CMMC Documentation

Looking for documentation related to the CMMC? You’ve come to the right place. We previously reserved this for our students but have now opened it up to everyone. NOTE: For the most part, we avoid duplicating formal/final CMMC documentation provided by the Department of Defense or the CMMC-AB / Cyber AB.

​

NOTE: If you want to pre-read for your upcoming CCP training course or are preparing for your CCP exam we STRONGLY recommend you read (and re-read) the following documents:

All documents here:

• https://dodcio.defense.gov/CMMC/Documentation/

CMMC Assessment Process (CAP) v5.6.1

• Provided to you by us during CCP training.

The following documents found on this page:

• FAR 52.204-21

• 32 CFR 2002

• 32 CFR 2002 Final Rule

• DOD Instruction 5200.48

• DFARS 252.204-7008

• DFARS 252.204-7012

• DFARS 252.204-7019

• DFARS 252.204-7020

• DFARS 252.204-7021

• DFARS Cyber FAQ 115 (Update December 19, 2021)

• NARA CUI Marking Handbook and DOD CUI Marking Guide (NOTE: Compare and contrast these two.)

• DFARS Case 2019-D041 Interim Rule (NOTE: This was released under the CMMC 1.0 model so parts are outdated.)

• DFARS CMMC 2.0 Advanced Notice of Proposed Rulemaking

• NIST SP 800-171 Assessment Methodology

​

​

• 32 CFR 117 National Industrial Security Program Operating Manual_NISPOM

• 32 CFR 2002 Controlled Unclassified Information

• 32 CFR 2002 Controlled Unclassified Information: Final Rule

• 44 USC Chapter 33

• 44 USC Chapter 35

• 48 CFR

• A Guide to the Rulemaking Process: Produced by the Federal Register

• Assessing Contractor Implementation of Cybersecurity Requirements and Strategically Implementing Cybersecurity Contract Clauses (two documents in one file)

• Atomic Energy Act of 1954

• Australia Essential Eight Maturity Model

• AWS CMMC Customer Responsibility Matrix

• AWS Configuration Guide CMMC All Levels

• C3PAO Pre-Assessment Package: Documentation set developed and provided by the DCMA DIBCAC for candidate C3PAOs

• CERT Resilience Management Model 1.2

• CIS Controls Version 7.1

• CMMC 1.02 Model Excel_Modified

• CMMC 2.0 Model Excel_Modified

• CMMC Assessment Process (CAP) v1.0: Pre-Decisional Draft

• CMMC Self-Assessment Tool: Access database developed and provided by the DCMA DIBCAC

• Committee on National Security Systems Instruction (CNSSI) 1253: Categorization and Control Selection for National Security Systems

• Committee on National Security Systems Instruction (CNSSI) 4009: CNSS Glossary

• Contractor Purchasing System Review (CPSR) Guidebook (Appendix 24): Supply Chain Management Process DFARS 252.204-7012)

• Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments

• CUI FAQ

• CUI SSP Template

• Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward

• DARS 2018-0023-001: DoD developed the document “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented” to facilitate the consistent review and understanding of System Security Plans and Plans of Action, the impact that NIST SP 800-171 Security Requirements that are “not yet implemented” have on an information system, and to assist in prioritizing the implementation of security requirements not yet implemented.

• DARS 2018-0023-002 Attachment 1: Defense Acquisition Regulations System (DARS) DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented

• DARS-2018-0023-0002 Content: Assessing the State of Contractor’s Internal Information System in a Procurement Action

• DCMA DIBCAC Assessment Documentation Package: Developed and provided by the DCMA DIBCAC to OSCs subject to a NIST 800-171 DIBCAC assessment

• Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual

• DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls

• DFARS 252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information

• DFARS 252.204-7012 Flowdown to International Suppliers

• DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting

• DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements

• DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements

• DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirement

• DFARS 252.204-7024 Notice on the Use of the Supplier Performance Risk System & SPRS Evaluation Criteria

• DFARS 252.227-7013 Rights in Technical Data—Noncommercial Items

• DFARS 252.239-7010 Cloud Computing Services

• DFARS Case 2019-D041 Interim Rule Memorandum

• DFARS Case 2019-D041 Interim Rule

• DFARS CMMC 2.0 Advanced Notice of Proposed Rulemaking

• DFARS Cyber FAQ 115 (Update December 19, 2021)

• DFARS Safeguarding CDI_One Pager Basics

• DFARS Subparts 201-225

• DFARS Subparts 226-251

• DFARS Subparts 252-Appendix I

• DIB Cybersecurity Activities Placemat

• DoD CIO Use of Non-Government Owned Mobile Devices: Provides technical and programmatic requirements for approving, managing and configuring the use of AMDs (non-government owned mobile devices – personally or commercially owned) to store, process, transmit, or display DoD Controlled Unclassified Information (CUI).

• DoD CISO Special Session Town Hall (Feb 2022)

• DoD Cloud Computing Security Requirements Guide (SRG)

• DoD CUI Marking Guide

• DoD CUI (CDI) Registry

• DoD Defense Industrial Base (DB) Cybersecurity (CS) Activities: Proposed Rule May 3, 2023 – The DoD is proposing revisions to the eligibility criteria for the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) Program. These revisions will allow a broader community of defense contractors to benefit from bilateral information sharing as when this proposed rule is finalized all defense contractors who are subject to mandatory cyber incident reporting will be able to participate.

• DoD Directive 5230.09 Policy and responsibilities for the security and policy review process for the clearance of official DoD information proposed for official public release by the Department of Defense (Clearance of DoD Information for Public Release).

• DoD Inspector General’s Audit of the DoD’s Implementation and Oversight of the Controlled Unclassified Information (CUI) Program

• DoD Instruction 5015.02 Establish policy and assign responsibilities for the management of DoD records in all media, including electronic (DoD Records Management)

• DoD Instruction 5200.01 DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI)

• DoD Instruction 5200.48 Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012; and establishes the official DoD CUI Registry.

• DoD Instruction 5210.01 Risk Management Framework (RMF) for DoD Information Technology (IT)

• DoD Instruction 5230.09 Clearance of DoD Information for Public Release

• DoD Instruction 5230.24 Distribution Statements and Their Corresponding Reasons for Use

• DoD Instruction 5230.24 Distribution Statements on Technical Documents

• DoD Instruction 5230.29 Security and Policy Review of DoD Information for Public Release

• DoD Instruction 5400.04 Implements the policies and procedures of the Department’s provision of information, both classified and unclassified, to the Congress, and assigns responsibilities for approving and coordinating responses to requests for information from the Congress (Provision of Information to Congress).

• DoD Instruction 8500.01 Establish a DoD cybersecurity program to protect and defend DoD information and information technology (IT); establishes the positions of DoD principal authorizing official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC); and adopts the term “cybersecurity” as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23 (Reference (m)) to be used throughout DoD instead of the term “information assurance (IA).”

• DoD Instruction 8510.01 Implements the Risk Management Framework (RMF) for the Department of Defense Education Activity (DoDEA) in accordance with the DoD Instruction 8510.01; DoDEA Administrative Instruction 8500.01; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37; Subchapter III of Chapter 35 of Title 44, United States Code (also known and referred to as the “Federal Information Security Management Act of 2002” and in this Issuance as FISMA); the Committee on National Security Systems Instruction (CNSSI) 1253; and NIST SP 800-53.

• DoD Instruction 8582.01 Establishes policy, assigns responsibilities, and provides direction for managing the security of non-DoD information systems that process, store, or transmit unclassified nonpublic DoD information, including controlled unclassified information (CUI).

• DoD Manual 5200.01 Volume 1 DoD Information Security Program: Overview, Classification, and Declassification

• DoD Manual 5200.01 Volume 2 DoD Information Security Program: Marking of Information

• DoD Manual 5200.01 Volume 3 DoD Information Security Program: Protection of Classified Information

• DoD Manual 5400.07 DoD Freedom of Information Act (FOIA) Program

• DoD OCONUS Cloud Strategy Department of Defense Outside the Continental United States Cloud Strategy

• Executive Order 13526 — Classified National Security Information

• Executive Order 13556 — Controlled Unclassified Information

• False Claims Act

• FAR 4.1901 Definitions (covered contractor information system, Federal contract information, information, information system, and safeguarding)

• FAR 52.204-21_48 CFR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

• FedRAMP Low or Moderate Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook Template: Cloud Service Providers (CSPs) use this Low or Moderate Control Implementation Summary (CIS) Workbook Template to summarize a Low or Moderate system’s implementation status for all controls and enhancements, and to identify and describe the customer Agency/CSP responsibilities. The CSP submits the completed CIS Workbook as part of the system’s final security authorization package, as System Security Plan (SSP) Attachment 9.

• FedRAM