*Update September 14, 2020*
11 Licensed Partner Publishers have been approved to start writing training programs. I’ve spoken to five LPPs and they are just starting to create the training materials, which would be provided to training providers in a few months (December 2020?). Scroll down for the list of companies and more information.
There is currently only one active training program for the CMMC – the provisional auditor training. Only the ~70 very experienced provisional auditor selects have access to it. The first cohort of ~25 has completed the in-person training and needs to pass an exam to continue. Per my conversation with provisional selects, there are still unknowns about whether the initial audits will be official or tests, and whether the DoD will select all audit targets or whether the open market is available.
For right now, the best thing most of us can do is self-study. Scroll down for links and recommendations on a self-study program.
Requirements to be a CMMC Auditor / Assessor
Before you start studying, the major prerequisites to get any CMMC assessor certification (specifically, the Certified Professional entry-level certification) are:
- College degree in a technical field or other equivalent experience (including military)
- 2+ years in cyber or other information field
- Pass commercial background check
- No citizenship requirement for Certified Professional
- U.S. Person (green-card OK) for CMMC Level 1 Assessor
- U.S. Citizen for CMMC Level 2+ Assessor or Certified Professional team-member
The prerequisites become stricter as your CMMC Assessor level increases. Each CMMC assessment level will also require taking training, submitting to a qualifications review, and passing exams.
CMMC Licensed Publishers and CMMC Training
*Update September 11, 2020*
The CMMC Accreditation Body has approved the first 11 Licensed Partner Publisher organizations.
This means that these publishers have been provided CMMC curriculum materials and are able to start building training. The training is not available to the public yet.
The publishers are:
- Captiva Solutions, LLC
- Celerium, Inc
- Community Colleges of Spokane, Corporate & Continuing Education
- Cyber Soldier, Inc
- Data Intelligence Technologies, Inc
- Edwards Performance Solutions
- Holistic Information Security Practitioner Institute (HISPI)
- Infosec Institute, Inc
- Logical Operations
- Precision Execution LLC
Contact information for these companies can be found on the CMMC-AB website here.
Please email us if you would like your program to be reviewed, or if you have studied in a program and have feedback on it. We will put a review on this blog!
CMMC Self Study Recommendations
Background information technology and/or cyber knowledge
If you don’t have a college degree in a technology field or equivalent experience, you should start on that now. Information Systems auditors should be very familiar with current technology and best practices for implementing it.
IT Certifications that cover CMMC topics
Industry certifications are a great way to improve (and prove!) your skills in a focused manner. Certifications in the IT field are also very valuable when seeking jobs or a higher salary. Finally, the DoD recognizes (and requires) certifications for its cyber security workforce – since the CMMC program is closely tied to the DoD, holding some of the 8570 program certifications can open doors in your career.
Certifications that are closely related to the CMMC Assessor role are:
- Certified Information Systems Auditor (CISA) – This certification is one of the most popular for IT auditors. It tests knowledge about conducting a professional assessment, the best practices for running an IT organization, and technical know-how.
- ITIL Foundation – One of the simpler certifications to work on. It tests knowledge of IT service management best practices, covering the creation, delivery, and continual improvement of IT products and services.
- Capability Maturity Model Integration (CMMI) – A process and behavioral model designed to help organizations improve their performance and produce better services and products. It defines how to build effective processes that are used (and considered useful) by the organization.
Understand key CMMC concepts and major players
Read through our CMMC Glossary of Terms and Definitions. It is a great summary of which companies the CMMC is for, the legal requirements around it, and the official organizations leading the implementation.
Read through the FAR and DFARS rules referenced in the glossary and memorize them. Then check back in December 2020 for the updated DFARS rule and memorize that.
Study the CMMC Model
The CMMC Appendix document has the most information about what the DoD expects for process maturity as well as security practices.
Create your own CMMC System Security Plan and Plan of Action
Read through our How to get started with the CMMC article and FCI in CMMC article for tips on scope. Then, in whatever environment you have available (even your home network), try to actually document your CMMC Level 1 practices, then Level 2, etc.
For bonus points, try to implement anything you are missing. If you have email on your phone, it is now in scope. Fun times!
Evaluate your clouds. Would they be CMMC Level 1 compliant? Are they FedRAMP approved? Do they meet DFARS 252.204-7014 requirements? (Hopefully by this point you know that these are three very different levels of security.)
If you do this you will gain a lot of sympathy for the Defense Contractors being told they need 100% compliance to pass an audit. And it will force you to really read the documentation and brainstorm ways to implement practices.
Gather evidence for your own CMMC audit
As a client, how would you gather this evidence and store it?
As a client, how would you demonstrate process maturity and continual improvement over time?
If you were an auditor reviewing each of the CMMC practices and maturity levels, what proofs of compliance would you want to see?
As an auditor, how would you check to make sure that the client didn’t “forget to mention” some insecure servers or services? How would you verify that work logs and policies weren’t created the week before the audit?
(Future) CMMC Assessment Methodology
At some point in the future, the CMMC Assessment Methodology will be published. This document should provide in-depth guidance for conducting CMMC audits and criteria for determining pass-fail.
Additional training resources
I posed a question to LinkedIn asking for recommendations for a CMMC self-study program. Here were the responses.
ISO Standard 19011. This standard provides guidance on auditing management systems, including the principles of auditing, managing an audit program, and conducting management system audits. These activities include the individual(s) managing the audit program, auditors, and audit teams. – Ralph DiCicco, Senior VP, Engineering Services Network, Inc.
Controlled Unclassified Information (CUI) Training courses available from CMMC Consulting LLC and Sidechannel – Leslie Weinstein.
Process guides for the CMMC version of EMASS – James Newman. Editor note: This doesn’t exist yet, but check back early 2021.
Risk Management Framework and STIG (secure configurations) training course available from BAI – Philip Schall, E.D. Training Services at BAI Information Security. Editor note: The Risk Management Framework is a compliance framework used for DoD networks and has security requirements roughly equivalent to CMMC Level 4-5. This is overkill for most CMMC prep, but it will certainly prepare you well.
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and in designing secure and resilient enterprise systems for the private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.