Other Very Useful CMMC & NIST SP 800-171 Resources

If you are still thirsting for knowledge, the following CMMC & NIST SP 800-171 resources are worth exploring:

  • CUI / FCI Scoping Guide. If you want to see examples of how to scope your environment using leading practices, you can download a scoping guide at https://www.cmmc-scoping.com/. NIST released an updated version of NIST SP 800-171 R2 (18 Jan 21) that changes wording around the scoping of the CUI environment. Specifically, "The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components." Where it is footnoted to include "system components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications." This supports the CUI Scoping Guide.

  • Non-Federal Organization (NFO) Controls. If you want to learn more about NFO controls and how that impacts both NIST 800-171 and CMMC, you can read about them at https://www.nfo-controls.com/.  

  • Metaframework. For those juggling multiple statutory, regulatory and contractual obligations, you can download the Secure Controls Framework (SCF) at https://www.securecontrolsframework.com/. The SCF is a metaframework that includes mappings for CMMC, NIST 800-53, NIST 800-171, NIST CSF, ISO 27002 and about 100 other laws, regulations and frameworks.

  • Non-Applicable or "Self-Deleting" DFARS/FAR Clauses. For those organization that are legitimately out-of-scope for DFARS/FAR/CMMC, but are receiving contracts that stipulate compliance obligations, this Memorandum For Record (MFR) template may be useful to "prove a negative" by documenting the non-applicable nature of the contract clause. You can download that here. Ideally, the prime/sub contract would have a contract addendum to reflect this non-applicability. This is where legal counsel is recommended for any contract-specific issues.

  • CMMC Self-Assessment Tool. Are you tall enough to ride CMMC? Prove it! You can use this shiny new CMMC Assessment Tool that is NIST 800-171A & NIST 800-53A based to evaluate CMMC v1.02 practices and processes. Where NIST 800-171A assessment criteria exists, it is used. Where CMMC created their own controls, NIST 800-53A assessment criteria was used. If you don't like that, we really don't care and you can create your own tool. However, NARA's CUI Notice 2020-04 stated that NIST 800-171A is the authoritative source for CUI assessment criteria, so it if is good enough for them, then it works for us.​

Unfucking CMMC Cover Art - Small.jpg

© 2021. CMMC Center of Awesomeness (CMMC-COA)

The operator of this website disclaims any liability whatsoever for the use of this delightfully entertaining and educational website. Use the CMMC-COA at your own risk. The CMMC-COA is not meant to be politically correct, so it is your profound mistake if you think it is meant to be.


If you have compliance questions, you really, really, really need to consult a competent cybersecurity professional to discuss your specific needs. This website is for educational purposes only and does not render professional services - it is not a substitute for dedicated professional services from a competent cybersecurity professional. There is no endorsement of any kind for products or services listed on this website - It is entirely your responsibility to conduct appropriate due diligence and due care in selecting and engaging with a product or service in your implementation of the CMMC practices and processes.

We do not warrant or guarantee that the information will not be offensive to any person. You are hereby put on notice that by accessing and using the website, you assume the risk that the information and documentation contained in the web site may be offensive and/or may not meet your needs and requirements. The entire risk as to the use of this website, or its contents, is assumed by you. If you don't like these terms, then tough shit - don't use the website or any of the content it provides... go do your own research and work, since it will be good for you.


​We reserve the right to refuse service in accordance with applicable statutory and regulatory parameters.

  • White LinkedIn Icon
  • White Facebook Icon
  • White Twitter Icon
  • White Google+ Icon