Integrity. Expertise. Operational Excellence. 

Timelines Backdrop.png


This page has a number of links to core Cybersecurity Maturity Model Certification (CMMC) documents, including model overviews, scoping guides, and assessment guides. It will also reflect changes to CMMC 2.0 when they become available.

This document includes Frequently Asked Questions (FAQs) and answers regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 204.73 DFARS Subpart 239.76 and PGI Subpart 239.76. If you have any questions about the content of this page, DCG team members are available for consult.

This document includes key definitions associated with Cybersecurity Maturity Model Certification (CMMC). Generally, CMMC terminology follows NIST's very closely. However, some terms are unique to this model, especially following the introduction of CMMC 2.0.

This document is provided by the National Institute of Standards and Technology (NIST) Computer Security Resource Center. It is a glossary of terms presented in NIST's cybersecurity and privacy-related publications.

This is the Defense Federal Acquisition Supplement (DFARS). The clauses contained within it dictate how the DoD mandates compliance with NIST SP 800-171 and CMMC; it also contains requirements that are not included in 171.

This special publication (SP) dictates how Controlled Unclassified Information (CUI) must be handled, stored, and protected in nonfederal systems and organizations.

This document is the corresponding Assessment Guide to NIST SP 800-171. The CMMC Assessment Guides draw heavily on this document. 

The Defense Contract Management Agency (DCMA) provides this document to inform the Basic Self Assessment required in DFARS. It is also the source of CMMC scoring matrices. Because CMMC 2.0 is in the process of being updated, this document is important to keep on hand.

This page is provided by the National Archives and Records Administration (NARA). NARA is the lead authority for Controlled Unclassified Information (CUI) governance. This is the go to source for understanding what constitutes CUI.

This is resources defines and deepens understanding of Controlled Unclassified Information (CUI).

This document provides the most up-to-date Cybersecurity Maturity Model Certification Assessment Process (CAP) methodology.

This document provides an in-depth dive into CMMC scoping guides, and provides scenarios to broaden your understanding of scope within the context of CMMC.

Timelines Backdrop.png


The Cyber DFARs journey is founded on the DFARs 252.204-7012 document, which mandates that all Department of Defense (DoD) contractors who possess or handle Federal Controlled Unclassified Information (CUI) must conform to the security controls contained in NIST SP 800-171.


The inclusion of Cybersecurity Maturity Model Certification (CMMC) in requests for proposals has already begun. The GSA has also included CMMC in its latest major solicitations. Every government prime contractor and subcontractor should be preparing now for CMMC, so that they can remain competitive for DoD opportunities beyond the year 2025.