Guidelines: Defining rules & the setting direction of travel

There are several references documents which are important in understanding the CMMC programme and its application to the protection of FCI and CUI data. 

Undersecretary of Defence for Acquisition and Sustainment (OUSD A&S)

Office of the Under Secretary of Defence and Acquisition Sustainment


CMMC 1.0 Level 1 assessment guide
CMMC 1.0 Level 3 assessment guide

Defence Contract Management Agency (DCMA) & NIST
Defence Acquisition Regulation

NIST SP 800 – 171r2

DoD Assessment Methodology (DAM) – NIST (SP) 800 – 171A
DCMA DoD Assessment Methodology
Defence Acquisition Regulation – DFARS Interim Final Ruling
Defence Acquisition Regulation


DFARS Case D041
Interim Final Ruling
DFARS Case 2019-D041
Regulatory Impact Assessment

Defence Acquisition Regulation
Defence Acquisition Regulation


FAR 48 CFR 52.204 – 21


DFARS 48 CFR 252.204 – 7012

National Institute for Science and Technology (NIST)

National Institute of Standards and Technology (NIST)

NIST SP 800 – 171 r2

National Archives

US National Archives for Controlled Unclassified Information (CUI)

CUI Policy and Guidance
CUI Implementation Regulation
Assessing CUI in non Federal Systems