An open reference library and template archive for the Defense Industrial Base. Curated by federal practitioners, given away because the underlying frameworks were never meant to be hoarded by consultants.
Direct links to the authoritative publications that govern CMMC, RMF, and DFARS compliance. The underlying material is free and public. We just put it in one place.
Protecting Controlled Unclassified Information in Nonfederal Systems. The 110-control core of CMMC Level 2.
Prior revision, still cited in active DFARS clauses and many existing contracts.
Assessment procedures for 800-171. The actual evaluation criteria assessors apply.
Security and privacy controls catalog. Source material for federal RMF authorizations.
The Risk Management Framework lifecycle. Prepare, categorize, select, implement, assess, authorize, monitor.
Enhanced security requirements for protecting CUI associated with high-value assets and critical programs. CMMC Level 3 source material. Released May 2026, superseding the original SP 800-172.
Assessment procedures for the enhanced security requirements in 800-172r3. The evaluation criteria used to assess Level 3 controls. Released May 2026 alongside the parent publication.
Official DoD CIO documentation hub. Model definitions, level descriptions, and program updates.
How a CMMC L1 self-assessment is conducted. 17 requirements from FAR 52.204-21.
Full 110-control assessment methodology. Required for contractors handling CUI.
How to define your CMMC assessment scope. Identifies CUI assets, security protection assets, contractor risk managed assets, and out-of-scope assets.
Authorized C3PAOs, Registered Practitioners, training providers, and assessor directory.
Safeguarding covered defense information and cyber incident reporting. The clause that requires NIST 800-171. Still active after the 2026 FAR Overhaul.
Contractor compliance with the Cybersecurity Maturity Model Certification level requirements. The clause that makes CMMC a contract obligation.
The SPRS scoring notification clause. Eliminated as a separate provision under the February 2026 FAR Overhaul, but still cited in active solicitations and contracts. Linked via the eCFR.
Supplier Performance Risk System. Where your self-assessed NIST 800-171 score is reported and stored.
The official DoD-developed CUI awareness course. Self-paced, free, and provides a completion certificate. Suitable for satisfying CUI training obligations under DFARS 252.204-7012.
DoD Counterintelligence and Security Agency's cybersecurity awareness training. Covers fundamental security practices and threat awareness for personnel handling sensitive information.
DoD-issued information technology awareness training. Covers acceptable use, social engineering, phishing, removable media, and incident reporting fundamentals.
CDSE training on unauthorized disclosure of classified information and CUI. Recommended supplement to IF141 for personnel who routinely handle controlled information.
Working templates for SSPs, policies, and procedures. A short form, then your download.
A complete policy starter kit aligned to the 17 controls of FAR 52.204-21 and CMMC Level 1. Designed for contractors who handle FCI but not CUI, who need to demonstrate basic safeguarding before bidding on prime work.
The full 110-control documentation kit aligned to NIST 800-171 and DFARS 252.204-7012. Includes every policy and procedure a CMMC Level 2 assessment will look for. Built from the same template set Howder Labs uses with paying clients.
A complete SSP shell with every 800-171 control prepopulated, ready for you to fill in environment, scope, and implementation specifics. Includes a guided framework for boundary diagrams, asset categorization, and POA&M tracking.
Individual documents for organizations that have most of their compliance documentation in place but need to fill specific gaps. Useful for spot-augmenting an existing SSP or responding to assessor findings.
Templates are a starting point. The work that follows is environment-specific implementation, evidence collection, and defending the artifacts in front of a real assessor. That's where Howder Labs is paid to help.
Howder Labs is an SDVOSB cybersecurity firm built by a former NASA Information System Owner and Navy Validator. We deliver CMMC readiness, managed security, and federal IT for Defense Industrial Base contractors.