top of page

Other Very Useful CMMC & NIST SP 800-171 Resources

If you are still thirsting for knowledge, the following CMMC & NIST SP 800-171 resources are worth exploring:

  • NIST 800-171 & CMMC Maturity Spider Charts. This is a free spreadsheet to generate cool-looking spider charts for control-level maturity comparisons between current and targeted states. 

  • CUI / FCI Scoping Guide. UPDATE - this new version incorporates the DoD's L2 scoping guidance. If you want to see examples of how to scope your environment using leading practices, you can download the Unified Scoping Guide (USG) as a way to scope CUI, CTI and other forms of sensitive/regulated data that your organization may store, process and/or transmit. NIST released an updated version of NIST SP 800-171 R2 (18 Jan 21) that changes wording around the scoping of the CUI environment. Specifically, "The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components." Where it is footnoted to include "system components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications." This replaces their older CUI Scoping Guide. The DoD has since released its own scoping guide here.

  • Metaframework. For those juggling multiple statutory, regulatory and contractual obligations, you can download the Secure Controls Framework (SCF) at The SCF is a metaframework that includes mappings for CMMC, NIST 800-53, NIST 800-171, NIST CSF, ISO 27002 and about 100 other laws, regulations and frameworks.

  • Non-Applicable or "Self-Deleting" DFARS/FAR Clauses. For those organization that are legitimately out-of-scope for DFARS/FAR/CMMC, but are receiving contracts that stipulate compliance obligations, this Memorandum For Record (MFR) template may be useful to "prove a negative" by documenting the non-applicable nature of the contract clause. You can download that here. Ideally, the prime/sub contract would have a contract addendum to reflect this non-applicability. This is where legal counsel is recommended for any contract-specific issues.

  • CMMC Self-Assessment Tool. Are you tall enough to ride CMMC? Prove it! You can use this shiny new CMMC Assessment Tool that is NIST 800-171A & NIST 800-53A based to evaluate CMMC v2.0 practices and processes. Where NIST 800-171A assessment criteria exists, it is used. Where CMMC created their own controls, NIST 800-53A assessment criteria was used. If you don't like that, we really don't care and you can create your own tool. However, NARA's CUI Notice 2020-04 stated that NIST 800-171A is the authoritative source for CUI assessment criteria, so it if is good enough for them, then it works for us.​

  • International Traffic in Arms Regulations (ITAR) Reference. Not all ITAR is CUI. Not all CUI is ITAR. There is CUI that is ITAR. This guide is just a helpful reference to understand what ITAR is about and what that may mean for how you architect your network to take into account possible limitations for "foreign persons" that would be prohibited by ITAR. 

Unfucking CMMC Cover Art - Small.jpg
  • CMMC Life. Coming soon! All the CMMC questions you dared not ask your RPO and much, much more! (just kidding - we know you want it, but no. hell no)

  • CMMC Reciprocity & Inheritance. This article addresses the concept of reciprocity (e.g., FedRAMP) and inheritance. 

CMMC reciprocity vs inheritance 2.png
  • CUI Marking Registry Tool. This is a free Excel spreadsheet is a very useful tool from BDO to document what is CUI in your environment. If you have any questions on this, reach out to for more information.

BDO tool.PNG
CMMC Life Vol 1.jpg
bottom of page