Course 2074

  • Duration: 4 days
  • Language: English
  • Level: Intermediate

Recent sweeping updates to the U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements have left the consultants, contractors, and the Defense Industrial Base (DIB) questioning where this leaves us and how to proceed. This course is intended to address the questions of what CMMC 2.0 is all about, how certification will work under the new model, the SP 800-171 requirements that must be satisfied and how to meet them, and what this means for DoD contracting organizations. These same 800-171 requirements cover all Non-Federal Organizations (NFOs) that handle U.S. Federal Government controlled unclassified information. This course will also feature self-attestation guidance and will help organizations meet the external 3rd party assessments that will still be required for a subset of businesses handling protected U.S. Federal Government information.

CMMC 2.0 and NIST SP 800-171 Training Delivery Methods

  • In-Person

  • Online

CMMC 2.0 and NIST SP 800-171 Training Course Benefits

Understand and comply with the new CMMC 2.0 frameworkAssess CMMC 2.0 and CMMC 1.0 differences and repercussions to your organizationMeet NIST SP 800-171 requirementsPerform self-assessments conforming to DFARS standards and generate a SPRS scoreIdentify which contract levels are subject to independent assessmentsSatisfy third-party CMMC 2.0/SP 800-171 assessmentsMaintain an acceptable security posture over the contract lifecycle

Continue learning and face new challenges with after-course one-on-one instructor coaching

CMMC 2.0 and NIST SP 800-171 Training Outline


Prior security experience is helpful but not necessary. Critical thinking skills and the ability to make decisions are key.

Who should attend?

Organizations Seeking Approval (OSC) personnel, including:

  • System development life cycle personnel (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, system/security engineers, and systems integrators).
  • Personnel with system security or risk management and oversight responsibilities (e.g., chief information officers, chief information security officers, system owners, information system security managers).
  • Security assessment and monitoring personnel (e.g., auditors, system evaluators, assessors, verifiers/validators, analysts).
  • Third parties providing CMMC 2.0 implementation and assessment support services.
  • Acknowledging the importance of protecting US Government information
  • Recognizing categories of protected information
  • Describing protected information and the law
  • Defining types of security failures
  • Judging the impact of security failures
  • Defining risk
  • Identifying threats and vulnerabilities in organizational systems
  • Recognizing motivations for data compromise
  • Identifying characteristics of threat actors
  • Describing CMMC Goals
  • Synopsizing CMMC Evolution
  • Defining the model tiers
  • Describing the four CMMC 2.0 program phases
  • Listing assessment requirements
  • Explaining model implementation
  • Charting the CMMC implementation timeline
  • Describing NIST SP 800-171, SP 800-171A, and SP 800-172
  • Categorizing security controls
  • Identifying SP 800-171 control families
  • Describing SP 800-171 security control structure
  • Explaining the importance of basic assumptions underlying SP 800-171
  • Identifying NARA CUI categories and markings
  • Verifying confidentiality impact level
  • Identifying special considerations for classified defense information
  • Determining the organizational system boundary
  • Building the System Security Plan
  • Determining the security control baseline
  • Assessing the need for enhanced assurance
  • Updating the System Security Plan
  • Tailoring the security control baseline
  • Selecting the approach to securing organizational systems
  • Implementing security controls
  • Documenting security control implementation, compliance, and effectiveness
  • Building the Security Assessment Plan
  • Assessment methodologies
  • Assessment optimization
  • Assessing security control compliance and effectiveness
  • Documenting security control compliance
  • Completing the System Security Plan
  • Building the Plan of Action and Milestones (POA&M)
  • Requesting CMMC waivers
  • Compiling the assessment report
  • Preserving an acceptable system security posture

Need Help Finding The Right Training Solution?

Our training advisors are here for you.

CMMC 2.0 and NIST SP 800-171 Training FAQs

No. C3PAOs will be needed to assess the OSCs requiring a Level 2 Assessment. Keep in mind that Level 2 is bifurcated, and some OSCs will be able to self-attest.

No, NIST is the What, and CMMC is the How. They are both needed and play an integral role in the new cyber security mandate.

Yes, this will lay a great foundation prior to attending Course 2072, Cybersecurity Maturity Model Certification (CMMC) Training Course, and sitting for the CCP Certification exam.

Chat With Us