NIST & CMMC References
Key publications and resources for CMMC Level 1 compliance guidance.
| Publication | Title | Description |
|---|---|---|
| NIST SP 800-171 | Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | The primary NIST publication that CMMC Level 1 maps to. Defines 14 families of security requirements. |
| NIST SP 800-53 Rev. 5 | Security and Privacy Controls for Information Systems and Organizations | Comprehensive catalog of security and privacy controls for federal information systems. |
| NIST CSF 2.0 | Cybersecurity Framework Version 2.0 | Voluntary framework for improving cybersecurity risk management across all sectors. |
| NIST SP 800-171A | Assessing Security Requirements for Controlled Unclassified Information | Assessment procedures for NIST SP 800-171 security requirements, used for CMMC self-assessments. |
| DFARS 252.204-7012 | Safeguarding Covered Defense Information and Cyber Incident Reporting | The Defense Federal Acquisition Regulation Supplement clause requiring CMMC compliance for DoD contractors. |
| CMMC Model Overview | Cybersecurity Maturity Model Certification (CMMC) Program | Official DoD CMMC program page with current model documentation and implementation guidance. |
| NIST SP 800-37 Rev. 2 | Risk Management Framework for Information Systems and Organizations | Framework for integrating security and risk management activities into the system development life cycle. |
| CISA Cybersecurity Resources | CISA Free Cybersecurity Services and Tools | Free tools and resources from CISA to help organizations improve their cybersecurity posture. |
| NIST SP 800-61 Rev. 2 | Computer Security Incident Handling Guide | Guidelines for incident handling, including preparation, detection, containment, eradication, and recovery. |
| NIST SP 800-30 Rev. 1 | Guide for Conducting Risk Assessments | Guidance on conducting risk assessments to determine the likelihood and impact of security threats. |
How to Use These References
- Start with NIST SP 800-171 — This is the primary standard that CMMC Level 1 maps to
- Use SP 800-171A for self-assessment procedures and determining your compliance gaps
- Reference NIST CSF 2.0 for a broader cybersecurity risk management approach
- Check CISA resources for free tools to improve your security posture immediately
- Review DFARS 252.204-7012 if you are a DoD contractor to understand contractual requirements