Index of CMMC Audit Topics and Articles

General CMMC information (non-technical)

New to CMMC? Start here – Main page

CMMC Basics – the Full Details – In depth article about CMMC and its rollout.

CMMC Level 1 certification and preparation (how-to) – Very easy to understand article with explanations about CMMC Level 1 requirements as they apply to a very small (1-5 person) business.

CMMC Compliance FAQs – Organizations seeking certification – Very easy to understand article with simple explanations of CMMC topics that are often misunderstood or asked about.

CMMC Glossary, Terms, and Definitions. Who’s who in CMMC – This is a must read to understand terms and links to official sources on many CMMC topics. Starts with general terms like “DoD” and “FAR” and goes into more specifics as you progress.

What is FCI in CMMC and how does it affect scope? – Explains what FCI is and how it would be used to scope a CMMC level 1 (and above) assessment.

CMMC “allowable cost” discussion and thoughts – Opinion article about the statement that cybersecurity is an allowable cost for DoD contractors.

DFARS 252.204-7012 or 252.204-7021 enforces NIST 800-171 – Written when the DFARS Interim Rule introducing DFARS 252.204-7019 , 7020, and 7021 was just published. Warns contractors about the NIST SP 800-171 self-assessment requirement.

How to submit a NIST SP 800-171 self assessment to SPRS – FAQs and links for how to submit SPRS.

Where is the Easy Button for CMMC? Why MSPs may be the solution – Opinion article about the high cost of CMMC Level 3 and 800-171 compliance which is devastating for very small businesses. Gives ideas for how to change your processes so that your own network is not in-scope anymore.

Webinar on CMMC Level 1 by the Software Engineering Institute (CMU) – Video from the authors of the CMMC model, which gives an introduction to CMMC Level 1 and how to use the document.

Conversations from LinkedIn – index page for valuable CMMC and DFARS discussions on LinkedIn


Cybersecurity topics (for practitioners)

CMMC-AB Regan Edens interview on DFARS, FedRAMP, and AB authority. Interview with Regan Edens (CMMC-AB) about whether clouds that “store, process, or transmit” CUI will still need to be DFARS 7012 compliant once CMMC rolls out. Also discussion about CMMC-AB’s authority and role to clarify technical questions like these.

Answers about C3PAOs, Assessors, and other CMMC Professional questions. Interview with Jeff Dalton (CMMC-AB) about current status of various CMMC professional roles. Must-know information if you are a C3PAO, CA, RP, RPO or other professional.

CMMC-AB Jeff Dalton Interview #2 – C3PAOs, CAs, Instructors, Ethics. Second interview with Jeff Dalton (CMMC-AB) about current status of various CMMC professional roles. Must-know information if you are a Licensed Instructor, C3PAO, CA, RP, RPO or other professional.

How to read and use the CMMC. Geared towards internal cybersecurity team members.

Policy templates and tools for CMMC and 800-171. Most popular page on the site. Free and no-registration resources that you will want to include in your cybersecurity program.

How to become a CMMC auditor or certifier

CMMC Auditor Training Resources

Review of CMMC Registered Practitioner Training

Getting started with DFARS 252.204-7012

Getting started with NIST SP 800-171

Introducing the CMMC Kill Chain – Zero to full compliance

CMMC news: CMMC AB opens registration for C3PAOs and Assessors

How to submit a NIST SP 800-171 self assessment to SPRS

CMMC Level 1 Assessment Guide

CMMC Level 3 Assessment Guide Webinar and Review


Practice and Process deep-dives (for practitioners)

CMMC, CUI, and Cloud Vendors – do you need FedRAMP? Deep dive on DFARS requirement to use only FedRAMP Moderate + clouds (or equivalent), and why this is important.

Remote Management & Access Tools for 800-171 and CMMC. Deep dive on choosing a compliant remote management toolset for your helpdesk.

CMMC PS.2.127 Personnel Screening and US Citizen discussion. Considerations for building a screening program, discusses marijuana use in legalized states and citizenship requirements in the CMMC.

CMMC ML.2.999 Developing an effective CMMC Policy. Video from CMU SEI (co-authors of the CMMC Model) about developing good policies to support Maturity Level 2 and above

CMMC ML.4.996 Review and measure [DOMAIN NAME] activities for effectiveness. Video from CMU SEI (co-authors of the CMMC Model) about their intention for Maturity Level 4.

Address 19 CMMC Practices with Cybersecurity Training. Article describing how a cybersecurity training program either fully meets or contributes to meeting 19 different practice requirements within the CMMC.

CMMC RM.2.142 Scan for vulnerabilities in organizational systems. Article about the CMMC requirements for vulnerability scanning and related practices.


CMMC News Updates and Related Articles

CMMC News Rollup November 19 2020. C3PAO ISO 17021 update. RPs authorized. Discussion about encryption and clouds. Lots more.

CMMC News Rollup – October 25, 2020. 800-171 DoD Self Assessments info, free user training resources for awareness, CUI handling.

CMMC News Rollup October 6, 2020. DFARS Interim rule, Registered Practitioner track update, CUI Resources from DoD

September 28, 2020: CMMC News Roundup. DFARS Interim rule, OxBridge Lessons-Learned paper.

September 9, 2020: CMMC News Roundup. Incident handling tips, CMMC-AB “Sponsorship” drama, scoping your CMMC assessment, M365 GCC High features.

August 26, 2020: CMMC News Rollup. DAU webinar introduces CMMC requirements for MSPs, first pathfinder assessments started

August 15, 2020: When is a conformity assessment not a conformity assessment? (hint – it is CMMC). Guest article about CMMC hurdles

August 10, 2020: CMMC Provisional Auditor program opt-ins. Provisional assessors invited to apply (closed now)

July 31, 2020: CMMC Rollout Status – Taking stock

July 30, 2020: CMMC news round-up

June 29, 2020: A Practitioner’s thoughts on CMMC

June 22, 2020: CMMC news: CMMC AB opens registration for C3PAOs and Assessors

May 22, 2020: CMMC News – Auditor Training Update

May 21, 2020: CMMC News

February 4, 2020: CMMC Version 1.0 Released – Analysis for DoD contractors