Tell us about the engagement
What best describes your engagement? (pick one or more)
These choices reveal the rest of the questions that matter for your case.
Agency / Customer
Pick the most specific owner of the work.
Role
Data sensitivity
Hosting / Processing
Program criticality
Used to decide C3PAO vs self-assessment under CMMC L2.
Special data regimes
Supply-chain depth
Third-party involvement
Contract context (optional)
How to proceed
Execution plan
What this covers
- FAR 52.204-21 (FCI basic safeguarding) → CMMC L1.
- DFARS 252.204-7012/-7019/-7020/-7021 for CUI → CMMC L2; L3 for select DoD programs.
- FedRAMP Moderate when CUI is in a CSP; options for StateRAMP and DoD SRG IL4/IL5.
- FISMA/RMF (800-37) + 800-53 baselines when you operate systems on behalf of an agency (ATO path).
- NIST SSDF (800-218), SBOM, provenance for software suppliers.
- NIST 800-161 r1 C-SCRM and flow-downs; overlays such as CJIS, IRS 1075, FERPA, HIPAA, PCI.
Accuracy & review
- Built on widely published requirements (FAR 52.204-21; DFARS 252.204-7012/-7019/-7020/-7021; CMMC 2.0 ↔ NIST 800-171; FedRAMP Moderate; FISMA/RMF + 800-53 for ATOs).
- The contract controls: solicitation/KO direction plus agency overlays (DHS 4300A/B, CJIS, IRS 1075, etc.).
- Last reviewed: 2025-11-03. Re-validate per award/option year.
Need an authoritative read-through? ABI can review clauses, confirm scope (FCI vs CUI), and build your SSP/POA&M and flow-down package.