Certified CMMC Assessor Level 1 Training (CCA-1)

Level: Advanced

The Cybersecurity Maturity Model Certification (CMMC), managed by the CMMC Accreditation Body (CMMC-AB), is a program through which an organization's cybersecurity program is measured by their initial and ongoing compliance with applicable cybersecurity practices as well as their integration of corresponding policies and plans into their overall business operations. By Fiscal Year 2026, all organizations providing products or services to the US DoD must obtain at least a Maturity Level 1 certification under this program.

CMMC-AB Certified Assessors (CCA) are authorized to conduct CMMC assessments and recommend a maturity level certification for organizations. This course prepares you to become a Certified Assessor Level 1, which enables you to conduct maturity level 1 assessments. Both the CMMC-AB Certified Professional (CCP) and the Level 1 Assessors are prerequisites for the Certified Assessor Levels 3 and 5.

Key Features of this Certified CMMC Assessor Level 1 Training:

  • CCA-1 Exam Prep
  • Multiple delivery format options

You Will Learn How To:

  • Identify Access Controls (AC)
  • Implement Identification and Authentication Controls (IA)
  • Develop Media Protection Controls (MP)
  • Execute Physical Protection Controls (PP)
  • Identify System and Communications Protection Controls (SC)
  • Apply System and Information Integrity Controls (SI)

Choose the Training Solution That Best Fits Your Individual Needs or Organizational Goals


In Class & Live, Online Training

  • 5-Day Instructor-Led Training Course
  • After-course instructor coaching included
  • Tuition fee can be paid later by invoice -OR- at the time of checkout by credit card

Standard $4795 CAD

Government $4220 CAD




Team Training

  • Bring this or any training to your organization
  • Full-scale program development
  • Delivered when, where, and how you want it
  • Blended learning models
  • Tailored content
  • Expert team coaching



Save More On Training with FlexVouchers – A Unique Training Savings Account

Our FlexVouchers help you lock in your training budgets without having to commit to a traditional 1 voucher = 1 course classroom-only attendance. FlexVouchers expand your purchasing power to modern blended solutions and services that are completely customizable. For details, please call 888-843-8733 or chat live.

In Class & Live, Online Training


Note: This course runs for 5 Days

  • Mar 7 - 11, 9:00 AM - 4:30 PM EST, Online (AnyWare)
  • Apr 4 - 8, 9:00 AM - 4:30 PM EDT, Online (AnyWare)
  • May 2 - 6, 9:00 AM - 4:30 PM EDT, Online (AnyWare)
  • Jun 6 - 10, 9:00 AM - 4:30 PM EDT, Online (AnyWare)
  • Jul 11 - 15, 9:00 AM - 4:30 PM EDT, Online (AnyWare)
  • Aug 8 - 12, 9:00 AM - 4:30 PM EDT, Online (AnyWare)
  • Aug 29 - Sep 2, 9:00 AM - 4:30 PM EDT, Online (AnyWare)

Guaranteed to Run

When you see the "Guaranteed to Run" icon next to a course event, you can rest assured that your course event — date, time — will run. Guaranteed.

Important Certified CMMC Assessor Level 1 Training Information

  • Prerequisites

    • CMMC-AB Certified Professional (CCP) in good standing.
    • Be a U.S. citizen to participate as a team member on maturity level 2 (ML-2) assessments.
    • Have or gain a favorably adjudicated Tier 3 background check; or possess a NAC (National Agency Check), DHS Suitability credential or other DoD accepted clearance (required to participate on ML-2 or higher assessment teams).
  • Who Should Attend This Course

    • Certified CMMC Professionals (CCP) who are interested in becoming a Certified Assessor at Level 1
    • Cyber Professionals looking to provide CMMC guidance
    • OSCs – Organizations Seeking Certification
    • Anyone looking to build a foundation of knowledge around the CMMC Level 1 requirements

Top 10 Things You Need to Know About CMMC

  • 1) What is CMMC?

    The US Department of Defense (DoD) recognizes the risk of loss via its supply chain: the contractors making up the Defense Industrial Base (DIB) that supplies our military. The Cybersecurity Maturity Model Certification is designed to assess the security posture of DIB companies to verify that appropriate practices and procedures are implemented prior to granting contracts.
  • 2) Who must be certified?

    All entities bidding on and awarded contracts must be CMMC certified to the level specified in the requirements document or statement of work, except for those contracts acquiring solely commercial off-the-shelf (COTS) products, according to Defense Federal Acquisition Regulations (DFARS) 7021. This also includes subcontractors. In other words, ANY entity directly or indirectly working DoD contracts containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must comply or risk losing those contracts!
  • 3) What is FCI and CUI?

    FCI is Federal Contract Information. FCI is information provided by or generated for the federal government under contract and not intended for public release. So, for example, information published as part of the bidding process or available on the DoD public website is not FCI, but companies should assume everything else pertaining to the contract is FCI. FCI has no specific handling or legal requirements beyond the contract and DFARS rules, but nonetheless must be protected at a basic, foundational level. CMMC requirements specify that companies handling FCI must minimally meet Level 1 (Performed – Basic Cyber Hygiene) certification.

    CUI is Controlled Unclassified Information. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. In other words, CUI has legal and policy requirements that must be met, but it doesn’t fall under the DoD classification scheme. It’s not that classified information doesn’t have to be protected. Of course, classified information must be protected, but classified information already has protection schemes and requirements surrounding it. CMMC is for everything else that has legal/policy requirements and falls outside the scope of DoD classification schemes. CMMC requirements specify that companies storing/processing/transporting CUI must minimally meet Level 3 (Managed – Good Cyber Hygiene) certification.
  • 4) How soon do we have to obtain certification?

    October 1, 2025. DoD states that contracts awarded on that date or after can only go to fully certified entities meeting the compliance requirements. Companies not certified as meeting those requirements risk losing their existing contracts. Even prior to that date, the DFARS Interim Rule applies. This rule went into effect November, 2020 in an attempt to phase in the CMMC program, and even now, some companies risk losing their contracts. Contract companies that have met the certification requirements have a huge competitive advantage over other contractors.
  • 5) What is the DFARS Interim Rule?

    The CMMC program is meant to be phased in. Effective November 20, 2020, DFARS 2019 Interim Rule went into effect. Contractors continue to be required to self-assess and enter themselves into the Supplier Performance Risk System (SPRS) database. However, some contracts will also need to take it all the way to CMMC certification. It is at the discretion of the Office of Undersecretary of Defense (OUSD) to state which new contract awards must be CMMC certified as of right now. The goal/requirement is to award an increasing number of prime contracts each year to CMMC certified companies. In fiscal year 2021, DoD is only requiring a minimum of 15 prime contracts be awarded with the new CMMC requirements met, and that includes those primes' subcontractors. If you are one of the few certified entities, you have a tremendous advantage outpacing your competition as more and more contracts are required to be awarded to CMMC certified companies. By 2025, all companies must be CMMC certified to successfully win contract awards.
  • 6) How is CMMC different from 800-53 or 800-171?

    National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 is for all US federal agencies and any entity housing US federal information or information systems. 800-171 is meant for protecting CUI stored/processed/disseminated in nonfederal systems. CMMC is not about auditing to ensure a set of specific boxes are checked. CMMC is about ascribing the overall cybersecurity posture of the organization as it pertains to CUI/FCI. It is not an audit, but rather an assessment. CMMC would say it is about the institutionalization of good cybersecurity practices throughout the organization. Much trust and faith is placed in the opinions of the assessment team to make those judgements. All CMMC requirements must be fully satisfied at that level of the Organization Seeking Certification (OSC) in order to be certified. The requirements for CMMC extend beyond those of 800-171. While many of the practices and much of the assessment guidance are ripped straight from 800-171, CMMC extended these requirements to add an additional 46 practices designed to enhance the security posture of an organization, such as actually reviewing the audit logs as part of an organization’s regular practices.
  • 7) Will my 800-171 assessment count (or my ISO 27000… or SOC… or RMF)?

    The CMMC assessment is separate from the 800-171 and other assessments. While some work is being done within the realm of model reciprocity to ensure that efforts are not continuously duplicated, right now the CMMC System Security Plan (SSP) is not the same document as the 800-53 SSP, the CMMC Plan of Action and Milestones (POA&M) is not the same as an ordinary system POA&M, and the CMMC certification is not the same as any other certification. These are separate certifications and must be treated as such, despite any overlap. It is ultimately up to the lead CMMC Certified Assessor (CCA) to determine when a CMMC control is met by an equivalent third party certification, including which controls were met, whether any gaps exist between the two control programs, if the third party assessment meets CMMC standards, etc… Regardless of whether some controls have been met, the OSC is not CMMC compliant until the assessment team evaluates their organization.
  • 8) What are the CMMC certification levels?

    There are 5 levels of CMMC certifications:

    • Level 1 – Performed – Basic Cyber Hygiene
      • Foundational level indicating that 17 basic practices are performed
      • Documentation is not required at this level
    • Level 2 – Documented – Intermediate Cyber Hygiene
      • Practices and procedures are documented
      • Practices and procedures are cumulative – all level 1 must be met to achieve level 2
    • Level 3 – Managed – Good Cyber Hygiene
      • 130 practices and 3 procedures must be met
      • Planning and maintaining the security posture must be undertaken
      • Practices and procedures are cumulative – all level 2 must be met to achieve level 3
    • Level 4 – Reviewed – Proactive
      • Measurements must be taken and reviewed for effectiveness
      • Practices and procedures are cumulative – all level 3 must be met to achieve level 4
    • Level 5 – Optimizing – Progressive/Advanced
      • The organization attempts to standardize and optimize cybersecurity across the organization
      • Practices and procedures are cumulative – all level 4 must be met to achieve level 5

      Currently, organizations are only seeking provisional certifications because the requirements are not yet finalized, and the assessor organizations have not been approved as of yet. Currently, only Level 1 and Level 3 provisional requirements are fully defined, documented, and described. Level 2 isn’t defined as it is only the interim between Level 1 and Level 3. If this organization must comply with CMMC as per the contract, Level 2 is not good enough to handle CUI.

  • 9) My organization didn’t bid on a contract but we assist one that did. Do we need to be certified?

    If the organization handles CUI or FCI, even as a subcontractor, then that organization needs to be certified just as the prime contract owner is. This should be stated in the contract between the subcontractor and the prime contractor, but even if it is not explicitly stated, the subcontractor still needs to be certified or they need to inform the DoD and seek advice for how to remove/destroy the information appropriately from the systems. This does not mean that you will need to obtain the same assessment level as the prime contract. It depends upon the type of information that is handled. If the subcontract only handles FCI, then Level 1 is the highest level of certification they will need to achieve. It is possible that the prime achieves a lower level than the subcontract as well, such as a Level 1 certified organization awarded the prime contract while the subcontract has a Level 3 certification. If CUI needs to be processed, then it must transit directly to the subcontract and not be handled by the prime. As long as no organization handles information outside the realm of the level they are certified to, all involved are still fully compliant.
  • 10) My organization doesn’t handle CUI. Do we still need to be certified?

    Even if the organization is only handling FCI, the organization still needs to be certified at level 1. Pretty much any organization with a contract with the US DoD needs to be certified because the contract alone likely constitutes FCI. The few exceptions are payment information necessary to process a transaction and contracts dealing with pure COTS products.

Certified CMMC Assessor Level 1 Training Outline

Full outline to be released by CMMC soon.

Certified CMMC Assessor Level 1 Training FAQs

  • Who needs the CMMC Certification?

    Vendors or contractors working in any part of the DoD supply chain will be required to obtain CMMC compliance in order to continue working with the DoD.
