CMMC & NIST SP 800-171

Title 48 of the Code of Federal Regulations (CFR), Chapter 2 Defense Acquisition Regulations System (also referred to as the Defense Acquisition Regulation Supplement, or DFARS) outlines requirements for solicitations and provisions for Federal Contractors. The 204.7304 Solicitation provision and contract clauses includes cyber requirements for Controlled Unclassified Information (CUI). It is within these provisions that requirements for cybersecurity are identified as NIST SP 800-171, identified in DFARS 252.204-7012.

The Cybersecurity Maturity Model Certification (CMMC) is a third-party attestation program and requirement for measuring adherence to NIST SP 800-171 (identified in the 48 CFR, specifically DFARS 252.204-7012). CMMC will be phased into contract requirements gradually, starting in Q4 of 2025.

Learn More about where requirements come from

Learn More about Implementing NIST controls and frameworks

International Standards - CPCSC

The Canadian Program for Cyber Security Certification (CPCSC) is a Canadian program focused on implementing cybersecurity baselines identified in the NIST SP 800-171 revision 3.

Initial Press Release: Read More

Cybersecurity Framework Breakdown: Coming Soon