Official CMMC Resources

CMMC Resources & Reference Materials

Official links, reference documents, and quick-reference checklists for CMMC Level 1 (17 practices) and Level 2 (110 practices across 14 domains). All content is sourced from the Cyber-AB and DoD CMMC program office.

Official CMMC Links

Always verify CMMC information from these official government and Cyber-AB sources.

Official Accreditation Body

Cyber-AB (CMMC Accreditation Body)

The official Cyber-AB website — the DoD-authorized accreditation body that manages the CMMC ecosystem, RPO/C3PAO listings, and practitioner certifications.

Official DoD Program

DoD CMMC Program Office

The official DoD CMMC program website with the latest policy updates, DFARS clauses, model documentation, and implementation guidance for contractors.

Verify Providers

Cyber-AB CMMC Marketplace

The official Cyber-AB marketplace where you can verify RPO, C3PAO, and RP listings — including Galaxy Consulting's RPO authorization.

NIST Standard

NIST SP 800-171 Rev 2

NIST Special Publication 800-171 Revision 2 — the security standard that underpins CMMC Level 2. Understanding this document provides context for Level 1 requirements.

Legal Basis for Level 1

FAR 52.204-21

Federal Acquisition Regulation clause 52.204-21 — the legal basis for CMMC Level 1. The 15 requirements in this clause form the foundation of the 17 Level 1 practices.

Legal Basis for Level 2

DFARS 252.204-7012

Defense Federal Acquisition Regulation Supplement clause 252.204-7012 — Safeguarding Covered Defense Information. The legal basis for CMMC Level 2. If this clause is in your contract, you handle CUI and need Level 2.

Score Submission Portal

SPRS (Supplier Performance Risk System)

The DoD's Supplier Performance Risk System where contractors submit their CMMC self-assessment scores. DoD contracting officers can view your SPRS score.

Quick Reference

CMMC Level 1 — All 17 Practices at a Glance

Use this checklist to do a quick self-check of your current compliance posture. For a thorough assessment, contact Galaxy Consulting.

Limit system access to authorized users only
Limit user access to authorized transaction types
Verify and control connections to external systems
Control FCI on publicly accessible systems
Identify all users, processes, and devices
Authenticate identities before granting access
Sanitize or destroy media before disposal or reuse
Limit physical access to authorized individuals
Escort visitors and monitor visitor activity
Maintain audit logs of physical access
Control and manage physical access devices
Monitor and protect communications at network boundaries
Implement subnetworks for publicly accessible components
Identify and correct system flaws in a timely manner
Deploy malicious code protection on all systems
Update malicious code protection mechanisms regularly
Perform periodic and real-time system scans

For detailed practice descriptions and implementation guidance, see the CMMC Level 1 page or visit cyberab.org.

Quick Reference

CMMC Level 2 — 14 Domains at a Glance

All 110 Level 2 practices from NIST SP 800-171 r2 are organized into 14 security domains. Every organization seeking Level 2 must demonstrate compliance across all domains.

AC: Access Control (22 practices)
AT: Awareness & Training (3 practices)
AU: Audit & Accountability (9 practices)
CM: Configuration Management (9 practices)
IA: Identification & Authentication (11 practices)
IR: Incident Response (3 practices)
MA: Maintenance (6 practices)
MP: Media Protection (9 practices)
PE: Physical Protection (6 practices)
PS: Personnel Security (2 practices)
RA: Risk Assessment (3 practices)
CA: Security Assessment (4 practices)
SC: System & Communications Protection (16 practices)
SI: System & Information Integrity (7 practices)

Total: 110 practices across 14 domains — sourced from NIST SP 800-171 r2.


Need Help Interpreting These Requirements?

Galaxy Consulting is a Cyber-AB authorized CMMC RPO with Registered Practitioners on staff. We translate official CMMC requirements into plain-English action steps tailored to your specific business environment. Contact us for a free initial consultation.