CMMC student guide: Additional CMMC resources

Jeff Peters
June 10, 2021 by
Jeff Peters

The new Cybersecurity Maturity Model Certification (CMMC) framework, which has been slowly rolling out in 2021, will have a massive impact once fully implemented. According to the Department of Defense, more than 300,000 organizations in the Defense Industrial Base (DIB) supply chain need to be assessed and certified — and thousands of assessors and other professionals will need to be trained to support the new ecosystem. 

However, many aspects of the ecosystem, certification process and training are still in flux and may change based on feedback and lessons learned from the initial rollout. 

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

Here is a list of the best CMMC resources, CMMC documents and CMMC guides that are currently available. We’ll update this list as more resources are finalized and released.

Official CMMC resources and links

Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB)

The CMMC-AB is an independent entity established in January 2020 to manage, control and administer all the aspects of the CMMC framework, including the assessment, certification, training and accreditation processes.

  • CMMC-AB website: This is your go-to source for finding the latest information about the CMMC marketplace, applying to become an RPO or C3PAO, and confirming the requirements for various CMMC-related career paths (RP, CCP, CCA, etc.).
  • CMMM-AB RFI/RFPs: This section of the CMMC-AB website contains the current and previous Requests for Information (RFIs) and Requests for Proposals (RFPs) from the body.
  • CMMC-AB town hall videos: CMMC information continues to evolve, and the CMMC-AB holds regular town hall meetings to communicate those changes and answer questions from the community.

Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S))

The OUSD(A&S), along with other stakeholders, developed the CMMC framework to “combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels.”

  • OUSD(A&S) website: This website contains information around the CMMC standard along with any updates to the CMMC framework, frequently asked questions about CMMC and other official CMMC materials.
  • CMMC Model v1.02, its appendices and its appendices in tabular form
  • CMMC Model Errata v1.0
  • CMMC Level 1 Assessment Guide (editable)
    • CMMC Level 3 Assessment Guide (editable)
    • CMMC Glossary (editable)

Infosec CMMC resources and training


Infosec is both a CMMC-AB Licensed Partner Publisher (LPP) and Licensed Training Provider (LTP), which means it is both helping develop CMMC-AB approved training materials and delivering training courses for individuals and teams looking to get certified.


    • Infosec CMMC resources: Infosec collects all of its free CMMC resources and paid CMMC training courses on this page, which is updated regularly.



    • CMMC training: Learn more about Infosec's CMMC boot camps, which will open for enrollment once training materials are approved by the CMMC-AB.



NIST documentation and resources related to CMMC


The CMMC framework may be new, but most of the security requirements it contains are pulled from existing documents. For example, 110 of the 171 CMMC practices are specified in NIST SP 800-171 Rev. 2.


    • NIST documentation


      • NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
      • NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information
      • NIST 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171
      • NIST 800-53 Rev 005: Security and Privacy Controls for Information Systems and Organizations
      • NIST SP 800-88 Rev. 1: Guidelines for Media Sanitization


    • Other NIST resources



Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) resources


Three years after the implementation of DFARS 252.204-7012, the DoD publicly recognized that it alone was not effective in securing government contractors in the DIB. Therefore, the new DFARS 70 Series (7019, 7020 and 7021) are intended to close the gap between DFARS and CMMC and rectify the industry's lack of responsiveness.

  • FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
  • DFARS 252.204: Defense Federal Acquisition Regulation Supplement (DFARS) 
    • 7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
    • 7019: Notice of NIST SP 800-171 DoD Assessment Requirements
    • 7020: NIST SP 800-171 DoD Assessment Requirements
    • 7021: Cybersecurity Maturity Model Certification Requirement

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!


Controlled Unclassified Information (CUI) resources


CUI requires safeguarding or dissemination controls pursuant to and consistent with the law, regulations and government-wide policies, excluding information that is classified under Executive Order 13526 or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. 




Additional CMMC resources


Here are some additional CMMC-related resources you may find useful.

Jeff Peters
Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.