Resources | Defense Cybersecurity Group, Inc.

CMMC & DFARS Compliance

CMMC & DFARS Compliance

NIST SP 800-171 Revision 3 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” FPD

Final Public Draft (FPD) of the third version of 800-171, a foundational CMMC document.

NIST SP 800-171A Revision 3 “Assessing Security Requirements for Controlled Unclassified Information”

The pending version of objectives for assessing 171 implementation.

NIST SP 800-171 Revision 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”

The most current version of 800-171, a foundational CMMC document.

NIST SP 800-171A Revision 2 “Assessing Security Requirements for Controlled Unclassified Information”

The former version of 171A, a foundational CMMC document that includes assessment objectives as well as controls.

DFARS 7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”

Defense Federal Acquisition Regulation Supplement (DFARS) 7012, a document that underlies 800-171 and CMMC.

DoD CMMC Glossary and Acronyms

Department of Defense (DoD) search tool for CMMC lexicon and acronyms.

National Institute for Standards and Technology (NIST) Glossary

NIST's search tool for evolving cyber language.

DoD CMMC Master Page

Hub for CMMC docs owned by the DoD, including Scoping Guidance, Model Overview, Glossary, and more.

NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1

DoDAM for conducting assessments and self-assessments against 800-171 requirements.

National Archives and Records Administration (NARA) CUI Registry

A complete list of CUI categories helpful in determining if a document, process, or contract includes Controlled Unclassified Information (CUI).

CMMC 2.11 L2 Draft Scoping Guide

Guidance for determining scope in businesses that process, handle, or store CUI.

CMMC 2.11 L2 Draft Assessment Guide

Guidance in the preparation for and execution of a Level 2 Self-Assessment or Level 2 Certification Assessment under the Cybersecurity Maturity Model Certification (CMMC).

CMMC 2.11 L2 Draft Model Overview

CMMC 2.11 Draft Model Overview

DCG’s 171r2 Tracking Tool

Helps orgs track their progress towards compliance by assessment objective.

DoD FAQ regarding DFARS Subpart 204.73 and PGI Subpart 204.73 -2017 version

Cyber FAQ with reference to DFARS 7012, NIST 800-171, and Basic Safeguarding of Contractor Information Systems.

Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018) FAQ

DFARS FAQ with many nuggets of wisdom.

NDIA CMMC - DIB SCC CyberAssist

DIB SCC CMMC 101.

Network Penetration Reporting and Contracting for Cloud Services FAQ

FAQ Originally linked to DFARS Subpart 204.73 and PGI Subpart 204.73,
DFARS Subpart 239.76 and PGI Subpart 239.76

CMMC Assessment Process (CAP) Draft 1.0

FAQ Originally linked to DFARS Subpart 204.73 and PGI Subpart 204.73,
DFARS Subpart 239.76 and PGI Subpart 239.76

FedRAMP Moderate Equivalency for Cloud Service Provider's Offerings

Year-end 2023 guidance on FedRAMP moderate equivalency.

DoD CUI NDA Example

This can help to satisfy 3.2.1.

CMMC 2.0 Level 2 Assessment Guide

This is the CMMC Assessment Guide assessors will use to evaluate your environment for the initial roll out of certifications. It includes assessment objectives, which are necessary to implement prior to seeking a certification, and which are not included in 171 itself.

CMMC 2.11 Proposed Rule - 32 CFR Part 170

The most recent version of the proposed CMMC rule, published 12/26/23.

32CFR170 Registry

For convenience, we've linked major portions of the 32CFR 170 draft rule here; aka CMMC 2.11.

Subpart A—General Information - 170.1 Purpose

170.2 Incorporation by Reference

170.3 Applicability

170.4 Acronyms and definitions

170.5 Policy

Subpart B—Government Roles and Responsibilities - 170.6 CMMC PMO

170.7 DCMA DIBCAC

Subpart C—CMMC Assessment and Certification Ecosystem - 170.8 Accreditation Body

170.9 CMMC Third-Party Assessment Organizations (C3PAOs)

170.10 CMMC Assessor and Instructor Certification Organization (CAICO)

170.11 CMMC Certified Assessor (CCA)

170.12 CMMC Certified Instructor (CCI)

170.13 CMMC Certified Professional (CCP)

Subpart D—Key Elements of the CMMC Program - 170.14 CMMC Model

170.15 CMMC Level 1 Self-Assessment and Affirmation requirements

170.16 CMMC Level 2 Self-Assessment and Affirmation requirements

170.17 CMMC Level 2 Certification Assessment and Affirmation requirements

170.18 CMMC Level 3 Certification Assessment and Affirmation requirements

170.19 CMMC Scoping

170.20 Standards acceptance

170.21 Plan of Action and Milestones (POAM) Requirements

170.22 Affirmation

170.23 Application to subcontractors

Appendix A to Part 170 - Guidance

DIB Cybersecurity

FREE LINKS FOR DIB CYBERSECURITY

NSA Cybersecurity Collaboration Center

Protective Domain Name System Services, Attack Surface Management, and Threat Intelligence Collaboration

Center for Internet Security Software and Hardware Asset Tracking Spreadsheet

Examples of methods for tracking hardware, software, and sensitive information in an organization.

Defense Industrial Base Sector Coordinating Council (DIB SCC) CyberAssist

Information and links to helpful publicly available cybersecurity resources for the DIB.

TOTEM.TECH Free Tools for CMMC Compliance

SPRS Scoring Sheet, Separation of Duties Matrix, CUI ID Guide, etc.

Have I been Pwnd?

SPRS Scoring Sheet, Separation of Duties Matrix, CUI ID Guide, etc.

WinZip 26 Enterprise Installation and Configuration Guide

WinZip Enterprise Government and Regulated edition, in which the features are turned off, leaving only basic zipping and unzipping available by default.

Cybersecurity and Infrastructure Security Agency’s (CISA’s) “First 48”: What to Expect When a Cyber Incident Occurs

Developed in 2022 with public safety officials who have first hand experience with cyberattacks, this doc provides expectations and recommendations on how to proceed after a cyber incident.

CISA’s Tabletop Exercise Packages

Tools for stakeholders to conduct planning exercises on a wide range of threat scenarios.

The Office of the Chief Information Officer (SAF/CN) Small Business Cybersecurity Information

Tools for stakeholders to conduct planning exercises on a wide range of threat scenarios.

Navy SBIR/STTR Cybersecurity /CUI Information, Resources, and Opportunities

Updated on a rolling basis, this link maintains resources, training opportunities, webinars, etc.

Vendor Supply Chain Risk Management (SCRM) Template

A standardized template of questions to communicate ICT supply chain risk posture in a consistent way among public and private organizations of all sizes.

GitHub Cooey Tools

Tools by COOEY, for COOEY.

Defense Counterintelligence and Security Agency (DCSA) Cybersecurity Toolkit

DIB information security tools.

CISA Cyber Resilience Review (CRR)

An interview-based assessment to evaluate an organization’s operational resilience and cybersecurity practices.

MSP Shopping Guide

For small businesses.

FREE TRAININGS

Free Training

DCSA Cybersecurity CDSE Training

After reviewing these training products, additional training is available on this webpage to expand your knowledge and skills.

PCI DSS

Everything you need to get PCI DSS certified.

SOC 2

Everything you need to get an SOC 2 report.

Georgia Tech Professional Ed Massive Open Online Courses (MOOCs)

MOOCs are a self-paced and free online option, allowing you to be part of a virtual global network of faculty, peers, and industry experts.

Learning Paths: Google Cloud Skills Boost

Free G-Suite Training.

Amazon Web Services Skill Builder

Free, individual, and team cloud skills development options.

Renegade Labs Youtube: Penetration Testing Playlist

Video series on penetration testing, including: Network Penetration Testing, Cloud Based Penetration Testing, Web Application and API Penetration Testing.

Renegade Labs Youtube: Penetration Testing Playlist

Video series on penetration testing, including: Network Penetration Testing, Cloud Based Penetration Testing, Web Application and API Penetration Testing.

Microsoft CISO Training Center

Workshop that contains a collection of security learnings, principles, and recommendations for modernizing security in your organization.

ISO 27001

Videos related to ISO 27001 series of frameworks, including: ISO 27001(ISMS), ISO 27701 (PIMS), ISO 27017 (Cloud Security), ISO 27018 (Cloud Privacy), ISO 9001 (QMS), ISO 22301 (BCMS).

Simply Cyber School: GRC Master Course

Learn Governance, Risk, and Compliance Analyst skills, and the theory behind how those skills support a business, with this course.

Attack IQ Academy

Free classes on a variety of topics, from MITRE ATT&CK to purple teaming to cloud security.

SANS Institute Free Cybersecurity Training

Free resources and workshops.

Ask a question ↗