Cybersecurity Maturity Model Certification (CMMC) Training: Certified Professional

Level: Foundation

The Cybersecurity Maturity Model Certification (CMMC), managed by the CMMC Accreditation Body (CMMC-AB), is a program through which an organization's cybersecurity program is measured by their initial and ongoing compliance with applicable cybersecurity practices as well as their integration of corresponding policies and plans into their overall business operations. By Fiscal Year 2026, all organizations providing products or services to the US DoD must obtain at least a Maturity Level 1 certification under this program.

This course prepares students for the CMMC-AB Certified Professional (CP) certification, which authorizes the holder to use the CMMC-AB Certified Professional logo, to participate as an assessment team member under the supervision of a Certified Assessor, and to be listed in the CMMC-AB Marketplace. The CP certification is also prerequisite for the other certifications (CA-1, CA-3, and CA-5).

Key Features of this CMMC Training:

  • This course is a prerequisite for the Certified Professional program, and it prepares students for the CMMC Certified Profession (CP) certification exam.
  • The CP certification is also a step toward becoming a certified assessor (CA), so students might take his course to begin down the path toward CA certification.

You Will Learn How To:

In this course, you will learn about the CMMC framework, model, context, and application within the DoD, as well as the expectations and requirements imposed upon organizations that do business with the DoD. It will also help students to identify threats to cybersecurity and privacy within an IoT ecosystem and implement appropriate countermeasures.

You Will:

  • Identify risks within the federal supply chain and the established standards for managing them.
  • Describe how the CMMC model ensures compliance with federal acquisitions regulation.
  • Identify responsibilities of the CMMC Certified Professional, including appropriate ethics and behavior.
  • Identify regulated information and establish the Certification and, Assessment scope boundaries for evaluating the systems that protect that regulated information.
  • Evaluate OSC readiness and determine the objective evidence you intend to present to the assessor.
  • Use the NIST 800-171A and CMMC Assessment Guide to assess objective evidence for processes and practices.
  • Implement and evaluate practices required to meet CMMC maturity level 1.
  • Implement and evaluate processes and practices required to meet CMMC maturity level 2.
  • Implement and evaluate processes and practices required to meet CMMC maturity level 3.
  • Identify processes and practices required to meet CMMC maturity levels 4 and 5.
  • As a Certified Professional, work through the logistics of a CMMC assessment, including planning for and conducting the assessment, as well as any follow-up processes, such as remediation and adjudication.
  • Perform the role of a Certified Professional.

Choose the Training Solution That Best Fits Your Individual Needs or Organizational Goals

LIVE, INSTRUCTOR-LED

In Class & Live, Online Training

  • 5-day instructor led training course
  • After-course instructor coaching included
  • Tuition fee can be paid later by invoice -OR- at the time of checkout by credit card
View Course Details & Schedule

Standard $3495 USD

Government $3495 USD

RESERVE SEAT

PRODUCT #2072

TRAINING AT YOUR SITE

Team Training

  • Bring this or any training to your organization
  • Full - scale program development
  • Delivered when, where, and how you want it
  • Blended learning models
  • Tailored content
  • Expert team coaching

Customize Your Team Training Experience

CONTACT US

Save More On Training with FlexVouchers – A Unique Training Savings Account

Our FlexVouchers help you lock in your training budgets without having to commit to a traditional 1 voucher = 1 course classroom-only attendance. FlexVouchers expand your purchasing power to modern blended solutions and services that are completely customizable. For details, please call 888-843-8733 or chat live.

In Class & Live, Online Training

Time Zone Legend:
Eastern Time Zone Central Time Zone
Mountain Time Zone Pacific Time Zone

Note: This course runs for 5 Days

  • Jul 19 - 23 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Aug 16 - 20 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Sep 13 - 17 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Oct 18 - 22 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Nov 15 - 19 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Dec 13 - 17 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Jan 24 - 28 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Feb 28 - Mar 4 9:00 AM - 4:30 PM EST Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Mar 28 - Apr 1 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • Apr 25 - 29 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

  • May 16 - 20 9:00 AM - 4:30 PM EDT Online (AnyWare) Online (AnyWare) Reserve Your Seat

Guaranteed to Run

When you see the "Guaranteed to Run" icon next to a course event, you can rest assured that your course event — date, time — will run. Guaranteed.

Important CMMC Training Information

  • Prerequisites

    To ensure your success in this course you should have some foundational education or experience in cybersecurity.

    The CMMC-AB has established prerequisites for those who wish to apply for CP Certification, such as:

    • Favorable background checks. Additional citizenship and clearance credentials also required to perform higher level duties, such as participating as ML-2 assessment team member.
    • A college degree in a cyber or information technical field with 2+ years of experience or 3+ years of equivalent experience (including military) in a cyber, information technology, or assessment field.
    • At least two years of experience in cybersecurity or another information technology field.
    • CMMC-AB approval of your application.

    This is an unofficial summary provided for your convenience. Always refer to the CMMC-AB website (https://www.cmmcab.org) for official requirements and be aware that CMMC requirements are subject to change.

    Note: Students will have completed the above certification requirements prior to enrolling in the course through the CMMCAB website, this step is independent of their classroom participation.

CMMC Training Outline

(Pending CMMC-AB Approval)

  • Lesson 1:  Ensuring Compliance through CMMC

    Topic A: Identify Limitations of Self-Certification

    Identify ways in which self-certification is insufficient to ensure protection against threats to the federal supply chain.

    • Accountability
    • Contracts Involving Multiple Contractors
    • Self-Certification of Cybersecurity
    • Drawbacks and Limitations of Self-Certification
    • The False Claims Act
    • Consequences of Self-Certification
    • The Christian Doctrine
    • L. Christian & Associates v. United States, 312 F.2d 418 (Ct. Cl. 1963)
    • Legal Obligations of Contractors and Subcontractors
    • Guidelines for Identifying Your Legal Obligations
    • Identifying Where Things Went Wrong Due to Self-Certification
       

    Topic A: Identify Benefits of CMMC

    Describe how the Cybersecurity Maturity Model Certification is designed to ensure that suppliers comply with federal cybersecurity standards, providing benefits over the self-certification model.

    • Rationale for the Introduction of the CMMC Model
    • Process through which the CMMC Model was Developed
    • CMMC Reference/Source Documents (High Level)
    • CMMC’s Basis in Cybersecurity Standards and Best Practices
    • The CMMC Accreditation Body (CMMC-AB)
    • Roles and Responsibilities – DoD and CMMC-AB
    • How the CMMC-AB Is Funded
    • The CMMC-AB Marketplace
    • The CMMC Ecosystem
    • CMMC-AB affiliated people and organizations
    • Client or Credentialed Organizations
    • Registered or Certified Individuals
    • Roles and Responsibilities – Assessment
    • Third-Party Review
    • Scalability
    • Decentralization
    • Assessments
    • Cost Effectiveness for All
    • Identifying How CMMC Would Have Prevented Problems
       

    Topic B: Describe the CMMC Model Architecture

    Describe the general architecture of the CMMC Model.

    • Maturity Model
    • The CMMC Maturity Model
    • The CMMC Model Taxonomy
    • Domains of the CMMC Model
    • Capabilities of the CMMC Model
    • Practices of the CMMC Model
    • Distribution of Practices Across Maturity Levels
    • Accumulation of Practices Through Five Levels
    • Distribution of Practices Per Level Across Domains
    • Sources of CMMC Practices
    • Processes in the CMMC Model
    • Cumulative Practices and Processes
    • Practice and Process Numbering System
    • The Path to CMMC Certification
    • Transitioning from Level to Level
    • CMMC Documentation
    • Guidelines for CMMC Success
    • Describing the CMMC Model Architecture
  • Lesson 2: Performing the Responsibilities of a CMMC CP

    Topic A: Identify Responsibilities of the CMMC CP

    Identify responsibilities of a Certified Professional.

    • CP Responsibilities – In-house or Consultant
    • CP Responsibilities – Assessment Team
    • Various Roles Performed by a CP
    • Technical Opportunities
    • External Consulting
    • Assisting in Assessments
    • How Contractors Are Expected to Administer Self-Assessments
    • Separation of Duties
    • Guidelines for Maintaining an Appropriate Separation of Duties
    • Identifying Responsibilities of the CMMC Certified Professional
       

    Topic B: Demonstrate Appropriate Ethics and Behavior

    Demonstrate ethics and behavior that are appropriate for a CMMC Certified Professional, as outlined in the Code of Professional Conduct.

    • Code of Professional Conduct (CoPC)
    • Guidelines for Professional Conduct
    • Demonstrating Appropriate Ethics and Behavior
  • Lesson 3: Identifying and Scoping Regulated Information

    Topic A: Identify Regulated Information

    Define types of regulated information.

    • Federal Contract Information (FCI)
    • 48 CFR § 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems
    • Understanding CUI
    • DFARS Clause 252.204-7012 -- Safeguarding Covered Defense Information and Cyber Incident Reporting
    • NARA CUI Registry: CUI Types
    • NARA CUI Registry: CUI Groupings
    • NARA CUI Registry: CUI Defense Categories
    • NARA CUI Registry: CUI Defense Covered Technical Information
    • WORKING Covered Defense Information Definition
    • DODI 8582.1 (FCI/CUI)
    • Controlled Unclassified Information (CUI)
    • Controlling Authorities
    • DODI 5200.48 (CUI)
    • 32 CFR Part 2002, Controlled Unclassified Information (CUI)
    • Rules and Regulations Applying to CUI
    • FCI vs CUI
    • Controlled Technical Information (CTI)
    • Guidelines for Identifying CTI
    • Export Controlled Information (ECI)
    • Guidelines for Protecting and Restricting ITAR and Export Controlled Data
    • Guidelines for Determining the Type of Protected Information
    • Guidelines for Protecting FCI
    • Guidelines for Protecting CUI
    • Guidelines for Protecting CTI
    • Guidelines for Protecting ECI
    • Identifying Regulated Information
       

    Topic B: Establish the Certification and Assessment Scope Boundaries

    Establish appropriate scope boundaries for a CMMC Assessment.

    • Scoping
    • Scope Boundaries
    • How Does Scoping Affect Your Role as a CP?
    • Scoping: Roles & Responsibilities During Assessments
    • Scoping: Data-Centric Methodology
    • Guidelines for Establishing the Certification and Assessment Scope Boundaries
    • CMMC Level 1 Category A – In Scope
    • CMMC Level 1 Category B – Out of Scope
    • CMMC Level 1 Category C – Enabling Asset
    • Excluded Assets
    • Separation Techniques – Isolation
    • Separation Technique – Controlled Access
    • Separation Example: Guest Wireless – Logical Isolation
    • Separation Example: Access Control – Logical Isolation
    • Separation Example: Extended Untrusted User/System Access
    • Evolution of Artifacts and Evaluation Methods in Relation to Maturity Level
    • Identifying Appropriate Certification and Assessment Scope Boundaries
  • Lesson 4: Initiating the Assessment Process

    Topic A: Evaluate Readiness

    Evaluate the readiness of an organization seeking to undergo the CMMC assessment process.

    • Assessment as Partnership
    • The Path to CMMC Certification
    • Guidelines for Identifying the Scope of the Assessment
    • Identify Desired Maturity Level
    • Ways to Evaluate How Prepared You Are Before the Assessment
    • Gap Analysis
    • Closing Gaps
    • Benefits of an Evidence Validation
    • Guidelines for Evaluating Readiness
    • Evaluating Readiness
       

    Topic B: Determine Objective Evidence

    Determine what objective evidence you intend to present in the assessment.

    • Effective Assessments
    • Objective Evidence
    • CMMC Assessment Reference Documents
    • Methods Assessors Will Use to Make Their Evaluation
    • Limits on Assessors' Access to the Organization's CUI and FCI
    • Evidence Collection, Preparation, and Generation
    • Stakeholder Interviews
    • Organization of Documents and Other Evidence to Prepare for an Assessment
    • Guidelines for Determining Objective Evidence
    • Determining Objective Evidence Categories
  • Lesson 5: Assessing Objective Evidence

    Topic A: Assess the NIST 800-171 Practices Using the 800-171A Methodology

    Implement the NIST SP 800-171 requirements using the NIST SP 800-171A Assessment methodology.

    • CMMC Assessment Requirements Map
    • CMMC Source Documents
    • NARA ISOO (Information Security Oversight Office)
    • The Role of the Information Security Oversight Office (ISOO)
    • ISOO CUI Notice 2020-04: Assessing Security Requirements for CUI in Non-Federal Information Systems (dated 16 June 2020) (4 slides)
    • NIST SP 800-171A Assessment Depth & Coverage
    • NIST SP 800-171A Assessment Procedure
    • NIST SP 800-171A Assessment Methods (3 slides)
    • Multi-Factor Authentication: Requirement
    • Multi-Factor Authentication: Objectives
    • Multi-Factor Authentication: Methods & Objects
    • Requirement to Objectives to Systems
    • CMMC Assessment Procedures
    • Pass with Inheritance: Shared Service Responsibility Model
    • How the Assessment Procedures Affect Your Role as a CP
    • Guidelines for Assessing the NIST 800-171 Practices Using the 800-171A Methodology
    • Assessing the NIST 800-171 Practices Using the 800-171A Methodology
       

    Topic B: Assess Delta Practices

    Use the CMMC Assessment Guide to assess practices not covered in NIST 800-171.

    • The CMMC Delta Practices
    • The CMMC Assessment Guide
    • The CMMC Appendices
    • Supplemental Resources
    • Guidelines for Assessing Delta Practices
    • Assessing Delta Practices
       

    Topic C: Assess Processes

    Use the CMMC Assessment Guide to assess processes.

    • Processes in the Appendices
    • Processes in the CMMC Assessment Guide
    • CERT RMM v1.2 (Resilience Management Model)
    • Guidelines for Assessing Processes
    • Assessing a Process
  • Lesson 6: Implementing and Evaluating CMMC Level 1

    Topic A: Maturity Level 1 Domains and Practices

    Identify the domains and practices for basic cyber hygiene at ML1.

    • Maturity Level 1 Processes
    • CMMC vs FAR 52.204-21
    • Maturity Level 1 Domains
    • Maturity Level 1 Practices (Part 1)
    • Maturity Level 1 Practices (Part 2)
    • Identifying Maturity Level 1 Domains and Practices
       

    Topic B: Determine Scope Boundaries at Maturity Level 1

    Determine the scope boundaries at ML1.

    • CMMC ML1 Assessment Preparation Steps
    • Scenario: GrandMegaCorp
    • Step 1: Identify the FCI and CUI
    • Step 2.1: Determine the way FCI/CUI moves within the organization (5 slides)
    • Step 2.2: Will FCI be generated by GrandMegaCorp?
    • Step 2.3: Will FCI be shared with, or accessible by, others?
    • Step 2.4 Who in GrandMegaCorp has Access to it?
    • Step 2.5: Will FCI be sent to the government?
    • Step 3: Identify the Systems with FCI
    • Step 3: FCI and GrandMegaCorp End-user Devices
    • Step 4: Evaluate the In-scope Systems Against the CMMC Model Requirements
    • GrandMegaCorp Scope Boundaries
    • Determining Scope Boundaries at CMMC Level 1
       

    Topic C: Perform a Maturity Level 1 Gap Analysis

    Perform a maturity level 1 gap analysis.

    • NIST SP 800-171A – Assessments
    • NIST SP 800-171A – Assessment Attributes
    • CMMC ML1 Assessment Preparation Steps
    • GrandMegaCorp
    • Maturity Level 1 Practices we will Discuss
    • Creating and Evaluating an ML1 Environment
    • 1.001
    • 1.002
    • 1.131
    • 1.132—PE.1.134
    • 1.175
    • 1.176
    • Guidelines for Performing a Maturity Level 1 Gap Analysis
    • Performing a Maturity Level 1 Gap Analysis

    Topic D: Perform a Maturity Level 1 Evidence Validation

    Perform a ML1 evidence validation.

    • KB
    • Guidelines for Performing a Maturity Level 1 Evidence Validation
    • Performing a Maturity Level 1 Evidence Validation

    Topic E: Perform a Maturity Level 1 Pre-Assessment Readiness Review

    Perform a ML 1 pre-assessment readiness review.

    • KB
    • Guidelines for Performing a Maturity Level 1 Pre-Assessment Readiness Review
    • Performing a Maturity Level 1 Pre-Assessment Readiness Review
  • Lesson 7: Implementing and Evaluating CMMC Level 2

    Topic A: Maturity Level 2 Process Maturity Requirement

    Identify the processes for intermediate cyber hygiene at ML2.

    • Level 2 Processes
    • Process Maturity
    • Identifying Processes That Should Be Performed at CMMC Level 2

    Topic B: Maturity Level 2 Practices

    Identify the practices for intermediate cyber hygiene at ML2.

    • CMMC Level 2 Scoping
    • Level 2 Practices
    • Level 2 Delta Practices
    • Identifying Practices That Should Be Performed at CMMC Level 2

    Topic C: Perform a Maturity Level 2 Gap Analysis

    Perform a ML2 gap analysis.

    • KB
    • Guidelines for Performing a Maturity Level 2 Gap Analysis
    • Performing a Maturity Level 2 Gap Analysis

    Topic D: Perform a Maturity Level 2 Evidence Validation and a Pre-Assessment Readiness Review

    Perform ML2 evidence validation and pre-assessment readiness review.

    • KB
    • Guidelines for Performing a Maturity Level 2 Evidence Validation and a Pre-Assessment Readiness Review
    • Performing a Maturity Level 2 Evidence Validation and Pre-Assessment Readiness Review
  • Lesson 8: Implementing and Evaluating CMMC Level 3

    Topic A: Maturity Level 3 Processes

    Identify the processes for good cyber hygiene at ML3.

    • Level 3 Processes
    • Maintenance
    • Resourcing
    • Identifying Processes That Should Be Performed at CMMC Level 3

    Topic B: Maturity Level 3 Practices

    Identify the practices for good cyber hygiene at ML3.

    • Level 3 Practices
    • Level 3 Delta Practices
    • Identifying Practices That Should Be Performed at CMMC Level 3

    Topic C: Determine Scope Boundaries at Maturity Level 3

    Determine the scope boundaries at ML3.

    • CMMC Level 3 Scoping (5 slides)
    • KB
    • Guidelines for Determining Scope Boundaries at Maturity Level 3
    • Determining Scope Boundaries at Maturity Level 3

    Topic D: Perform a Maturity Level 3 Gap Analysis

    Perform a ML3 gap analysis.

    • KB
    • Guidelines for Performing a Maturity Level 3 Gap Analysis
    • Performing a Maturity Level 3 Gap Analysis
       
    Topic E: Perform a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
    • KB
    • Guidelines for Performing a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
    • Performing a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
  • Lesson 9: Identifying CMMC Levels 4 and 5

    Topic A: Maturity Level 4 Processes and Practices

    Identify the processes and practices for proactive cyber hygiene at ML4.

    • CMMC Level 4Scoping
    • Level 4 Processes
    • Review and Measurement
    • Level 4 Practices
    • Level 4 Delta Practices
    • Identifying Processes and Practices That Should Be Performed at CMMC Level 4

    Topic B: Maturity Level 5 Processes and Practices

    Identify the processes and practices for advanced/progressive cyber hygiene at ML5.

    • CMMC Level 5 Scoping
    • Level 5 Processes
    • Standardization and Optimization
    • Level 5 Practices
    • Level 5 Delta Practices
    • Identifying Processes and Practices That Should Be Performed at CMMC Level 5
  • Lesson 10: Working Through a CMMC Assessment

    Topic A: Define the Assessment Logistics

    Define the logistics required to schedule, complete, and finalize a CMMC assessment as required to receive CMMC-AB certification.

    • The Assessment Process
    • Prep Work
    • On-Site Work
    • Pre-assessment Readiness Review
    • Responsibilities of the OSC and the OSC Point of Contact (POC)
    • Responsibilities of the Certified Assessor and the Assessment Team Members
    • Access to Facilities and Resources Required by the Assessment Team
    • Opening or Kick Off Briefing
    • Daily Checkpoints
    • Final Recommended Findings Briefing
    • Post Assessment
    • Guidelines for Defining the Assessment Logistics
    • Defining the Assessment Logistics

    Topic B: Resolve Assessment Related Issues

    Describe the process for resolving assessment related issues.

    • Assessment Related Issues
    • Assessment Related Conflicts
    • Post Assessment When Remediation is Required
    • Remediation
    • Assessor’s Withdrawal Due to Ethical or Other Violations
    • Adjudication
    • Process to Dispute CMMC-AB Decisions
    • CMMC-AB Adjudication Process
    • Guidelines for Resolving Assessment Related Issues
    • Resolving Assessment Related Issues
  • Lesson 11: Performing the Role of a Certified Professional

    Topic A: Best Practices for Certified Professionals
    • Perform the roles and characteristics of a good CP.
    • Roles for a CP
    • Characteristics of a Good Consultant
    • Guidelines for Being a Professional Consultant
    • CP on an Assessment Team
    • Guidelines for Participating on an Assessment Team
    • Following Best Practices

    Topic B: Cybersecurity Beyond CMMC

    Discuss security risks that go beyond the CMMC Model framework and professional resources and communities to help continued learning.

    • Cybersecurity Culture Change
    • Awareness of Evolving Risks
    • Ways to Stay Informed

Team Training

CMMC Training FAQs

  • If someone has several active Cybersecurity related certifications such as CISSP, CISM, or CISA, do they still have to start with the CMMC Certified Professional level? Is there a credit level applied for being certified and practicing Cybersecurity for several years?

    The CP is a “gateway” certification and proves out your knowledge of CMMC - not just cybersecurity.

    While CMMC is based on much of NIST 800-171, there are additional practices and content for developing processes that are institutionalized. So all Certified Assessor candidates will need to first become CPs.

  • If I would like additional information on this new certification, where is the best place for me to go online?

    For more information on the CMMC certification, go here.

Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Online (AnyWare)
Why do we require your location?

It allows us to direct your request to the appropriate Customer Care team.

Preferred method of contact:
Chat Now

Please Choose a Language

Canada - English

Canada - Français