Other Very Useful CMMC & NIST SP 800-171 Resources

If you are still thirsting for knowledge, the following CMMC & NIST SP 800-171 resources are worth exploring:

  • CUI / FCI Scoping Guide. If you want to see examples of how to scope your environment using leading practices, you can download a scoping guide at https://www.unified-scoping-guide.com. NIST released an updated version of NIST SP 800-171 R2 (18 Jan 21) that changes the wording around the scoping of the CUI environment. Specifically, "The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components." A footnote clarifies that "system components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications." In practice that means the boundary is not just the systems that touch CUI, but also the security tooling that protects them (e.g., identity, logging, patching and backup infrastructure), which is exactly the approach the CUI Scoping Guide takes.

  • Non-Federal Organization (NFO) Controls. If you want to learn more about NFO controls and how they affect both NIST 800-171 and CMMC, you can read about them at https://www.nfo-controls.com.

  • Metaframework. For those juggling multiple statutory, regulatory and contractual obligations, you can download the Secure Controls Framework (SCF) at https://www.securecontrolsframework.com. The SCF is a metaframework that includes mappings for CMMC, NIST 800-53, NIST 800-171, NIST CSF, ISO 27002 and about 100 other laws, regulations and frameworks.

  • Non-Applicable or "Self-Deleting" DFARS/FAR Clauses. For those organizations that are legitimately out-of-scope for DFARS/FAR/CMMC, but are receiving contracts that stipulate compliance obligations, this Memorandum For Record (MFR) template may be useful to "prove a negative" by documenting the non-applicable nature of the contract clause. You can download that here. Ideally, the prime/sub contract would have a contract addendum to reflect this non-applicability. This is where legal counsel is recommended for any contract-specific issues.

  • CMMC Self-Assessment Tool. Are you tall enough to ride CMMC? Prove it! You can use this shiny new CMMC Assessment Tool, which is NIST 800-171A & NIST 800-53A based, to evaluate CMMC v1.02 practices and processes. Where NIST 800-171A assessment criteria exist, they are used. Where CMMC created its own controls, NIST 800-53A assessment criteria were used. If you don't like that, we really don't care and you can create your own tool. However, NARA's CUI Notice 2020-04 stated that NIST 800-171A is the authoritative source for CUI assessment criteria, so if it is good enough for them, then it works for us.

  • CMMC Life. Coming soon! All the CMMC questions you dared not ask your RPO and much, much more! (just kidding - we know you want it, but no. hell no)

  • CMMC Reciprocity & Inheritance. This article addresses the concept of reciprocity (e.g., FedRAMP) and inheritance.
