Source library.
The bibliography, and how to read it.
Everything on this desk traces back to one of the documents below. This page does not just link them — it says when to reach for each one. For what a specific term means, see the Glossary; for a shortcut from a specific question to a specific source, see The System.
01The program rule
| Document | What it is | When to reach for it |
|---|---|---|
| 32 CFR Part 170 Cybersecurity Maturity Model Certification (CMMC) Program |
The program rule itself: levels, assessment types, statuses, scoring, POA&M, scoping, phasing. | Any question about how CMMC itself works, as opposed to a specific security requirement. |
02The acquisition rule
| Document | What it is | When to reach for it |
|---|---|---|
| DFARS 252.204-7021 Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements · Nov 2025 |
The clause that puts a CMMC Status requirement into an actual contract — part of the broader final rule amending 48 CFR Parts 204, 212, 217, and 252 (DFARS Case 2019-D041), effective 2025-11-10. | The contract-clause mechanics: what a contracting officer must insert, what “current” status means, what flow-down requires, what a contractor must report. |
| DFARS 252.204-7025 Notice of Cybersecurity Maturity Model Certification Level Requirements · Nov 2025 |
The solicitation provision that names the CMMC level a specific award requires, makes a current status and affirmation in SPRS a condition of award eligibility, and asks offerors for the CMMC UIDs of the systems involved. | Confirming exactly what a solicitation requires before award, and what has to be current in SPRS at that moment. |
03Companion clauses
| Document | What it is | When to reach for it |
|---|---|---|
| DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting |
The baseline safeguarding duty that predates CMMC, plus the 72-hour cyber-incident reporting obligation. | Understanding the incident-reporting clock, or the safeguarding duty that CMMC now verifies rather than replaces. |
| DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements |
The provision requiring a current NIST SP 800-171 DoD Assessment score posted to SPRS before award. Removed from new solicitations by an interim class deviation (February 2026); contracts that already carry it still mean what they say. | Confirming the SPRS-score-posting obligation tied to a specific solicitation. |
| DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements |
Government access to assessment information, plus the mechanics of flowing requirements down to subcontractors. Appears as 252.240-7997 in new solicitations from February 2026 (interim class deviation). | Subcontractor flow-down questions, or understanding what a government assessment team can ask to see. |
Where the 2026 numbering changes live: DoD publishes the interim class deviations that removed 7019, renumbered 7020 to 252.240-7997, and moved the DFARS cyber subparts into Part 240 as memoranda on the Defense Pricing, Contracting, and Acquisition Policy (DPCAP) class-deviations page — they are not yet in the codified DFARS text. The contract clauses carries the desk’s full old-to-new map.
04Assessment guides
| Document | What it is | When to reach for it |
|---|---|---|
| CMMC Level 1 Self-Assessment Guide | DoD’s guide to how a Level 1 self-assessment is actually performed. | Preparing to understand what an L1 self-assessment checks, requirement by requirement. |
| CMMC Level 2 Assessment Guide | DoD’s guide to Level 2 assessment methodology, built on NIST SP 800-171A’s objectives. | Understanding assessment objectives and methodology for the 110, whether self-assessing or preparing for a C3PAO. |
| CMMC Level 3 Assessment Guide | DoD’s guide to DIBCAC’s Level 3 assessment methodology. | Understanding how the 24 selected enhanced requirements get assessed. |
05Scoping guides
| Document | What it is | When to reach for it |
|---|---|---|
| CMMC Level 1 Scoping Guidance | How to determine which assets fall inside a Level 1 assessment. | Drawing the boundary for an FCI-only environment. |
| CMMC Level 2 Scoping Guidance | How to sort assets into the five categories — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets. | Determining what is actually in a Level 2 CMMC Assessment Scope (Boundary page). |
| CMMC Level 3 Scoping Guidance | How Level 3 scope builds on a Level 2 scope already established. | Confirming what changes in scope between a Final Level 2 (C3PAO) assessment and the Level 3 assessment that follows it. |
06The NIST layer
| Document | What it is | When to reach for it |
|---|---|---|
| NIST SP 800-171 Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |
The actual text of the 110 security requirements Level 2 is built on. | Reading exactly what a specific requirement (e.g. 3.5.3) says. |
| NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information |
The assessment objectives — the determination statements an assessor actually works through. | Understanding how MET is decided, requirement by requirement, not just what the requirement says. |
| NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information |
The pool of 39 enhanced requirements Level 3 selects 24 from. | Understanding what a Level 3 enhancement actually adds on top of the 110. |
07The systems
| System | What it is | When to reach for it |
|---|---|---|
| SPRS Supplier Performance Risk System |
Where scores, statuses, and affirmations are officially posted and stored. | Checking or posting a CMMC Status, score, or affirmation. |
| eMASS (CMMC instance) Enterprise Mission Assurance Support Service |
The government system where C3PAO and DIBCAC certification assessment results are formally filed. See the CMMC eMASS briefing (DoD CIO, Feb 2025). | Understanding where certification results go before a status shows up in SPRS. |
| Cyber AB Marketplace | The Cyber AB’s public catalog of accredited C3PAOs and certified assessors. | Looking up whether an organization or individual is actually accredited or certified. |
| DoD CUI Program | DoD’s implementation of the government-wide CUI Program — categories, markings, and DoD-specific guidance. | Identifying CUI categories and markings (Data page). |
08How this desk stays current
CMMC is an active rulemaking program. This desk is reviewed on a standing quarterly cadence, and sooner if any of the following happen:
- Rulemaking to incorporate NIST SP 800-171 Revision 3 — supersedes the class-deviation pin described on The System. The highest-impact trigger on this list.
- Phase transitions — 2026-11-10 (Phase 2), 2027-11-10 (Phase 3), 2028-11-10 (Phase 4). Status lines and FAQ answers across the desk change with each.
- New or changed DoD class deviations, or CMMC FAQ updates; Assessment Guide or Scoping Guide revisions.
- Amendments to 32 CFR Part 170 or the DFARS clauses — including the rulemaking that will formalize (or revise) the 2026 interim clause renumbering; SPRS scoring methodology changes.
- Material changes to the Cyber AB / C3PAO ecosystem.
- Standing cadence: quarterly review regardless of whether any trigger above has fired.
Last full review: 2026-07-07.