CMMC Resources — CMMC Marketplace

DOD Resources

DFARS Clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

DFARS Clause 252.204-7020: NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
- Effective 1 Oct 2025. Requires CMMC certificate by time of contract award. Until 1 Oct 2025, DoD must approve CMMC clause in new acquisitions. Contractor certification level must be maintained for contract duration and this clause must be flowed down, as required.

NIST SP 800-171 Rev. 2: Protecting CUI in Nonfederal Systems

NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information (A Supplement to NIST Special Publication 800-171)

Defense Counterintelligence and Security Agency (DCSA) CUI program overview

Supplier Performance Risk System (SPRS)
- SPRS “...is the authoritative source to retrieve supplier and product PI [performance information] assessments for the DoD [Department of Defense] acquisition community to use in identifying, assessing, and monitoring unclassified performance.” (DoDI 5000.79)

The Use of the Supplier Performance Risk System (SPRS) in Implementing DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements
- Provides offerors guidance on the use of SPRS in Implementing DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements.

DODI 5200.48 – Controlled Unclassified Information
- Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order 13556; 32 CFR Part 2002, "Controlled Unclassified Information;“ and DFARS secs. 252.204-7008 and 252.204-7012. Also, establishes the official DoD CUI Registry.

DODI 5000.90 – Cybersecurity for Acquisition Decision Authorities and Program Managers

Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021)