CMMC student guide: Additional CMMC resources
The new Cybersecurity Maturity Model Certification (CMMC) framework, which has been slowly rolling out in 2021, will have a massive impact once fully implemented. According to the Department of Defense, more than 300,000 organizations in the Defense Industrial Base (DIB) supply chain need to be assessed and certified — and thousands of assessors and other professionals will need to be trained to support the new ecosystem.
However, many aspects of the ecosystem, certification process and training are still in flux and may change based on feedback and lessons learned from the initial rollout.
Here is a list of the best CMMC resources, CMMC documents and CMMC guides that are currently available. We’ll update this list as more resources are finalized and released.
Official CMMC resources and links
Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)
The CMMC-AB is an independent entity established in January 2020 to manage, control and administer all the aspects of the CMMC framework, including the assessment, certification, training and accreditation processes.
- CMMC-AB website: This is your go-to source for finding the latest information about the CMMC marketplace, applying to become an RPO or C3PAO, and confirming the requirements for various CMMC-related career paths (RP, CCP, CCA, etc.).
- CMMM-AB RFI/RFPs: This section of the CMMC-AB website contains the current and previous Requests for Information (RFIs) and Requests for Proposals (RFPs) from the body.
- CMMC-AB town hall videos: CMMC information continues to evolve, and the CMMC-AB holds regular town hall meetings to communicate those changes and answer questions from the community.
Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S))
The OUSD(A&S), along with other stakeholders, developed the CMMC framework to “combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels.”
- OUSD(A&S) website: This website contains information around the CMMC standard along with any updates to the CMMC framework, frequently asked questions about CMMC and other official CMMC materials.
- CMMC Model and Assessment Guides: A variety of official documents and guides are available here, including:
- CMMC Model v1.02, its appendices and its appendices in tabular form
- CMMC Model Errata v1.0
- CMMC Level 1 Assessment Guide (editable)
- CMMC Level 3 Assessment Guide (editable)
- CMMC Glossary (editable)
Infosec CMMC resources and training
Infosec is both a CMMC-AB Licensed Partner Publisher (LPP) and Licensed Training Provider (LTP), which means it is both helping develop CMMC-AB approved training materials and delivering training courses for individuals and teams looking to get certified.
- Infosec CMMC resources: Infosec collects all of its free CMMC resources and paid CMMC training courses on this page, which is updated regularly.
- CMMC training: Learn more about Infosec’s CMMC boot camps, which will open for enrollment once training materials are approved by the CMMC-AB.
NIST documentation and resources related to CMMC
The CMMC framework may be new, but most of the security requirements it contains are pulled from existing documents. For example, 110 of the 171 CMMC practices are specified in NIST SP 800-171 Rev. 2.
- NIST documentation
- NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
- NIST 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
- NIST 800-53 Rev 005: Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-88 Rev. 1: Guidelines for Media Sanitization
- Other NIST resources
- National Checklist Program (NCP) Repository: NCP is defined by NIST SP 800-70 and contains security checklists (or benchmarks) around the security configurations of operating systems and applications.
- National Vulnerability Database (NVD): NVD is a government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).
Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) resources
Three years after the implementation of DFARS 252.204-7012, the DoD publicly recognized that it alone was not effective in securing government contractors in the DIB. Therefore, the new DFARS 70 Series (7019, 7020 and 7021) are intended to close the gap between DFARS and CMMC and rectify the industry’s lack of responsiveness.
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
- DFARS 252.204: Defense Federal Acquisition Regulation Supplement (DFARS)
Controlled Unclassified Information (CUI) resources
CUI requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations and government-wide policies, excluding information that is classified under Executive Order 13526 or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
- Controlled Unclassified Information (Executive Order 13556)
- Controlled Unclassified Information (National Archives)
- DoD Instruction 5200.48 CUI
- DoD CUI Presentation
- DoD Mandatory CUI Training IF141.06
Additional CMMC resources
Here are some additional CMMC-related resources you may find useful.