CMMC Auditor Training Resources

*Update March 8, 2021*

Several Licensed Partner Publishers have been approved to start writing training programs. The CMMC Body of Knowledge seems to keep changing (this is between the DoD and the CMMC-AB) so none of the LPPs have been able to release their materials yet.

See this interview with Ben Tchoubineh for the current status of Assessor training: CAICO and current state of CMMC training – Ben Tchoubineh (CMMC-AB)

The only publicly-accessible training for the CMMC right now is the Registered Practitioner training. This training is meant for people who want to help organizations get ready for the CMMC.

The other active training program for the CMMC is the provisional auditor training. Only the ~140 very experienced provisional auditor selects have access to it. Per my conversations with provisional selects, there are still unknowns about whether the initial audits will be official or tests, and whether the DoD will select all audit targets or whether the open market will be available.

For right now, the best thing most of us can do is self-study. This article includes links and recommendations on a self-study program.


Review of Registered Practitioner Training

I went through the CMMC Registered Practitioner training when it first released in mid-2020. Here is my review of the RP training.


Requirements to be a CMMC Auditor / Assessor

Before you start studying, the major prerequisites to get any CMMC assessor certification (specifically, the Certified Professional entry-level certification) are:

  • College degree in a technical field or other equivalent experience (including military)
  • 2+ years in cyber or other information field
  • Pass commercial background check
  • Pass either a Tier 1 background check (still not confirmed) or a Tier 3 background check (similar to a Secret Clearance), depending on what type of assessments you perform.
  • No citizenship requirement for Certified Professional
  • If a Tier 3 background check is required, it typically comes with a requirement to be a U.S. citizen, as Secret Clearances do.
  • U.S. Person (green-card OK) for CMMC Level 1 Assessor
  • U.S. Citizen for CMMC Level 2+ Assessor or Certified Professional team-member

The prerequisite requirements increase as your CMMC Assessor level increases. Each CMMC assessment level will also require taking training, submitting to qualifications review, and passing exams.

This page has the detailed requirements for each level published by the CMMC Accreditation Body.


CMMC Licensed Publishers and CMMC Training


The CMMC Accreditation Body has approved the first Licensed Partner Publisher and Licensed Training Provider organizations.

This means that these organizations have been provided CMMC curriculum materials and are able to start building training. The training is not available to the public yet.

Contact information for these companies can be found on the CMMC-AB website here.

Please email us if you would like your program to be reviewed, or if you have studied in a program and have feedback on it. We will put a review on this blog!

The CMMC-AB is currently (in April 2021) teaching “Provisional Instructors” who are intended to teach “Certified Instructors” who would be employed by Licensed Training Providers.

CMMC Self Study Recommendations

Even if you take the Registered Practitioner training, it is my opinion that you should still self-study as described below. I’ve heard from provisional assessors that this website has been helpful to supplement their enhanced training too. You absolutely need a STRONG BACKGROUND in cybersecurity, system administration, and IT architecture design to supplement the current CMMC training.

For example, you need to be able to understand the individual practice requirements and the clarifications as written in the CMMC Appendix. The Registered Practitioner training barely addresses individual practices (it describes how you would read the CMMC model to figure them out). Most of the practices (especially Level 2+) require technical knowledge to understand all the areas of an organization that they could apply to.

Background information technology and/or cyber knowledge

If you don’t have a college degree in a technology field or equivalent experience, you should start on that now. Information Systems auditors should be very familiar with current technology and best practices for implementing it.

IT Certifications that cover CMMC topics

Industry certifications are a great way to improve (and prove!) your skills in a focused manner. Certifications in the IT field are very valuable when seeking jobs or higher salary too. Finally, the DoD recognizes (and requires) certifications for their cyber security workforce – since the CMMC program is closely tied to the DoD, having some of the 8570 program certifications can open doors in your career.

Certifications that are closely related to the CMMC Assessor role are:

Certified Information Systems Auditor (CISA) – This certification is one of the most popular for IT auditors. It tests knowledge about conducting a professional assessment, the best practices for running an IT organization, and technical know-how.

ITIL Foundation – One of the simpler certifications to work on. It tests knowledge of IT service management best practices. Covers creation, delivery, and continual improvement of IT products and services.

Capability Maturity Model Integration (CMMI) – A process and behavioral model designed to help organizations improve their performance and produce better services and products. Defines how to build effective processes that are used (and considered useful) by the organization.

Understand key CMMC concepts and major players

Read through our CMMC Glossary of Terms and Definitions. It is a great summary of which companies the CMMC is for, the legal requirements around it, and the official organizations leading the implementation.

Read through the FAR and DFARS rules referenced in the glossary and memorize them. Then check back in December 2020 for the updated DFARS rule and memorize that.

Understand FCI and CUI. This CUI training from the US Government is highly relevant.

The CMMC-AB’s Registered Practitioner training covers the CMMC ecosystem in depth, but is very light on technical interpretations or on how to get your client ready for assessment. You may want to register as a Registered Practitioner in addition to pursuing the assessor track. See our Review of Registered Practitioner training.

Study the CMMC Assessment Guide

The CMMC Assessment Guides have the most information about what the DoD expects for process maturity as well as security practices.

https://www.acq.osd.mil/cmmc/draft.html

Create your own CMMC System Security Plan and Plan of Action

Read through our How to get started with the CMMC article and FCI in CMMC article for tips on scope. Then, in whatever environment you have available (even your home network), try to actually document your CMMC Level 1 practices, then Level 2, etc.

For bonus points, try to implement anything you are missing. If you have email on your phone, it is now in scope. Fun times!

Evaluate your clouds. Would they be CMMC level 1 compliant? Are they FedRAMP approved? Do they meet DFARS 252.204-7014 requirements? (hopefully by this point you know that these are totally different levels of security)

If you do this you will gain a lot of sympathy for the Defense Contractors being told they need 100% compliance to pass an audit. And it will force you to really read the documentation and brainstorm ways to implement practices.

Gather evidence for your own CMMC audit

As a client, how would you gather this evidence and store it?

As a client, how would you demonstrate process maturity and continual improvement over time?

If you were an auditor reviewing each of the CMMC practices and maturity levels, what proofs of compliance would you want to see?

As an auditor, how would you check to make sure that the client didn’t “forget to mention” some insecure servers or services? How would you verify that work logs and policies weren’t created the week before the audit?

Additional training resources

I posed a question to LinkedIn asking for recommendations for a CMMC self-study program. Here were the responses.

ISO Standard 19011. This standard provides guidance on auditing management systems, including the principles of auditing, managing an audit program and conducting management system audits. These activities include the individual(s) managing the audit program, auditors and audit teams. – Ralph DiCicco, Senior VP Engineering Services Network, Inc.

Process guides for the CMMC version of EMASS – James Newman. Editor note: This doesn’t exist yet, but check back mid 2021.

Risk Management Framework and STIG (secure configurations) training courses. Editor note: The Risk Management Framework is a compliance framework used for DoD networks and has security requirements roughly equivalent to CMMC Level 4-5. This is very relevant for CMMC level 3+ prep, especially for topics around inheritance.

NIST Cyber Security Professional (NCSP) training courses. These courses focus on technical understanding of NIST control families, which are very relevant to CMMC since most of CMMC was inherited from NIST SP 800-171.

I’d love to hear your thoughts and reviews for CMMC self-study and official training! Please send me a connection on LinkedIn or sign up for our newsletter for CMMC updates as they are published.

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for the private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.