Looking for documentation related to the CMMC? You’ve come to the right place. We previously reserved this for our students but have now opened it up to everyone. Our students are provided a single zip file with all documents during class. NOTE: For the most part, we avoid duplicating formal/final CMMC documentation provided by the Department of Defense or the CMMC-AB / Cyber AB.
32 CFR 117 National Industrial Security Program Operating Manual_NISPOM
32 CFR 2002 Controlled Unclassified Information
32 CFR 2002 Controlled Unclassified Information: Final Rule
A Guide to the Rulemaking Process: Produced by the Federal Register
Australia Essential Eight Maturity Model
AWS CMMC Customer Responsibility Matrix
AWS Configuration Guide CMMC All Levels
AWS EastWest GovCloud Executive Briefing November 2020
CERT Resilience Management Model 1.2
CMMC 1.02 Model Excel_Modified
CMMC Assessment Process (CAP) v1.0: Pre-Decisional Draft
Committee on National Security Systems Instruction (CNSSI) 1253: Categorization and Control Selection for National Security Systems
Committee on National Security Systems Instruction (CNSSI) 4009: CNSS Glossary
Contractor Purchasing System Review (CPSR) Guidebook (Appendix 24: Supply Chain Management Process DFARS 252.204-7012)
Contractual Remedies to Ensure Contractor Compliance with Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, for contracts and orders not subject to Clause 252.204-7020; and Additional Considerations Regarding National Institute of Standards and Technology Special Publication 800-171 Department of Defense Assessments
Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward
Cybersecurity Maturity Model Certification Program
DARS 2018-0023-001: DoD developed the document “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented” to facilitate the consistent review and understanding of System Security Plans and Plans of Action, the impact that NIST SP 800-171 Security Requirements that are “not yet implemented” have on an information system, and to assist in prioritizing the implementation of security requirements not yet implemented.
DARS 2018-0023-002 Attachment 1: Defense Acquisition Regulations System (DARS) DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented
DFARS 252.204-7008 Compliance with Safeguarding Covered Defense Information Controls
DFARS 252.204-7012 Flowdown to International Suppliers
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7021 Cybersecurity Maturity Model Certification Requirement
DFARS 252.227-7013 Rights in Technical Data—Noncommercial Items
DFARS 252.239-7010 Cloud Computing Services
DFARS Case 2019-D041 Interim Rule Memorandum
DFARS Case 2019-D041 Interim Rule
DFARS CMMC 2.0 Advanced Notice of Proposed Rulemaking
DFARS Cyber FAQ 115 (Update December 19, 2021)
DFARS Safeguarding CDI_One Pager Basics
DIB Cybersecurity Activities Placemat
DoD CISO Special Session Town Hall (Feb 2022)
DoD Cloud Computing Security Requirements Guide (SRG)
DoD Directive 5230.09 Policy and responsibilities for the security and policy review process for the clearance of official DoD information proposed for official public release by the Department of Defense (Clearance of DoD Information for Public Release).
DoD FedRAMP Equivalency As a reference, the FedRAMP High baseline is approximately equivalent to DoD Impact Levels 4 and 5.
DoD Instruction 5015.02 Establishes policy and assigns responsibilities for the management of DoD records in all media, including electronic (DoD Records Management)
DoD Instruction 5200.01 DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI)
DoD Instruction 5200.48 Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012; and establishes the official DoD CUI Registry.
DoD Instruction 5210.01 Risk Management Framework (RMF) for DoD Information Technology (IT)
DoD Instruction 5230.09 Clearance of DoD Information for Public Release
DoD Instruction 5230.24 Distribution Statements and Their Corresponding Reasons for Use
DoD Instruction 5230.24 Distribution Statements on Technical Documents
DoD Instruction 5230.29 Security and Policy Review of DoD Information for Public Release
DoD Instruction 5400.04 Implements the policies and procedures of the Department’s provision of information, both classified and unclassified, to the Congress, and assigns responsibilities for approving and coordinating responses to requests for information from the Congress (Provision of Information to Congress).
DoD Instruction 8500.01 Establishes a DoD cybersecurity program to protect and defend DoD information and information technology (IT); establishes the positions of DoD principal authorizing official (PAO) and the DoD Senior Information Security Officer (SISO) and continues the DoD Information Security Risk Management Committee (DoD ISRMC); and adopts the term “cybersecurity” as it is defined in National Security Presidential Directive-54/Homeland Security Presidential Directive-23 (Reference (m)) to be used throughout DoD instead of the term “information assurance (IA).”
DoD Instruction 8510.01 Implements the Risk Management Framework (RMF) for the Department of Defense Education Activity (DoDEA) in accordance with the DoD Instruction 8510.01; DoDEA Administrative Instruction 8500.01; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37; Subchapter III of Chapter 35 of Title 44, United States Code (also known and referred to as the “Federal Information Security Management Act of 2002” and in this Issuance as FISMA); the Committee on National Security Systems Instruction (CNSSI) 1253; and NIST SP 800-53.
DoD Instruction 8582.01 Establishes policy, assigns responsibilities, and provides direction for managing the security of non-DoD information systems that process, store, or transmit unclassified nonpublic DoD information, including controlled unclassified information (CUI).
DoD Manual 5200.01 Volume 1 DoD Information Security Program: Overview, Classification, and Declassification
DoD Manual 5200.01 Volume 2 DoD Information Security Program: Marking of Information
DoD Manual 5200.01 Volume 3 DoD Information Security Program: Protection of Classified Information
DoD Manual 5400.07 DoD Freedom of Information Act (FOIA) Program
DoD OCONUS Cloud Strategy Department of Defense Outside the Continental United States Cloud Strategy
Executive Order 13526 — Classified National Security Information
Executive Order 13556 — Controlled Unclassified Information
FAR 4.1901 Definitions (covered contractor information system, Federal contract information, information, information system, and safeguarding)
FAR 52.204-21_48 CFR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems
FedRAMP Low or Moderate Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook Template: Cloud Service Providers (CSPs) use this Low or Moderate Control Implementation Summary (CIS) Workbook Template to summarize a Low or Moderate system’s implementation status for all controls and enhancements, and to identify and describe the customer Agency/CSP responsibilities. The CSP submits the completed CIS Workbook as part of the system’s final security authorization package, as System Security Plan (SSP) Attachment 9.
FedRAMP High Control Implementation Summary/Customer Responsibility Matrix (CIS/CRM) Workbook Template: Cloud Service Providers (CSPs) use this High Control Implementation Summary (CIS) Workbook Template to summarize a High system’s implementation status for all controls and enhancements, and to identify and describe the customer Agency/CSP responsibilities. The CSP submits the completed CIS Workbook as part of the system’s final security authorization package, as System Security Plan (SSP) Attachment 9.
FedRAMP Security Controls Baseline
FedRAMP SSP Moderate Baseline Template
FIPS 140-1 Federal Information Processing Standard: Security Requirements for Cryptographic Modules
FIPS 140-2 Federal Information Processing Standard: Security Requirements for Cryptographic Modules
FIPS 140-3 Federal Information Processing Standard: Security Requirements for Cryptographic Modules
FIPS 199 Federal Information Processing Standard: Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 Federal Information Processing Standard: Minimum Security Requirements for Federal Information and Information Systems
Guidance for Assessing Compliance of and Enhancing Protections for a Contractor’s Internal Unclassified Information System, Contract Data Requirements List (CDRL) DD Form 1423-1, Contractor’s Systems Security Plan and Associated Plans of Action to Implement NIST SP 800-171 on a Contractor’s Internal Unclassified Information System (DI-MGMT-82247), & Contractor’s Record of Tier 1 Level Suppliers Receiving/Developing Covered Defense Information
Intelligence Community Directive 710 Classification Management and Control Markings System
Intelligence Community Policy Guidance 403.1 Criteria for Foreign Disclosure and Release of Classified National Intelligence
Introduction to the Risk Management Framework Student Guide
Microsoft Technical Reference Guide for CMMC v2_(Public Preview)_20220304
NARA CUI Categories Not in DoD CUI Registry
NARA CUI REL TO Country Trigraphs
NARA ISOO CUI Notice 2019-03 Destroying Controlled Unclassified Information (CUI) in paper form
NARA ISOO CUI Notice 2020-04 Assessing Security Requirements for CUI in Non-Federal Information Systems
NIST CSF National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity
NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
NIST SP 500-292 NIST Cloud Computing Reference Architecture
NIST SP 800-171 Implementation Approach
NIST SP 800-171 DOD Assessment Methodology 9.22.20
NIST Definition of Cloud Computing
NIST.IR.7621r1 Small Business Information Security: The Fundamentals
NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems (SSP)
NIST SP 800-30r1 Guide for Conducting Risk Assessments (Information Security)
NIST SP 800-37r2 Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy
NIST SP 800-39 Managing Information Security Risk: Organization, Mission, and Information System View
NIST SP 800-40r4 Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology
NIST SP 800-41r1 Guidelines on Firewalls and Firewall Policy
NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
NIST SP 800-53Ar5-draft Assessing Security and Privacy Controls in Information Systems and Organizations
NIST SP 800-53B Control Baselines for Information Systems and Organizations
NIST SP 800-53r5 Security and Privacy Controls for Information Systems and Organizations
NIST SP 800-60v1r1 Volume I: Guide to Mapping Types of Information and Information Systems to Security Categories (Information Security)
NIST SP 800-63-3 Digital Identity Guidelines
NIST SP 800-88r1 Guidelines for Media Sanitization
NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices
NIST SP 800-124r1 Guidelines for Managing the Security of Mobile Devices in the Enterprise
NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection
NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
NIST 800-161r1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
NIST SP 800-171 Assessment Methodology
NIST SP 800-171a Assessing Security Requirements for Controlled Unclassified Information
NIST SP 800-171r2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
NIST SP 800-172A Assessing Enhanced Security Requirements for Controlled Unclassified Information
Office of Management and Budget (OMB) Circular A-130: Managing Information as a Strategic Resource
Realignment of Responsibility for CMMC
Risk Management Framework Glossary
State Of Competition Within The Defense Industrial Base