Navigating CMMC (Cybersecurity Maturity Model) Requirements Training

Level: Foundation

The Cybersecurity Maturity Model Certification (CMMC), managed by the CMMC Accreditation Body (CMMC-AB), is a Department of Defense (DoD) program through which an organization's cybersecurity program is measured by their initial and ongoing compliance with applicable cybersecurity practices as well as their integration of corresponding policies and plans into their overall business operations. By Fiscal Year 2026, all organizations providing products or services to the U.S. DoD must obtain at least a Maturity Level 1 certification under this program. This course will help you and your organization understand and plan for the impact of CMMC.

This course provides an overview of the CMMC program for organizational decision makers. Business and IT leaders and IT staff might consider taking this course to learn about the CMMC Model to get a sense of what's required for a successful assessment, and the various ways they can start preparing.

Key Features of this Navigating CMMC Training:

  • After-course instructor coaching benefit

You Will Learn How To:

  • Identify the crucial elements that are driving the CMMC initiative.
  • Describe the architecture of the CMMC Model and the rationale behind it.
  • Use the Assessment Guides to prepare your organization for a successful CMMC assessment.
  • Identify the roles and responsibilities in the CMMC ecosystem and during an Assessment.


CMMC Certification CMMC Registered Provider CMMC Licensed Provider

Choose the Training Solution That Best Fits Your Individual Needs or Organizational Goals


In Class & Live, Online Training

  • 1-day instructor led training course
  • After-course instructor coaching included
  • Tuition fee can be paid later by invoice -OR- at the time of checkout by credit card
View Course Details & Schedule

Standard $690 USD

Government $520 USD




Team Training

  • Bring this or any training to your organization
  • Full - scale program development
  • Delivered when, where, and how you want it
  • Blended learning models
  • Tailored content
  • Expert team coaching

Customize Your Team Training Experience


Save More On Training with FlexVouchers – A Unique Training Savings Account

Our FlexVouchers help you lock in your training budgets without having to commit to a traditional 1 voucher = 1 course classroom-only attendance. FlexVouchers expand your purchasing power to modern blended solutions and services that are completely customizable. For details, please call 888-843-8733 or chat live.

In Class & Live, Online Training

Time Zone Legend:
Eastern Time Zone Central Time Zone
Mountain Time Zone Pacific Time Zone

Note: This course runs for 1 Day

  • Jan 10 9:00 AM - 4:30 PM EST Washington, DC / Online (AnyWare) Washington, DC / Online (AnyWare) Reserve Your Seat

  • Feb 7 9:00 AM - 4:30 PM EST Herndon, VA / Online (AnyWare) Herndon, VA / Online (AnyWare) Reserve Your Seat

  • Mar 14 9:00 AM - 4:30 PM EDT New York / Online (AnyWare) New York / Online (AnyWare) Reserve Your Seat

  • Apr 11 9:00 AM - 4:30 PM EDT Washington, DC / Online (AnyWare) Washington, DC / Online (AnyWare) Reserve Your Seat

  • May 9 9:00 AM - 4:30 PM EDT Herndon, VA / Online (AnyWare) Herndon, VA / Online (AnyWare) Reserve Your Seat

  • Jun 13 9:00 AM - 4:30 PM EDT New York / Online (AnyWare) New York / Online (AnyWare) Reserve Your Seat

  • Jul 5 9:00 AM - 4:30 PM EDT Washington, DC / Online (AnyWare) Washington, DC / Online (AnyWare) Reserve Your Seat

  • Aug 2 9:00 AM - 4:30 PM EDT Herndon, VA / Online (AnyWare) Herndon, VA / Online (AnyWare) Reserve Your Seat

  • Sep 6 9:00 AM - 4:30 PM EDT New York / Online (AnyWare) New York / Online (AnyWare) Reserve Your Seat

Guaranteed to Run

When you see the "Guaranteed to Run" icon next to a course event, you can rest assured that your course event — date, time — will run. Guaranteed.

Important Navigating CMMC Training Information:

  • Important Information

    The Department of Defense new mandate through the CMMC-AB, requires certification for all current and future contractors doing business with DoD, including prime contractors as well as sub-contractors that sell commercial products and/or services to DoD.

  • Who Should Attend This Course

    All stakeholders who need to understand and implement the new mandate, as well as anyone who will be pursuing Certification to become a Certified Professional or Certified Assessor (these certifications are covered in Learning Tree courses, CyberSecurity Maturity Model Certification (CMMC): Certified CMMC Professional (CCP) and Certified CMMC Assessor Level 1 Training (CCA-1).)

Top 10 Things You Need to Know About CMMC

  • 1) What is CMMC?

    The US Department of Defense (DoD) recognizes risk of loss via their supply chain, the contracts making up the Defense Industrial Base (DIB) supplying our military. The Cybersecurity Maturity Model Certification is designed to assess the security posture of DIB companies to verify that appropriate practices and procedures are implemented prior to granting contracts.
  • 2) Who must be certified?

    All entities bidding on and awarded contracts must be CMMC certified to the level specified in the requirements document or statement of work, except for those contracts acquiring solely commercial off-the-shelf (COTS) products, according to Defense Federal Acquisition Regulations (DFARS) 7021. This also includes subcontractors. In other words, ANY entity directly or indirectly working DoD contracts containing Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) must comply or risk losing those contracts!
  • 3) What is FCI and CUI?

    FCI is Federal Contract Information. FCI is information provided by or generated for the federal government under contract not intended for public release. So, for example, information published as part of the bidding process or available on the DoD public website is not FCI, but companies should assume everything else pertaining to the contract is FCI. FCI has no specific handling or legal requirements beyond the contract and DFARS rules, but nonetheless must be protected at a basic, foundational level. CMMC requirements specific that companies handling FCI must minimally meet Level 1 (Performed – Basic Cyber Hygiene) certification. CUI is Controlled Unclassified Information. CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. In other words, CUI has legal and policy requirements that must be met, but it doesn’t fall under the DoD classification scheme. It’s not that classified information doesn’t have to be protected. Of course, classified information must be protected, but classified information already has protection schemes and requirements surrounding it. CMMC is for everything else that has legal/policy requirements that falls outside that scope of DoD classification schemes. CMMC requirements specific that companies storing/processing/transporting CUI must minimally meet Level 3 (Managed – Good Cyber Hygiene) certification.
  • 4) How soon do we have to obtain certification?

    October 1, 2025. DoD states that contracts awarded on that date or after can only go to fully certified entities meeting the compliance requirements. Companies not certified as meeting those requirements risk losing their existing contracts. Even prior to that date, the DFARS Interim Rule applies. This rule went into effect November, 2020 in an attempt to phase in the CMMC program, and even now, some companies risk losing their contracts. Contract companies that have met the certification requirements have a huge competitive advantage over other contractors.
  • 5) What is the DFARS Interim Rule?

    The CMMC program is meant to be phased in. Effective November 20, 2020, DFARS 2019 Interim Rule went into effect. Contractors continue to be required to self-assess and enter themselves into the Supplier Performance Risk System (SPRS) database. However, some contracts will also need to take it all the way to CMMC certification. It is at the discretion of the Office of Undersecretary of Defense (OUSD) to state which new contract awards must be CMMC certified as of right now. The goal/requirement is to award an increasing number of prime contracts each year to CMMC certified companies. In fiscal year 2021, DoD is only requiring a minimum of 15 prime contracts be awarded with the new CMMC requirements met, and that includes those primes subcontractors. If you are one of the few certified entities, you have a tremendous advantage outpacing your competition as more and more contracts are required to be awarded to CMMC certified companies. By 2025, all companies must be CMMC certified to successfully win contract awards.
  • 6) How is CMMC different from 800-53 or 800-171?

    National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 is for all US federal agencies and any entity housing US federal information or information systems. 800-171 is meant for protecting CUI stored/processed/disseminated in nonfederal systems. CMMC is not about auditing to ensure a set of specific boxes are checked. CMMC is about ascribing the overall cybersecurity posture of the organization as it pertains to CUI/FCI. It is not an audit, but rather an assessment. CMMC would say it is about the institutionalization of good cybersecurity practices throughout the organization. Much trust and faith is placed in the opinions of the assessment team to make those judgements. All CMMC requirements must be fully satisfied at that level of the Organization Seeking Certification (OSC) in order to be certified. The requirements for CMMC extend beyond those of 800-171. While many of the practices and assessment guidance is ripped straight from 800-171, CMMC extended these requirements to add an additional 46 practices designed to enhance the security posture of an organization, such as actually reviewing the audit logs as part of an organization’s regular practices.
  • 7) Will my 800-171 assessment count (or my ISO 27000… or SOC… or RMF)?

    The CMMC assessment is separate from the 800-171 and other assessments. While some work is being done to within the realm of model reciprocity to ensure that efforts are not continuously duplicated, right now the CMMC System Security Plan (SSP) is not the same document as the 800-53 SSP, the CCMC Plan of Action and Milestones (POA&M) is not the same as an ordinary system POA&M, and the CMMC certification is not the same as any other certification. These are separate certifications and must be treated as such, despite any overlap. It is ultimately up to the lead CMMC Certified Assessor (CCA) to determine when a CMMC control is met by an equivalent third party certification, including which controls were met, whether any gaps exist between the two control programs, if the third party assessment meets CMMC standards, etc… Regardless if some controls have been met, the OSC is not CMMC compliant until the assessment team evaluates their organization.
  • 8) What are the CMMC certification levels?

    There are 5 levels of CMMC certifications

    • Level 1 – Performed – Basic Cyber Hygiene
      • Foundational level indicating that 17 basic practices are performed
      • Documentation is not required at this level
    • Level 2 – Documented – Intermediate Cyber Hygiene
      • Practices and procedures are documented
      • Practices and procedures are cumulative – all level 1 must be met to achieve level 2
    • Level 3 – Managed – Good Cyber Hygiene
      • 130 practices and 3 procedures must be met
      • Planning and maintaining the security posture must be undertaken
      • Practices and procedures are cumulative – all level 2 must be met to achieve level 3
    • Level 4 – Reviewed – Proactive
      • Measurements must be taken and reviewed for effectiveness
      • Practices and procedures are cumulative – all level 3 must be met to achieve level 4
    • Level 5 – Optimizing – Progressive/Advanced
      • The organization attempts to standardize and optimize cybersecurity across the organization
      • Practices and procedures are cumulative – all level 4 must be met to achieve level 5

      Currently, organizations are only seeking provisional certifications because the requirements are not yet finalized, and the assessor organizations have not been approved as of yet. Currently, only Level 1 and Level 3 provisional requirements are fully defined, documented, and described. Level 2 isn’t defined as it is only the interim between Level 1 and Level 3. If this organization must comply with CMMC as per the contract, Level 2 is not good enough to handle CUI.

  • 9) My organization didn’t bid on a contract but we assist one that did. Do we need to be certified?

    If the organization handles CUI or FCI, even as a subcontractor, then that organization needs to be certified just as the prime contract owner is. This should be stated in the contract between the subcontractor and the prime contractor, but even if it is not explicitly stated, the subcontractor still needs to be certified or they need to inform the DoD and seek advice for how to remove/destroy the information appropriately from the systems. This does not mean that you will need to obtain the same assessment level as the prime contract. It depends upon the type of information that is handled. If the subcontract only handles FCI, then Level 1 is the highest level of certification they will need to achieve. It is possible that the prime achieves a lower level than the subcontract as well, such as a Level 1 certified organization awarded the prime contract while the subcontract has a Level 3 certification. If CUI needs to be processed, then it must transit directly to the subcontract and not be handled by the prime. As long as no organization handles information outside the realm of the level they are certified to, all involved are still fully compliant.
  • 10) My organization doesn’t handle CUI. Do we still need to be certified?

    Even if the organization is only handling FCI, the organization still needs to be certified at level 1. Pretty much any organization with a contract with the US DoD needs to be certified because the contract alone likely constitutes FCI. The few exceptions are payment information necessary to process a transaction and contracts dealing with pure COTS products.

Navigating CMMC Training Outline

  • Lesson 1: Identifying What's at Stake

    Topic A: Identify the Threats and Regulatory Responses
    • Identify the threats to the Defense Industrial Base and the established regulations that protect the defense supply chain.
    Topic B: Identify Sensitive Information
    • Identify the main categories of sensitive information--FCI and CUI.
  • Lesson 2: Describing the CMMC Program

    Topic A: Describe the Rationale for CMMC
    • Describe why the CMMC program was created.
    Topic B: Describe the CMMC Model Architecture
    • Describe the components of the CMMC Model.
  • Lesson 3: Getting Ready for a CMMC Assessment

    Topic A: Scope Your Environment
    • Identify the people, systems and processes in your environment that will be evaluated in a CMMC assessment.
    Topic B: Analyze the CMMC Assessment Guides
    • Analyze the Assessment Guides to be able to align your practices and processes to the CMMC requirements.
    Topic C: Evaluate Your Readiness
    • Explore methods of validating your compliance with the CMMC requirements.
  • Lesson 4: Interacting with the CMMC Ecosystem

    Topic A: Identify the CMMC Ecosystem
    • Identify the roles and responsibilities of the organizations and individuals involved in the CMMC program.
    Topic B: Describe a CMMC Assessment
    • Describe the interactions between your organization and the assessor during a CMMC assessment.

Team Training

Navigating CMMC Training FAQs

  • Does this course lead to CMMC-AB certification?

    No, this is not a certification course and has not been endorsed by CMMC-AB. This course is intended to provide information and direction for organization seeking certification (OSC).

  • If I take this course, does it make me eligible to sit for the CMMC-AB Certified Professional exam?

    No, CyberSecurity Maturity Model Certification (CMMC): Certified CMMC Professional (CCP) is the required training for you to take the CMMC-AB CP exam.

  • If I plan to become an assessor is this course right for me?

    Yes, you will be exposed to information relating to all five levels of the CMMC-AB maturity models.

Washington, DC / Online (AnyWare)
Herndon, VA / Online (AnyWare)
New York / Online (AnyWare)
Washington, DC / Online (AnyWare)
Herndon, VA / Online (AnyWare)
New York / Online (AnyWare)
Washington, DC / Online (AnyWare)
Herndon, VA / Online (AnyWare)
New York / Online (AnyWare)
Why do we require your location?

It allows us to direct your request to the appropriate Customer Care team.

Preferred method of contact:
Chat Now

Please Choose a Language

Canada - English

Canada - Français