Deretti Cyber Labs CMMC Desk · Source Library

Source library.

The bibliography, and how to read it.

Everything on this desk traces back to one of the documents below. This page does not just link them — it says when to reach for each one. For what a specific term means, see the Glossary; for a shortcut from a specific question to a specific source, see The System.

01The program rule

The CMMC program rule
DocumentWhat it isWhen to reach for it
32 CFR Part 170
Cybersecurity Maturity Model Certification (CMMC) Program
The program rule itself: levels, assessment types, statuses, scoring, POA&M, scoping, phasing. Any question about how CMMC itself works, as opposed to a specific security requirement.

02The acquisition rule

The CMMC acquisition rule
DocumentWhat it isWhen to reach for it
DFARS 252.204-7021
Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements · Nov 2025
The clause that puts a CMMC Status requirement into an actual contract — part of the broader final rule amending 48 CFR Parts 204, 212, 217, and 252 (DFARS Case 2019-D041), effective 2025-11-10. The contract-clause mechanics: what a contracting officer must insert, what “current” status means, what flow-down requires, what a contractor must report.
DFARS 252.204-7025
Notice of Cybersecurity Maturity Model Certification Level Requirements · Nov 2025
The solicitation provision that names the CMMC level a specific award requires, makes a current status and affirmation in SPRS a condition of award eligibility, and asks offerors for the CMMC UIDs of the systems involved. Confirming exactly what a solicitation requires before award, and what has to be current in SPRS at that moment.

03Companion clauses

DFARS companion clauses related to CMMC
DocumentWhat it isWhen to reach for it
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting
The baseline safeguarding duty that predates CMMC, plus the 72-hour cyber-incident reporting obligation. Understanding the incident-reporting clock, or the safeguarding duty that CMMC now verifies rather than replaces.
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements
The provision requiring a current NIST SP 800-171 DoD Assessment score posted to SPRS before award. Removed from new solicitations by an interim class deviation (February 2026); contracts that already carry it still mean what they say. Confirming the SPRS-score-posting obligation tied to a specific solicitation.
DFARS 252.204-7020
NIST SP 800-171 DoD Assessment Requirements
Government access to assessment information, plus the mechanics of flowing requirements down to subcontractors. Appears as 252.240-7997 in new solicitations from February 2026 (interim class deviation). Subcontractor flow-down questions, or understanding what a government assessment team can ask to see.

Where the 2026 numbering changes live: DoD publishes the interim class deviations that removed 7019, renumbered 7020 to 252.240-7997, and moved the DFARS cyber subparts into Part 240 as memoranda on the Defense Pricing, Contracting, and Acquisition Policy (DPCAP) class-deviations page — they are not yet in the codified DFARS text. The contract clauses carries the desk’s full old-to-new map.

04Assessment guides

CMMC assessment guides by level
DocumentWhat it isWhen to reach for it
CMMC Level 1 Self-Assessment Guide DoD’s guide to how a Level 1 self-assessment is actually performed. Preparing to understand what an L1 self-assessment checks, requirement by requirement.
CMMC Level 2 Assessment Guide DoD’s guide to Level 2 assessment methodology, built on NIST SP 800-171A’s objectives. Understanding assessment objectives and methodology for the 110, whether self-assessing or preparing for a C3PAO.
CMMC Level 3 Assessment Guide DoD’s guide to DIBCAC’s Level 3 assessment methodology. Understanding how the 24 selected enhanced requirements get assessed.

05Scoping guides

CMMC scoping guides by level
DocumentWhat it isWhen to reach for it
CMMC Level 1 Scoping Guidance How to determine which assets fall inside a Level 1 assessment. Drawing the boundary for an FCI-only environment.
CMMC Level 2 Scoping Guidance How to sort assets into the five categories — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, Out-of-Scope Assets. Determining what is actually in a Level 2 CMMC Assessment Scope (Boundary page).
CMMC Level 3 Scoping Guidance How Level 3 scope builds on a Level 2 scope already established. Confirming what changes in scope between a Final Level 2 (C3PAO) assessment and the Level 3 assessment that follows it.

06The NIST layer

NIST publications underlying CMMC
DocumentWhat it isWhen to reach for it
NIST SP 800-171 Rev. 2
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
The actual text of the 110 security requirements Level 2 is built on. Reading exactly what a specific requirement (e.g. 3.5.3) says.
NIST SP 800-171A
Assessing Security Requirements for Controlled Unclassified Information
The assessment objectives — the determination statements an assessor actually works through. Understanding how MET is decided, requirement by requirement, not just what the requirement says.
NIST SP 800-172
Enhanced Security Requirements for Protecting Controlled Unclassified Information
The pool of 39 enhanced requirements Level 3 selects 24 from. Understanding what a Level 3 enhancement actually adds on top of the 110.

07The systems

Operational systems used in the CMMC program
SystemWhat it isWhen to reach for it
SPRS
Supplier Performance Risk System
Where scores, statuses, and affirmations are officially posted and stored. Checking or posting a CMMC Status, score, or affirmation.
eMASS (CMMC instance)
Enterprise Mission Assurance Support Service
The government system where C3PAO and DIBCAC certification assessment results are formally filed. See the CMMC eMASS briefing (DoD CIO, Feb 2025). Understanding where certification results go before a status shows up in SPRS.
Cyber AB Marketplace The Cyber AB’s public catalog of accredited C3PAOs and certified assessors. Looking up whether an organization or individual is actually accredited or certified.
DoD CUI Program DoD’s implementation of the government-wide CUI Program — categories, markings, and DoD-specific guidance. Identifying CUI categories and markings (Data page).

08How this desk stays current

CMMC is an active rulemaking program. This desk is reviewed on a standing quarterly cadence, and sooner if any of the following happen:

  1. Rulemaking to incorporate NIST SP 800-171 Revision 3 — supersedes the class-deviation pin described on The System. The highest-impact trigger on this list.
  2. Phase transitions — 2026-11-10 (Phase 2), 2027-11-10 (Phase 3), 2028-11-10 (Phase 4). Status lines and FAQ answers across the desk change with each.
  3. New or changed DoD class deviations, or CMMC FAQ updates; Assessment Guide or Scoping Guide revisions.
  4. Amendments to 32 CFR Part 170 or the DFARS clauses — including the rulemaking that will formalize (or revise) the 2026 interim clause renumbering; SPRS scoring methodology changes.
  5. Material changes to the Cyber AB / C3PAO ecosystem.
  6. Standing cadence: quarterly review regardless of whether any trigger above has fired.

Last full review: 2026-07-07.