Websites: Closing the knowledge gap

CMMC is a multi-disciplinary cyber security programme for the protection of FCI and CUI, owned by the US Department of Defence and managed by the CMMC Accreditation Body.  The following websites provide references for the CMMC programme and associated regulation.

The DoD DFARS Case 2019 - D041 Interim Final Ruling

DFARS Case D041 - Interim Final Ruling

The Interim Final Ruling was released on the 29th September 2020 and is effective from the 30th November 2020.  It is to be applied to and by contractors and subcontractors to the DoD.

DFARS Case 2019 - D041 Regulatory Impact Assessment

DFARS Case 2019 - D041 Regulatory Impact Assessment (RIA)

The Regulatory Impact Assessment (RIA), which accompanies the Interim Final Ruling for DFARS Case 2019 – D041, provides valuable insight into the ruling.

The Office of the Under Secretary of Defence for Acquisition and Sustainment (OUSD(A&S))

Office of the Undersecretary of Defence Acquisition (OUSD A&P)

The OUSD(A&S) is the office within the US Department of Defence responsible for the CMMC programme.  The website provides the latest CMMC model and associated appendices.

The CMMC Accreditation Body (CMMC - AB)

CMMC Advisory Board

The CMMC AB are responsible for the design, delivery and on-going management of the CMMC programme and accreditation on behalf of the US DoD.

Defence Federal Acquisition Regulation Supplement (DFARS 252.204 - 7012)

Defence Federal Acquisition Supplement Regulation (DFARS) 48 CFR § 252.204-7012.

Federal Acquisition Regulation (FAR - 52.204 - 21)

Department of Defense

Federal Acquisition Regulation (FAR) Clause 48 CFR 52.204-21.

The National Archives

US National Archives

The National Archives is the Federal Agency responsible for the publication of US laws, regulations, Presidential and other public documents.  It holds the records of definitions and categories of Controlled Unclassified Information (CUI).

National Institute of Standards and Technology (NIST)

National Institute of Standards and Technology (NIST)

NIST is the Federal Agency responsible for the development and management of the NIST 800 – 171 family of cyber security standards, which are defined within DFARS for the protection of CUI.  NIST 800 – 171 is also the CMMC standard.