-
Protect the Following Unclassified Information:
- Federal Contract Information (FCI)
- Controlled Unclassified Information (CUI)
- By 2026, all DoD contracts will have the CMMC integrated into its provisions
- Take what the DoD calls a "Defense in Strength" approach to data security
-
Adopt CMMC best practices to:
- Maximize the cybersecurity resilience of the DoD and DIB
- Increase your chances of winning contracts
- Prepare for potential cyber threats and breaches
- Recovering from a cyber incident without financial penalization
Learning Tree CMMC Certification Program Features
-
Free 1 Hour CMMC Consulting with Registration
-
Accredited Content from a CMMC APP (Approved Partner Publisher)
-
CMMC ATP (Approved Training Provider)
-
Delivered by Accredited CMMC Instructor/Assessors
CMMC Certification Training Courses
The CMMC Certification Pathway
Authorized training aligned with the Cyber-AB guidelines
- To sit for the CCP exam, you must attend CCP training with an official ATP (Approved Training Provider)
- OSCs – Have CCPs on staff to guide your preparations for your eventual CMMC assessment
- Assessors – CMMC CCP is the foundational certification you will need to start your CMMC assessor journey
- ATPs are not allowed to sell exam vouchers, but we can help you get yours
- The CMMC Assessor Course and Exams have not yet been released. Sign up below to be the first to know.
CMMC 2.0 Final Rule is Here
Background
The U.S. Department of Defenses (DoD) published the Final Cybersecurity Maturity Model Certification (CMMC) Rule in the Federal Register on October 15, 2024. The CMMC Final Rule will be implemented on December 16, 2025, at which time DoD may begin requiring CMMC Certification. A separate rule will be issued in early 2025. This rule will require all DoD contracts to have language requiring DoD contractors be CMMC Certified as a condition of award.
The CMMC program was designed to ensure DoD contractors are fully compliant with existing cybersecurity requirements aimed at protecting Controlled Unclassified Information (CUI). For those DoD contractors handling CUI, they will need to be assessed by a Third Party (C3PAO) to ensure they are meeting cybersecurity requirements as it relates to CUI. DoD contractors handling Federal Contract
Information (FCI) will be required to self-assess and self-certify with the DoD.
Here are some common questions and answers that will help you understand CMMC and the certification process.
All contractors and subcontractors in the DIB who handle FCI or CUI in DoD contracts are required to obtain CMMC 2.0 certification at the appropriate level specified in their contracts.
- Learning Tree offers readiness workshops to assist DoD Contractors in their CMMC Certification journey.
- Reviewing NIST SP 800-171 and, if necessary, NIST SP 800-172 to align cybersecurity practices with CMMC Level 2 or 3.
- Conducting a gap assessment to identify areas needing improvement.
- Preparing for self-assessments or engaging a C3PAO if a third-party assessment is required.
Failure to comply with CMMC 2.0 could result in being ineligible for future DoD contracts, termination of existing contracts, and other contractual penalties. Ensuring compliance is critical to maintain eligibility within the defense supply chain.
Learning Tree offers private workshops that are designed to assist an organization in determining their compliance level as well as what they need to do to achieve the appropriate level of compliance.
There are 3 Levels as follows:
1. Level 1 – Basic Cyber Hygiene
- Requirements: seventeen practices aligned with the Federal Acquisition Regulation (FAR) 52.204-21, which covers basic safeguarding requirements for Federal Contract Information (FCI).
- Goal: Protect FCI through basic cybersecurity practices, such as password protection and access controls.
- Assessment: Self-assessment
2. Level 2 – Intermediate Cyber Hygiene
- Requirements: 110 practices based on NIST SP 800-171 to protect Controlled Unclassified Information (CUI).
- Goal: Implement more comprehensive security practices, including access control, incident response, and risk management, to safeguard CUI.
- Assessment: Third-party assessment required for organizations handling certain CUI; others may perform self-assessments.
3. Level 3 – Advanced/Proactive Cyber Hygiene
- Requirements: More than 110 practices, with additional controls drawn from NIST SP 800-172 for higher levels of cybersecurity.
- Goal: Implement the most stringent cybersecurity practices, including advanced threat detection, response, and incident recovery.
- Assessment: Government-led assessment (for defense contractors handling highly sensitive information).
- Assessors are first required to earn their CCP (CMMC Certified Practitioner) designation. Training is REQUIRED to earn the CCP, and Learning Tree offers the Certified Professional CMMC Training (CCP) training course. This training must be delivered by a CMMC ATP (Approved Training Provider), of which Learning Tree was one of the first to be designated as an ATP. If someone takes the training from a company that is not an ATP, they will not be able to sit for the CCP exam.
- Once an assessor obtains their CCP, they will then proceed to obtain their CCA (CMMC Certified Assessor) designation. This is also obtained through REQUIRED training that is only delivered by CMMC ATPs (Approved Training Providers). Learning Tree offers the official training course, Certified CMMC Assessor Training (CCA).
The CMMC Program implementation date is 60 days after the publication of the final Title 48 CFR CMMC acquisition rule. CMMC assessment requirements will be implemented using a four-phase plan over three years. The phases add CMMC Level requirements incrementally, starting with self-assessments in Phase 1 and ending with full implementation of program requirements in Phase 4. This phased approach allows time to train assessors and companies to understand and implement CMMC assessment requirements.
Contractors at Level 1 and some Level 2 entities can self-assess their cybersecurity practices annually and submit self-assessment documentation instead of undergoing third-party assessments, depending on DoD contract requirements.
Learning Tree advises that organizations looking to self-assess attend the CCP and CCA training courses Certified Professional CMMC Training (CCP) and Certified CMMC Assessor Training (CCA). These training courses will provide self-assessing organizations with the knowledge and skills needed to appropriately assess their organization.
Companies heavily reliant on government contracts with DOD (as a prime contractor or subcontractor), getting in line early to avoid a resource issue with the availability of third-party assessors may be wise. Also, prime contractors may require compliance earlier than DOD.
CMMC will be applicable to every contract above the micro-purchase threshold (currently $10,000) that is not solely for commercial off-the-shelf products. As noted above, there is no exemption for small businesses. There are also no exemptions for contracts for commercial products and services. For businesses doing business with DOD, this will transform their compliance regime with respect to cybersecurity.
