Cybersecurity Maturity Model Certification (CMMC) Preparation

This course prepares your teams and organization for the upcoming requirements associated with the Cybersecurity Maturity Model (CMMC) standards, which will become increasingly stringent over the next few years.

The U.S. Department of Defense (DoD) developed the Cybersecurity Maturity Model to outline various cybersecurity standards among its contractors and subcontractors. With this model, organizations can assess their maturity level in protecting sensitive information—in other words, how skilled they are at keeping different types of private information private. 

In 2025, the Cybersecurity Maturity Model Certification (CMMC) will become required for all contractors that do business with the federal government. For these companies and any mature organization that needs to maintain effective cybersecurity, it makes sense to learn about CMMC ahead of time. If you're aware of the maturity of your own organization, then you'll know what to work on to become CMMC compliant. And this will lead to significant business advantages. Forewarned is forearmed! 

This class, from Cprime, will go over the most recent National Institute of Standards and Technology (NIST) security guidance and requirements. You'll find out what you need for CMMC compliance. You'll learn about each requirement, step by step, using the framework presented in NIST Special Publication 800-101, revision 2. 

4 days/32 hours of instruction
Public Classroom Pricing

Starting at: $2295 (USD)

GSA Price: $2185

Group Rate: $2195

Private Group Pricing

Have a group of 5 or more students? Request special pricing for private group training today.

Part 1: Introduction

  1. Target audience
    1. Federal and non-federal perspective
  2. Types of unclassified information
    1. What is Controlled Unclassified Information (CUI)?
    2. What is Federal Contract Information (FCI)?
  3. NIST 800-101, revision 2 overview
    1. Fundamental assumptions the requirements are based on
    2. Short introduction of the 14 families of security requirements
  4. CMMC Overview
    1. Benefits of CMMC (allows you to bid on DoD contracts beginning in 2025)
    2. Introductory overview of the five CMMC levels, with a special focus on level 3 before moving on to part 2 (see below)
  5. Other standards federal agencies should comply with

Additional material:

  • Cybersecurity Maturity Model Certification (CMMC) document by the Office of the Under Secretary of Defense for Acquisition & Sustainment
  • NIST Special Publication 800-171, revision 2 document

Part 2: Understanding the Requirements

To reach CMMC compliance, organizations must meet certain security requirements. The federal regulations in this section are formally introduced in NIST Special Publication 800-171, revision 2. There are 14 families of recommended security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.

Each requirement has two categories:

  • Basic: These are fundamental security requirements for federal information and systems.
  • Derived: These supplement the basic requirements.

For each requirement, you'll learn about the basic and derived security requirements and see examples.

  1. Access Control
    1. Basic Security Requirements
      1. Limit system access to three categories: authorized users, processes acting on behalf of authorized users, and devices (including other systems).
      2. Limit system access to the types of transactions and functions that authorized users are allowed to execute.
    2. 20 Derived Security Requirements
  2. Awareness and Training
    1. Basic Security Requirements
      1. Make certain that managers, systems administrators, and users of organizational systems know the security risks associated with their activities. Also, make sure they know the policies, standards, and procedures related to the security of those systems.
      2. Be sure that personnel have the training to carry out their assigned information security-related duties and responsibilities.
    2. One Derived Security Requirement:
      1. Provide security awareness training so participants can recognize and report potential indicators of insider threat.
  3. Audit and Accountability
    1. Basic Security Requirements
      1. Create and keep system audit logs and records to the extent needed to allow monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
      2. Make certain that the actions of individual system users can be uniquely traced to those users. That way, they can be held accountable for their actions.
    2. 7 Derived Security Requirements
  4. Configuration Management
    1. Basic Security Requirements
      1. Set and maintain baseline configurations and inventories of organizational systems. This includes hardware, software, firmware, and documentation. These precautions are necessary throughout the respective system development life cycles.
      2. Create and enforce security configuration settings for information technology products used in organizational systems.
    2. 7 Derived Security Requirements
  5. Identification and Authentication
    1. Basic Security Requirements
      1. Identify system users, processes acting on behalf of users, and devices.
      2. Authenticate (or verify) the identities of users, processes, or devices. This must be a prerequisite to allowing access to organizational systems.
    2. 9 Derived Security Requirements
  6. Incident Response
    1. Basic Security Requirements
      1. Figure out how the team will handle incidents. This must include preparation, detection, analysis, containment, recovery, and user response activities.
      2. Track, document, and report incidents to the right officials and/or authorities, whether they're inside or outside the organization.
    2. One Derived Security Requirement:
      1. Test the response capability for an organizational incident.
  7. Maintenance
    1. Basic Security Requirements
      1. Maintain organizational systems.
      2. Control the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
    2. Four Derived Security Requirements
  8. Media Protection
    1. Basic Security Requirements
      1. Oversee activities of maintenance personnel who don't have the required access authorization.
      2. Restrict access to CUI on system media to authorized users.
      3. Sanitize or destroy system media containing CUI before disposal or release for reuse.
    2. 6 Derived Security Requirements
  9. Personnel Security
    1. Basic Security Requirements
      1. Screen individuals before giving them access to organizational systems containing CUI.
      2. Make certain that organizational systems containing CUI are protected during and after people's job terminations and transfers.
    2. No Derived Security Requirements
  10. Physical Protection
    1. Basic Security Requirements
      1. Limit physical access to organizational systems, equipment, and the related operating environments to authorized people.
      2. Protect and keep track of the physical facility and support infrastructure for organizational systems.
    2. Four Derived Security Requirements
  11. Risk Assessment
    1. Basic Security Requirements
      1. From time to time, assess the risk to organizational operations, including mission, functions, image, or reputation. Also, assess the risk to organizational assets and individuals. These risks can come from operating organizational systems and processing, storing, or transmitting CUI.
    2. Two Derived Security Requirements
  12. Security Assessment
    1. Basic Security Requirements
      1. Regularly check the security controls in organizational systems to determine if they're effective.
      2. Create and implement action plans to fix deficiencies and lessen or get rid of vulnerabilities in organizational systems.
      3. Monitor security controls over time to ensure they're still effective.
      4. Develop, document, and periodically update system security plans. These plans should describe system boundaries and system environments of operation. Also, they should describe how to implement security requirements and explain the relationships with or connections to other systems.
    2. No Derived Security Requirements
  13. System and Communications Protection
    1. Basic Security Requirements
      1. Monitor, control, and protect communications (that is, information that organizational systems send or receive) at the external boundaries and key internal boundaries of organizational systems.
      2. Use architectural designs, software development techniques, and systems engineering principles that maintain a high level of information security within organizational systems.
    2. 14 Derived Security Requirements
  14. System and Information Integrity
    1. Basic Security Requirements
      1. Identify, report, and correct system flaws as soon as possible.
      2. Protect users from malicious code at designated locations within organizational systems.
      3. Keep track of system security alerts and advisories. Take action when needed.
    2. Four Derived Security Requirements

Part 3: Five CMMC Levels of Maturity

You can't achieve a level until you've completed the preceding levels. We'll look at the associated domain, capabilities, processes, and practices for each level, so you'll have a good idea of what you need to do.

  1. CMMC detailed overview
    1. How do CMMC levels work?
  2. CMMC domains. The CMMC model has 17 domains, and each domain has capabilities, processes, and practices associated with it. The domains are:
      • Access Control (AC)
      • Asset Management (AM)
      • Audit and Accountability (AU)
      • Awareness and Training (AT)
      • Configuration Management (CM)
      • Identification and Authentication (IA)
      • Incident Response (IR)
      • Maintenance (MA)
      • Media Protection (MP)
      • Personnel Security (PS)
      • Physical Protection (PE)
      • Recovery (RE)
      • Risk Management (RM)
      • Security Assessment (abbreviated CA instead of SA)
      • Situational Awareness (again, abbreviated CA instead of SA)
      • System and Communications Protection (SC)
      • System and Information Integrity (SI)
    1. CMMC capabilities
    2. CMMC processes
    3. CMMC practices
  3. CMMC Level 1: Basic Cyber Hygiene
    1. Focus: Safeguard Federal Contract Information (FCI)
    2. Additional material: Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC Assessment Guide, Level 1
  4. CMMC Level 2: Intermediate Cyber Hygiene
    1. Focus: Progress in cybersecurity maturity and protect CUI
    2. Covered in the level 3 assessment guide
  5. CMMC Level 3: Good Cyber Hygiene
    1. This level includes all requirements of NIST 800-171 (covered in part 2). It also includes other standards and references.
    2. Focus: Protect CUI
    3. Additional material: Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC Assessment Guide Level 3
  6. CMMC Level 4: Proactive
    1. Focus: Not only protect CUI but also reduce risk of Advanced Persistent Threats (APTs). Within this level, organizations must regularly review their processes and correct them when necessary.
  7. CMMC Level 5: Advanced/Progressive
    1. Focus: Protect CUI and reduce risk of APTs. Level 4 and level 5 have the same focus. But to reach level 5, in addition to regularly performing self-assessments, the organization must also fully standardize and optimize the cybersecurity measures for the entire organization.

Part 4: Becoming Certified

The CMMC Accreditation Body (CMMC-AB) recommends that you start preparing at least six months before the assessment. Here's the general process outlined by the CMMC-AB for an organization to become certified under the CMMC:

  1. Understand the CMMC requirements.
  2. Identify your scope and desired maturity level.
  3. Optional: Do a pre-assessment with a Registered Provider Organization (RPO) or Third-Party Assessment Organization (C3PAO).
    1. Close any gaps you find during the pre-assessment.
  4. Find a C3PAO on the CMMC-AB Marketplace.
  5. Conduct the assessment with a Certified Assessment Team (a Certified Assessor from CMMC-AB or a C3PAO).
    1. You have up to 90 days to resolve any findings.
  6. Get your three-year certification upon approval.

  • Information security managers
  • Information security practitioners
  • Security auditors
  • Security consultants
  • Chief Information Security Officers (CISOs)
  • Chief Security Officers (CSOs)
  • Privacy officers
  • Security administrators
  • IT managers
  • Individuals pursuing CISM® Certification
  • CTOs and their teams
  • CIOs and their teams

Cybersecurity Maturity Model Certification (CMMC) Preparation Schedule

There are currently no scheduled classes for this course. Please contact us if you would like more information or to schedule this course for you or your company.