32 CFR Part 170 is a section of the Code of Federal Regulations that establishes the rules governing the CMMC (Cybersecurity Maturity Model Certification) program under the authority of the Department of Defense (DoD).

The Cybersecurity Maturity Model Certification (CMMC) Model Overview outlines the Department of Defense’s approach to assessing the cybersecurity of its contractors.

The CMMC Scoping Guide for Level 1 provides guidance on identifying which assets within a contractor’s environment must be protected and assessed when handling Federal Contract Information (FCI).

The CMMC Level 1 Self-Assessment Guide provides instructions for DoD contractors to evaluate their compliance with 15 basic safeguarding practices required under FAR 52.204-21 to protect Federal Contract Information (FCI).

The CMMC Level 2 Scoping Guidance outlines how contractors must identify and categorize assets in their environment when preparing for an assessment related to Controlled Unclassified Information (CUI). This applies to both self-assessments and third-party/government-led assessments.

The CMMC Level 2 Assessment Guide provides detailed instructions for conducting assessments against the 110 security requirements outlined in NIST SP 800-171, which are mandatory for protecting Controlled Unclassified Information (CUI).

The CMMC Level 3 Assessment Guide provides a framework for evaluating an organization’s implementation of advanced cybersecurity practices required to protect highly sensitive Controlled Unclassified Information (CUI) in support of critical national security objectives.

The CMMC Level 3 Scoping Guidance (v2.13) outlines how DoD contractors must identify and document systems and assets in preparation for a Level 3 certification assessment, as defined in 32 CFR § 170.19. This guide is for organizations handling highly sensitive Controlled Unclassified Information (CUI) that supports national security missions.

The CMMC Hashing Guide (v2.13) provides instructions for using the CMMC Artifact Hashing Tool, a PowerShell-based script that generates cryptographic hashes (using SHA-256) of assessment artifacts. This process ensures the integrity of evidence collected during a CMMC Level 2 or Level 3 assessment.