Looking for documentation related to the CMMC? You've come to the right place. We previously reserved this collection for our students but have now opened it up to everyone. Our students are provided a single zip file with all documents during class. NOTE: For the most part, we avoid duplicating formal/final CMMC documentation provided by the Department of Defense or the CMMC-AB / Cyber AB.

32 CFR 117 National Industrial Security Program Operating Manual (NISPOM)

32 CFR 2002 Controlled Unclassified Information

32 CFR 2002 Controlled Unclassified Information: Final Rule

44 USC Chapter 33

44 USC Chapter 35

48 CFR

A Guide to the Rulemaking Process: Produced by the Federal Register

Atomic Energy Act of 1954

Australia Essential Eight Maturity Model

AWS CMMC Customer Responsibility Matrix

AWS Configuration Guide CMMC All Levels

AWS East/West GovCloud Executive Briefing (November 2020)

CERT Resilience Management Model 1.2

CIS Controls Version 7.1

CMMC 1.02 Model (Excel, modified)

CMMC 2.0 Model (Excel, modified)

CMMC Assessment Process (CAP) v1.0: Pre-Decisional Draft

Committee on National Security Systems Instruction (CNSSI) 1253: Categorization and Control Selection for National Security Systems

Committee on National Security Systems Instruction (CNSSI) 4009: CNSS Glossary

Contractor Purchasing System Review (CPSR) Guidebook (Appendix 24: Supply Chain Management Process DFARS 252.204-7012)

Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments

CUI FAQ

CUI SSP Template

Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward

Cybersecurity Maturity Model Certification Program

DARS 2018-0023-001: DoD developed the document “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented” to facilitate the consistent review and understanding of System Security Plans and Plans of Action, the impact that NIST SP 800-171 Security Requirements that are “not yet implemented” have on an information system, and to assist in prioritizing the implementation of security requirements not yet implemented.

DARS 2018-0023-002 Attachment 1: Defense Acquisition Regulations System (DARS) DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented

DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls

DFARS 252.204-7009 Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information

DFARS 252.204-7012 Flowdown to International Suppliers

DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting

DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirement

DFARS 252.227-7013 Rights in Technical Data—Noncommercial Items

DFARS 252.239-7010 Cloud Computing Services

DFARS Case 2019-D041 Interim Rule Memorandum

DFARS Case 2019-D041 Interim Rule

DFARS CMMC 2.0 Advanced Notice of Proposed Rulemaking

DFARS Cyber FAQ 115 (Update December 19, 2021)

DFARS Safeguarding CDI: One-Page Basics

DFARS Subparts 201-225

DFARS Subparts 226-251

DFARS Subparts 252-Appendix I

DIB Cybersecurity Activities Placemat

DoD CISO Special Session Town Hall (Feb 2022)

DoD Cloud Computing Security Requirements Guide (SRG)

DoD CUI Marking Guide

DoD CUI (CDI) Registry

DoD Directive 5230.09 Clearance of DoD Information for Public Release: Policy and responsibilities for the security and policy review process for the clearance of official DoD information proposed for official public release by the Department of Defense.

DoD FedRAMP Equivalency: As a reference point, the FedRAMP High baseline is approximately equivalent to DoD Impact Levels 4 and 5.

DoD Instruction 5015.02 DoD Records Management Program: Establishes policy and assigns responsibilities for the management of DoD records in all media, including electronic.

DoD Instruction 5200.01 DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI)

DoD Instruction 5200.48 Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012; and establishes the official DoD CUI Registry.

DoD Instruction 8510.01 Risk Management Framework (RMF) for DoD Information Technology (IT)

DoD Instruction 5230.09 Clearance of DoD Information for Public Release

DoD Instruction 5230.24 Distribution Statements and Their Corresponding Reasons for Use

DoD Instruction 5230.24 Distribution Statements on Technical Documents

DoD Instruction 5230.29 Security and Policy Review of DoD Information for Public Release

DoD Instruction 5400.04 Provision of Information to Congress: Implements the policies and procedures for the Department's provision of information, both classified and unclassified, to the Congress, and assigns responsibilities for approving and coordinating responses to requests for information from the Congress.

DoD Instruction 8500.01 Cybersecurity: Establishes a DoD cybersecurity program to protect and defend DoD information and information technology (IT); establishes the positions of DoD principal authorizing official (PAO) and DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC); and adopts the term "cybersecurity" as defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23 for use throughout DoD in place of the term "information assurance (IA)."

DoDEA Administrative Instruction 8510.01 (Department of Defense Education Activity implementation of DoDI 8510.01): Implements the Risk Management Framework (RMF) for DoDEA in accordance with DoD Instruction 8510.01; DoDEA Administrative Instruction 8500.01; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37; Subchapter III of Chapter 35 of Title 44, United States Code (the "Federal Information Security Management Act of 2002," referred to in the issuance as FISMA); Committee on National Security Systems Instruction (CNSSI) 1253; and NIST SP 800-53.

DoD Instruction 8582.01 Establishes policy, assigns responsibilities, and provides direction for managing the security of non-DoD information systems that process, store, or transmit unclassified nonpublic DoD information, including controlled unclassified information (CUI).

DoD Manual 5200.01 Volume 1 DoD Information Security Program: Overview, Classification, and Declassification

DoD Manual 5200.01 Volume 2 DoD Information Security Program: Marking of Information

DoD Manual 5200.01 Volume 3 DoD Information Security Program: Protection of Classified Information

DoD Manual 5400.07 DoD Freedom of Information Act (FOIA) Program

DoD OCONUS Cloud Strategy (Department of Defense Outside the Continental United States Cloud Strategy)

Executive Order 13526 — Classified National Security Information

Executive Order 13556 — Controlled Unclassified Information

False Claims Act

FAR 4.1901 Definitions (covered contractor information system, Federal contract information, information, information system, and safeguarding)

FAR 52.204-21 (48 CFR 52.204-21) Basic Safeguarding of Covered Contractor Information Systems

FedRAMP Low or Moderate Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook Template: Cloud Service Providers (CSPs) use this Low or Moderate Control Implementation Summary (CIS) Workbook Template to summarize a Low or Moderate system’s implementation status for all controls and enhancements, and to identify and describe the customer Agency/CSP responsibilities. The CSP submits the completed CIS Workbook as part of the system’s final security authorization package, as System Security Plan (SSP) Attachment 9.

FedRAMP High Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook Template: Cloud Service Providers (CSPs) use this High Control Implementation Summary (CIS) Workbook Template to summarize a High system’s implementation status for all controls and enhancements, and to identify and describe the customer Agency/CSP responsibilities. The CSP submits the completed CIS Workbook as part of the system’s final security authorization package, as System Security Plan (SSP) Attachment 9.

FedRAMP Security Controls Baseline

FedRAMP SSP Moderate Baseline Template

FIPS 140-1 Federal Information Processing Standard: Security Requirements for Cryptographic Modules

FIPS 140-2 Federal Information Processing Standard: Security Requirements for Cryptographic Modules

FIPS 140-3 Federal Information Processing Standard: Security Requirements for Cryptographic Modules

FIPS 199 Federal Information Processing Standard: Standards for Security Categorization of Federal Information and Information Systems

FIPS 200 Federal Information Processing Standard: Minimum Security Requirements for Federal Information and Information Systems

FISMA (Federal Information Security Management Act) of 2002

FISMA (Federal Information Security Modernization Act) of 2014

FISMA Act of 2021

FISMA Act of 2022

FY22 FISMA CIO Metrics

Guidance for Assessing Compliance of and Enhancing Protections for a Contractor's Internal Unclassified Information System; Contract Data Requirements List (CDRL) DD Form 1423-1; Contractor's System Security Plan and Associated Plans of Action to Implement NIST SP 800-171 on a Contractor's Internal Unclassified Information System (DI-MGMT-82247); and Contractor's Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information

Intelligence Community Directive 710 Classification Management and Control Markings System

Intelligence Community Policy Guidance 403.1 Criteria for Foreign Disclosure and Release of Classified National Intelligence

Introduction to the Risk Management Framework Student Guide

Microsoft Technical Reference Guide for CMMC v2 (Public Preview, 2022-03-04)

NARA CUI Categories Not in DoD CUI Registry

NARA CUI Marking Handbook

NARA CUI REL TO Country Trigraphs

NARA ISOO CUI Notice 2019-03 Destroying Controlled Unclassified Information (CUI) in paper form

NARA ISOO CUI Notice 2020-04 Assessing Security Requirements for CUI in Non-Federal Information Systems

NIST CSF: National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity

NIST Handbook 162: NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements

NIST SP 500-292 NIST Cloud Computing Reference Architecture

NIST SP 800-171 Implementation Approach

NIST SP 800-171 DoD Assessment Methodology (9/22/20)

NIST SP 800-145 The NIST Definition of Cloud Computing

NIST IR 7621r1 Small Business Information Security: The Fundamentals

NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model

NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems (SSP)

NIST SP 800-30r1 Guide for Conducting Risk Assessments (Information Security)

NIST SP 800-37r2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy

NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View

NIST SP 800-40r4 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology

NIST SP 800-41r1 Guidelines on Firewalls and Firewall Policy

NIST SP 800-50 Building an Information Technology Security Awareness and Training Program

NIST SP 800-53Ar5-draft Assessing Security and Privacy Controls in Information Systems and Organizations

NIST SP 800-53B Control Baselines for Information Systems and Organizations

NIST SP 800-53r5 Security and Privacy Controls for Information Systems and Organizations

NIST SP 800-60v1r1 Volume I: Guide to Mapping Types of Information and Information Systems to Security Categories (Information Security)

NIST SP 800-63-3 Digital Identity Guidelines

NIST SP 800-88r1 Guidelines for Media Sanitization

NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices

NIST SP 800-124r1 Guidelines for Managing the Security of Mobile Devices in the Enterprise

NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection

NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems

NIST SP 800-161r1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

NIST SP 800-171 Assessment Methodology

NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information

NIST SP 800-171r2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171

NIST SP 800-172A Assessing Enhanced Security Requirements for Controlled Unclassified Information

Office of Management and Budget (OMB) Circular A-130: Managing Information as a Strategic Resource

Realignment of Responsibility for CMMC

Risk Management Framework Glossary

State Of Competition Within The Defense Industrial Base

UK Cyber Essentials Booklet

UK Cyber Essentials Plus Illustrative Test Specification

UK Cyber Essentials Requirements for IT Infrastructure