Other Very Useful CMMC & NIST SP 800-171 Resources

If you are still thirsting for knowledge, the following CMMC & NIST SP 800-171 resources are worth exploring:

• NIST 800-171 & CMMC Maturity Spider Charts. This is a free spreadsheet to generate cool-looking spider charts for control-level maturity comparisons between current and targeted states. 

​

• CUI / FCI Scoping Guide. UPDATE - this new version incorporates the DoD's L2 scoping guidance. If you want to see examples of how to scope your environment using leading practices, you can download the Unified Scoping Guide (USG) as a way to scope CUI, CTI and other forms of sensitive/regulated data that your organization may store, process and/or transmit. NIST released an updated version of NIST SP 800-171 R2 (18 Jan 21) that changes wording around the scoping of the CUI environment. Specifically, "The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components." Where it is footnoted to include "system components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications." This replaces their older CUI Scoping Guide. The DoD has since released its own scoping guide here.

​

• Non-Federal Organization (NFO) Controls. If you want to learn more about NFO controls and how that impacts both NIST 800-171 and CMMC, you can read about them at https://www.nfo-controls.com. If you are still not convinced about the need for NFO controls, the Michael Oxmal School For Consultants Who Don't Read Good is a great place to start to understand what the baseline requirements are.

​

• Metaframework. For those juggling multiple statutory, regulatory and contractual obligations, you can download the Secure Controls Framework (SCF) at https://www.securecontrolsframework.com. The SCF is a metaframework that includes mappings for CMMC, NIST 800-53, NIST 800-171, NIST CSF, ISO 27002 and about 100 other laws, regulations and frameworks.

​

• Non-Applicable or "Self-Deleting" DFARS/FAR Clauses. For those organization that are legitimately out-of-scope for DFARS/FAR/CMMC, but are receiving contracts that stipulate compliance obligations, this Memorandum For Record (MFR) template may be useful to "prove a negative" by documenting the non-applicable nature of the contract clause. You can download that here. Ideally, the prime/sub contract would have a contract addendum to reflect this non-applicability. This is where legal counsel is recommended for any contract-specific issues.

​

• CUI Training Resources. If you are looking for training resources for CUI, there are a few:

  • Mandatory DoD Training Video - https://www.dodcui.mil/Home/Training (you can print out a certificate of completion)

  • US National Archives (NARA) Training Videos - https://www.archives.gov/cui/training.html

​

• CMMC Self-Assessment Tool. Are you tall enough to ride CMMC? Prove it! You can use this shiny new CMMC Assessment Tool that is NIST 800-171A & NIST 800-53A based to evaluate CMMC v2.0 practices and processes. Where NIST 800-171A assessment criteria exists, it is used. Where CMMC created their own controls, NIST 800-53A assessment criteria was used. If you don't like that, we really don't care and you can create your own tool. However, NARA's CUI Notice 2020-04 stated that NIST 800-171A is the authoritative source for CUI assessment criteria, so it if is good enough for them, then it works for us.​

​

• International Traffic in Arms Regulations (ITAR) Reference. Not all ITAR is CUI. Not all CUI is ITAR. There is CUI that is ITAR. This guide is just a helpful reference to understand what ITAR is about and what that may mean for how you architect your network to take into account possible limitations for "foreign persons" that would be prohibited by ITAR.