An open reference library and template archive for the Defense Industrial Base. Curated by federal practitioners, given away because the underlying frameworks were never meant to be hoarded by consultants.
Direct links to the authoritative publications that govern CMMC, RMF, and DFARS compliance. The underlying material is free and public. We just put it in one place.
Protecting Controlled Unclassified Information in Nonfederal Systems. The 110-control core of CMMC Level 2.
Prior revision, still cited in active DFARS clauses and many existing contracts.
Assessment procedures for 800-171. The actual evaluation criteria assessors apply.
Security and privacy controls catalog. Source material for federal RMF authorizations.
The Risk Management Framework lifecycle. Prepare, categorize, select, implement, assess, authorize, monitor.
Enhanced security requirements for high-value assets. CMMC Level 3 source material.
Official DoD CIO documentation hub. Model definitions, level descriptions, and program updates.
How a CMMC L1 self-assessment is conducted. 17 requirements from FAR 52.204-21.
Full 110-control assessment methodology. Required for contractors handling CUI.
How to define your CMMC assessment scope. Identifies CUI assets, security protection assets, contractor risk managed assets, and out-of-scope assets.
Authorized C3PAOs, Registered Practitioners, training providers, and assessor directory.
Safeguarding covered defense information and cyber incident reporting. The clause that requires NIST 800-171.
SPRS scoring requirements, NIST DoD assessment methodology, and the CMMC clause itself.
Supplier Performance Risk System. Where your self-assessed NIST 800-171 score is reported and stored.
Working templates for SSPs, policies, and procedures. Request a bundle and we will email you the download. No payment, no upsell.
A complete policy starter kit aligned to the 17 controls of FAR 52.204-21 and CMMC Level 1. Designed for contractors who handle FCI but not CUI, who need to demonstrate basic safeguarding before bidding on prime work.
The full 110-control documentation kit aligned to NIST 800-171 and DFARS 252.204-7012. Includes every policy and procedure a CMMC Level 2 assessment will look for. Built from the same template set Howder Labs uses with paying clients.
A complete SSP shell with every 800-171 control prepopulated, ready for you to fill in environment, scope, and implementation specifics. Includes a guided framework for boundary diagrams, asset categorization, and POA&M tracking.
Individual documents for organizations that have most of their compliance documentation in place but need to fill specific gaps. Useful for spot-augmenting an existing SSP or responding to assessor findings.
Templates get you 60% of the way to an assessment. The other 40% is environment-specific implementation, evidence collection, and defending the artifacts in front of a real assessor. That's where Howder Labs is paid to help.
Howder Labs is an SDVOSB cybersecurity firm built by a former NASA Information System Owner and Navy Validator. We deliver CMMC readiness, managed security, and federal IT for Defense Industrial Base contractors.