*Update November 11, 2020*
Eleven Licensed Partner Publishers (LPPs) have been approved to start writing training programs. I’ve spoken to five LPPs; they are just starting to create the training materials, which should be provided to training providers in a few months (December 2020?). Scroll down for the list of companies and more information about their offerings.
The only publicly-accessible training for the CMMC right now is the Registered Practitioner training. This training is meant for people who want to help organizations get ready for the CMMC.
The other active training program for the CMMC is the provisional auditor training. Only the ~70 very experienced provisional auditor selects have access to it, and group classes are staggered over the next few months (the first ~25 finished the September class). Per my conversations with provisional selects, there are still unknowns about whether the initial audits will be official or test runs, and whether the DoD will select all audit targets or assessors will also be able to work on the open market.
For right now, the best thing most of us can do is self-study. This article includes links and recommendations on a self-study program.
Review of Registered Practitioner Training
I recently went through the CMMC Registered Practitioner training. Here is my review of the RP training.
Requirements to be a CMMC Auditor / Assessor
Before you start studying, the major prerequisites to get any CMMC assessor certification (specifically, the Certified Professional entry-level certification) are:
- College degree in a technical field or other equivalent experience (including military)
- 2+ years in cyber or other information field
- Pass commercial background check
- No citizenship requirement for Certified Professional
- U.S. Person (green-card OK) for CMMC Level 1 Assessor
- U.S. Citizen for CMMC Level 2+ Assessor or Certified Professional team-member
The prerequisite requirements increase as your CMMC Assessor level increases. Each CMMC assessment level will also require taking training, submitting to qualifications review, and passing exams.
CMMC Licensed Publishers and CMMC Training
Update November 11, 2020
The CMMC Accreditation Body has approved the first 11 Licensed Partner Publisher organizations.
This means that these publishers have been provided CMMC curriculum materials and are able to start building training. The training is not available to the public yet.
The publishers are:
Captiva Solutions, LLC
Captiva Solutions provided this information about their CMMC-AB Certification Training Courses:
- A 5-day course, of approximately 40-hours for the CMMC-AB Certified Professional prep course
- Follow-on courses will include 3- to 4-day training for the Certified Assessor Level 1 and Certified Assessor Level 3 courses.
- More information on Captiva’s training paths can be found here: https://captivasolutions.com/training/cmmc-training-services
- Training will be offered in various formats to include in-person, virtual instructor led, and self-paced.
- Once approved as a Licensed Training Provider (LTP), Captiva Solutions plans to have the Certified Professional training available in January 2021.
- Captiva Solutions has partnered with other training entities and plans to publish their training courses through these entities.
Infosec Institute, Inc – LPP
The Infosec Institute gave the following answers to our questions about their CMMC course development.
- Infosec is working on a 5-day (40+ hours) CMMC Certified Professional boot camp first, followed by Certified Assessor Level 1 and Certified Assessor Level 3 training boot camps. This Infosec CMMC page has information and links to each of their training tracks.
- The format of the training is in-person or live-streamed.
- They have not yet determined whether the training will be published to other training providers or kept in-house (Infosec has applied to be a Licensed Training Provider as well).
- They hope to have the Certified Professional training available as an LTP in January 2021.
- Infosec has their registration page for Certified Professional Boot Camp available now.
Community Colleges of Spokane, Corporate & Continuing Education
Cyber Soldier, Inc
Security Practitioner Institute (HISPI)
Precision Execution LLC
Contact information for these companies can be found on the CMMC-AB website here.
Please email us if you would like your program to be reviewed, or if you have studied in a program and have feedback on it. We will put a review on this blog!
CMMC Self Study Recommendations
*** Update September 27, 2020: Even if you take the Registered Practitioner training, it is my opinion that you should still self-study as described below. I’ve heard from provisional assessors that this website has been helpful to supplement their enhanced training too. You absolutely need a STRONG BACKGROUND in cybersecurity, system administration, and IT architecture design to supplement the current CMMC training.
For example, you need to be able to understand the individual practice requirements and the clarifications as written in the CMMC Appendix. The Registered Practitioner training barely addresses individual practices (it describes how you would read the CMMC model to figure them out). Most of the practices (especially Level 2+) require technical knowledge to understand all the areas of an organization that they could apply to. /***
Background information technology and/or cyber knowledge
If you don’t have a college degree in a technology field or equivalent experience, you should start on that now. Information Systems auditors should be very familiar with current technology and best practices for implementing it.
IT Certifications that cover CMMC topics
Industry certifications are a great way to improve (and prove!) your skills in a focused manner. Certifications in the IT field are also very valuable when seeking jobs or a higher salary. Finally, the DoD recognizes (and requires) certifications for its cybersecurity workforce – since the CMMC program is closely tied to the DoD, having some of the 8570 program certifications can open doors in your career.
Certifications that are closely related to the CMMC Assessor role are:
Certified Information Systems Auditor (CISA) – This certification is one of the most popular for IT auditors. It tests knowledge about conducting a professional assessment, the best practices for running an IT organization, and technical know-how.
ITIL Foundation – One of the simpler certifications to work on. It tests knowledge of IT service management best practices. Covers creation, delivery, and continual improvement of IT products and services.
Capability Maturity Model Integration (CMMI) – A process and behavioral model designed to help organizations improve their performance and produce better services and products. Defines how to build effective processes that are used (and considered useful) by the organization.
Understand key CMMC concepts and major players
Read through our CMMC Glossary of Terms and Definitions. It is a great summary of which companies the CMMC is for, the legal requirements around it, and the official organizations leading the implementation.
Read through the FAR and DFARS rules referenced in the glossary and memorize them. Then check back in December 2020 for the updated DFARS rule and memorize that.
The CMMC-AB’s Registered Practitioner training covers this topic in depth. You may want to register as a Registered Practitioner in addition to pursuing the assessor track. See our review of the Registered Practitioner training.
Study the CMMC Model
The CMMC Appendix document has the most information about what the DoD expects for process maturity as well as security practices.
Create your own CMMC System Security Plan and Plan of Action
Read through our How to get started with the CMMC article and FCI in CMMC article for tips on scope. Then, in whatever environment you have available (even your home network), try to actually document your CMMC Level 1 practices, then Level 2, etc.
For bonus points, try to implement anything you are missing. If you have email on your phone, it is now in scope. Fun times!
Evaluate your cloud services. Would they be CMMC Level 1 compliant? Are they FedRAMP authorized? Do they meet DFARS 252.204-7014 requirements? (Hopefully by this point you know that these are totally different levels of security.)
If you do this you will gain a lot of sympathy for the Defense Contractors being told they need 100% compliance to pass an audit. And it will force you to really read the documentation and brainstorm ways to implement practices.
Gather evidence for your own CMMC audit
As a client, how would you gather this evidence and store it?
As a client, how would you demonstrate process maturity and continual improvement over time?
If you were an auditor reviewing each of the CMMC practices and maturity levels, what proofs of compliance would you want to see?
As an auditor, how would you check to make sure that the client didn’t “forget to mention” some insecure servers or services? How would you verify that work logs and policies weren’t created the week before the audit?
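One concrete way an assessor can approach the last question is to look at the logging evidence itself rather than the narrative around it: how far back does it actually reach, does it have holes, and does most of it cluster in the week before the audit? The following is an added example written for this article, not code from the original page or from any CMMC-AB material. The log line format, the sample entries, and the thresholds (90 days of history expected, a gap of more than 7 days worth asking about) are all constructed assumptions for illustration, not CMMC requirements.

```python
"""Sanity-check exported logging evidence against an audit date.

Added example for this article (not the page's own code). The line
format "<ISO timestamp> <host> <message>", the sample entries, and the
thresholds below are constructed for illustration only.
"""
from datetime import datetime, timedelta
import re

# Constructed line format: "2020-09-25T08:00:00 fileserver01 audit: ..."
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_timestamps(lines):
    """Return the sorted timestamps of every parseable line; skip junk lines."""
    stamps = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    return sorted(stamps)


def evidence_report(lines, audit_date, required_days=90, max_gap_days=7):
    """Summarise how much history the evidence covers relative to the audit date.

    Flags raised (assumed thresholds, not CMMC rules):
      - earliest entry is closer to the audit than `required_days`
      - any silence longer than `max_gap_days` between consecutive entries
      - more than half of all entries fall in the 7 days before the audit
    """
    stamps = parse_timestamps(lines)
    if not stamps:
        return {"entries": 0, "gaps": [], "flags": ["no parseable log entries"]}

    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        delta = cur - prev
        if delta > timedelta(days=max_gap_days):
            gaps.append((prev.date().isoformat(), cur.date().isoformat(), delta.days))

    history_days = (audit_date - stamps[0]).days
    recent_cutoff = audit_date - timedelta(days=7)
    recent_fraction = sum(1 for s in stamps if s >= recent_cutoff) / len(stamps)

    flags = []
    if history_days < required_days:
        flags.append(f"earliest entry is only {history_days} days before the audit; "
                     f"{required_days} expected")
    if gaps:
        flags.append(f"{len(gaps)} gap(s) longer than {max_gap_days} days")
    if recent_fraction > 0.5:
        flags.append("more than half of all entries fall in the 7 days before the audit")

    return {
        "entries": len(stamps),
        "earliest": stamps[0].isoformat(),
        "latest": stamps[-1].isoformat(),
        "span_days": (stamps[-1] - stamps[0]).days,
        "gaps": gaps,
        "recent_fraction": recent_fraction,
        "flags": flags,
    }


def constructed_log(start, days, skip_days=()):
    """Build one constructed entry per day at 08:00, omitting the listed day offsets."""
    lines = []
    for i in range(days):
        if i in skip_days:
            continue
        ts = start + timedelta(days=i, hours=8)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} fileserver01 audit: daily log review completed")
    return lines


# Constructed sample evidence sets for an audit on 2020-10-02.
AUDIT_DATE = datetime(2020, 10, 2)
CONTINUOUS_LOG = constructed_log(datetime(2020, 7, 1), 93)                     # Jul 1 .. Oct 1
GAPPED_LOG = constructed_log(datetime(2020, 7, 1), 93, skip_days=range(40, 51))  # 11 days missing in August
RECENT_ONLY_LOG = constructed_log(datetime(2020, 9, 25), 7)                   # starts the week before

if __name__ == "__main__":
    for name, log in [("continuous", CONTINUOUS_LOG), ("gapped", GAPPED_LOG),
                      ("recent-only", RECENT_ONLY_LOG)]:
        report = evidence_report(log, AUDIT_DATE)
        print(f"{name}: {report['entries']} entries, flags={report['flags']}")
```

The point of the check is not to prove backdating (a determined organization can fabricate timestamps) but to turn a vague suspicion into a specific question for the interview: "your audit-log export starts six days before this assessment; where is the earlier history, and what does your retention policy say?" Corroborating sources such as backup catalogs, ticket history, or change records are what let an assessor confirm the answer.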
(Future) CMMC Assessment Methodology
At some point in the future, the CMMC Assessment Methodology will be published. This document should provide in-depth guidance for conducting CMMC audits and criteria for determining pass-fail.
Additional training resources
I posed a question on LinkedIn asking for recommendations for a CMMC self-study program. Here are the responses.
ISO Standard 19011. This standard provides guidance on auditing management systems, including the principles of auditing, managing an audit program and conducting management system audits. These activities include the individual(s) managing the audit program, auditors and audit teams. – Ralph DiCicco, Senior VP, Engineering Services Network, Inc.
Controlled Unclassified Information (CUI) Training courses available from CMMC Consulting LLC and Sidechannel – Leslie Weinstein.
Process guides for the CMMC version of EMASS – James Newman. Editor note: This doesn’t exist yet, but check back early 2021.
Risk Management Framework and STIG (secure configurations) training course available from BAI – Philip Schall, E.D. Training Services at BAI Information Security. Editor note: The Risk Management Framework is a compliance framework used for DoD networks and has security requirements roughly equivalent to CMMC Level 4-5. This is overkill for most CMMC prep, but it will certainly prepare you well.
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and in designing secure and resilient enterprise systems for the private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.