CUI & CMMC Readiness Guide
This guide is very early in development. I’m building it as quickly as possible, so expect sections and content to change as the full idea behind the guide develops.
Introduction
This guide is based on NIST SP 800-171 revision 3.
Disclaimer
The guidance and advice I share is meant for general informational purposes only and does not represent a formal professional relationship between myself and anyone reading this. While my background informs the advice I give, I am not liable for any decisions made based on my guidance. If you are dealing with something serious, I strongly recommend reaching out to a qualified IT compliance professional, as my advice is not a replacement for specialized expert guidance.
CUI & CMMC
- The relationship between the CUI and CMMC programs
- The levels in CMMC. If you only need Level 1 (L1), see this post. This guide is specifically about Level 2 (L2).
Regulatory & Compliance Context
- NIST SP 800-171 (the foundational requirement for non-federal CUI protection)
- NIST SP 800-172 (enhanced requirements for critical programs)
- CMMC 2.0 (if you’re in the defense industrial base)
- DFARS 252.204-7012 (defense contractor requirements)
- FISMA (if you’re a federal agency)
- 32 CFR Part 170 (CUI Program law)
- FedRAMP (for cloud service providers handling CUI)