include personnel, equipment, funds, and information technology.
Information Security [44 USC 3552] Protecting information and systems from unauthorized access, disclosure, disruption, modification, or destruction. Information Security provides confidentiality, integrity, and availability.
Information System [44 USC 3502] An Information System is a discrete set of information resources organized for collecting, processing, maintaining, using, sharing, disseminating, or disposing of information.
Information Technology [OMB A-130] Information Technology is any service, equipment, or interconnected system(s) or subsystem(s) of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. Information Technology includes: Computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware, and similar procedures, services (including cloud computing and helpdesk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment acquired by a contractor incidental to a contract that does not require its use.
Insider Threat Insider Threat is the threat that an insider will use their authorized access, wittingly or unwittingly, to harm the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or the loss or degradation of departmental resources or capabilities.
Internal Network A network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (concerning confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.
Least Privilege Least Privilege is a principle of designing security architecture to grant the minimum system authorizations and resources needed for employees to perform their functions.
Malicious Code Malicious code is software or firmware intended to perform an unauthorized process that harms a system’s confidentiality, integrity, or availability. Examples are a virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
Media [FIPS 200] Physical devices or writing surfaces include magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not display media) onto which information is recorded, stored, or printed within a system.
Mobile Code Software programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.
Mobile Device A portable computing device with a small form factor such that a single individual can easily carry it. It’s designed to: Operate without a physical connection (e.g., wirelessly transmit or receive information), possess local, nonremovable/removable data storage, and it has a self-contained power source. Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers.
Multifactor Authentication Multifactor Authentication uses two or more different factors to achieve Authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric)
Nonfederal Organization An entity that owns operates, or maintains a nonfederal system.
Nonfederal System A system that does not meet the criteria for a federal system.
Network A Network is an implemented system with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
Network Access Access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide-area network, Internet).
Organization [FIPS 200, Adapted] An Organization is an entity of any size, complexity, or position with a hierarchical structure.
Personnel Security [SP 800-53] Personnel Security is the discipline of assessing individual conduct, integrity, judgment, loyalty, reliability, and stability for duties and responsibilities requiring trustworthiness.
Portable Storage Device A Portable Storage Device is a system component that can be inserted into and removed from another system. They store data or information (e.g., text, video, audio, and image data). And they typically use magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
Potential Impact [FIPS 199] The Potential Impact is the expected loss of confidentiality, integrity, or availability: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.
Privileged Account A Privileged Account is a system account with authorizations of a privileged user.
Privileged User A Privileged User has authorization (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Remote Access Remote Access allows a user (or a process acting on behalf of a user) to communicate through an external network (e.g., the Internet).
Remote Maintenance People conduct Remote Maintenance activities by communicating through an external network (e.g., the Internet).
Replay Resistance Replay Resistance protects against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
Risk [OMB A-130] Risk measures the extent to which a potential circumstance or event threatens an entity. It typically functions as (i) the adverse impact or magnitude of the harm that would arise if the circumstance or event occurs and (ii) the likelihood of occurrence.  
Risk Assessment [SP 800-30] A Risk Assessment identifies risks to organizational operations (including mission, functions, image, and reputation), corporate assets, individuals, other organizations, and the Nation resulting from the operation of a system.
Sanitization Sanitation is the action to render data written on media unrecoverable by ordinary and extraordinary means. Some forms of sanitization remove information from media such that data recovery is impossible. It includes removing all classified labels, markings, and activity logs.
Security Control [OMB A-130] Security Control(s) are the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
Security Control Assessment [OMB A-130] A Security Control Assessment is the testing or evaluation of security controls to determine the extent the controls are: implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements for an information system or organization.
Security Domain [CNSSI 4009, Adapted] A Security Domain implements a security policy administered by a single authority.
Security Functions Security Functions are the hardware, software, or firmware of the system responsible for enforcing system security policy and supporting the isolation of the system’s code.
Split Tunneling Split Tunneling allows a remote user or device to establish a non-remote connection with a system and simultaneously communicate via another connection to a resource in an external network. This network access method enables users to access remote devices (e.g., a networked printer) simultaneously while accessing uncontrolled networks.
System Component [SP 800-128] A discrete, identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
System Security Plan (SSP) A document that describes how an organization meets the security requirements for a system. Or how an organization plans to meet the requirements if it doesn’t currently. The System Security Plan describes the system boundary, the environment in which the system operates, the implementation of the security requirements, and the relationships with or connections to other systems.
System Service a system’s capability to process, store, and transmit information.
Threat [SP 800-30] A Threat is a circumstance or event that can adversely impact operations, assets, individuals, other organizations, or the Nation. In a system, a threat arises through unauthorized access, destruction, disclosure, modification of information, or denial of service.
System User A System User is an individual or (system) process acting on behalf of an individual authorized to access a system.
Whitelisting Whitelisting is a process to identify software programs authorized to execute on a system or authorized Universal Resource Locators (URL)/websites.
Wireless Technology Wireless technology allows information transfer between separated points without a physical connection. Wireless technologies include microwave, packet radio (ultra-high-frequency or very high frequency), 802.11x, and Bluetooth.

Scroll to Top