CMMC, DFARS, and NIST: The Authoritative Sources (and Where to Find Them)
A pointer map to the authoritative CMMC, FAR/DFARS, NIST, and CUI sources — read the requirements at the source, not from a summary.
Read it at the source
There is a lot of secondhand commentary about CMMC. The best way to avoid being misled is to read the requirements at the authoritative source. This page is a pointer map — it tells you where each source lives and what it covers. It does not interpret the regulations, summarize them as advice, or tell you how they apply to your organization. For that, use qualified internal personnel, legal counsel, or an authorized advisor.
A note on currency: the current CMMC Level 2 baseline is NIST SP 800-171 Rev. 2. Revision 3 exists and is worth watching for future planning, but do not treat it as the assessment baseline unless and until the program rule changes. Regulations move, so always verify against the source.
CMMC
- 32 CFR Part 170 — CMMC Program Rule (program structure, levels, assessment requirements): https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170
- 48 CFR Part 204, Subpart 204.75 — CMMC Acquisition Rule (how CMMC enters contracts): https://www.ecfr.gov/current/title-48/chapter-2/subchapter-A/part-204/subpart-204.75
- DoD CMMC official site: https://dodcio.defense.gov/CMMC/
FAR and DFARS cyber clauses
- FAR 52.204-21 — Basic Safeguarding (FCI / Level 1): https://www.acquisition.gov/far/52.204-21
- DFARS 252.204-7012 — Safeguarding CDI and Cyber Incident Reporting: https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7012
- DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements: https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7019
- DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements: https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7020
- DFARS 252.204-7021 — Contractor Compliance with CMMC Requirements: https://www.ecfr.gov/current/title-48/chapter-2/subchapter-H/part-252/subpart-252.2/section-252.204-7021
NIST
- NIST SP 800-171 Rev. 2 (current Level 2 baseline): https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
- NIST SP 800-171A (assessment procedures): https://csrc.nist.gov/pubs/sp/800/171/a/final
- NIST SP 800-172 (enhanced requirements / Level 3 planning): https://csrc.nist.gov/pubs/sp/800/172/final
- NIST SP 800-171 Rev. 3 (future-planning reference, not the current baseline): https://csrc.nist.gov/pubs/sp/800/171/r3/final
CUI
- National Archives CUI Registry (authoritative CUI categories and marking): https://www.archives.gov/cui
- DoD CUI Program: https://www.dodcui.mil/
From sources to evidence
Reading the requirements is step one; organizing the evidence that shows what you do is the ongoing work. If you want a standardized, self-service way to organize that evidence, see the DIBStack Evidence Binder or start free with the DIB evidence folder structure. DIBStack provides the organizing tools; it does not interpret these sources or determine your compliance.
Related product
DIBStack Evidence Binder
Folder structures, evidence checklists, workbooks, logs, and templates for organizing cybersecurity evidence.