Additional CMMC Resources

112Cyber is here to help you navigate Cyber Compliance.

CUI Training

Description: Mandatory training for all DoD personnel with access to CUI. It covers the required procedures for identifying, marking, safeguarding, decontrolling, destroying, and reporting incidents involving CUI. It also satisfies CUI training requirements for industry when mandated by government contracts.

Cybersecurity Awareness
Description: Provides foundational awareness of cyber threats, vulnerabilities, and intrusion methods within government and defense environments. Using a large-scale simulated cyber incident and supporting scenarios, the course teaches how attacks occur, what information is targeted, how to apply cybersecurity countermeasures, and when to report suspicious activity, showing how small events can lead to major consequences.

DOD Annual Security Awareness Refresher
Description: Interactive refresher training that reinforces core security requirements from DODM 5200.01, NISPOM, and related policies to ensure continued awareness of essential safeguarding and compliance responsibilities.
Description: Interactive initial security training that introduces the basic requirements from DODM 5200.01, NISPOM, and other applicable policies to ensure new personnel understand their foundational security responsibilities.

Identifying and Safeguarding Personally Identifiable Information (PII)
Description: Covers what PII and PHI are, why they matter, and the laws that govern their protection. The course trains personnel to identify sensitive information, understand proper and improper handling, and follow required safeguards. It also explains the consequences of unauthorized disclosure for both individuals and organizations. Designed for DoD personnel but applicable across federal agencies.

Marking Special Categories of Classified Information
Description: Explains the rules and methods for properly marking special categories of classified information, including general marking requirements and specific guidance for unique material types and information categories.

Description: Introduces what unauthorized disclosure is, clears up common misconceptions, and explains the potential damage it can cause. The course also outlines the penalties and sanctions for mishandling classified or controlled unclassified information.

DoD Cyber Awareness Challenge
Description: The official DoD foundational cybersecurity training. Covers core cybersecurity practices, insider threat awareness, information protection, and safe handling expectations relevant to CMMC Level 2 users.

Recognizing and Reporting Insider Threat (DHS / CISA Perspective)

Establishing an Insider Threat Program for Your Organization

Description: This resource provides guidance for Insider Threat Program Managers on how to design, structure, and implement an effective insider threat program. It covers required standards from Executive Order 13587, identifies key organizational disciplines that should form the insider threat team, and outlines essential training needed to meet national policy requirements.

Insider Threat Awareness

Description: Teaches the importance of insider threat awareness within a security program, using scenarios to highlight common risk indicators. The course encourages proactive reporting of concerning behaviors to help prevent harm and support positive outcomes in the workplace.

Maximizing Organizational Trust

Description: Explains how strong organizational trust motivates employees to support security and safety efforts. Based on research across business, psychology, and communication fields, this guide outlines best practices leaders can use to build and maintain a fair, honest, and transparent workplace culture.

Insider Threat Mitigation

Description: Effective insider threat mitigation requires a holistic program that integrates physical security measures, personnel awareness, and strong information-protection practices to reduce risk across the organization.

The CUI Registry (NARA)

Description: The official authoritative source for CUI categories, markings, safeguarding requirements, and decontrol guidance.

DoD
DHS – Cybersecurity & Infrastructure Security Agency (CISA) Training Material
  • Reference Securing Critical and High-Value Assets (HVAs) – CMMC Level 3
  • Intro to Investigating Logs for Incidents – CMMC Level 2
  • Intro to Incident Analysis
  • Understanding Indicators of Compromise (IOCs) for HVAs
CISA Tabletop Exercise Packages (Test your Incident Response Plan per CMMC Level 2)

Cyber Incident Reporting for DoD Contractors

Description: Contractors must report cyber incidents that impact CUI, covered contractor information systems, or operationally critical support within 72 hours as required by DFARS 252.204-7012.

Medium Assurance Certificate / External Certification Authorities (ECA) – DoD Cyber Exchange

CMMC Incident Response Procedures

Description: Provides guidance on the required procedures for safeguarding Covered Defense Information (CDI) and reporting cyber incidents under DFARS 204.73. These procedures outline how contracting officers and contractors must identify, mark, protect, and respond to compromises of CDI or operationally critical support, ensuring compliance with CMMC-aligned incident response and DoD reporting requirements.

Incident Response Tabletop Exercises

Description: Provides customizable tabletop exercise packages from CISA that help organizations evaluate and strengthen their incident response readiness. Each package includes scenarios, objectives, discussion questions, and reference materials to facilitate internal discussions and preparedness for various cyber threat events.

US-CERT / CISA – Cyber Threat Intelligence

Staying informed on emerging cyber threats is a requirement under both CMMC and NIST SP 800-171. One of the simplest and most effective ways to meet this requirement is to follow authoritative government threat-intelligence feeds.
U.S. Cybersecurity & Infrastructure Security Agency (CISA)

Description: CISA publishes timely alerts, advisories, and threat-intelligence bulletins for government contractors and critical-infrastructure organizations. These updates help organizations understand active threats, vulnerabilities, exploitation trends, and recommended defensive actions. To stay current, scroll to the bottom of the CISA page and use the Subscribe option to receive real-time email notifications.

Subscribe for Threat Intelligence

Security Configuration Standards and Hardening Guides

DISA Security Technical Implementation Guides (STIGs) & SRGs

Description: The DoD’s official configuration standards for securing operating systems, applications, databases, and network devices. Commonly referenced for CMMC and high-assurance environments.

Center for Internet Security (CIS) Benchmarks

Description: Industry-standard hardening baselines for modern operating systems, cloud platforms, and applications. Widely used in commercial and federal environments.

CIS Hardened Images

Description: Pre-hardened AMIs, VM images, and container baselines aligned with CIS Level 1 and Level 2 controls — suitable for CUI cloud workloads.

NIST Secure Configuration Checklists (National Checklist Program)

Description: NIST’s federal repository of secure configuration checklists for federal information systems. Maps directly to NIST SP 800-70 and supports CMMC alignment.

NIST Cryptographic Module Validation Program (CMVP)

Description: Use the CMVP database to confirm whether the cryptographic modules in your environment are FIPS 140-2 or FIPS 140-3 validated. For systems handling CUI, assessors expect organizations to reference the specific validation certificates associated with the encryption mechanisms they rely on. This resource supports the CMMC requirement to implement FIPS-validated cryptography, and serves as the authoritative evidence source for verifying that your encryption products meet federal validation standards.

NIST Templates

CMMC Resources & Documentation

Core documents required for CMMC Level 2 readiness and assessment preparation.

Helpful supporting documentation and compliance guidance for OSCs (Organizations Seeking Certification).