CMMC student guide: Additional CMMC resources

June 10, 2021 by Jeff Peters

The new Cybersecurity Maturity Model Certification (CMMC) framework, which has been slowly rolling out in 2021, will have a massive impact once fully implemented. According to the Department of Defense, more than 300,000 organizations in the Defense Industrial Base (DIB) supply chain need to be assessed and certified — and thousands of assessors and other professionals will need to be trained to support the new ecosystem. 

However, many aspects of the ecosystem, certification process and training are still in flux and may change based on feedback and lessons learned from the initial rollout. 

Here is a list of the best CMMC resources, CMMC documents and CMMC guides that are currently available. We’ll update this list as more resources are finalized and released.

Official CMMC resources and links

Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)

The CMMC-AB is an independent entity established in January 2020 to manage, control and administer all the aspects of the CMMC framework, including the assessment, certification, training and accreditation processes.

  • CMMC-AB website: This is your go-to source for finding the latest information about the CMMC marketplace, applying to become an RPO or C3PAO, and confirming the requirements for various CMMC-related career paths (RP, CCP, CCA, etc.).
  • CMMC-AB RFI/RFPs: This section of the CMMC-AB website contains the current and previous Requests for Information (RFIs) and Requests for Proposals (RFPs) from the body.
  • CMMC-AB town hall videos: CMMC information continues to evolve, and the CMMC-AB holds regular town hall meetings to communicate those changes and answer questions from the community.

Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S))

The OUSD(A&S), along with other stakeholders, developed the CMMC framework to “combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels.”

Infosec CMMC resources and training

Infosec is both a CMMC-AB Licensed Partner Publisher (LPP) and Licensed Training Provider (LTP), which means it is both helping develop CMMC-AB approved training materials and delivering training courses for individuals and teams looking to get certified.

NIST documentation and resources related to CMMC

The CMMC framework may be new, but most of the security requirements it contains are pulled from existing documents. For example, 110 of the 171 CMMC practices are specified in NIST SP 800-171 Rev. 2.

  • NIST documentation
    • NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
    • NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
    • NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
    • NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations
    • NIST SP 800-88 Rev. 1: Guidelines for Media Sanitization
  • Other NIST resources

Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) resources

Three years after the implementation of DFARS 252.204-7012, the DoD publicly recognized that it alone was not effective in securing government contractors in the DIB. Therefore, the new DFARS 70 Series (7019, 7020 and 7021) are intended to close the gap between DFARS and CMMC and rectify the industry’s lack of responsiveness.

  • FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
  • DFARS 252.204: Defense Federal Acquisition Regulation Supplement (DFARS) 
    • 7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
    • 7019: Notice of NIST SP 800-171 DoD Assessment Requirements
    • 7020: NIST SP 800-171 DoD Assessment Requirements
    • 7021: Cybersecurity Maturity Model Certification Requirement

Controlled Unclassified Information (CUI) resources

CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations and government-wide policies, excluding information that is classified under Executive Order 13526 or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.

Additional CMMC resources

Here are some additional CMMC-related resources you may find useful.


Jeff Peters is a communications professional with eight years of experience creating cybersecurity-related content. As the Director of Content Marketing at Infosec, he focuses on developing materials to help cybersecurity professionals improve their skills and advance their careers. He oversees the Infosec Resources website, the Cyber Work series (Cyber Work Podcast, Cyber Work Applied and Cyber Work Live) and a variety of other Infosec content.
