CMMC Case Studies Resources Available through KLC Consulting, a cleared C3PAO candidate firm specializing in CMMC and NIST 800-171 solutions
Full 1
Compliance Guidance With
CMMC & NIST Resources

We’ve compiled the most thorough collection of helpful and authoritative links on the internet to help with your CMMC compliance efforts: CMMC Resources, NIST 800-171 Resources, CUI Resources, DFARS Resources

CUI Resources

CUI Policies (Gov Policies) / Regulations

FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (pdf)

Cloud service providers supporting CUI

Additional CUI resources

Cybersecurity Awareness Training (Free)

Satisfies CMMC’s general cybersecurity awareness training requirements

The DoD Insider Threat Awareness training –

DoD’s Phishing & Social Engineering Awareness Training –

DoD Cybersecurity Awareness Training – Cyber Awareness Challenge 2022 (The purpose of the Cyber Awareness Challenge is to influence behavior, focusing on actions that authorized users can engage to mitigate threats and vulnerabilities to DoD Information Systems. )

Cybersecurity Policy Templates

  • – Great resource highlighting available policy templates 
  • SANS Institute – over 60 Security Policy Templates, including Acceptable Use, Remote Access, and Wireless policies –
  • Cybersecurity Facility-Related Control Systems (FRCS) This site has excellent policy and procedure templates and checklists. While the templates and checklists are labeled DoD, ESTCP, or Navy, they are generally organization agnostic, and any organization can modify them to suit their use.
  • A generic template of recommended policies and procedures (artifacts) to support the answers to the security control questions –  ESTCP IT Policies and Procedures template

KLC NIST 800-171 R2 Self Assessment Template

Spreadsheet with CMMC 2.0 numbering, Practice, and AO, Practice, and AO descriptions, Dropdown showing practice compliance level, Practice documentation, evidence tracking, POAM gaps documentation, POAM remediation date, Methodology score

Commercially Off The Shelf (COTS)

  1. Any item of supply (including construction material) that is—
    (i) A commercial product (as defined in paragraph (1) of the definition of commercial product in this section);
    (ii) Sold in substantial quantities in the commercial marketplace; and
    (iii) Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and
  2. Does not include bulk cargo items, as defined in 46 USC 40102(4). Examples:  agricultural products and petroleum products.
  3. DCMA Commercial Item Group (CIG)  –
  4. COTS definition – FAR 201
  5. KLC COTS case studies

FIPS 140-2 validated product search

  • A cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module must employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.
  • Search for information on validated cryptographic modules

Here is where you can search for FedRAMP-certified products

SPRS – SPRS submission instructions 

Requires registering and logging into the PIEE system to receive authority as the SPRS security role.

Mapping NIST 800-171 /CMMC to Other Cybersecurity Frameworks

The Cyber Accreditation Body (Formerly the CMMC AB)

  • Cyber AB – Manages the CMMC ecosystem, C3PAOs, Registered Practitioners (RP) –
  • Cyber AB Marketplace – for searching entities within the CMC ecosystem, such as C3PAOs or Registered Practitioners (RP) –

CUI / DFARS 7012 / NIST 800-171 / CMMC FAQ

Government sources

Non-Government sources

Other Resources: CUI Registry


NIST 800-171 Resources

CUI Scoping Guide

CUI Marking, Handling, and Labeling

Controlled Unclassified Information [EO 13556]: Information that law, regulation, or governmentwide policy requires safeguarding or disseminating controls. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Controlled Unclassified Information [EO 13556]Controlled Unclassified Information (CUI): Information that requires safeguarding or disseminating controls through laws, regulation, or governmentwide policy. It excludes Classified Information under Executive Order 13526, Classified National Security Information, December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
CUI categories [32 CFR 2002]Types of Information requiring (or permitting) agencies to exercise safeguarding or dissemination controls through laws, regulations, or governmentwide policies. and which the CUI Executive Agent has approved and listed in the CUI Registry
CUI Executive Agent [32 CFR 2002]The National Archives and Records Administration (NARA) implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO).
CUI program [32 CFR 2002]The executive branch program standardizes CUI handling by all Federal agencies. The program includes CUI’s rules, organization, and procedures, established by Executive Order 13556, 32 CFR Part 2002, and the CUI Registry.
CUI registry [32 CFR 2002]The CUI Registry is an online repository for all information, guidance, policy, and requirements for handling CUI, including everything issued by the CUI Executive Agent (other than 32 CFR Part 2002). The CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.
Federal Information System [40 USC 11331]An information system used or operated by an executive agency, contractor of an executive agency, or another organization on behalf of an executive agency.
External NetworkAn external network is a network not controlled by your business organization.
External System Service ProviderA provider of external system services to an organization through broad consumer-producer relationships. These include joint ventures, business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements), licensing agreements, or supply chain exchanges.
FIPS-Validated CryptographyA cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module requires employing a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP). See NSA-approved cryptography.   Information on validated cryptographic modules:
Incident [44 USC 3552]An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of a breach of law, security policies, security procedures, or acceptable use policies
Information Resources [44 USC 3502]Information and related resources include personnel, equipment, funds, and information technology.
Information Security [44 USC 3552]Protecting information and systems from unauthorized access, disclosure, disruption, modification, or destruction. Information Security provides confidentiality, integrity, and availability.
Information System [44 USC 3502]An Information System is a discrete set of information resources organized for collecting, processing, maintaining, using, sharing, disseminating, or disposing of information.
Information Technology [OMB A-130]Information Technology is any service, equipment, or interconnected system(s) or subsystem(s) of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. Information Technology includes: Computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware, and similar procedures, services (including cloud computing and helpdesk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment acquired by a contractor incidental to a contract that does not require its use.
Insider ThreatInsider Threat is the threat that an insider will use their authorized access, wittingly or unwittingly, to harm the security of the United States. This threat can include damage to the United States through espionage, terrorism, unauthorized disclosure, or the loss or degradation of departmental resources or capabilities.
Internal NetworkA network where establishment, maintenance, and provisioning of security controls are under the direct control of organizational employees or contractors; or the cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect (concerning confidentiality and integrity). An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned.
Least PrivilegeLeast Privilege is a principle of designing security architecture to grant the minimum system authorizations and resources needed for employees to perform their functions.
Malicious CodeMalicious code is software or firmware intended to perform an unauthorized process that harms a system’s confidentiality, integrity, or availability. Examples are a virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
Media [FIPS 200]Physical devices or writing surfaces include magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not display media) onto which information is recorded, stored, or printed within a system.
Mobile CodeSoftware programs or parts of programs obtained from remote systems, transmitted across a network, and executed on a local system without explicit installation or execution by the recipient.
Mobile DeviceA portable computing device with a small form factor such that a single individual can easily carry it. It’s designed to: Operate without a physical connection (e.g., wirelessly transmit or receive information), possess local, nonremovable/removable data storage, and it has a self-contained power source. Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information or built-in features that synchronize local data with remote locations. Examples include smartphones, tablets, and E-readers.
Multifactor AuthenticationMultifactor Authentication uses two or more different factors to achieve Authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric)
Nonfederal OrganizationAn entity that owns operates, or maintains a nonfederal system.
Nonfederal SystemA system that does not meet the criteria for a federal system.
NetworkA Network is an implemented system with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.
Network AccessAccess to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide-area network, Internet).
Organization [FIPS 200, Adapted]An Organization is an entity of any size, complexity, or position with a hierarchical structure.
Personnel Security [SP 800-53]Personnel Security is the discipline of assessing individual conduct, integrity, judgment, loyalty, reliability, and stability for duties and responsibilities requiring trustworthiness.
Portable Storage DeviceA Portable Storage Device is a system component that can be inserted into and removed from another system. They store data or information (e.g., text, video, audio, and image data). And they typically use magnetic, optical, or solid-state devices (e.g., floppy disks, compact/digital video disks, flash/thumb drives, external hard disk drives, and flash memory cards/drives that contain nonvolatile memory).
Potential Impact [FIPS 199]The Potential Impact is the expected loss of confidentiality, integrity, or availability: (i) a limited adverse effect (FIPS Publication 199 low); (ii) a serious adverse effect (FIPS Publication 199 moderate); or (iii) a severe or catastrophic adverse effect (FIPS Publication 199 high) on organizational operations, organizational assets, or individuals.
Privileged AccountA Privileged Account is a system account with authorizations of a privileged user.
Privileged UserA Privileged User has authorization (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Remote AccessRemote Access allows a user (or a process acting on behalf of a user) to communicate through an external network (e.g., the Internet).
Remote MaintenancePeople conduct Remote Maintenance activities by communicating through an external network (e.g., the Internet).
Replay ResistanceReplay Resistance protects against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access.
Risk [OMB A-130]Risk measures the extent to which a potential circumstance or event threatens an entity. It typically functions as (i) the adverse impact or magnitude of the harm that would arise if the circumstance or event occurs and (ii) the likelihood of occurrence.  
Risk Assessment [SP 800-30]A Risk Assessment identifies risks to organizational operations (including mission, functions, image, and reputation), corporate assets, individuals, other organizations, and the Nation resulting from the operation of a system.
SanitizationSanitation is the action to render data written on media unrecoverable by ordinary and extraordinary means. Some forms of sanitization remove information from media such that data recovery is impossible. It includes removing all classified labels, markings, and activity logs.
Security Control [OMB A-130]Security Control(s) are the safeguards or countermeasures prescribed for an information system or an organization to protect the confidentiality, integrity, and availability of the system and its information.
Security Control Assessment [OMB A-130]A Security Control Assessment is the testing or evaluation of security controls to determine the extent the controls are: implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements for an information system or organization.
Security Domain [CNSSI 4009, Adapted]A Security Domain implements a security policy administered by a single authority.
Security FunctionsSecurity Functions are the hardware, software, or firmware of the system responsible for enforcing system security policy and supporting the isolation of the system’s code.
Split TunnelingSplit Tunneling allows a remote user or device to establish a non-remote connection with a system and simultaneously communicate via another connection to a resource in an external network. This network access method enables users to access remote devices (e.g., a networked printer) simultaneously while accessing uncontrolled networks.
System Component [SP 800-128]A discrete, identifiable information technology asset that represents a building block of a system and may include hardware, software, and firmware.
System Security Plan (SSP)A document that describes how an organization meets the security requirements for a system. Or how an organization plans to meet the requirements if it doesn’t currently. The System Security Plan describes the system boundary, the environment in which the system operates, the implementation of the security requirements, and the relationships with or connections to other systems.
System Servicea system’s capability to process, store, and transmit information.
Threat [SP 800-30]A Threat is a circumstance or event that can adversely impact operations, assets, individuals, other organizations, or the Nation. In a system, a threat arises through unauthorized access, destruction, disclosure, modification of information, or denial of service.
System UserA System User is an individual or (system) process acting on behalf of an individual authorized to access a system.
WhitelistingWhitelisting is a process to identify software programs authorized to execute on a system or authorized Universal Resource Locators (URL)/websites.
Wireless TechnologyWireless technology allows information transfer between separated points without a physical connection. Wireless technologies include microwave, packet radio (ultra-high-frequency or very high frequency), 802.11x, and Bluetooth.