CMMC Auditor Training Resources

*Update November 11, 2020*

11 Licensed Partner Publishers have been approved to start writing training programs. I’ve spoken to five LPPs and they are just starting to create the training materials, which would be provided to training providers in a few months (December 2020?). Scroll down for the list of companies and more information about their offerings.

The only publicly-accessible training for the CMMC right now is the Registered Practitioner training. This training is meant for people who want to help organizations get ready for the CMMC.

The other active training program for the CMMC is the provisional auditor training. Only the ~70 very experienced provisional auditor selects have access to it, and group classes are staggered over the next few months (the first ~25 finished the September class). Per my conversation with provisional selects, there are still unknowns about whether the initial audits will be official or tests, whether the DoD will select all targets of audits or if the open market is available.

For right now, the best thing most of us can do is self-study. This article includes links and recommendations on a self-study program.


Review of Registered Practitioner Training

I recently went through the CMMC Registered Practitioner training. Here is my review of the RP training.


Requirements to be a CMMC Auditor / Assessor

Before you start studying, the major prerequisites to get any CMMC assessor certification (specifically, the Certified Professional entry-level certification) are:

  • College degree in a technical field or other equivalent experience (including military)
  • 2+ years in cyber or other information field
  • Pass commercial background check
  • No citizenship requirement for Certified Professional
  • U.S. Person (green-card OK) for CMMC Level 1 Assessor
  • U.S. Citizen for CMMC Level 2+ Assessor or Certified Professional team-member

The prerequisite requirements increase as your CMMC Assessor level increases. Each CMMC assessment level will also require taking training, submitting to qualifications review, and passing exams.

This page has the detailed requirements for each level published by the CMMC Accreditation Body.


CMMC Licensed Publishers and CMMC Training

Update November 11, 2020

The CMMC Accreditation Body has approved the first 11 Licensed Partner Publisher organizations.

This means that these publishers have been provided CMMC curriculum materials and are able to start building training. The training is not available to the public yet.

The list of publishers is:

Captiva Solutions, LLC

Captiva Solutions provided this information about their CMMC-AB Certification Training Courses:

Infosec Institute, Inc – LPP

The Infosec Institute gave the following answers to our questions about their CMMC course development. 

  • Infosec is working on a 5-day (40+ hours) CMMC Certified Professional boot camp first, followed by Certified Assessor Level 1 and Certified Assessor Level 3 training boot camps. This Infosec CMMC page has information and links to each of their training tracks.
  • The format of the training is in-person or live-streamed.
  • They have not determined yet whether the training will be published to other training providers or kept in-house (Infosec has applied to be a Licensed Training Provider as well).
  • They hope to have the Certified Professional training available as an LTP in January 2021.
  • Infosec has their registration page for the Certified Professional Boot Camp available now.


  • Celerium, Inc
  • Community Colleges of Spokane, Corporate & Continuing Education
  • Cyber Soldier, Inc
  • Data Intelligence Technologies, Inc
  • Edwards Performance Solutions
  • Holistic Information Security Practitioner Institute (HISPI)
  • Logical Operations
  • Precision Execution LLC
  • SecureXperts

Contact information for these companies can be found on the CMMC-AB website here.

Please email us if you would like your program to be reviewed, or if you have studied in a program and have feedback on it. We will put a review on this blog!


CMMC Self Study Recommendations

*Update September 27, 2020:* Even if you take the Registered Practitioner training, it is my opinion that you should still self-study as described below. I’ve heard from provisional assessors that this website has been helpful to supplement their enhanced training too. You absolutely need a STRONG BACKGROUND in cybersecurity, system administration, and IT architecture design to supplement the current CMMC training.

For example, you need to be able to understand the individual practice requirements and the clarifications as written in the CMMC Appendix. The Registered Practitioner training barely addresses individual practices (it describes how you would read the CMMC model to figure them out). Most of the practices (especially Level 2+) require technical knowledge to understand all the areas of an organization that they could apply to.

Background information technology and/or cyber knowledge

If you don’t have a college degree in a technology field or equivalent experience, you should start on that now. Information Systems auditors should be very familiar with current technology and best practices for implementing it.

IT Certifications that cover CMMC topics

Industry certifications are a great way to improve (and prove!) your skills in a focused manner. Certifications in the IT field are very valuable when seeking jobs or higher salary too. Finally, the DoD recognizes (and requires) certifications for their cyber security workforce – since the CMMC program is closely tied to the DoD, having some of the 8570 program certifications can open doors in your career.

Certifications that are closely related to the CMMC Assessor role are:

Certified Information Systems Auditor (CISA) – This certification is one of the most popular for IT auditors. It tests knowledge about conducting a professional assessment, the best practices for running an IT organization, and technical know-how.

ITIL Foundation – One of the simpler certifications to work on. It tests knowledge of IT service management best practices. Covers creation, delivery, and continual improvement of IT products and services.

Capability Maturity Model Integration (CMMI) – A process and behavioral model designed to help organizations improve their performance and produce better services and products. Defines how to build effective processes that are used (and considered useful) by the organization.

Understand key CMMC concepts and major players

Read through our CMMC Glossary of Terms and Definitions. It is a great summary of which companies the CMMC is for, the legal requirements around it, and the official organizations leading the implementation.

Read through the FAR and DFARS rules referenced in the glossary and memorize them. Then check back in December 2020 for the updated DFARS rule and memorize that.

Understand FCI and CUI. This CUI training from the US Government is highly relevant.

The CMMC-AB’s Registered Practitioner training covers this topic in depth. You may want to register as a Registered Practitioner in addition to the assessor track. See our review of the Registered Practitioner training.

Study the CMMC Model

The CMMC Appendix document has the most information about what the DoD expects for process maturity as well as security practices.

https://www.acq.osd.mil/cmmc/draft.html

Create your own CMMC System Security Plan and Plan of Action

Read through our How to get started with the CMMC article and FCI in CMMC article for tips on scope. Then, in whatever environment you have available (even your home network), try to actually document your CMMC Level 1 practices, then Level 2, etc.

For bonus points, try to implement anything you are missing. If you have email on your phone, it is now in scope. Fun times!

Evaluate your clouds. Would they be CMMC level 1 compliant? Are they FedRAMP approved? Do they meet DFARS 252.204-7014 requirements? (hopefully by this point you know that these are totally different levels of security)

If you do this you will gain a lot of sympathy for the Defense Contractors being told they need 100% compliance to pass an audit. And it will force you to really read the documentation and brainstorm ways to implement practices.

Gather evidence for your own CMMC audit

As a client, how would you gather this evidence and store it?

As a client, how would you demonstrate process maturity and continual improvement over time?

If you were an auditor reviewing each of the CMMC practices and maturity levels, what proofs of compliance would you want to see?

As an auditor, how would you check to make sure that the client didn’t “forget to mention” some insecure servers or services? How would you verify that work logs and policies weren’t created the week before the audit?
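One way to start answering the last two questions is to treat the client's evidence as data and look for patterns that an honest, ongoing practice would not produce. The script below is an added example, not part of the original article and not a CMMC-AB tool: it indexes each artifact by the date the activity supposedly happened and the date the artifact itself was created (file creation time, ticket created-at, and similar metadata), then flags artifacts created shortly before the audit that document much older activity, months in the review period with no evidence at all, and days on which a large batch of artifacts appeared at once. The file names, dates, practice name and audit date are constructed for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample evidence index (illustrative, not real audit data). Each
# record is one artifact offered as proof of a recurring practice: the date the
# artifact claims the activity took place ("claimed") and the date the artifact
# itself came into existence according to system metadata such as file
# creation time or a ticket's created-at field ("created").
SAMPLE_EVIDENCE = [
    {"artifact": "access-review-2020-06.xlsx", "practice": "monthly access review",
     "claimed": date(2020, 6, 30), "created": date(2020, 7, 2)},
    # July is absent: the client has no artifact for that month.
    {"artifact": "access-review-2020-08.xlsx", "practice": "monthly access review",
     "claimed": date(2020, 8, 31), "created": date(2020, 11, 5)},
    {"artifact": "access-review-2020-09.xlsx", "practice": "monthly access review",
     "claimed": date(2020, 9, 30), "created": date(2020, 11, 5)},
    {"artifact": "access-review-2020-10.xlsx", "practice": "monthly access review",
     "claimed": date(2020, 10, 31), "created": date(2020, 11, 5)},
]

AUDIT_DATE = date(2020, 11, 10)  # assumed audit date
REVIEW_PERIOD = (date(2020, 6, 1), date(2020, 10, 31))  # assumed period the practice must cover


def find_late_created(records, audit_date, window_days=14, lag_days=7):
    """Artifacts created shortly before the audit that document activity which
    supposedly happened much earlier. A small lag (finishing a month-end review
    a few days into the next month) is normal; a large lag inside the pre-audit
    window is worth asking about."""
    window_start = audit_date - timedelta(days=window_days)
    flagged = []
    for rec in records:
        lag = (rec["created"] - rec["claimed"]).days
        if rec["created"] >= window_start and lag > lag_days:
            flagged.append(rec["artifact"])
    return flagged


def _months_between(start, end):
    """Yield (year, month) for every calendar month from start to end inclusive."""
    year, month = start.year, start.month
    while (year, month) <= (end.year, end.month):
        yield (year, month)
        month += 1
        if month > 12:
            year, month = year + 1, 1


def find_missing_months(records, practice, period_start, period_end):
    """Months in the review period with no artifact claiming that practice."""
    covered = {(r["claimed"].year, r["claimed"].month)
               for r in records if r["practice"] == practice}
    return [ym for ym in _months_between(period_start, period_end) if ym not in covered]


def find_creation_clusters(records, min_count=3):
    """Days on which an unusually large batch of artifacts was created."""
    counts = Counter(r["created"] for r in records)
    return {day.isoformat(): n for day, n in sorted(counts.items()) if n >= min_count}


def audit_evidence(records, audit_date, period_start, period_end):
    """Run all three checks and return the findings as one report dict."""
    practices = sorted({r["practice"] for r in records})
    return {
        "late_created": find_late_created(records, audit_date),
        "missing_months": {p: find_missing_months(records, p, period_start, period_end)
                           for p in practices},
        "creation_clusters": find_creation_clusters(records),
    }


if __name__ == "__main__":
    for key, value in audit_evidence(SAMPLE_EVIDENCE, AUDIT_DATE, *REVIEW_PERIOD).items():
        print(f"{key}: {value}")
```

On the constructed data the August and September reviews are flagged (created five days before the audit, months after the activity they document), the October review is not (a five-day lag is ordinary), July has no evidence, and three artifacts appeared on the same day. None of that proves anything by itself; it tells the assessor which artifacts to corroborate against independent sources such as change tickets, email threads or system logs that the client did not assemble for the audit.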

(Future) CMMC Assessment Methodology

At some point in the future, the CMMC Assessment Methodology will be published. This document should provide in-depth guidance for conducting CMMC audits and criteria for determining pass-fail.



Additional training resources

I posed a question to LinkedIn asking for recommendations for a CMMC self-study program. Here were the responses.

ISO Standard 19011. This standard provides guidance on auditing management systems, including the principles of auditing, managing an audit program and conducting management system audits. These activities include the individual(s) managing the audit program, auditors and audit teams. – Ralph DiCicco, Senior VP Engineering Services Network, Inc.

Controlled Unclassified Information (CUI) Training courses available from CMMC Consulting LLC and Sidechannel – Leslie Weinstein.

Process guides for the CMMC version of EMASS – James Newman. Editor note: This doesn’t exist yet, but check back early 2021.

Risk Management Framework and STIG (secure configurations) training course available from BAI – Philip Schall, E.D. Training Services at BAI Information Security. Editor note: The Risk Management Framework is a compliance framework used for DoD networks and has security requirements roughly equivalent to CMMC Level 4-5. This is overkill for most CMMC prep, but it will certainly prepare you well.



I’d love to hear your thoughts and reviews for CMMC self-study and official training! Please send me a connection on LinkedIn or sign up for our newsletter for CMMC updates as they are published.

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for the private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.