CMMC Documentation
Looking for documentation related to the CMMC? You’ve come to the right place. We previously reserved this for our students but have now opened it up to everyone.

NOTE: For the most part, we avoid duplicating formal/final CMMC documentation provided by the Department of Defense or the CMMC-AB / Cyber AB.
NOTE: If you want to pre-read for your upcoming CCP training course or are preparing for your CCP exam we STRONGLY recommend you read (and re-read) the following documents:
All documents here:

- CMMC Assessment Process (CAP) v5.6.1 (provided to you by us during CCP training)
- The following documents found on this page:
  - FAR 52.204-21
  - 32 CFR 2002
  - 32 CFR 2002 Final Rule
  - DoD Instruction 5200.48
  - DFARS 252.204-7008
  - DFARS 252.204-7012
  - DFARS 252.204-7019
  - DFARS 252.204-7020
  - DFARS 252.204-7021
  - DFARS Cyber FAQ 115 (Update December 19, 2021)
  - NARA CUI Marking Handbook and DoD CUI Marking Guide (NOTE: Compare and contrast these two.)
  - DFARS Case 2019-D041 Interim Rule (NOTE: This was released under the CMMC 1.0 model, so parts are outdated.)
  - DFARS CMMC 2.0 Advanced Notice of Proposed Rulemaking
  - NIST SP 800-171 Assessment Methodology
  - 32 CFR 117 National Industrial Security Program Operating Manual (NISPOM)

- A Guide to the Rulemaking Process: Produced by the Federal Register
- Assessing Contractor Implementation of Cybersecurity Requirements and Strategically Implementing Cybersecurity Contract Clauses (two documents in one file)
- C3PAO Pre-Assessment Package: Documentation set developed and provided by the DCMA DIBCAC for candidate C3PAOs
- CMMC 2.0+ Proposed Rule: Initial Regulatory Flexibility Analysis
- CMMC Self-Assessment Tool: Access database developed and provided by the DCMA DIBCAC
- Committee on National Security Systems Instruction (CNSSI) 1253: Categorization and Control Selection for National Security Systems
- Committee on National Security Systems Instruction (CNSSI) 4009: CNSS Glossary
- Contractor Purchasing System Review (CPSR) Guidebook (Appendix 24): Supply Chain Management Process (DFARS 252.204-7012)
- Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments
- Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward
- DARS 2018-0023-001: DoD developed the document “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented” to facilitate the consistent review and understanding of System Security Plans and Plans of Action, the impact that NIST SP 800-171 Security Requirements that are “not yet implemented” have on an information system, and to assist in prioritizing the implementation of security requirements not yet implemented.
- DARS 2018-0023-002 Attachment 1: Defense Acquisition Regulations System (DARS) DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented
- DARS-2018-0023-0002 Content: Assessing the State of Contractor’s Internal Information System in a Procurement Action
- DCMA DIBCAC Assessment Documentation Package: Developed and provided by the DCMA DIBCAC to OSCs subject to a NIST 800-171 DIBCAC assessment
- Defense Counterintelligence and Security Agency Assessment and Authorization Process Manual
- DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirement
- DFARS 252.204-7024 Notice on the Use of the Supplier Performance Risk System & SPRS Evaluation Criteria
- DFARS 252.227-7013 Rights in Technical Data—Noncommercial Items
- DoD CIO Use of Non-Government Owned Mobile Devices: Provides technical and programmatic requirements for approving, managing and configuring the use of AMDs (non-government owned mobile devices, personally or commercially owned) to store, process, transmit, or display DoD Controlled Unclassified Information (CUI).
- DoD CISO Special Session Town Hall (Feb 2022)
- DoD Defense Industrial Base (DIB) Cybersecurity (CS) Activities: Proposed Rule, May 3, 2023. The DoD is proposing revisions to the eligibility criteria for the voluntary Defense Industrial Base (DIB) Cybersecurity (CS) Program. These revisions will allow a broader community of defense contractors to benefit from bilateral information sharing: when this proposed rule is finalized, all defense contractors who are subject to mandatory cyber incident reporting will be able to participate.
- DoD Directive 5230.09 Policy and responsibilities for the security and policy review process for the clearance of official DoD information proposed for official public release by the Department of Defense (Clearance of DoD Information for Public Release).
- DoD Instruction 5015.02 Establishes policy and assigns responsibilities for the management of DoD records in all media, including electronic (DoD Records Management)
- DoD Instruction 5200.01 DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI)
- DoD Instruction 5200.48 Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012; and establishes the official DoD CUI Registry.
- DoD Instruction 5210.01 Risk Management Framework (RMF) for DoD Information Technology (IT)
- DoD Instruction 5230.09 Clearance of DoD Information for Public Release
- DoD Instruction 5230.24 Distribution Statements and Their Corresponding Reasons for Use
- DoD Instruction 5230.24 Distribution Statements on Technical Documents
- DoD Instruction 5230.29 Security and Policy Review of DoD Information for Public Release
- DoD Instruction 5400.04 Implements the policies and procedures of the Department’s provision of information, both classified and unclassified, to the Congress, and assigns responsibilities for approving and coordinating responses to requests for information from the Congress (Provision of Information to Congress).
- DoD Instruction 8500.01 Establishes a DoD cybersecurity program to protect and defend DoD information and information technology (IT); establishes the positions of DoD principal authorizing official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC); and adopts the term “cybersecurity” as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23 (Reference (m)) to be used throughout DoD instead of the term “information assurance (IA).”
- DoD Instruction 8510.01 Implements the Risk Management Framework (RMF) for the Department of Defense Education Activity (DoDEA) in accordance with the DoD Instruction 8510.01; DoDEA Administrative Instruction 8500.01; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37; Subchapter III of Chapter 35 of Title 44, United States Code (also known and referred to as the “Federal Information Security Management Act of 2002” and in this Issuance as FISMA); the Committee on National Security Systems Instruction (CNSSI) 1253; and NIST SP 800-53.
- DoD Instruction 8582.01 Establishes policy, assigns responsibilities, and provides direction for managing the security of non-DoD information systems that process, store, or transmit unclassified nonpublic DoD information, including controlled unclassified information (CUI).
- DoD Manual 5200.01 Volume 1 DoD Information Security Program: Overview, Classification, and Declassification
- DoD Manual 5200.01 Volume 2 DoD Information Security Program: Marking of Information
- DoD Manual 5200.01 Volume 3 DoD Information Security Program: Protection of Classified Information
- DoD Manual 5400.07 DoD Freedom of Information Act (FOIA) Program
- DoD Manual 8140.03 Cyberspace Workforce Qualification and Management Program
- DoD OCONUS Cloud Strategy: Department of Defense Outside the Continental United States Cloud Strategy
- Executive Order 13526 — Classified National Security Information
- Executive Order 13556 — Controlled Unclassified Information
- FAR 4.1901 Definitions (covered contractor information system, Federal contract information, information, information system, and safeguarding)
- FAR 52.204-21 / 48 CFR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
- Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings: FedRAMP Moderate Equivalency explained by DoD via memorandum dated December 21, 2023 and cleared for release on January 2, 2024. This memo applies to DoD contractors who use such CSOs to store, process, or transmit covered defense information. The memo is not intended to confer Moderate Authorization to CSOs, nor does it apply to CSOs that have FedRAMP Moderate Authorization under the existing process.
- FedRAMP Low or Moderate Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook Template: Cloud Service Providers (CSPs) use this Low or Moderate Control Implementation Summary (CIS) Workbook Template to summarize a Low or Moderate system’s implementation status for all controls and enhancements, and to identify and describe the customer Agency/CSP responsibilities. The CSP submits the completed CIS Workbook as part of the system’s final security authorization package, as System Security Plan (SSP) Attachment 9.
- FedRAMP High Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook Template: Cloud Service Providers (CSPs) use this High Control Implementation Summary (CIS) Workbook Template to summarize a High system’s implementation status for all controls and enhancements, and to identify and describe the customer Agency/CSP responsibilities. The CSP submits the completed CIS Workbook as part of the system’s final security authorization package, as System Security Plan (SSP) Attachment 9.
- FIPS 140-1 Federal Information Processing Standard: Security Requirements for Cryptographic Modules
- FIPS 140-2 Federal Information Processing Standard: Security Requirements for Cryptographic Modules
- FIPS 140-3 Federal Information Processing Standard: Security Requirements for Cryptographic Modules
- FIPS 199 Federal Information Processing Standard: Standards for Security Categorization of Federal Information and Information Systems
- FIPS 200 Federal Information Processing Standard: Minimum Security Requirements for Federal Information and Information Systems
- Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense), & DI-MGMT-82247 (Contractor’s Systems Security Plan and Associated Plans of Action to Implement NIST SP 800-171 on a Contractor’s Internal Unclassified Information System, Contract Data Requirements List (CDRL) DD Form 1423-1, Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System Information
- Intelligence Community Directive 710 Classification Management and Control Markings System
- Intelligence Community Policy Guidance 403.1 Criteria for Foreign Disclosure and Release of Classified National Intelligence
- Introduction to the Risk Management Framework Student Guide
- Microsoft Technical Reference Guide for CMMC v2 (Public Preview), 2022-03-04
- NARA ISOO CUI Notice 2019-03 Destroying Controlled Unclassified Information (CUI) in paper form
- NARA ISOO CUI Notice 2020-04 Assessing Security Requirements for CUI in Non-Federal Information Systems
- NIST CSF National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
- NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
- NIST IR 7621r1 Small Business Information Security: The Fundamentals
- NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
- NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems (SSP)
- NIST SP 800-30r1 Guide for Conducting Risk Assessments (Information Security)
- NIST SP 800-37r2 Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
- NIST SP 800-40r4 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology
- NIST SP 800-41r1 Guidelines on Firewalls and Firewall Policy
- NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
- NIST SP 800-53Ar5 Assessing Security and Privacy Controls in Information Systems and Organizations
- NIST SP 800-53B Control Baselines for Information Systems and Organizations
- NIST SP 800-53r5 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-60v1r1 Volume I: Guide to Mapping Types of Information and Information Systems to Security Categories (Information Security)
- NIST SP 800-63-3 Digital Identity Guidelines
- NIST SP 800-70r4 National Checklist Program for IT Products: Guidelines for Checklist Users and Developers
- NIST SP 800-88r1 Digital Identity Guidelines
- NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
- NIST SP 800-124r1 Guidelines for Managing the Security of Mobile Devices in the Enterprise
- NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
- NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
- NIST SP 800-161r1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- NIST SP 800-171Ar2 Assessing Security Requirements for Controlled Unclassified Information
- NIST SP 800-171Ar3 Final Public Draft (FPD) Assessing Security Requirements for Controlled Unclassified Information
- NIST SP 800-171r2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-171r3 Final Public Draft (FPD) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
- NIST SP 800-172A Assessing Enhanced Security Requirements for Controlled Unclassified Information
- NIST SP 800-218 Secure Software Development Framework (SSDF)
- NMCARS Annex 16: Statement of Work Language Implementing the DIB Memo. Includes seven (7) security controls within SOW language that shall be used to supplement DFARS Clause 252.204-7012, entitled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” where the Department of the Navy Program Manager, Program Executive Officer or Chief of Naval Research, in coordination with the Resource Sponsor, determines that the risk to a critical program and/or technology warrants its inclusion. Does not apply to CMMC Level 1.
- Office of Management and Budget (OMB) Circular A-130: Managing Information as a Strategic Resource