For Suppliers
CMMC Resources
The resources on this page include additional government resources regarding both Cybersecurity Maturity Model Certification (CMMC) and available cybersecurity resources.
DoD CMMC Program Office
The CMMC Program aligns with the Department of Defense’s (DoD) existing information security requirements for the Defense Industrial Base (DIB). It is designed to enforce the protection of sensitive unclassified information shared by the department with its contractors and subcontractors. The program provides the DoD with increased assurance that contractors and subcontractors are meeting the cybersecurity requirements for nonfederal systems processing controlled unclassified information.
DoD CIO CMMC Frequently Asked Questions
This is the official DoD CIO CMMC FAQs page that also includes information about the most recent updates to the CMMC program.
CMMC Cyber Accreditation Body (Cyber AB) Marketplace
The Cyber AB is the official accreditation body of the CMMC ecosystem and the sole authorized nongovernmental partner of the DoD in implementing and overseeing the CMMC conformance regime. The Cyber AB also manages and maintains the CMMC Marketplace, which connects government contractors looking to achieve CMMC compliance with qualified CMMC service providers.
National Defense Information Sharing and Analysis Center (ND-ISAC)
ND-ISAC is the Information Sharing and Analysis Center for the Defense Industrial Base, offering defense sector companies, their suppliers, and related interests a community and forum for sharing cyber and physical security threat indicators, best practices, and mitigation strategies. ND-ISAC gives defense industry entities and suppliers the ability to leverage the best security data, tools, and services and the best practices available in a high-trust, collaborative industry environment. Through ND-ISAC, members share intelligence on cybersecurity and physical security, insider threats, vulnerabilities, and associated threat remediation. ND-ISAC enables members to develop and continually mature their secure enterprise. ND-ISAC serves as the national defense sector’s principal focal point for all hazards to the sector.
NSA Cybersecurity Collaboration Center (CCC)
The National Security Agency (NSA) CCC is how NSA scales intel-driven cybersecurity through open, collaborative partnerships. The CCC works with industry, interagency, and international partners to harden the U.S. Defense Industrial Base, operationalize NSA’s unique insights on nation-state cyber threats, jointly create mitigations guidance for emerging activity and chronic cybersecurity challenges, and secure emerging technologies.
DoD-Defense Industrial Base (DIB) Collaborative Information Sharing Environment (DCISE)
DCISE, the operational hub of DoD’s DIB Cybersecurity Program, safeguards intellectual property and DoD content on unclassified contractor networks. It facilitates public–private cyber threat information sharing and offers no-cost Cybersecurity-as-a-Service capabilities as well as collaboration events with government/industry. DC3 DCISE provides threat analysis, mitigation strategies, best practices, and exchanges for DIB participants of all sizes.
CISA Free Cybersecurity Services and Tools
CISA has curated a database of free cybersecurity services and tools as part of its continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments.
Additional Resources
Regulations
- Existing regulations
- CMMC regulations
- DFARS clause 252.204-7021 (pending revision)
Cyber Incident Reporting
- Cyber incident reporting website (required by DFARS 252.204-7012)
Cybersecurity Requirements and Assessment Guides
CMMC Level 1
- Requirements:
- NIST Assessment Guide: *
CMMC Level 2
- Requirements: *
- NIST Assessment Guide: *
- (supplemental to NIST’s)
CMMC Level 3
- Requirements: defined in the CMMC rule (see the CMMC final rule under CMMC resources)
- (supplemental to NIST’s)
*National Institute of Standards and Technology (NIST) special publications for Rev. 2 have been “withdrawn” by NIST but, in accordance with , and until further notice, the NIST 800-171 Rev. 2 requirements will still be used by DoD for the purpose of CMMC until such time as the rule is revised to require NIST SP 800-171 Rev. 3.