CyberSecurity Maturity Model Certification (CMMC): Certified CMMC Professional (CCP)

Level: Foundation

The Cybersecurity Maturity Model Certification (CMMC), managed by the CMMC Accreditation Body (CMMC-AB), is a program through which an organization's cybersecurity program is measured by their initial and ongoing compliance with applicable cybersecurity practices as well as their integration of corresponding policies and plans into their overall business operations. By Fiscal Year 2026, all organizations providing products or services to the US DoD must obtain at least a Maturity Level 1 certification under this program.

This course prepares students for the CMMC-AB Certified Professional (CP) certification, which authorizes the holder to use the CMMC-AB Certified Professional logo, to participate as an assessment team member under the supervision of a Certified Assessor, and to be listed in the CMMC-AB Marketplace. The CP certification is also prerequisite for the other certifications (CA-1, CA-3, and CA-5).

Key Features of this CMMC Training:

  • This course is a prerequisite for the Certified Professional program, and it prepares students for the CMMC Certified Profession (CP) certification exam.
  • The CP certification is also a step toward becoming a certified assessor (CA), so students might take his course to begin down the path toward CA certification.

You Will Learn How To:

In this course, you will learn about the CMMC framework, model, context, and application within the DoD, as well as the expectations and requirements imposed upon organizations that do business with the DoD. It will also help students to identify threats to cybersecurity and privacy within an IoT ecosystem and implement appropriate countermeasures.

You Will:

  • Identify risks within the federal supply chain and the established standards for managing them.
  • Describe how the CMMC model ensures compliance with federal acquisitions regulation.
  • Identify responsibilities of the CMMC Certified Professional, including appropriate ethics and behavior.
  • Identify regulated information and establish the Certification and, Assessment scope boundaries for evaluating the systems that protect that regulated information.
  • Evaluate OSC readiness and determine the objective evidence you intend to present to the assessor.
  • Use the NIST 800-171A and CMMC Assessment Guide to assess objective evidence for processes and practices.
  • Implement and evaluate practices required to meet CMMC maturity level 1.
  • Implement and evaluate processes and practices required to meet CMMC maturity level 2.
  • Implement and evaluate processes and practices required to meet CMMC maturity level 3.
  • Identify processes and practices required to meet CMMC maturity levels 4 and 5.
  • As a Certified Professional, work through the logistics of a CMMC assessment, including planning for and conducting the assessment, as well as any follow-up processes, such as remediation and adjudication.
  • Perform the role of a Certified Professional.

Choose the Training Solution That Best Fits Your Individual Needs or Organizational Goals

LIVE, INSTRUCTOR-LED

In Class & Live, Online Training

  • 5-day instructor led training course
  • After-course instructor coaching included
  • Tuition fee can be paid later by invoice -OR- at the time of checkout by credit card
  • Exam Vouchers are only available throught CMMC-AB.
View Course Details & Schedule

Standard $4795 CAD

Government $4220 CAD

RESERVE SEAT

PRODUCT #2072

TRAINING AT YOUR SITE

Team Training

  • Bring this or any training to your organization
  • Full - scale program development
  • Delivered when, where, and how you want it
  • Blended learning models
  • Tailored content
  • Expert team coaching

Customize Your Team Training Experience

CONTACT US

Save More On Training with FlexVouchers – A Unique Training Savings Account

Our FlexVouchers help you lock in your training budgets without having to commit to a traditional 1 voucher = 1 course classroom-only attendance. FlexVouchers expand your purchasing power to modern blended solutions and services that are completely customizable. For details, please call 888-843-8733 or chat live.

In Class & Live, Online Training

Time Zone Legend:
Eastern Time Zone Central Time Zone
Mountain Time Zone Pacific Time Zone

Note: This course runs for 5 Days

  • Nov 1 - 5 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Nov 15 - 19 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Nov 29 - Dec 3 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Dec 6 - 10 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Dec 13 - 17 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Jan 24 - 28 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Feb 28 - Mar 4 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Mar 28 - Apr 1 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Apr 25 - 29 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • May 16 - 20 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Jun 13 - 17 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Jul 25 - 29 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Aug 22 - 26 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Sep 12 - 16 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

Guaranteed to Run

When you see the "Guaranteed to Run" icon next to a course event, you can rest assured that your course event — date, time — will run. Guaranteed.

Important CMMC Training Information

  • Prerequisites

    To ensure your success in this course you should have some foundational education or experience in cybersecurity.

    The CMMC-AB has established prerequisites for those who wish to apply for CP Certification, such as:

    • Favorable background checks. Additional citizenship and clearance credentials also required to perform higher level duties, such as participating as ML-2 assessment team member.
    • A college degree in a cyber or information technical field with 2+ years of experience or 3+ years of equivalent experience (including military) in a cyber, information technology, or assessment field.
    • At least two years of experience in cybersecurity or another information technology field.
    • CMMC-AB approval of your application.

    This is an unofficial summary provided for your convenience. Always refer to the CMMC-AB website (https://www.cmmcab.org) for official requirements and be aware that CMMC requirements are subject to change.

    Note: Students will have completed the above certification requirements prior to enrolling in the course through the CMMCAB website, this step is independent of their classroom participation.

Top 10 Things You Need to Know About CMMC

  • 1) What is CMMC?

    The US Department of Defence (DoD) recognizes risk of loss via their supply chain, the contracts making up the Defence Industrial Base (DIB) supplying our military. The Cybersecurity Maturity Model Certification is designed to assess the security posture of DIB companies to verify that appropriate practices and procedures are implemented prior to granting contracts.
  • 2) Who must be certified?

    All entities bidding on and awarded contracts must be CMMC certified to the level specified in the requirements document or statement of work, except for those contracts acquiring solely commercial off-the-shelf (COTS) products, according to Defence Federal Acquisition Regulations (DFARS) 7021. This also includes subcontractors. In other words, ANY entity directly or indirectly working DoD contracts containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must comply or risk losing those contracts!
  • 3) What is FCI and CUI?

    FCI is Federal Contract Information. FCI is information provided by or generated for the federal government under contract not intended for public release. So, for example, information published as part of the bidding process or available on the DoD public website is not FCI, but companies should assume everything else pertaining to the contract is FCI. FCI has no specific handling or legal requirements beyond the contract and DFARS rules, but nonetheless must be protected at a basic, foundational level. CMMC requirements specific that companies handling FCI must minimally meet Level 1 (Performed – Basic Cyber Hygiene) certification. CUI is Controlled Unclassified Information. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. In other words, CUI has legal and policy requirements that must be met, but it doesn’t fall under the DoD classification scheme. It’s not that classified information doesn’t have to be protected. Of course, classified information must be protected, but classified information already has protection schemes and requirements surrounding it. CMMC is for everything else that has legal/policy requirements that falls outside that scope of DoD classification schemes. CMMC requirements specific that companies storing/processing/transporting CUI must minimally meet Level 3 (Managed – Good Cyber Hygiene) certification.
  • 4) How soon do we have to obtain certification?

    October 1, 2025. DoD states that contracts awarded on that date or after can only go to fully certified entities meeting the compliance requirements. Companies not certified as meeting those requirements risk losing their existing contracts. Even prior to that date, the DFARS Interim Rule applies. This rule went into effect November, 2020 in an attempt to phase in the CMMC program, and even now, some companies risk losing their contracts. Contract companies that have met the certification requirements have a huge competitive advantage over other contractors.
  • 5) What is the DFARS Interim Rule?

    The CMMC program is meant to be phased in. Effective November 20, 2020, DFARS 2019 Interim Rule went into effect. Contractors continue to be required to self-assess and enter themselves into the Supplier Performance Risk System (SPRS) database. However, some contracts will also need to take it all the way to CMMC certification. It is at the discretion of the Office of Undersecretary of Defence (OUSD) to state which new contract awards must be CMMC certified as of right now. The goal/requirement is to award an increasing number of prime contracts each year to CMMC certified companies. In fiscal year 2021, DoD is only requiring a minimum of 15 prime contracts be awarded with the new CMMC requirements met, and that includes those primes subcontractors. If you are one of the few certified entities, you have a tremendous advantage outpacing your competition as more and more contracts are required to be awarded to CMMC certified companies. By 2025, all companies must be CMMC certified to successfully win contract awards.
  • 6) How is CMMC different from 800-53 or 800-171?

    National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 is for all US federal agencies and any entity housing US federal information or information systems. 800-171 is meant for protecting CUI stored/processed/disseminated in nonfederal systems. CMMC is not about auditing to ensure a set of specific boxes are checked. CMMC is about ascribing the overall cybersecurity posture of the organization as it pertains to CUI/FCI. It is not an audit, but rather an assessment. CMMC would say it is about the institutionalization of good cybersecurity practices throughout the organization. Much trust and faith is placed in the opinions of the assessment team to make those judgements. All CMMC requirements must be fully satisfied at that level of the Organization Seeking Certification (OSC) in order to be certified. The requirements for CMMC extend beyond those of 800-171. While many of the practices and assessment guidance is ripped straight from 800-171, CMMC extended these requirements to add an additional 46 practices designed to enhance the security posture of an organization, such as actually reviewing the audit logs as part of an organization’s regular practices.
  • 7) Will my 800-171 assessment count (or my ISO 27000… or SOC… or RMF)?

    The CMMC assessment is separate from the 800-171 and other assessments. While some work is being done to within the realm of model reciprocity to ensure that efforts are not continuously duplicated, right now the CMMC System Security Plan (SSP) is not the same document as the 800-53 SSP, the CCMC Plan of Action and Milestones (POA&M) is not the same as an ordinary system POA&M, and the CMMC certification is not the same as any other certification. These are separate certifications and must be treated as such, despite any overlap. It is ultimately up to the lead CMMC Certified Assessor (CCA) to determine when a CMMC control is met by an equivalent third party certification, including which controls were met, whether any gaps exist between the two control programs, if the third party assessment meets CMMC standards, etc… Regardless if some controls have been met, the OSC is not CMMC compliant until the assessment team evaluates their organization.
  • 8) What are the CMMC certification levels?

    There are 5 levels of CMMC certifications

    • Level 1 – Performed – Basic Cyber Hygiene
      • Foundational level indicating that 17 basic practices are performed
      • Documentation is not required at this level
    • Level 2 – Documented – Intermediate Cyber Hygiene
      • Practices and procedures are documented
      • Practices and procedures are cumulative – all level 1 must be met to achieve level 2
    • Level 3 – Managed – Good Cyber Hygiene
      • 130 practices and 3 procedures must be met
      • Planning and maintaining the security posture must be undertaken
      • Practices and procedures are cumulative – all level 2 must be met to achieve level 3
    • Level 4 – Reviewed – Proactive
      • Measurements must be taken and reviewed for effectiveness
      • Practices and procedures are cumulative – all level 3 must be met to achieve level 4
    • Level 5 – Optimizing – Progressive/Advanced
      • The organization attempts to standardize and optimize cybersecurity across the organization
      • Practices and procedures are cumulative – all level 4 must be met to achieve level 5

      Currently, organizations are only seeking provisional certifications because the requirements are not yet finalized, and the assessor organizations have not been approved as of yet. Currently, only Level 1 and Level 3 provisional requirements are fully defined, documented, and described. Level 2 isn’t defined as it is only the interim between Level 1 and Level 3. If this organization must comply with CMMC as per the contract, Level 2 is not good enough to handle CUI.

  • 9) My organization didn’t bid on a contract but we assist one that did. Do we need to be certified?

    If the organization handles CUI or FCI, even as a subcontractor, then that organization needs to be certified just as the prime contract owner is. This should be stated in the contract between the subcontractor and the prime contractor, but even if it is not explicitly stated, the subcontractor still needs to be certified or they need to inform the DoD and seek advice for how to remove/destroy the information appropriately from the systems. This does not mean that you will need to obtain the same assessment level as the prime contract. It depends upon the type of information that is handled. If the subcontract only handles FCI, then Level 1 is the highest level of certification they will need to achieve. It is possible that the prime achieves a lower level than the subcontract as well, such as a Level 1 certified organization awarded the prime contract while the subcontract has a Level 3 certification. If CUI needs to be processed, then it must transit directly to the subcontract and not be handled by the prime. As long as no organization handles information outside the realm of the level they are certified to, all involved are still fully compliant.
  • 10) My organization doesn’t handle CUI. Do we still need to be certified?

    Even if the organization is only handling FCI, the organization still needs to be certified at level 1. Pretty much any organization with a contract with the US DoD needs to be certified because the contract alone likely constitutes FCI. The few exceptions are payment information necessary to process a transaction and contracts dealing with pure COTS products.

CMMC Training Outline

(Pending CMMC-AB Approval)

  • Lesson 1:  Ensuring Compliance through CMMC

    Topic A: Identify Limitations of Self-Certification

    Identify ways in which self-certification is insufficient to ensure protection against threats to the federal supply chain.

    • Accountability
    • Contracts Involving Multiple Contractors
    • Self-Certification of Cybersecurity
    • Drawbacks and Limitations of Self-Certification
    • The False Claims Act
    • Consequences of Self-Certification
    • The Christian Doctrine
    • L. Christian & Associates v. United States, 312 F.2d 418 (Ct. Cl. 1963)
    • Legal Obligations of Contractors and Subcontractors
    • Guidelines for Identifying Your Legal Obligations
    • Identifying Where Things Went Wrong Due to Self-Certification
       

    Topic A: Identify Benefits of CMMC

    Describe how the Cybersecurity Maturity Model Certification is designed to ensure that suppliers comply with federal cybersecurity standards, providing benefits over the self-certification model.

    • Rationale for the Introduction of the CMMC Model
    • Process through which the CMMC Model was Developed
    • CMMC Reference/Source Documents (High Level)
    • CMMC’s Basis in Cybersecurity Standards and Best Practices
    • The CMMC Accreditation Body (CMMC-AB)
    • Roles and Responsibilities – DoD and CMMC-AB
    • How the CMMC-AB Is Funded
    • The CMMC-AB Marketplace
    • The CMMC Ecosystem
    • CMMC-AB affiliated people and organizations
    • Client or Credentialed Organizations
    • Registered or Certified Individuals
    • Roles and Responsibilities – Assessment
    • Third-Party Review
    • Scalability
    • Decentralization
    • Assessments
    • Cost Effectiveness for All
    • Identifying How CMMC Would Have Prevented Problems
       

    Topic B: Describe the CMMC Model Architecture

    Describe the general architecture of the CMMC Model.

    • Maturity Model
    • The CMMC Maturity Model
    • The CMMC Model Taxonomy
    • Domains of the CMMC Model
    • Capabilities of the CMMC Model
    • Practices of the CMMC Model
    • Distribution of Practices Across Maturity Levels
    • Accumulation of Practices Through Five Levels
    • Distribution of Practices Per Level Across Domains
    • Sources of CMMC Practices
    • Processes in the CMMC Model
    • Cumulative Practices and Processes
    • Practice and Process Numbering System
    • The Path to CMMC Certification
    • Transitioning from Level to Level
    • CMMC Documentation
    • Guidelines for CMMC Success
    • Describing the CMMC Model Architecture
  • Lesson 2: Performing the Responsibilities of a CMMC CP

    Topic A: Identify Responsibilities of the CMMC CP

    Identify responsibilities of a Certified Professional.

    • CP Responsibilities – In-house or Consultant
    • CP Responsibilities – Assessment Team
    • Various Roles Performed by a CP
    • Technical Opportunities
    • External Consulting
    • Assisting in Assessments
    • How Contractors Are Expected to Administer Self-Assessments
    • Separation of Duties
    • Guidelines for Maintaining an Appropriate Separation of Duties
    • Identifying Responsibilities of the CMMC Certified Professional
       

    Topic B: Demonstrate Appropriate Ethics and Behavior

    Demonstrate ethics and behavior that are appropriate for a CMMC Certified Professional, as outlined in the Code of Professional Conduct.

    • Code of Professional Conduct (CoPC)
    • Guidelines for Professional Conduct
    • Demonstrating Appropriate Ethics and Behavior
  • Lesson 3: Identifying and Scoping Regulated Information

    Topic A: Identify Regulated Information

    Define types of regulated information.

    • Federal Contract Information (FCI)
    • 48 CFR § 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems
    • Understanding CUI
    • DFARS Clause 252.204-7012 -- Safeguarding Covered Defence Information and Cyber Incident Reporting
    • NARA CUI Registry: CUI Types
    • NARA CUI Registry: CUI Groupings
    • NARA CUI Registry: CUI Defence Categories
    • NARA CUI Registry: CUI Defence Covered Technical Information
    • WORKING Covered Defence Information Definition
    • DODI 8582.1 (FCI/CUI)
    • Controlled Unclassified Information (CUI)
    • Controlling Authorities
    • DODI 5200.48 (CUI)
    • 32 CFR Part 2002, Controlled Unclassified Information (CUI)
    • Rules and Regulations Applying to CUI
    • FCI vs CUI
    • Controlled Technical Information (CTI)
    • Guidelines for Identifying CTI
    • Export Controlled Information (ECI)
    • Guidelines for Protecting and Restricting ITAR and Export Controlled Data
    • Guidelines for Determining the Type of Protected Information
    • Guidelines for Protecting FCI
    • Guidelines for Protecting CUI
    • Guidelines for Protecting CTI
    • Guidelines for Protecting ECI
    • Identifying Regulated Information
       

    Topic B: Establish the Certification and Assessment Scope Boundaries

    Establish appropriate scope boundaries for a CMMC Assessment.

    • Scoping
    • Scope Boundaries
    • How Does Scoping Affect Your Role as a CP?
    • Scoping: Roles & Responsibilities During Assessments
    • Scoping: Data-Centric Methodology
    • Guidelines for Establishing the Certification and Assessment Scope Boundaries
    • CMMC Level 1 Category A – In Scope
    • CMMC Level 1 Category B – Out of Scope
    • CMMC Level 1 Category C – Enabling Asset
    • Excluded Assets
    • Separation Techniques – Isolation
    • Separation Technique – Controlled Access
    • Separation Example: Guest Wireless – Logical Isolation
    • Separation Example: Access Control – Logical Isolation
    • Separation Example: Extended Untrusted User/System Access
    • Evolution of Artifacts and Evaluation Methods in Relation to Maturity Level
    • Identifying Appropriate Certification and Assessment Scope Boundaries
  • Lesson 4: Initiating the Assessment Process

    Topic A: Evaluate Readiness

    Evaluate the readiness of an organization seeking to undergo the CMMC assessment process.

    • Assessment as Partnership
    • The Path to CMMC Certification
    • Guidelines for Identifying the Scope of the Assessment
    • Identify Desired Maturity Level
    • Ways to Evaluate How Prepared You Are Before the Assessment
    • Gap Analysis
    • Closing Gaps
    • Benefits of an Evidence Validation
    • Guidelines for Evaluating Readiness
    • Evaluating Readiness
       

    Topic B: Determine Objective Evidence

    Determine what objective evidence you intend to present in the assessment.

    • Effective Assessments
    • Objective Evidence
    • CMMC Assessment Reference Documents
    • Methods Assessors Will Use to Make Their Evaluation
    • Limits on Assessors' Access to the Organization's CUI and FCI
    • Evidence Collection, Preparation, and Generation
    • Stakeholder Interviews
    • Organization of Documents and Other Evidence to Prepare for an Assessment
    • Guidelines for Determining Objective Evidence
    • Determining Objective Evidence Categories
  • Lesson 5: Assessing Objective Evidence

    Topic A: Assess the NIST 800-171 Practices Using the 800-171A Methodology

    Implement the NIST SP 800-171 requirements using the NIST SP 800-171A Assessment methodology.

    • CMMC Assessment Requirements Map
    • CMMC Source Documents
    • NARA ISOO (Information Security Oversight Office)
    • The Role of the Information Security Oversight Office (ISOO)
    • ISOO CUI Notice 2020-04: Assessing Security Requirements for CUI in Non-Federal Information Systems (dated 16 June 2020) (4 slides)
    • NIST SP 800-171A Assessment Depth & Coverage
    • NIST SP 800-171A Assessment Procedure
    • NIST SP 800-171A Assessment Methods (3 slides)
    • Multi-Factor Authentication: Requirement
    • Multi-Factor Authentication: Objectives
    • Multi-Factor Authentication: Methods & Objects
    • Requirement to Objectives to Systems
    • CMMC Assessment Procedures
    • Pass with Inheritance: Shared Service Responsibility Model
    • How the Assessment Procedures Affect Your Role as a CP
    • Guidelines for Assessing the NIST 800-171 Practices Using the 800-171A Methodology
    • Assessing the NIST 800-171 Practices Using the 800-171A Methodology
       

    Topic B: Assess Delta Practices

    Use the CMMC Assessment Guide to assess practices not covered in NIST 800-171.

    • The CMMC Delta Practices
    • The CMMC Assessment Guide
    • The CMMC Appendices
    • Supplemental Resources
    • Guidelines for Assessing Delta Practices
    • Assessing Delta Practices
       

    Topic C: Assess Processes

    Use the CMMC Assessment Guide to assess processes.

    • Processes in the Appendices
    • Processes in the CMMC Assessment Guide
    • CERT RMM v1.2 (Resilience Management Model)
    • Guidelines for Assessing Processes
    • Assessing a Process
  • Lesson 6: Implementing and Evaluating CMMC Level 1

    Topic A: Maturity Level 1 Domains and Practices

    Identify the domains and practices for basic cyber hygiene at ML1.

    • Maturity Level 1 Processes
    • CMMC vs FAR 52.204-21
    • Maturity Level 1 Domains
    • Maturity Level 1 Practices (Part 1)
    • Maturity Level 1 Practices (Part 2)
    • Identifying Maturity Level 1 Domains and Practices
       

    Topic B: Determine Scope Boundaries at Maturity Level 1

    Determine the scope boundaries at ML1.

    • CMMC ML1 Assessment Preparation Steps
    • Scenario: GrandMegaCorp
    • Step 1: Identify the FCI and CUI
    • Step 2.1: Determine the way FCI/CUI moves within the organization (5 slides)
    • Step 2.2: Will FCI be generated by GrandMegaCorp?
    • Step 2.3: Will FCI be shared with, or accessible by, others?
    • Step 2.4 Who in GrandMegaCorp has Access to it?
    • Step 2.5: Will FCI be sent to the government?
    • Step 3: Identify the Systems with FCI
    • Step 3: FCI and GrandMegaCorp End-user Devices
    • Step 4: Evaluate the In-scope Systems Against the CMMC Model Requirements
    • GrandMegaCorp Scope Boundaries
    • Determining Scope Boundaries at CMMC Level 1
       

    Topic C: Perform a Maturity Level 1 Gap Analysis

    Perform a maturity level 1 gap analysis.

    • NIST SP 800-171A – Assessments
    • NIST SP 800-171A – Assessment Attributes
    • CMMC ML1 Assessment Preparation Steps
    • GrandMegaCorp
    • Maturity Level 1 Practices we will Discuss
    • Creating and Evaluating an ML1 Environment
    • 1.001
    • 1.002
    • 1.131
    • 1.132—PE.1.134
    • 1.175
    • 1.176
    • Guidelines for Performing a Maturity Level 1 Gap Analysis
    • Performing a Maturity Level 1 Gap Analysis

    Topic D: Perform a Maturity Level 1 Evidence Validation

    Perform a ML1 evidence validation.

    • KB
    • Guidelines for Performing a Maturity Level 1 Evidence Validation
    • Performing a Maturity Level 1 Evidence Validation

    Topic E: Perform a Maturity Level 1 Pre-Assessment Readiness Review

    Perform a ML 1 pre-assessment readiness review.

    • KB
    • Guidelines for Performing a Maturity Level 1 Pre-Assessment Readiness Review
    • Performing a Maturity Level 1 Pre-Assessment Readiness Review
  • Lesson 7: Implementing and Evaluating CMMC Level 2

    Topic A: Maturity Level 2 Process Maturity Requirement

    Identify the processes for intermediate cyber hygiene at ML2.

    • Level 2 Processes
    • Process Maturity
    • Identifying Processes That Should Be Performed at CMMC Level 2

    Topic B: Maturity Level 2 Practices

    Identify the practices for intermediate cyber hygiene at ML2.

    • CMMC Level 2 Scoping
    • Level 2 Practices
    • Level 2 Delta Practices
    • Identifying Practices That Should Be Performed at CMMC Level 2

    Topic C: Perform a Maturity Level 2 Gap Analysis

    Perform a ML2 gap analysis.

    • KB
    • Guidelines for Performing a Maturity Level 2 Gap Analysis
    • Performing a Maturity Level 2 Gap Analysis

    Topic D: Perform a Maturity Level 2 Evidence Validation and a Pre-Assessment Readiness Review

    Perform ML2 evidence validation and pre-assessment readiness review.

    • KB
    • Guidelines for Performing a Maturity Level 2 Evidence Validation and a Pre-Assessment Readiness Review
    • Performing a Maturity Level 2 Evidence Validation and Pre-Assessment Readiness Review
  • Lesson 8: Implementing and Evaluating CMMC Level 3

    Topic A: Maturity Level 3 Processes

    Identify the processes for good cyber hygiene at ML3.

    • Level 3 Processes
    • Maintenance
    • Resourcing
    • Identifying Processes That Should Be Performed at CMMC Level 3

    Topic B: Maturity Level 3 Practices

    Identify the practices for good cyber hygiene at ML3.

    • Level 3 Practices
    • Level 3 Delta Practices
    • Identifying Practices That Should Be Performed at CMMC Level 3

    Topic C: Determine Scope Boundaries at Maturity Level 3

    Determine the scope boundaries at ML3.

    • CMMC Level 3 Scoping (5 slides)
    • KB
    • Guidelines for Determining Scope Boundaries at Maturity Level 3
    • Determining Scope Boundaries at Maturity Level 3

    Topic D: Perform a Maturity Level 3 Gap Analysis

    Perform a ML3 gap analysis.

    • KB
    • Guidelines for Performing a Maturity Level 3 Gap Analysis
    • Performing a Maturity Level 3 Gap Analysis
       
    Topic E: Perform a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
    • KB
    • Guidelines for Performing a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
    • Performing a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
  • Lesson 9: Identifying CMMC Levels 4 and 5

    Topic A: Maturity Level 4 Processes and Practices

    Identify the processes and practices for proactive cyber hygiene at ML4.

    • CMMC Level 4Scoping
    • Level 4 Processes
    • Review and Measurement
    • Level 4 Practices
    • Level 4 Delta Practices
    • Identifying Processes and Practices That Should Be Performed at CMMC Level 4

    Topic B: Maturity Level 5 Processes and Practices

    Identify the processes and practices for advanced/progressive cyber hygiene at ML5.

    • CMMC Level 5 Scoping
    • Level 5 Processes
    • Standardization and Optimization
    • Level 5 Practices
    • Level 5 Delta Practices
    • Identifying Processes and Practices That Should Be Performed at CMMC Level 5
  • Lesson 10: Working Through a CMMC Assessment

    Topic A: Define the Assessment Logistics

    Define the logistics required to schedule, complete, and finalize a CMMC assessment as required to receive CMMC-AB certification.

    • The Assessment Process
    • Prep Work
    • On-Site Work
    • Pre-assessment Readiness Review
    • Responsibilities of the OSC and the OSC Point of Contact (POC)
    • Responsibilities of the Certified Assessor and the Assessment Team Members
    • Access to Facilities and Resources Required by the Assessment Team
    • Opening or Kick Off Briefing
    • Daily Checkpoints
    • Final Recommended Findings Briefing
    • Post Assessment
    • Guidelines for Defining the Assessment Logistics
    • Defining the Assessment Logistics

    Topic B: Resolve Assessment Related Issues

    Describe the process for resolving assessment related issues.

    • Assessment Related Issues
    • Assessment Related Conflicts
    • Post Assessment When Remediation is Required
    • Remediation
    • Assessor’s Withdrawal Due to Ethical or Other Violations
    • Adjudication
    • Process to Dispute CMMC-AB Decisions
    • CMMC-AB Adjudication Process
    • Guidelines for Resolving Assessment Related Issues
    • Resolving Assessment Related Issues
  • Lesson 11: Performing the Role of a Certified Professional

    Topic A: Best Practices for Certified Professionals
    • Perform the roles and characteristics of a good CP.
    • Roles for a CP
    • Characteristics of a Good Consultant
    • Guidelines for Being a Professional Consultant
    • CP on an Assessment Team
    • Guidelines for Participating on an Assessment Team
    • Following Best Practices

    Topic B: Cybersecurity Beyond CMMC

    Discuss security risks that go beyond the CMMC Model framework and professional resources and communities to help continued learning.

    • Cybersecurity Culture Change
    • Awareness of Evolving Risks
    • Ways to Stay Informed

Team Training

CMMC Training FAQs

  • If someone has several active Cybersecurity related certifications such as CISSP, CISM, or CISA, do they still have to start with the CMMC Certified Professional level? Is there a credit level applied for being certified and practicing Cybersecurity for several years?

    The CP is a “gateway” certification and proves out your knowledge of CMMC - not just cybersecurity.

    While CMMC is based on much of NIST 800-171, there are additional practices and content for developing processes that are institutionalized. So all Certified Assessor candidates will need to first become CPs.

  • If I would like additional information on this new certification, where is the best place for me to go online?

    For more information on the CMMC certification, go here.

Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Why do we require your location?

It allows us to direct your request to the appropriate Customer Care team.

Preferred method of contact:
Chat Now

Please Choose a Language

Canada - English

Canada - Français