Awesome CMMC

A curated list of tools, resources, templates, and guides for CMMC (Cybersecurity Maturity Model Certification) and NIST SP 800-171 compliance.

Whether you're a defense contractor preparing for a CMMC Level 2 assessment, an MSP supporting DIB clients, or a C3PAO assessor, this list has something for you.

Contents

• Official Resources
• Frameworks & Standards
• DFARS Clauses
• Assessment & Certification
• Tools - Open Source
• Tools - Commercial
• Templates & Documentation
• Training & Certification
• Books
• Podcasts & Video
• Community
• News & Legal Analysis
• Cloud & Infrastructure
• Contributing

---

Official Resources

• DoD CIO CMMC Homepage - The official DoD CMMC program page with model documentation, assessment guides, and scoping guidance.
• CMMC Resources & Downloads - Downloadable resources including assessment guides, scoping guides, and the CMMC model itself.
• About CMMC - Overview of the CMMC program and its goals.
• CMMC FAQ (PDF) - Official frequently asked questions from DoD CIO.
• Office of Industrial Base Policy - CMMC 2.0 - CMMC 2.0 details from the Office of Industrial Base Policy.
• The Cyber AB - The official CMMC accreditation body (formerly CMMC-AB). Authorizes C3PAOs and certifies assessors.
• NIST SP 800-171 Rev 2 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
• NIST SP 800-171 Rev 3 - Updated CUI protection requirements (February 2024).
• NIST SP 800-171A - Assessing Security Requirements for CUI. The 320 assessment objectives that define CMMC Level 2.
• NIST SP 800-172 - Enhanced security requirements for CUI (CMMC Level 3).
• OSCAL (Open Security Controls Assessment Language) - NIST's standardized format for machine-readable compliance data.
• CMMC Final Rule (32 CFR Part 170) - The CMMC program final rule published October 2024.
• NIST Cybersecurity Framework (CSF) - Complementary framework often mapped alongside 800-171.

Frameworks & Standards

• NIST SP 800-53 Rev 5 - Security and Privacy Controls (parent framework for 800-171).
• NIST SP 800-53B - Control Baselines for Information Systems and Organizations.
• CUI Registry - National Archives CUI Registry defining CUI categories and markings.
• FedRAMP - Federal Risk and Authorization Management Program for cloud services. CMMC accepts FedRAMP Moderate (or equivalent) for cloud components.
• CISA Cybersecurity Resources - Free tools and guidance from CISA applicable to CMMC controls.

DFARS Clauses

Key Defense Federal Acquisition Regulation Supplement clauses that drive CMMC:

• DFARS 252.204-7012 - Safeguarding Covered Defense Information and Cyber Incident Reporting. The foundational clause requiring NIST 800-171 compliance.
• DFARS 252.204-7019 - Notice of NIST SP 800-171 DoD Assessment Requirements. Requires self-assessment scores in SPRS.
• DFARS 252.204-7020 - NIST SP 800-171 DoD Assessment Requirements. Governs Medium and High assessments by DIBCAC.
• DFARS 252.204-7021 - Cybersecurity Maturity Model Certification Requirements. The CMMC clause itself.
• SPRS (Supplier Performance Risk System) - Where contractors submit their NIST 800-171 self-assessment scores.

Assessment & Certification

• Cyber AB Marketplace - Find authorized C3PAOs, Registered Practitioners (RPs), and training providers.
• DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) - Conducts Medium and High assessments of contractor cybersecurity.
• CMMC Assessment Guide Level 2 (PDF) - Official assessment procedures and objectives for Level 2.
• DoD Assessment Methodology - Scoring methodology for NIST 800-171 self-assessments (Basic, Medium, High).
• DIBCAC Presentation - Leveraging DCMA Capabilities (PDF) - DAU presentation on DIBCAC's "over the shoulder" assessment methodology and CMMC integration.
• NDISAC CyberAssist - CMMC Resources - National Defense ISAC resources and links for DIB cybersecurity and CMMC.

Tools - Open Source

• cmmc-tracker - Self-hosted CMMC Level 2 compliance tracker with artifact management, POA&M generator, audit trail, and PDF reports. Flask + SQLite, Docker-ready. (MIT)
• CMMC-Bagel - Compliance assessment and POA&M management for CMMC/NIST 800-171A.
• JAKTOOL/cmmc - NIST SP 800-171 Rev 2 and Rev 3 compliance manager with local data storage and compliance summaries.
• NIST OSCAL - Official NIST OSCAL repository with schemas, examples, and the 800-53 catalog in machine-readable format.
• OSCAL CLI - Command-line tool for common OSCAL operations (validate, convert, resolve).
• Compliance Trestle - Opinionated tooling platform for managing compliance as code using OSCAL. Python/pip installable.
• OpenSCAP - Open source security compliance solution implementing SCAP standards. Useful for automated technical checks.
• Awesome OSCAL - Curated list of OSCAL tools, libraries, and resources.
• Awesome Compliance - Broader compliance resource list covering multiple frameworks.

Tools - Commercial

• RegScale - Continuous compliance automation platform with CMMC and 800-171 support.
• Drata - Compliance automation for SOC 2, CMMC, NIST 800-171, and other frameworks.
• Coalfire - Cybersecurity advisory and assessment firm, authorized C3PAO.
• Schellman - Assessment firm offering CMMC, FedRAMP, and SOC services.
• Fortra (Tripwire) - Security and compliance tools including configuration assessment and file integrity monitoring.
• Totem Technologies - CMMC-focused compliance platform designed for small DIB contractors.
• PreVeil - End-to-end encrypted email and file sharing purpose-built for CMMC/CUI compliance.
• Summit 7 - Microsoft GCC High and CMMC compliance services.
• ComplianceForge - Editable CMMC/NIST 800-171 policy and documentation templates.

Templates & Documentation

• NIST CUI SSP Template - Official NIST System Security Plan template for 800-171 (Word doc).
• Peak InfoSec Free Templates - Free SSP, POA&M, and policy templates for the DIB from a former DIBCAC assessor.
• CMMCAudit.org Templates - Curated list of free and paid policy template sources.
• NIST 800-171 Control Family Mapping - Appendix D maps 800-171 controls to 800-53 for organizations needing both.

Training & Certification

Certification Levels (The Cyber AB)

• CCP (Certified CMMC Professional) - Entry-level certification for individuals supporting CMMC.
• CCA (Certified CMMC Assessor) - Authorized to conduct CMMC Level 2 assessments as part of a C3PAO team.
• C3PAO (CMMC Third-Party Assessment Organization) - Organizations authorized to conduct official CMMC assessments.
• RP (Registered Practitioner) - Individuals registered with The Cyber AB to provide CMMC consulting.
• RPO (Registered Provider Organization) - Organizations registered to deliver CMMC consulting services.

Training Providers

• Cyber AB Marketplace - Training - Official list of Licensed Training Providers (LTPs) and Licensed Partner Publishers (LPPs).
• CyberSecInvestments CMMC Training Videos - Free video training covering CMMC assessment preparation.

Books

• NIST SP 800-171 Compliance: A Practitioner's Guide - Practical implementation guidance for each control family.
• CMMC for Small Business: A DIY Guide to Cybersecurity Compliance - Aimed at small contractors navigating CMMC without large budgets.

Podcasts & Video

• CMMC Compliance Guide Podcast - Hosted by Brooke and Austin Justice, covering practical CMMC compliance topics with industry guests.
• Mission Compliance Podcast - YouTube series for defense contractors navigating CMMC.
• As the CMMC Churns - Video series from Peak InfoSec covering SSP development and assessment preparation.

Community

• r/CMMC - Active Reddit community discussing CMMC implementation, tools, and assessment experiences.
• r/NISTControls - Reddit community focused on NIST 800-171 and related security controls.
• NDIA (National Defense Industrial Association) - Industry association representing defense contractors, active in CMMC policy discussions.
• PSC (Professional Services Council) - Advocacy organization for government services contractors.
• The Cyber AB Town Halls - Periodic public meetings and updates from the accreditation body.

News & Legal Analysis

• Husch Blackwell - CMMC Updates - Law firm with regular CMMC rulemaking analysis.
• Crowell & Moring - Government Contracts Blog - Legal analysis of DFARS and CMMC developments.
• PreVeil Blog - Regular CMMC compliance articles and implementation guides.
• CyberSecInvestments - CMMC news, analysis, and compliance resources.
• Federal News Network - Covers federal cybersecurity policy including CMMC updates.

Cloud & Infrastructure

CMMC Level 2 requires that cloud services processing, storing, or transmitting CUI meet FedRAMP Moderate (or equivalent):

• Microsoft GCC High - Microsoft 365 and Azure for CUI/ITAR workloads. Most popular choice for DIB.
• Azure Government - Azure regions with FedRAMP High authorization.
• AWS GovCloud - Isolated AWS regions designed for sensitive government workloads.
• Google Cloud for Government - Google's government cloud offerings with FedRAMP authorization.
• PreVeil - End-to-end encrypted email/files that meets CMMC requirements without requiring GCC High migration.

---

Contributing

Contributions welcome! Please read the contributing guidelines first.

License

This list is dedicated to the public domain under CC0 1.0 Universal.