48 CFR "Assessing Contractor Implementation of Cybersecurity Requirements"
https://www.federalregister.gov/documents/2025/09/10/2025-17359/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of#print
The CMMC Program Final Rule (published 2024-10-15)
https://public-inspection.federalregister.gov/2024-22905.pdf
CMMC v2.13 Scoping Guides, Assessment Guides and other supplemental documents
https://dodcio.defense.gov/cmmc/Resources-Documentation/
Memo: FEDRAMP Equivalency for Cloud Service Providers
https://dodcio.defense.gov/Portals/0/Documents/Library/FEDRAMP-EquivalencyCloudServiceProviders.pdf
DOD Memo on Implementing the CMMC Program
https://dodprocurementtoolbox.com/uploads/DOPSR_Cleared_OSD_Memo_CMMC_Implementation_Policy_d26075de0f.pdf
CUI Frequently Asked Questions
https://www.archives.gov/cui/faqs.html
FAR 52.204-21 "Basic Safeguarding Rule"
https://www.acquisition.gov/far/52.204-21
DOD Procurement Toolbox Cybersecurity FAQs
https://dodprocurementtoolbox.com/uploads/Cyber_DFARS_FA_Qs_rev_4_6_13_24_4702075bf4.pdf
DFARS 7012 Clause
https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
DFARS 7012 Class Deviation Memo requiring r2 until rescinded
https://www.acq.osd.mil/dpap/policy/policyvault/USA000814-24-DPC.pdf
Proposed FAR CUI Rule
https://public-inspection.federalregister.gov/2024-30437.pdf
The Interim Rule
https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
Supplier Performance Risk System (SPRS)
https://www.sprs.csd.disa.mil/
SPRS Quick Entry Guide for 800-171 self-assessments
https://www.sprs.csd.disa.mil/pdf/NISTSP800-171QuickEntryGuide.pdf
NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1, June 24, 2020
https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf
NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information
https://csrc.nist.gov/pubs/sp/800/171/a/final
NIST SP 800-171 r2
https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
NIST SP 800-171 r3
https://csrc.nist.gov/pubs/sp/800/171/r3/final
DoD defined ODPs for NIST SP 800-171r3
https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf
NIST SP 800-171A r3, Assessing Security Requirements for Controlled Unclassified Information
https://csrc.nist.gov/pubs/sp/800/171/A/r3/final
CUI SSP Template from NIST
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx
CUI POAM Template from NIST
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx
NIST SP 800-53 r5
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
CMMC Assessment Process (CAP) v 2.0
https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf
Cyber AB Marketplace
https://cyberab.org/marketplace/
C3PAO Stakeholder Forum Position Papers
https://www.c3paoforum.org/position-papers/
National Archives CUI Registry
https://www.archives.gov/cui
NIST CSRC Cryptographic Module Validation Program CMVP
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules
NIST CSRC Glossary of Terms & Definitions
https://csrc.nist.gov/glossary
SP 800-18 Guide for Developing Security Plans for Federal Information Systems
https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final
Microsoft's Shared Responsibility Model
https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility/
Amazon Web Services Shared Responsibility Model
https://aws.amazon.com/compliance/shared-responsibility-model/
Google Cloud Platform's Shared Responsibility Model
https://cloud.google.com/architecture/framework/security/shared-responsibility-shared-fate
Free Training Resources
- DoD Mandatory Controlled Unclassified Information (CUI) Training
https://securityawareness.usalearning.gov/cui/index.html
- CISA Insider Threat training resources
https://www.cisa.gov/training-awareness
- CDSE's Insider Threat Program
https://www.cdse.edu/Training/Insider-Threat/
US CERT Alerts
https://us-cert.cisa.gov/ncas/alerts
SANS Newsletters
https://www.sans.org/newsletters/?msc=main-nav
InfraGard
https://www.infragard.org/
InfraGard Louisiana Member's Alliance
https://www.infragard-la.org/
