Authoritative Frameworks and References
DoD CMMC Program Website
https://dodcio.defense.gov/CMMC/
Centralized resource for CMMC 2.0 guidance, FAQs, and official updates from the DoD CIO.
NIST SP 800-171 Revision 3
https://csrc.nist.gov/pubs/sp/800/171/r3/final
The latest version of NIST’s baseline security requirements for protecting CUI in nonfederal systems, with expanded families for planning, acquisition security, and supply chain risk management.
CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Regularly updated list of vulnerabilities actively exploited in the wild, including CVE-2009-0556, highlighted this week.
DFARS 252.204-7021 (CMMC Clause)
The specific DFARS clause that integrates CMMC requirements into DoD contracts, now active in solicitations.
CMMC Final Rule – Federal Register
https://www.federalregister.gov/documents/2025/09/10/2025-17359/
The official CMMC final rule with Phase 2 requirements and timelines.
FY 2026 NDAA – Cybersecurity Provisions Summary
Analysis of AI/ML, supply chain, and harmonization requirements in the 2026 NDAA.
DoD CIO Memorandum: Incident Reporting and CUI Classification Alignment
https://dodcio.defense.gov/Cyber-Exchange/
Clarifying guidance integrating CUI classification determinations within DFARS 252.204-7012 72-hour reporting timelines. Critical reference for incident response procedure updates.
NIST SP 800-218A: Secure Software Development Framework for AI/ML (Draft)
https://csrc.nist.gov/publications/
Emerging framework for AI/ML security assessment applicable to third-party vendor evaluation. Monitor for final publication, expected Q2 2026, to inform vendor assessment questionnaire development.
DIBCAC C3PAO Registry and Performance Metrics
https://www.dibcac.org/c3pao-registry
Official registry of DIBCAC-accredited assessment organizations with qualification summaries. Use as primary verification source when evaluating C3PAO proposals.