CMMC depends on the content from 800-171r2 and 171A... Here is something I created that combines all three into one place. I find this helps visualize and focus discussions between the driver (CMMC) requirement, implementation, and assessment.
Download it from my files here: 2022 CMMCv2 and SP 800-171r2 and SP 800-171A Combined.ver.02a
- OUSD A&S - Cybersecurity Maturity Model Certification (CMMC) (osd.mil)
- SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov)
- SP 800-171A, Assessing Security Requirements for CUI | CSRC (nist.gov)