Expert CMMC · CMMC 2.13
CMMC Phase II
is dead.
Whatever the rollout does next, the requirements don't change. Long live the work that was always the point — knowing exactly which NIST SP 800-171, 800-172, and 800-53 controls satisfy every CMMC practice.
Free · No credit card · Nothing to install
The point
A single, honest cross-reference between CMMC and the NIST controls beneath it.
Every practice, cross-referenced
Each CMMC 2.13 practice mapped to the exact NIST SP 800-171, 800-172, and 800-53 controls behind it.
Free for assessors
Register a free account and search every CMMC practice and NIST control side by side. No paywalls.
Implementation strategies
Every control links to practical implementation strategies and cross-references to related frameworks.
Built by practitioners
Maintained by people who work CMMC assessments and remediation every day.
149
CMMC 2.13 practices
2,207
Supporting NIST controls
436
Cross-references mapped
The model
Browse CMMC 2.13 — by level and domain
Every CMMC practice, cross-referenced to the NIST SP 800-171, 800-172, and 800-53 controls that support it. Start with a maturity level, or jump straight to a domain.
By level
All 149 practices →15practices
Basic safeguarding of Federal Contract Information (FCI).
Browse Level 1110practices
Protecting Controlled Unclassified Information (CUI); aligned to NIST SP 800-171.
Browse Level 224practices
Reducing risk from advanced persistent threats; adds NIST SP 800-172 requirements.
Browse Level 3By domain
A worked example
One practice, mapped across every framework
This is a live record from the catalog — the same cross-references you get on every page.
Manage Visitors & Physical Access [FCI Data]
Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
Get started
Stop waiting on a timeline. Start on the controls.
Every CMMC practice and the NIST controls behind it — in one place, free for assessors and implementers alike.