CMMC 2.0 Level 1 and Level 2 certification documentation templates for small business: Deep Research Report

Generated: 2026-03-09 04:30 UTC | Run: cmmc-templates-v3 | Sources: 73 | Workers: 5

Executive Summary

[To be filled in by the synthesizing agent or manually]

Top Sources (Quality Ranked)

[5/5] DoD CIO — CMMC Resources Documentation (worker: academic)
[5/5] NIST — Small Business Primer for SP 800-171 Rev 3 (worker: academic)
[5/5] SERDP/ESTCP (DoD) — NIST SP 800-171 Templates and Checklists (worker: academic)
[5/5] NIST MEP — Cybersecurity Resources for Manufacturers (Where to Start) (worker: academic)
[5/5] NIST SP 800-171 Official Templates (via CMMCAudit.org research) (worker: consulting)
[5/5] NIST CUI SSP Template (official) (worker: github)
[5/5] CMMC Level 1 Scoping Guidance v2 (PDF) (worker: gov)
[5/5] CMMC Level 1 Self-Assessment Guide v2 (PDF) (worker: gov)
[5/5] CMMC Level 2 Scoping Guidance v2 (PDF) (worker: gov)
[5/5] CMMC Level 2 Assessment Guide v2 (PDF) (worker: gov)
[5/5] CMMC 101 Brief Nov 2025 (PDF) (worker: gov)
[5/5] NIST SP 800-171 Rev 2 - CSRC Publication Page (worker: gov)
[5/5] NIST SP 800-171 Rev 3 - CSRC Publication Page (worker: gov)
[5/5] DCSA CMMC Information Page (worker: gov)
[5/5] DFARS 252.204-7012 - Safeguarding Covered Defense Information (worker: gov)

Full Worker Results

Worker: academic

Academic Worker Results - CMMC Templates

[4/5] Maryland APEX Accelerator CMMC Resources

Type: official doc
Relevance: DoD-funded APEX Accelerator providing curated CMMC compliance resources, programs, and funding info for Maryland DIB contractors.
Key findings:
Maryland DCAP (Defense Cybersecurity Assistance Program) via Maryland MEP offers funding for SSP development, gap analysis, POAM creation
Contact: skeith@mdmep.org for financial assistance with NIST 800-171/CMMC prep
Links to JHU APL CMMC resources, NIST, DAU free training, Project Spectrum
CMMC Information Institute (cmmcinfo.org) — free/affordable templates and training videos
Links to downloadable PDF resource list
Direct downloads: https://www.marylandapex.org/_files/ugd/12fb56_bf46f61907a14254ab556775ebf3b952.pdf
Fetched: 2026-03-09T00:23:00Z

[4/5] Virginia APEX Accelerator (George Mason University) — Cybersecurity Compliance Resources

Type: official doc
Relevance: DoD-funded APEX Accelerator at GMU listing free CMMC compliance resources including downloadable templates.
Key findings:
Direct download: CMMC Level 1 Readiness Checklist (Del Mar College PTAC)
Direct download: CMMC Self Assessment Checklist in Excel with POAM template
Links to NIST 800-171 SSP and POAM templates, Project Spectrum self-assessment
DAU free cybersecurity courses, CMMC AB Marketplace for C3PAOs
Georgia Tech PTAC cybersecurity training video
Direct downloads: https://virginiaptac.org/wp-content/uploads/2021/09/CMMC_Level_1_Readiness_Checklist.pdf | https://virginiaptac.org/wp-content/uploads/2021/09/CMMC-Self-Assessment-Checklist-with-tabs-excel.xlsx
Fetched: 2026-03-09T00:23:00Z

[5/5] DoD CIO — CMMC Resources Documentation

Type: official doc
Relevance: Official DoD CIO page with all CMMC Level 1 and Level 2 assessment guides, scoping guides, and briefings as free PDF downloads.
Key findings:
CMMC Level 1 Self-Assessment Guide PDF (official)
CMMC Level 2 Assessment Guide PDF (official)
CMMC Level 1 and Level 2 Scoping Guidance PDFs
CMMC 101 Brief, Model Overview, Hashing Guide
DoD Org-Defined Parameters for NIST SP 800-171 Rev3 memo
CMMC Phase 1 Implementation active Nov 2025 – Nov 2026 (L1 and L2 self-assessments)
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf | https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf | https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf | https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf | https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-101-Nov2025.pdf
Fetched: 2026-03-09T00:23:00Z

[5/5] NIST — Small Business Primer for SP 800-171 Rev 3

Type: official doc
Relevance: NIST released Aug 2025 small business primer specifically to help smaller organizations protect CUI and implement NIST 800-171r3 (CMMC Level 2 basis).
Key findings:
Free primer covering 800-171r3 implementation for under-resourced orgs
FAQ, key differences between Rev 2 and Rev 3
Tips for getting started and concepts for working with cybersecurity teams
Foundation for CMMC Level 2 compliance
Direct downloads: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1318.pdf
Fetched: 2026-03-09T00:23:00Z

[3/5] CUI Institute (CMMC Info) — Document Template Repository

Type: other (nonprofit/community)
Relevance: Nonprofit CMMC community org with free and member-gated policy/procedure templates for CMMC compliance.
Key findings:
Free tools: CMMC 2.0/NIST SP 800-171 Self-Assessment Tool, FCI/CUI Flowcharts
Template repository includes: Data Breach IR Policy, Data Protection Policy, Employee Offboarding Procedure, IR Plan, Visitor/User lists
Full template access requires $25/year membership (low cost)
Also has free CMMC glossary, FAQs, and self-assessment tool
Direct downloads: none (some free, most require login)
Fetched: 2026-03-09T00:23:00Z

[3/5] CMMC Audit Preparation — Policy Templates and Tools for CMMC and 800-171

Type: blog
Relevance: Comprehensive community-curated page linking to all major free CMMC/800-171 templates with evaluations.
Key findings:
NIST SP 800-171 official SSP Template (DOCX, free from NIST)
NIST SP 800-171 POAM Template (DOCX, free from NIST)
SERDP/ESTCP DoD Environmental Research ~20 downloadable 800-171 templates (best free set per author)
Educational Institutions Reference SSP at regulatedresearch.org (free with .edu email)
C3PAO Forum Shared Responsibility Matrix template
DoD free CUI training links, DCISE threat sharing
SANS Institute security policy templates
Direct downloads: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx | https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx | https://www.c3paoforum.org/wp-content/uploads/2022/05/Shared-Responsibility-Matrix-Template-C3PAOForum.docx
Fetched: 2026-03-09T00:23:00Z

[5/5] SERDP/ESTCP (DoD) — NIST SP 800-171 Templates and Checklists

Type: official doc
Relevance: DoD-hosted template library with directly downloadable SSP, POAM, IR Plan, and CUI checklist documents for NIST 800-171/CMMC.
Key findings:
Full SSP template (PDF) aligned to NIST 800-171
POAM procedures template (DOCX)
DFARS CUI Cyber Incident Report Form (XLSX)
NIST 800-171 Cyber Risk Management Plan Checklist (XLSX)
Incident Response Plan and Communications Plan (PDF)
ESTCP IT Policies and Procedures Template (PDF) — comprehensive
All free, no registration required
Direct downloads: https://sepub-prod-0001-124733793621-us-gov-west-1.s3.us-gov-west-1.amazonaws.com/s3fs-public/documents/FRCS%2BNIST%2BSP%2B800-171%2BSSP%2B07-07-2017.pdf | https://sepub-prod-0001-124733793621-us-gov-west-1.s3.us-gov-west-1.amazonaws.com/s3fs-public/documents/ESTCP%2BIT%2BPolicies%2Band%2BProcedures%2BTemplate.pdf
Fetched: 2026-03-09T00:23:00Z

[4/5] Regulated Research Community of Practice — SSP Peer Practices

Type: other (university/research community nonprofit)
Relevance: University-focused community sharing SSP peer practices; SSP available free to .edu email holders; Purdue End-to-End CUI workflows.
Key findings:
Reference SSP available (requires .edu email) covering ~40 of the 800-171/CMMC L2 requirements
Purdue University End-to-End CUI Workflows peer practice available
"A Day With the CMMC Assessors 2024" workshop recordings
"Ask the Assessor" Q&A series on policy hierarchy, security protection assets
Tools & Templates section and community-curated resources
Direct downloads: none (requires .edu registration for SSP)
Fetched: 2026-03-09T00:23:00Z

[4/5] CMU SEI — How to Use the CMMC Assessment Guides

Type: official doc
Relevance: CMU Software Engineering Institute (DoD FFRDC) — architects of CMMC 1.0 explaining how to use assessment guides for L1 and L2 compliance.
Key findings:
SEI developed CMMC 1.0 model; authoritative source for understanding the framework
Walks through Assessment Guide structure: objectives, methods, evidence requirements
Advises creating network boundary documentation first (FCI/CUI scope)
Practice-by-practice breakdown of what evidence is needed
Links to CMMC Level 1 and Level 3 Assessment Guides (pre-CMMC 2.0, reference only)
SEI podcast "An Introduction to CMMC Assessment Guides" available
Direct downloads: none (blog post)
Fetched: 2026-03-09T00:23:00Z

[2/5] Totem Tech — Project Spectrum CMMC Overview

Type: blog
Relevance: Honest third-party analysis of Project Spectrum's offerings; links to Totem's free CMMC tools including templates.
Key findings:
Project Spectrum is free (DoD-funded) with CMMC L1/L2 Cyber Readiness Checks (self-assessment checklists using 800-171A objectives)
Project Spectrum offers CUI, SSP, POAM, FOCI training courses for free
Totem Technologies offers free template downloads at https://www.totem.tech/free-tools/ (Incident Response Plan, Separation of Duties matrix, System Inventory template, more)
Project Spectrum scoping assessments and L1/L2/L3 courses available after free account registration
Critical review: Project Spectrum content may be incomplete for full CMMC compliance
Direct downloads: none (see https://www.totem.tech/free-tools/ for free templates)
Fetched: 2026-03-09T00:23:00Z

[2/5] Totem Technologies — Free CMMC Tools & Templates

Type: consulting page
Relevance: CMMC consulting company offering free downloadable templates for small business CMMC compliance (requires email signup via popup).
Key findings:
Free templates include: CUI Data Flow Diagram, Supply Chain Risk Management Plan, Security Impact Analysis, Employee CUI Handling Guide, CUI & System Inventory, FIPS Cryptography Scoping, SSP Introduction & SEPG, Incident Response Plan, Separation of Duties matrix
All downloadable via popup form (email required)
Latest versions require paid Totem subscription
Good starting point for CMMC L1/L2 document kit
Direct downloads: none (email capture popup)
Fetched: 2026-03-09T00:23:00Z

[4/5] Indiana APEX Accelerator — Free CMMC Resource Kit

Type: official doc
Relevance: DoD-funded APEX Accelerator confirming CMMC Phase 1 started Nov 10, 2025; pointing DIB businesses to Project Spectrum as official free resource.
Key findings:
CMMC Phase 1 officially began Nov 10, 2025 per Federal Register DFARS rule
Project Spectrum is the DoD-endorsed free platform for CMMC L1/L2/L3 training and assessments
Free Project Spectrum account gives access to CMMC Level 1 & 2 self-assessments
Contact: support@projectspectrum.io for Cyber Advisor support (free)
Direct downloads: none (via projectspectrum.io account)
Fetched: 2026-03-09T00:23:00Z

[4/5] Maryland MEP — Defense Cybersecurity Assistance Program

Type: official doc
Relevance: Maryland MEP (NIST-funded) offers financial assistance to Maryland manufacturers for CMMC/NIST 800-171 compliance documentation and training.
Key findings:
Funding available to qualifying Maryland manufacturers for cybersecurity training and assessments
Supports: CMMC/NIST 800-171 compliance, Incident Response Planning, Employee Cyber Awareness, IT/OT Training
Contact: Sara Keith, skeith@mdmep.org
Non-profit; NIST and State of Maryland funded — can offset cost of SSP development
Direct downloads: none
Fetched: 2026-03-09T00:23:00Z

[4/5] Johns Hopkins University APL — CMMC Resources for DIB Suppliers

Type: official doc
Relevance: JHU Applied Physics Lab (DoD FFRDC) curated CMMC resource list for their supply chain partners; links to all official CMMC docs.
Key findings:
Links to CMMC L1 and L2 Scoping Guide and Assessment Guide PDFs (DoD CIO)
NIST SP 800-171 Rev 2 and 800-171A links
ND-ISAC membership for threat intelligence sharing (DIB community)
CISA Free Cybersecurity Services and Tools catalog
Cyber AB Marketplace for finding C3PAOs and RPOs
32 CFR Part 170 (CMMC final rule) link
Direct downloads: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171a.pdf
Fetched: 2026-03-09T00:23:00Z

[5/5] NIST CSRC — SP 1318: NIST 800-171 Rev. 3 Small Business Primer (2025)

Type: official doc
Relevance: Free, officially released Aug 2025 NIST primer specifically designed for small businesses implementing NIST 800-171r3 (CMMC Level 2 basis).
Key findings:
Two sections: one for business leaders, one for implementers
Covers all 800-171r3 control families at intro level
Includes FAQ, tips for getting started, key differences Rev 2 vs Rev 3
CMMC 2.0 Level 2 is based on NIST 800-171 Rev 3 (as of Phase 1 Nov 2025)
Free PDF from NIST; authoritative and zero-cost
Direct downloads: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1318.pdf
Fetched: 2026-03-09T00:23:00Z

[5/5] NIST MEP — Cybersecurity Resources for Manufacturers (Where to Start)

Type: official doc
Relevance: NIST MEP page with direct links to Incident Response Plan and System Recovery Plan templates specific to small manufacturers.
Key findings:
Manufacturer's Guide to Cybersecurity for SMMs (free PDF download from MEP)
NIST IR 8183A-2 — Incident Response Plan templates for process-based manufacturing (PDF)
NIST IR 8183A-3 — Incident Response and System Recovery Plan for discrete manufacturing (PDF)
CISA Cyber Security Evaluation Tool (CSET) — free desktop tool for ICS/IT security assessment
CISA Tabletop Exercise Packages (CTEPs) — free incident response exercises
Idaho National Lab Malcolm — free ICS network traffic analysis tool
Direct downloads: https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8183A-2.pdf | https://doi.org/10.6028/NIST.IR.8183A-3
Fetched: 2026-03-09T00:23:00Z

Worker: community

Community Worker Results — CMMC Templates v3

[4/5] CMMC Audit Preparation - Home

Type: community resource / nonprofit-style
Relevance: Central community hub for CMMC preparation with comprehensive resource links for contractors.
Key findings:
Sponsor: Kieri Solutions (authorized C3PAO) — free resources available
Links to policy templates, assessment guides, glossary, scoping guides
Discord community "Cooey (CUI) Center of Excellence" for peer support
CMMC Level 1 (self-assessment) vs Level 2 (C3PAO assessment) explained
Timeline: 48CFR rule enforcement projected mid-2025
Direct downloads: none
Fetched: 2026-03-09T00:24:00Z

[4/5] CMMC Policy Templates and Tools for CMMC and 800-171

Type: community resource
Relevance: Curated, reviewed list of free and paid policy templates and tools for CMMC/NIST 800-171.
Key findings:
ESTCP IT Policies and Procedures template (DOC format, ~20 docs, no sign-up): https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists
NIST SP 800-171 SSP Template (official DOCX): https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx
NIST SP 800-171 POA&M Template (official DOCX): https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx
C3PAO Forum Shared Responsibility Matrix (DOCX): https://www.c3paoforum.org/wp-content/uploads/2022/05/Shared-Responsibility-Matrix-Template-C3PAOForum.docx
DIBCAC 800-171 Self-Assessment Database (Access DB): https://www.dcma.mil/Portals/31/Documents/DIBCAC/Public_800-171_Self_Asmt_DB_v1.zip
SANS Institute policies (PDF/DOC, no registration): https://www.sans.org/information-security-policy/
Kieri Compliance Documentation (paid, CMMC-specific): https://www.kieri.com/kcd
DoD Cybersecurity Awareness Training (free): https://public.cyber.mil/training/cyber-awareness-challenge/
Educational SSP reference (requires .edu email): https://www.regulatedresearch.org/resources/peer-practices/ssp
Direct downloads: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx | https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx | https://www.c3paoforum.org/wp-content/uploads/2022/05/Shared-Responsibility-Matrix-Template-C3PAOForum.docx
Fetched: 2026-03-09T00:25:00Z

[4/5] System Security Plan for 800-171 and CMMC

Type: community resource / training
Relevance: Free 1-hour video training on creating a high-quality SSP for NIST 800-171 and CMMC Level 2.
Key findings:
Video by Amira Armond (CISSP, CISA) — walks through SSP creation step by step
SSP is required for CMMC Level 2+ and must accompany NIST 800-171 self-assessment
References: NIST 800-171 Rev 2, NIST 800-18 (SSP guide), DoD Assessment Methodology
Comments suggest SSP does NOT have to be a single document — addendums by control family accepted
Kieri Solutions LLC is the sponsoring C3PAO
Direct downloads: none (video training)
Fetched: 2026-03-09T00:26:00Z

[1/5] r/CMMC on Reddit

Type: reddit thread / community forum
Relevance: Active community for CMMC guidance; practitioners, assessors, and OSCs participate.
Key findings:
MEGATHREAD: "We Passed Our CMMC Assessment and Here's What We Learned" - 45 comments
Active discussion on evidence packages, SSPs, scoping, MSPs, and tooling
Discord community linked: https://discord.gg/tpbF54E
Sister subs: r/NISTControls, r/GovIT, r/AzureGov
Direct downloads: none
Fetched: 2026-03-09T00:27:00Z

[1/5] r/CMMC "We Passed" MEGATHREAD

Type: reddit thread
Relevance: Real-world lessons from organizations that passed CMMC Level 2 C3PAO assessments.
Key findings:
Key lesson: Create separate policy/procedure docs for each of the 14 domains (not one big doc)
110/110 score with 0 negative findings achievable with thorough prep
C3PAO requested ~80 optional evidence artifacts ahead of assessment — providing them cut assessment time by 2/3
Tools mentioned: accusights.com ($10K full mock + consultation), Drata (not recommended - AI hallucinations)
C3PAOs mentioned: Redspin
Documentation tip: SSP + network/data flow diagrams + policy/proc docs per domain
Thread: "Experiences with CMMC documentation package vendors?" also active
Direct downloads: none
Fetched: 2026-03-09T00:28:00Z

[3/5] NIST 800-171 & CMMC Templates - Peak InfoSec

Type: consulting page / free templates
Relevance: Comprehensive set of free pro-bono NIST SP 800-171 / CMMC templates from authorized C3PAO.
Key findings:
SSP Template (with DTM): free DOCX download
SSP Template (without DTM): free DOCX download - includes tables per requirement for traceability
Document Traceability Matrix (DTM): free DOCX - maps requirements to policies/plans/procedures
Scope Diagram Template: free VSDX (Visio format)
Certificate of Storage Drive/Media Sanitization Form: free PDF (fillable, based on NIST 800-88)
Customer Responsibility Matrix (CRM): free XLSX - for shared services with MSPs/cloud providers
NIST SP 800-171 Rev2 DoDAM Scoring Template: free XLSX - for SPRS score entry
CMMC Metrics for C-Suite: free PPTX - executive communication slides
Video training series "As the CMMC Churns" accompanies templates
All free, no registration, pro bono from Peak InfoSec (authorized C3PAO)
Direct downloads:
https://peakinfosec.com/wp-content/uploads/2026/01/ACME-Anvil-NIST-SP-800-171-System-Security-Plan-Master-Template-20240312.docx
https://peakinfosec.com/wp-content/uploads/2026/01/ACME-Anvil-NIST-SP-800-171-System-Security-Plan-wo-DTM-Master-Template-20240312.docx
https://peakinfosec.com/wp-content/uploads/2026/01/Document-Traceability-Matrix-Template.docx
https://peakinfosec.com/wp-content/uploads/2026/01/Scope-Diagram-Template-20240312.vsdx
https://peakinfosec.com/wp-content/uploads/2026/01/Certificate-of-Storage-Drive-Media-Sanitization-Template.pdf
https://peakinfosec.com/wp-content/uploads/2026/01/Peak_InfoSec_Customer_Responsibility_Matrix_Template.xlsx
https://peakinfosec.com/wp-content/uploads/2026/01/Peak-InfoSec-NIST-SP-800-171-rev-2-DoDAM-Scoring-Template.xlsx
https://peakinfosec.com/wp-content/uploads/2026/01/CMMC-Metrics-for-the-C-Suite.pptx
Fetched: 2026-03-09T00:29:00Z

[2/5] Totem Technologies Free CMMC Tools

Type: consulting page / free templates
Relevance: Free CMMC templates for small business including Level 1 checklist, SSP, AUP, IRP.
Key findings:
CMMC Level 1 Checklist (17 safeguards assessment)
CUI Data Flow Diagram Template
Supply Chain Risk Management (SCRM) Plan Template
Security Impact Analysis Template
Qualitative Cyber Risk Assessment Template (small business-focused)
CUI Handling Guide Template (for employees)
Asset Inventory Template
FIPS-Validated Cryptography Template
SSP Introduction & SEPG Template
Acceptable Use Policy (AUP) Template
Shared Responsibility Matrix (SRM) for ESPs
CMMC Continuous Monitoring Template
Incident Response Plan (IRP) Template
Totem Top 10 NIST 800-171/CMMC Checklist
All free downloads (email signup likely required)
Direct downloads: https://www.totem.tech/free-tools/ (forms behind page)
Fetched: 2026-03-09T00:30:00Z

[2/5] CMMC Policy Creator

Type: consulting tool / paid generator
Relevance: Automated CMMC 2.0 policy generator for Level 1 (7 docs) and Level 2 (15 docs), low-cost.
Key findings:
Level 1: $79.99 one-time — generates 7 policies (6 domain-specific + 1 integrated)
Level 2: $149.99 one-time — generates 15 policies (14 domain-specific + 1 integrated)
Policies delivered in Word (DOCX) via email in 30-90 seconds
Includes NIST 800-171 practice/control mapping per domain
Not free but very low cost vs competitors (Exostar PolicyPro is $999/year)
Policies are complete (not partially filled), just need review for org-specific details
Direct downloads: none (form-based delivery via email)
Fetched: 2026-03-09T00:31:00Z

[2/5] Nexeris Free CMMC Templates

Type: consulting page / free templates
Relevance: Free CMMC template suite including SSP, policies, Level 2 audit readiness checklist, IRP.
Key findings:
Free SSP Template (DFARS/NIST 800-171/CMMC Level 2 aligned)
Free CMMC Policy Templates: https://nexeris.us/free-cmmc-policy-template/
Free CMMC Level 2 Audit Readiness Checklist: https://nexeris.us/free-cmmc-level-2-audit-readiness-checklist/
Free Incident Response Plan Template: https://nexeris.us/incident-response-plan-template/
All require form submission (email likely needed)
Direct downloads: none (form-gated)
Fetched: 2026-03-09T00:32:00Z

[1/5] r/CMMC - Experiences with CMMC Documentation Package Vendors

Type: reddit thread
Relevance: Community comparison of paid documentation packages and free template approaches.
Key findings:
Kieri KCD (~$14K for KCD+KRA) — widely praised, proven to pass C3PAO assessments, but complex/interconnected
ComplianceForge — good library but "overwhelmingly overkill for small business"; Word files too large
Scytale — automation-focused, solid for ongoing compliance
PreVeil — offers docs covering large portion of controls if using PreVeil for CUI storage
Community consensus: countless free templates online; subreddit + Discord > paid packages for small orgs
Key insight: SSP narratives must describe YOUR actual environment, not template assumptions — 100s of hours of tailoring required regardless of package
Kieri documentation proven to pass CMMC Level 2 certification
Direct downloads: none
Fetched: 2026-03-09T00:33:00Z

[4/5] DIB SCC CyberAssist - CA.L2-3.12.4 SSP Requirement

Type: official nonprofit (NDISAC/DIB SCC)
Relevance: Official CMMC Level 2 SSP requirement guidance with direct template links.
Key findings:
Lists multiple free SSP templates with direct DOCX links
Carnegie Mellon University SSP Template: https://www.cmu.edu/iso/compliance/800-171/CMU%20SSP%20Template.docx
DHS SSP Template: https://www.dhs.gov/sites/default/files/publications/Security%20Plan%20Extensible.docx
FedRAMP Moderate Baseline SSP Template: https://www.fedramp.gov/assets/resources/documents/rev4/REV_4_FedRAMP-SSP-Moderate-Baseline-Template.docx
NIST CUI SSP Template: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-1/final/documents/CUI-SSP-Template-final.docx
SSP absence at time of assessment = automatic finding (assessment cannot be completed)
OSAs free to choose SSP format; plans can be a collection of documents, not just one
Direct downloads:
https://www.cmu.edu/iso/compliance/800-171/CMU%20SSP%20Template.docx
https://www.dhs.gov/sites/default/files/publications/Security%20Plan%20Extensible.docx
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-1/final/documents/CUI-SSP-Template-final.docx
Fetched: 2026-03-09T00:34:00Z

[4/5] CMMCAudit.org Index of All Articles

Type: community resource
Relevance: Complete index of all CMMCAudit.org articles; useful navigation for template/prep resources.
Key findings:
CMMC Level 1 Certification and Preparation How-To: https://www.cmmcaudit.org/cmmc-level-1-certification-and-preparation-how-to/
CMMC Level 1 Assessment Guide and Review: https://www.cmmcaudit.org/cmmc-level-1-assessment-guide-and-review/
CMMC Scoping for Level 1: https://www.cmmcaudit.org/cmmc-scoping-for-level-1/
CMMC Scoping for Level 2: https://www.cmmcaudit.org/cmmc-scoping-for-level-2/
Developing an Effective CMMC Policy: https://www.cmmcaudit.org/cmmc-ml-2-999-developing-an-effective-cmmc-policy/
CMMC Level 2 Self-Assessment Analysis: https://www.cmmcaudit.org/cmmc-level-2-self-assessment-analysis/
Direct downloads: none
Fetched: 2026-03-09T00:35:00Z

[4/5] CMMC Scoping for Level 1 - CMMCAudit.org

Type: community resource / video training
Relevance: Video guide covering Level 1 scope decisions — essential for small businesses determining if they need Level 1 or Level 2.
Key findings:
Covers: What is FCI vs CUI, FCI Assets, Specialized Assets, Out-of-Scope determination
Level 1 = protect FCI (basic cybersecurity, 17 practices, FAR 52.204-21)
Level 2 = protect CUI (110 practices, NIST 800-171)
Key determination: DoD intentionally reduces cost at Level 1
Many small businesses only need Level 1 if they don't handle CUI
Kieri Solutions (C3PAO) provides free training
Direct downloads: none
Fetched: 2026-03-09T00:35:00Z

[3/5] OpenCMMC GitHub - Open-Source CMMC Level 2 Framework

Type: github repo
Relevance: Open-source CMMC Level 2 framework with SSP templates, objective-level control responses, enclave designs.
Key findings:
SSP templates for Level 2 (110 controls/NIST 800-171)
Objective-level control responses with assessor-aware language
Enclave designs for small defense contractors
Evidence artifact templates
Continuous monitoring guidance
Specifically targeted at small defense contractors implementing NIST 800-171
Free/open source on GitHub
Direct downloads: https://github.com/leehowder/OpenCMMC/archive/refs/heads/main.zip
Fetched: 2026-03-09T00:36:00Z

Worker: consulting

Consulting Results

[2/5] Totem.tech Free Tools - CMMC Templates

Type: consulting page
Relevance: Free CMMC template library including SSP, Level 1 checklist, CUI inventory, POA&M, and more — no purchase required but email registration likely needed
Key findings:
CMMC Level 1 Checklist (17 safeguards)
SSP Introduction & SEPG Template
CUI & System Inventory Template
Separation of Duties Matrix
Security Impact Analysis (SIA) Process Template
CUI Identification Guide Flowchart
Assumed Risk Assessment Template
Employee CUI Handling Guide Template
FIPS-Validated Cryptography Scoping Template
Supply Chain Risk Management Plan Template
CUI Data Flow Diagram Template
CMMC Compliance Roadmap (interactive)
DoD Self-Assessment SPRS Scoring Sheet
Direct downloads: Forms behind popup/email gate at https://www.totem.tech/free-tools/
Fetched: 2026-03-09T00:23:00Z

[2/5] Secureframe CMMC Documentation Templates

Type: consulting page
Relevance: Free CMMC template pack from Secureframe (CMMC.com) including SSP, POA&M, IR plan, and risk templates
Key findings:
System Security Plan (SSP) Template — free download
POA&M Template — track gaps and remediation actions
Configuration Management Plan Template
Incident Response Plan Template
Risk Assessment Template
Risk Mitigation Plan Template
Templates created by former federal auditors
Downloads appear to be direct (no mention of email gate on page)
Direct downloads: Downloads via buttons at https://secureframe.com/hub/cmmc/templates (likely gated)
Fetched: 2026-03-09T00:24:00Z

[2/5] RADICL Resources

Type: consulting page
Relevance: RADICL offers a CMMC Level 1 Template Toolkit (found via nav menu)
Key findings:
Page 404'd but nav shows: CMMC Toolkit at https://radicl.com/cmmc-level-1-template-toolkit
Resources include RADLabs Research, Industry Insights, RADICL Content
Direct downloads: none from this URL
Fetched: 2026-03-09T00:24:00Z

[3/5] RADICL CMMC Level 1 Requirements Toolkit

Type: consulting page
Relevance: Comprehensive FREE CMMC Level 1 template toolkit with direct .docx/.zip downloads, no email gate
Key findings:
Full Level 1 template package as ZIP: RADICL_CMMC_L1_TemplateSet_07-22-2024.zip
CMMC Level 1 SSP Template (.docx)
Physical Security Policy Template
Access Control and Termination Policy Template
Data Retention and Disposal Policy Template
System User Accounts Template
Authorized Devices Template
Visitor Log Template
Connections to External Systems Template
Authorized Administrative Access Template
Personal Social Media Security Policy Template
All templates mapped to specific CMMC practice objectives
All in editable Word format — NO registration required
Direct downloads:
https://radicl.com/hubfs/Compliance%20Templates/RADICL_CMMC_L1_TemplateSet_07-22-2024.zip (full pack)
https://radicl.com/hubfs/Compliance%20Templates/CMMC%20Level%201%20SSP%20Template%207.22.24.docx
https://radicl.com/hubfs/PDFs/Welcome%20to%20the%20RADICL%20CMMC%20Toolkit%20(START%20HERE).pdf
Fetched: 2026-03-09T00:25:00Z

[3/5] CMMCAudit.org — Policy Templates and Tools for CMMC and 800-171

Type: blog/consulting
Relevance: Curated list of free CMMC/NIST 800-171 templates with reviews and direct links, including NIST official SSP template
Key findings:
NIST SP 800-171 SSP Template (official NIST .docx): https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx
ESTCP IT Policies and Procedures Template (~20 docs, no signup): https://www.serdp-estcp.org/Tools-and-Training/Installation-Energy-and-Water/Cybersecurity/Templates-and-Checklists
SANS Information Security Policy templates: https://www.sans.org/information-security-policy/
Kieri templates: https://www.kieri.com/kcd
StateRAMP Policy Templates for 800-53: https://stateramp.org/templates-resources/
Community-curated page, updated Oct 2024
Direct downloads: https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx
Fetched: 2026-03-09T00:25:00Z

[2/5] ComplyUp CMMC SSP Template

Type: consulting page
Relevance: Free CMMC SSP template with email gate, current version v1.02
Key findings:
SSP template requires email address to receive
Based on CMMC 2.0 model
Includes table of contents and practice-level documentation
Direct downloads: Email-gated at https://complyup.com/cmmc-ssp-template/
Fetched: 2026-03-09T00:25:00Z

[2/5] Hive Systems CMMC 101 SSP Template

Type: consulting page
Relevance: Free CMMC 2.0 SSP template in Word and PDF format; requires name/email registration
Key findings:
Pre-formatted sections aligning with CMMC 2.0 control families
Editable in Word or PDF formats
Targeted at small and mid-sized businesses
Registration required (name + email)
Direct downloads: Form-gated at https://www.hivesystems.com/cmmc101-ssp
Fetched: 2026-03-09T00:26:00Z

[2/5] CyberSaint Resources

Type: consulting page
Relevance: CyberSaint resource center — primarily enterprise GRC platform; limited free CMMC templates
Key findings:
Focused on enterprise GRC software (CyberStrong platform)
Resources are whitepapers and analyst reports, not downloadable templates
No direct CMMC policy templates found on resource page
Direct downloads: none
Fetched: 2026-03-09T00:26:00Z

[2/5] Redspin CMMC Resources

Type: consulting page
Relevance: Redspin is a C3PAO (certified CMMC assessor org); resources hub with checklists and guides
Key findings:
Checklists section: https://redspin.com/resource-center/checklists/
CMMC Guides section: https://redspin.com/resource-center/cmmc-guides/
Research reports on DIB readiness (not templates)
No direct policy template downloads visible on main resource page
Direct downloads: none found on this page
Fetched: 2026-03-09T00:26:00Z

[3/5] Redspin CMMC Checklists

Type: consulting page
Relevance: Redspin (C3PAO) has a 5-Step CMMC Compliance Implementation Checklist
Key findings:
CMMC Compliance Implementation Checklist (5-step): https://redspin.com/checklists/cmmc-compliance-implementation-checklist/
Primarily guides and checklists, not full policy templates
Direct downloads: none (web pages only)
Fetched: 2026-03-09T00:27:00Z

[5/5] NIST SP 800-171 Official Templates (via CMMCAudit.org research)

Type: official doc
Relevance: Official NIST/DoD templates for SSP and POA&M — the authoritative source for CMMC documentation
Key findings:
NIST SP 800-171 SSP Template (.docx): https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx
NIST SP 800-171 POA&M Template (.docx): https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx
No registration required — direct government download
Used as basis for many commercial templates
Direct downloads:
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-SSP-Template-final.docx
https://csrc.nist.gov/CSRC/media/Publications/sp/800-171/rev-2/final/documents/CUI-Plan-of-Action-Template-final.docx
Fetched: 2026-03-09T00:27:00Z

[2/5] CyberSierra - POAM Templates & Examples for NIST 800-171

Type: blog/consulting
Relevance: Comprehensive guide to POA&M templates with direct download links for NIST 800-171/CMMC compliance
Key findings:
StateRAMP POAM Template (Excel): direct download link provided
ND-ISAC offers free POAM templates and assessment guides
Includes example POA&M rows with all required fields
Blog article explains all required POAM components for CMMC
Direct downloads: https://s33104.pcdn.co/wp-content/uploads/2023/02/StateRAMP_POAM_Template-1.xlsx
Fetched: 2026-03-09T00:27:00Z

[2/5] CMMC Dashboard - Level 2 POA&M, Evidence Log & Review Templates

Type: consulting page
Relevance: Guidance on CMMC Level 2 templates with links to POA&M and Evidence Log templates
Key findings:
POA&M Template Guide: https://cmmcdashboard.com/kb/poam-clean-template-guide
Evidence Log Template: https://cmmcdashboard.com/kb/cmmc-evidence-log-template
Three core templates for Level 2: POA&M, Evidence Log, Periodic Review Schedule
Platform offers free trial for automated tracking
Direct downloads: none (web-based templates)
Fetched: 2026-03-09T00:27:00Z

[3/5] SANS Information Security Policy Templates

Type: consulting page (SANS - highly reputable training org)
Relevance: Free library of cybersecurity policy templates, many mapping to CMMC/NIST controls; requires free account
Key findings:
Library includes: Privileged Account Management Policy, Access Management Policy, Network Device Management Policy, Cloud Service Provider Policy, and many more
Created in partnership with Cybersecurity Risk Foundation (CRF) — maps to CIS Controls/NIST
Free SANS membership required to download
3 pages of templates available
Direct downloads: Requires free SANS account at https://www.sans.org/information-security-policy/
Fetched: 2026-03-09T00:28:00Z

[2/5] StrikeGraph - CMMC SSP Template & Starter Kit

Type: consulting page
Relevance: Enhanced CMMC SSP template with assessment objectives and guidance for each control; plus a starter kit
Key findings:
Enhanced CMMC SSP Template (PDF, with assessment objectives): https://www.strikegraph.com/hubfs/SEO%20Downloads/CMMC%20System%20Security%20Plan/CMMC_SSP_Template_version%202.pdf
Steps to Create CMMC SSP (PNG infographic): free download
CMMC SSP Starter Kit available (likely email-gated)
Points to NIST official SSP template as starting point
Direct downloads: https://www.strikegraph.com/hubfs/SEO%20Downloads/CMMC%20System%20Security%20Plan/CMMC_SSP_Template_version%202.pdf
Fetched: 2026-03-09T00:28:00Z

[2/5] Secureframe Blog - How to Write a CMMC SSP + Template

Type: consulting page
Relevance: CMMC SSP guide with downloadable templates from Secureframe (former federal auditors)
Key findings:
CMMC 2.0 SSP Template at: https://secureframe.com/compliance-resources/cmmc-ssp-template
CMMC POA&M Template at: https://secureframe.com/compliance-resources/cmmc-poam-template
Templates written by former federal auditors
Links to NIST official template as well
Direct downloads: Via buttons at https://secureframe.com/hub/cmmc/templates (likely email-gated)
Fetched: 2026-03-09T00:28:00Z

[4/5] University of Washington IT - CMMC Level 1 System Security Plan Template

Type: University/accredited nonprofit
Relevance: CMMC Level 1 SSP template from University of Washington IT — authoritative, no registration, direct .docx download
Key findings:
Direct .docx download, no registration required
Published Jan 2024 by UW IT department
Designed specifically for CMMC Level 1 compliance (FCI protection)
Direct downloads: https://it.uw.edu/wp-content/uploads/2024/01/CMMC_Level_1_Template.docx
Fetched: 2026-03-09T00:29:00Z

Worker: github

GitHub CMMC Research Results

Worker: github | Topic: CMMC 2.0 Level 1 & Level 2 Templates

[3/5] SecurityBagel/CMMC-Bagel

Type: github repo
Relevance: Open-source Power BI template for CMMC/NIST 800-171A compliance assessment tracking and POA&M management.
Key findings:
Power BI dashboard for compliance metrics and combined scoring across multiple assessments
Includes Assessment Template.xlsx and POA&M Template.xlsx Excel files
Supports CMMC Level 1 and Level 2 assessment workflows
Downloadable Excel templates are the core artifact for small businesses
Direct downloads: https://github.com/SecurityBagel/CMMC-Bagel/raw/main/Assessment%20Template.xlsx | https://github.com/SecurityBagel/CMMC-Bagel/raw/main/POAM%20Template.xlsx
Fetched: 2026-03-09T00:23:00Z

[3/5] proinsights/CMMC-Bagel-Lite

Type: github repo
Relevance: Fork of CMMC-Bagel with ready-to-download Excel templates for CMMC POA&M and assessments.
Key findings:
Contains Assessment Template.xlsx, POAM Template.xlsx, and Control Info.xlsx directly in repo
Lighter-weight version of CMMC-Bagel without Power BI dependency
Ideal for small businesses wanting standalone Excel-based tracking
Direct downloads: https://github.com/proinsights/CMMC-Bagel-Lite/raw/main/POAM%20Template.xlsx | https://github.com/proinsights/CMMC-Bagel-Lite/raw/main/Assessment%20Template.xlsx | https://github.com/proinsights/CMMC-Bagel-Lite/raw/main/Control%20Info.xlsx
Fetched: 2026-03-09T00:23:00Z

[3/5] TEKIMAX/cmmc-level-1-compliance

Type: github repo
Relevance: Free open-source CMMC Level 1 compliance platform explicitly built by small business for small business, self-hosted with local AI.
Key findings:
Full platform (CMMC Compass) with document management, AI-powered search, and pre-built policy/procedure templates
Document template library with pre-built policy and procedure templates
Self-hosted on Convex backend — no vendor lock-in, no monthly fees
Covers all CMMC Level 1 requirements
Direct downloads: none (application framework, templates embedded)
Fetched: 2026-03-09T00:23:00Z

[3/5] Leguy42/CMMC_SSP_Builder

Type: github repo
Relevance: Web app specifically for building CMMC Level 2 System Security Plans with structured guidance.
Key findings:
Covers all major SSP sections: System ID, Description, Architecture, Boundaries, Data Flow, Users, Security Controls (AC, AU, CM, IA, IR, MA, MP, PE, RA, CA, SC, SI)
Field-level prompts guide what to include in each section
Outputs formatted text that can be pasted into Apptega or downloaded as timestamped text file
Tailored for CMMC Level 2 / NIST 800-171 Rev 2
Direct downloads: none (web app generator)
Fetched: 2026-03-09T00:23:00Z

[2/5] JAKTOOL/cmmc

Type: github repo
Relevance: Browser-based app to manage NIST 800-171 Rev 2 & Rev 3 controls, generate SSP markdown, and export POA&M CSV.
Key findings:
Local-first: stores data client-side with IndexedDB — no privacy concerns
Generates markdown SSP report and CSV POA&M for gap items
Supports both Rev 2 and Rev 3, with withdrawn control filtering on migration
Good for small businesses who want a free, lightweight compliance tracker
Direct downloads: none (web app)
Fetched: 2026-03-09T00:23:00Z

[2/5] nealfennimore/nist-sp-800-171

Type: github repo
Relevance: Similar to JAKTOOL/cmmc — browser-based NIST 800-171 Rev 3 compliance tracker with SSP markdown and POA&M CSV generation.
Key findings:
Generates markdown SSP and CSV POA&M
Focuses on Rev 3 with Rev 2 → Rev 3 migration support
Client-side only (IndexedDB), no privacy concerns
Direct downloads: none (web app)
Fetched: 2026-03-09T00:23:00Z

[3/5] timames/cmmc-level2-implementation-graylog_ollama

Type: github repo
Relevance: CMMC Level 2 implementation guide with all 110 practices, SSP framework, policy templates, and phased roadmap using Graylog SIEM + Ollama.
Key findings:
All 110 CMMC Level 2 practices with implementation guidance
SSP framework and templates included
6-12 month phased implementation roadmap
Policy templates and compliance documentation
Assessment prep and C3PAO readiness guidance
Includes QUICKSTART.md for 30-minute quick start
Direct downloads: none directly, but links to free government templates in docs
Fetched: 2026-03-09T00:23:00Z

[2/5] nightstalker117/nistify-800-171r2

Type: github repo
Relevance: Python network scanner that auto-generates NIST 800-171 Rev 2 compliance reports and POA&M Excel spreadsheets.
Key findings:
Generates poam_YYYYMMDD.xlsx — automated POA&M Excel output
Also generates HTML, PDF, JSON, XML, and text compliance reports
Calculates SPRS scores automatically
Creates network topology diagrams
Practical tool for IT-capable small defense contractors
Direct downloads: none (tool generates outputs)
Fetched: 2026-03-09T00:23:00Z

[2/5] mlunato47/claude-grc-plugin

Type: github repo
Relevance: Claude Code plugin with 72+ reference files for 15 compliance frameworks including CMMC, with SSP drafting, POA&M, and control review slash commands.
Key findings:
/grc:ssp-section — drafts SSP narrative language by control family
/grc:review-narrative — reviews SSP narratives with 0-5 maturity scoring
/grc:poam-help — POA&M creation, templates, and metrics
Covers CMMC 2.0 framework fully via frameworks/cmmc.md
15 frameworks with cross-mapping through NIST 800-53 as hub
Direct downloads: none (Claude Code plugin)
Fetched: 2026-03-09T00:23:00Z

[2/5] ceagan/oscal-cmmc

Type: github repo
Relevance: OSCAL-format CMMC v2 catalog JSON — machine-readable control definitions for automation.
Key findings:
CMMC_v2_catalog.json in OSCAL format
Useful for developers building compliance automation tools
Contains all CMMCv2 controls with assessment objects
Direct downloads: https://github.com/ceagan/oscal-cmmc/raw/main/CMMC_v2_catalog.json
Fetched: 2026-03-09T00:23:00Z

[2/5] CyberSecurityUP/information-security-relatory

Type: github repo
Relevance: Large collection of information security spreadsheets including CMMC-v1.02.xls and NIST-800-171-Compliance-Scoping-Guide.xls.
Key findings:
CMMC-v1.02.xls — CMMC version 1.02 controls spreadsheet
NIST-800-171-Compliance-Scoping-Guide.xls — scoping guide for 800-171
Large repo of 100+ security templates across multiple frameworks
Direct downloads: https://github.com/CyberSecurityUP/information-security-relatory/raw/master/CMMC-v1.02.xls | https://github.com/CyberSecurityUP/information-security-relatory/raw/master/NIST-800-171-Compliance-Scoping-Guide.xls
Fetched: 2026-03-09T00:23:00Z

[2/5] kawa5604/CMMC_mapping

Type: github repo
Relevance: CMMC to NIST SP 800-171 to NIST SP 800-53 crosswalk/mapping tool.
Key findings:
Web-based tool mapping CMMC controls to 800-171 and 800-53
Includes questions and examples for each control
Apache 2.0 licensed
Direct downloads: none (web app)
Fetched: 2026-03-09T00:23:00Z

[5/5] NIST CUI SSP Template (official)

Type: official doc
Relevance: Official NIST SP 800-171 Rev 2 SSP template for CUI — the authoritative baseline document for CMMC Level 2 compliance.
Key findings:
Official NIST-provided SSP template referenced in CMMC assessment guidance
.docx format, directly downloadable
Mentioned in Reddit/CMMC community as the authoritative format to follow
Direct downloads: https://csrc.nist.gov/files/pubs/sp/800/171/r2/upd1/final/docs/cui-ssp-template-final.docx
Fetched: 2026-03-09T00:23:00Z

[2/5] shikha1149myprojects/CMMC-Level1-Assessment

Type: github repo
Relevance: Academic CMMC Level 1 assessment project with Google Sheet/Excel template and evidence collection examples.
Key findings:
Includes Google Sheet/Excel template for CMMC 2.0 Level 1 requirements
Practical evidence collection examples organized by control domain
Good starting point for small businesses new to CMMC Level 1
Direct downloads: Google Drive (not directly available via GitHub raw)
Fetched: 2026-03-09T00:23:00Z

Worker: gov

[5/5] CMMC Resources & Documentation - DoD CIO

Type: official doc
Relevance: Central DoD CIO page listing all official CMMC 2.0 documents including Level 1/2 scoping guides, assessment guides, and briefings.
Key findings:
CMMC Level 1 Scoping Guidance PDF: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf
CMMC Level 1 Self-Assessment Guide PDF: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf
CMMC Level 2 Scoping Guidance PDF: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf
CMMC Level 2 Assessment Guide PDF: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf
CMMC 101 Brief PDF: https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-101-Nov2025.pdf
CMMC Model Overview PDF: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ModelOverviewv2.pdf
DoD Memo: Org-Defined Parameters NIST SP 800-171 Rev3 PDF: https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf
Phase 1 Implementation active (Nov 2025-Nov 2026) focusing on L1 and L2 self-assessments
External: Cyber AB CAP, NIST SP 800-171 Rev.2, SPRS portal
Direct downloads:
https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf
https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf
Fetched: 2026-03-09T00:23:00-05:00

[5/5] CMMC Level 1 Scoping Guidance v2 (PDF)

Type: official doc
Relevance: Official DoD CMMC Level 1 scoping guidance document defining FCI boundary and scoping decisions.
Key findings:
Defines scope for CMMC Level 1 assessments (Federal Contract Information)
Guides contractors on what systems are in-scope for L1 self-assessment
Direct PDF download from dodcio.defense.gov
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf
Fetched: 2026-03-09T00:23:00-05:00

[5/5] CMMC Level 1 Self-Assessment Guide v2 (PDF)

Type: official doc
Relevance: Official DoD self-assessment guide for CMMC Level 1 with all 17 practices and assessment procedures.
Key findings:
17 practices across 6 domains for Level 1
Self-assessment methodology for small businesses handling FCI
Scoring guidance for SPRS submission
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf
Fetched: 2026-03-09T00:23:00-05:00

[5/5] CMMC Level 2 Scoping Guidance v2 (PDF)

Type: official doc
Relevance: Official DoD CMMC Level 2 scoping guidance defining CUI boundary and scoping decisions for 110 NIST SP 800-171 controls.
Key findings:
Defines CUI scope for Level 2 assessments
Asset categorization (CUI assets, security protection assets, contractor risk managed assets, specialized assets, out-of-scope assets)
Essential for small businesses determining what's in scope before SSP development
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf
Fetched: 2026-03-09T00:23:00-05:00

[5/5] CMMC Level 2 Assessment Guide v2 (PDF)

Type: official doc
Relevance: Official DoD assessment guide for CMMC Level 2 with all 110 NIST SP 800-171 Rev 2 practices and assessment procedures.
Key findings:
110 practices mapped to NIST SP 800-171 Rev 2
Assessment objectives, methods, and objects for each practice
Used by both self-assessors (L2 self) and C3PAOs (L2 third-party)
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf
Fetched: 2026-03-09T00:23:00-05:00

[5/5] CMMC 101 Brief Nov 2025 (PDF)

Type: official doc
Relevance: Updated CMMC 101 overview brief from November 2025 covering Phase 1 implementation details.
Key findings:
Phase 1 implementation active Nov 10, 2025 - Nov 9, 2026
Focuses on L1 and L2 self-assessments
Affirmation requirements in SPRS
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-101-Nov2025.pdf
Fetched: 2026-03-09T00:23:00-05:00

[5/5] NIST SP 800-171 Rev 2 - CSRC Publication Page

Type: official doc
Relevance: NIST CSRC official page for SP 800-171 Rev 2 with downloadable SSP template, POA&M template, and security requirements spreadsheet.
Key findings:
Official CUI SSP Template (.docx) available for download — the foundational template for CMMC L2
Official CUI Plan of Action (POA&M) template (.docx) available for download
Security Requirements Spreadsheet (.xlsx) with all 110 controls
Planning note: no prescribed SSP format, but 3.12.4 requirements must be met
Direct downloads:
https://csrc.nist.gov/files/pubs/sp/800/171/r2/upd1/final/docs/cui-ssp-template-final.docx
https://csrc.nist.gov/files/pubs/sp/800/171/r2/upd1/final/docs/cui-plan-of-action-template-final.docx
https://csrc.nist.gov/files/pubs/sp/800/171/r2/upd1/final/docs/sp800-171r2-security-reqs.xlsx
Fetched: 2026-03-09T00:24:00-05:00

[5/5] NIST SP 800-171 Rev 3 - CSRC Publication Page

Type: official doc
Relevance: Latest version of NIST SP 800-171 (Rev 3) — basis for CMMC Level 2 updated requirements per DoD Org-Defined Parameters memo.
Key findings:
Rev 3 published; DoD memo establishes org-defined parameters for CMMC use
Change analysis spreadsheet Rev 2 to Rev 3: https://csrc.nist.gov/files/pubs/sp/800/171/r3/final/docs/sp800-171r2-to-r3-analysis.xlsx
CUI Overlay xlsx available: https://csrc.nist.gov/files/pubs/sp/800/171/r3/final/docs/sp800-171r3-cui-overlay.xlsx
No SSP template specific to Rev 3 found on this page; Rev 2 template still primary
Companion: SP 800-171A Rev 3 for assessment procedures
Direct downloads:
https://csrc.nist.gov/files/pubs/sp/800/171/r3/final/docs/sp800-171r2-to-r3-analysis.xlsx
https://csrc.nist.gov/files/pubs/sp/800/171/r3/final/docs/sp800-171r3-cui-overlay.xlsx
Fetched: 2026-03-09T00:24:00-05:00

[5/5] DCSA CMMC Information Page

Type: official doc
Relevance: DCSA (Defense Counterintelligence and Security Agency) CMMC overview page for cleared defense contractors.
Key findings:
DCSA confirms CMMC implements NIST SP 800-171 under 32 CFR Part 2002 and DFARS 252.204-7012
POA&M allowed for a limited subset of requirements at contract award
Some requirements cannot be on POA&M — specific subset defined
DCSA defers to dodcio.defense.gov/CMMC/ for primary resources
NISP eMASS contains artifact templates and guides for classified IS (separate from CMMC)
Direct downloads: none
Fetched: 2026-03-09T00:25:00-05:00

[5/5] DFARS 252.204-7012 - Safeguarding Covered Defense Information

Type: official doc
Relevance: The contract clause mandating NIST SP 800-171 compliance — the legal basis for CMMC requirements on DIB contractors.
Key findings:
Requires NIST SP 800-171 implementation for covered contractor information systems
"Covered defense information" = CUI as defined by the CUI Registry
Cloud service providers must meet FedRAMP Moderate baseline equivalency
System security plan (SSP) may address temporary deficiencies
This clause is the contractual trigger for CMMC Level 2 compliance
Direct downloads: https://www.acquisition.gov/node/36383/printable/pdf
Fetched: 2026-03-09T00:25:00-05:00

[5/5] NIST SP 800-171A Rev 3 - Assessing Security Requirements for CUI

Type: official doc
Relevance: NIST assessment guide for SP 800-171 Rev 3 requirements — the methodology used by C3PAOs and self-assessors for CMMC Level 2.
Key findings:
Published May 14, 2024 — companion to SP 800-171 Rev 3
Provides assessment procedures for all 17 families of security requirements
FAQ PDF available covering Rev 3 changes
No SSP/POA&M template downloads found on this specific page
Dataset available on CPRT (Cybersecurity and Privacy Reference Tool)
Direct downloads:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171Ar3.pdf
https://csrc.nist.gov/files/projects/protecting-controlled-unclassified-information/documents/FAQ/FAQ-SP800-171R3-171AR3.pdf
Fetched: 2026-03-09T00:25:00-05:00

[5/5] NIST HB 162 - MEP Cybersecurity Self-Assessment Handbook

Type: official doc
Relevance: NIST self-assessment handbook designed specifically for small/medium manufacturers (MEP) to assess NIST SP 800-171 controls.
Key findings:
Organized around all 14 SP 800-171 families
Specifically designed for small manufacturers in the DIB
Includes self-assessment worksheets and scoring guidance
Useful companion to CMMC L2 self-assessment for manufacturers
Direct downloads: https://nvlpubs.nist.gov/nistpubs/hb/2017/nist.hb.162.pdf
Fetched: 2026-03-09T00:26:00-05:00

[4/5] Cyber AB - CMMC Assessment Process (CAP) v2.0

Type: official doc
Relevance: Official CMMC Accreditation Body document defining the C3PAO assessment process for Level 2 third-party certifications.
Key findings:
Defines the formal assessment process used by C3PAOs
Referenced directly by DoD CIO on the official CMMC resources page
Critical for understanding what documentation assessors expect
Direct downloads: https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf
Fetched: 2026-03-09T00:26:00-05:00

[5/5] DoD CMMC-SPRS Submission Guide (PDF)

Type: official doc
Relevance: Official DoD guide for submitting CMMC assessment results and affirmations in SPRS — required step for both L1 and L2.
Key findings:
Step-by-step SPRS entry for Level 1 and Level 2 CMMC assessments
Affirmation workflow: self-assessment → send to Affirming Official → SPRS submission
Required for Phase 1 compliance starting Nov 2025
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/CMMC-SPRS.pdf
Fetched: 2026-03-09T00:26:00-05:00

[5/5] DoD Memo: Org-Defined Parameters for NIST SP 800-171 Rev 3

Type: official doc
Relevance: Critical DoD memo defining the specific parameter values for NIST SP 800-171 Rev 3 requirements as applied to CMMC — tells contractors exactly what values to implement.
Key findings:
Establishes specific ODP (Organization-Defined Parameter) values for Rev 3 controls
Required reading for contractors implementing L2 under Rev 3 framework
Published February 2025
Direct downloads: https://dodcio.defense.gov/Portals/0/Documents/CMMC/OrgDefinedParmsNISTSP800-171.pdf
Fetched: 2026-03-09T00:26:00-05:00

[5/5] 32 CFR Part 170 - CMMC Program Final Rule (Federal Register)

Type: official doc
Relevance: The official federal regulation establishing CMMC 2.0 program — defines SSP requirements, POA&M rules, scoring, small business cost analysis.
Key findings:
SSP is required by DFARS 252.204-7012 for all contractors handling CUI
Level 2 minimum passing score: 80% (88/110) with permittable NOT MET items on POA&M
POA&M closeout required within 180 days of Conditional CMMC Status
Specific small business cost estimates for L1 self-assessment, L2 self-assessment, L2 C3PAO assessment
SPRS score must be submitted at contract award and no more than 3 years old
~135 C3PAO assessments expected year 1 ramp up
Direct downloads: none (HTML regulation)
Fetched: 2026-03-09T00:27:00-05:00

[5/5] NIST SP 800-171A (Original) - Assessment Procedures + Templates

Type: official doc
Relevance: Original SP 800-171A with assessment procedures spreadsheet and SSP/POA&M templates — still widely used for CMMC L2 assessments.
Key findings:
Assessment Procedures Spreadsheet (.xlsx) with all assessment procedures
CUI SSP Template (.docx) — same as Rev 2 page link
CUI Plan of Action Template (.docx) — older version also available
Assessment Procedures CSV also available for automation/tooling
Direct downloads:
https://csrc.nist.gov/files/pubs/sp/800/171/a/final/docs/sp800-171a-assessment-procedures.xlsx
https://csrc.nist.gov/files/pubs/sp/800/171/r2/upd1/final/docs/cui-ssp-template-final.docx (same SSP template)
https://csrc.nist.gov/CSRC/media//Publications/sp/800-171/rev-1/final/documents/CUI-Plan-of-Action-Template-final.docx
Fetched: 2026-03-09T00:27:00-05:00

[5/5] DCMA DIBCAC - CMMC Assessment Info

Type: official doc
Relevance: DCMA's Defense Industrial Base Cybersecurity Assessment Center — the DoD's primary NIST 800-171 assessor and C3PAO assessor for CMMC.
Key findings:
DIBCAC is the sole entity for CMMC L3 assessments and C3PAO certification assessments
Also assesses NIST SP 800-171 for DIB companies
CMMC L2 C3PAO Appeals Process PDF: https://www.dcma.mil/Portals/31/Documents/DIBCAC/DCMA%20DIBCAC%20CMMC%20L2%20C3PAO%20Appeals%20Process..pdf
DIBCAC email for CMMC inquiries: dcma_dibcac_cmmc@mail.mil
Direct downloads: https://www.dcma.mil/Portals/31/Documents/DIBCAC/DCMA%20DIBCAC%20CMMC%20L2%20C3PAO%20Appeals%20Process..pdf
Fetched: 2026-03-09T00:28:00-05:00

Gaps & Limitations

Methodology

🕸️ Ada Research Browser