An open reference library and template archive for the Defense Industrial Base. Curated by federal practitioners, given away because the underlying frameworks are public and the templates should be too.
Direct links to the authoritative publications that govern CMMC, RMF, and DFARS compliance. The underlying material is free and public. We just put it in one place.
The authoritative DoD CIO page describing the CMMC program. Tiered model, the four-phase implementation timeline that began November 10, 2025, and the assessment requirements at each level.
DoD CIO documentation hub. Model definitions, level descriptions, scoping guides, assessment guides, and program updates.
How a CMMC L1 self-assessment is conducted. The 15 basic safeguarding requirements from FAR 52.204-21.
Full 110-control assessment methodology. Required for contractors handling CUI.
How to define your CMMC assessment scope. Identifies CUI assets, security protection assets, contractor risk managed assets, and out-of-scope assets.
Authorized C3PAOs, Registered Practitioners, training providers, and assessor directory.
Protecting Controlled Unclassified Information in Nonfederal Systems. The 110-control core of CMMC Level 2.
Prior revision, still cited in active DFARS clauses and many existing contracts.
Assessment procedures for 800-171. The actual evaluation criteria assessors apply.
Security and privacy controls catalog. Source material for federal RMF authorizations.
The Risk Management Framework lifecycle. Prepare, categorize, select, implement, assess, authorize, monitor.
Enhanced security requirements for protecting CUI associated with high-value assets and critical programs. CMMC Level 3 source material. Released May 2026, superseding the original SP 800-172.
Assessment procedures for the enhanced security requirements in 800-172r3. The evaluation criteria used to assess Level 3 controls. Released May 2026 alongside the parent publication.
Basic Safeguarding of Covered Contractor Information Systems. The 15 requirements at the foundation of CMMC Level 1. Linked via the eCFR.
Safeguarding Covered Defense Information and Cyber Incident Reporting. The clause that requires NIST 800-171 and 72-hour cyber incident reporting to DC3. Still active after the 2026 FAR Overhaul.
The SPRS scoring notification clause. Eliminated as a separate provision under the February 2026 FAR Overhaul, but still cited in active solicitations and contracts.
NIST SP 800-171 DoD Assessment Requirements. Requires Basic Assessment in SPRS for contractors and subcontractors. Linked via the eCFR.
Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements. The clause that makes CMMC a contract obligation. Active enforcement began November 10, 2025.
Notice of CMMC Level Requirements. The solicitation gatekeeper provision. If it appears in an RFP, you must have the required CMMC status in SPRS before you are eligible for award.
The six-step guide for new vendors. SAM registration, CAGE setup, Contractor Administrator (CAM) appointment, self-registration, and adding roles. Start here if you have no PIEE account.
The Procurement Integrated Enterprise Environment landing page. Where contractors actually log in to access SPRS and other DoD vendor systems.
How to add the SPRS Cyber Vendor User role to an existing PIEE account. Required to enter NIST 800-171 and CMMC assessment information.
For brand-new vendors without a PIEE account. Walks through registration plus SPRS role assignment in one flow.
How to enter your Basic Assessment score in SPRS. Required for compliance with DFARS 252.204-7019 / 7020.
How to enter your CMMC Level 2 self-assessment results in SPRS. Required for the affirmation cycle under DFARS 252.204-7021.
Supplier Performance Risk System. Where your self-assessed NIST 800-171 score and CMMC status are reported and stored.
The official DoD-developed CUI awareness course. Self-paced, free, and provides a completion certificate. Suitable for satisfying CUI training obligations under DFARS 252.204-7012.
DoD Counterintelligence and Security Agency's cybersecurity awareness training. Covers fundamental security practices and threat awareness for personnel handling sensitive information.
DoD-issued information technology awareness training. Covers acceptable use, social engineering, phishing, removable media, and incident reporting fundamentals.
CDSE training on unauthorized disclosure of classified information and CUI. Recommended supplement to IF141 for personnel who routinely handle controlled information.
Working templates for SSPs, policies, and procedures. A short form, then your download.
A complete policy starter kit aligned to the 17 controls of FAR 52.204-21 and CMMC Level 1. Designed for contractors who handle FCI but not CUI, who need to demonstrate basic safeguarding before bidding on prime work.
The full 110-control documentation kit aligned to NIST 800-171 and DFARS 252.204-7012. Includes every policy and procedure a CMMC Level 2 assessment will look for. Built from the same template set Howder Labs uses with paying clients.
A complete SSP shell with every 800-171 control prepopulated, ready for you to fill in environment, scope, and implementation specifics. Includes a guided framework for boundary diagrams, asset categorization, and POA&M tracking.
Individual documents for organizations that have most of their compliance documentation in place but need to fill specific gaps. Useful for spot-augmenting an existing SSP or responding to assessor findings.
Templates are a starting point. The work that follows is environment-specific implementation, evidence collection, and defending the artifacts in front of an assessor. That's where Howder Labs comes in.
Howder Labs is an SDVOSB cybersecurity firm built by a former NASA Information System Owner and Navy Validator. We deliver CMMC readiness, managed security, and federal IT for Defense Industrial Base contractors.