CMMC Brain
CMMC Brain is a web-based knowledge graph designed to help Organizations Seeking Certification (OSCs) systematically understand, map, and manage the full set of 320 CMMC Level 2 and Level 3 controls. Built using a “web brain” model, it presents CMMC requirements as interconnected objects rather than isolated checklist items, allowing organizations to see how controls, assessment objectives, evidence, systems, and responsibilities relate to one another.
The platform consolidates critical, publicly available resources—CMMC requirements, NIST SP 800-171 mappings, assessment objectives, scoping considerations, and implementation references—into a single navigable structure. This enables OSCs to trace each control from requirement to implementation, identify gaps, and organize evidence in a way that aligns with assessor expectations.
The Open Source Edition of CMMC Brain is provided free for commercial use. It is intended as a reference and planning resource, not a turnkey compliance solution, and does not prescribe specific implementations. Instead, it supports informed decision-making, defensible documentation, and clearer internal communication as organizations prepare for CMMC assessments.
CMMC Level 1 Scoping and Assessment Guides
Level 1 scoping defines the limited set of people, systems, and processes that handle Federal Contract Information (FCI). The assessment guidance explains how basic safeguarding practices are verified, typically through documentation review and interviews, to confirm that FCI is protected from unauthorized disclosure. Level 1 assessments focus on clarity of boundaries and straightforward implementation rather than complex technical controls.
https://dowcio.war.gov/Portals/0/Documents/CMMC/ScopingGuideL1v2.pdf
https://dowcio.war.gov/Portals/0/Documents/CMMC/AssessmentGuideL1v2.pdf
CMMC Level 2 Scoping and Assessment Guides
Level 2 scoping establishes the assessment boundary for environments that store, process, or transmit Controlled Unclassified Information (CUI). It details how to categorize assets (CUI assets, security protection assets, specialized assets, and out-of-scope assets) and how information flows affect scope. The assessment guide explains how the 110 NIST SP 800-171–based practices are evaluated using documentation, interviews, and technical evidence to determine whether controls are implemented and operating as intended.
https://dowcio.war.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf
https://dowcio.war.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf
CMMC Level 3 Scoping and Assessment Guides
Level 3 scoping builds on Level 2 by addressing environments that support high-value or mission-critical CUI, incorporating enhanced requirements aligned with NIST SP 800-172. The assessment guide describes how advanced practices are examined, with greater emphasis on threat-informed controls, resilience, and institutionalized security processes. Scoping at Level 3 requires precise justification of boundaries and a clear understanding of how elevated threats impact control implementation.
https://dowcio.war.gov/Portals/0/Documents/CMMC/ScopingGuideL3v2.pdf
https://dowcio.war.gov/Portals/0/Documents/CMMC/AssessmentGuideL3v2.pdf
CMMC Assessment Process
The CMMC Assessment Process (CAP) is an authoritative reference developed by CyberAB to standardize how CMMC assessments are planned, executed, and documented. It provides detailed guidance for assessors, C3PAOs, and Organizations Seeking Certification (OSCs) on how CMMC practices are evaluated against their assessment objectives, including what constitutes acceptable evidence and how determinations are made.
The guide clarifies assessor expectations around evidence types (documentation, interviews, and technical artifacts), how controls are tested in real environments, and how findings are recorded and scored. It serves as the practical companion to the CMMC model itself, translating control language into repeatable assessment activities and helping ensure consistency across assessments.
For OSCs, the Assessment Guide is especially valuable as a readiness and preparation tool, offering insight into how controls will be scrutinized and what “implemented and operating as intended” means in practice during a formal CMMC assessment.
