CMMC Auditor or Assessor Training Resources

WARNING – THIS PAGE HAS NOT BEEN UPDATED SINCE NOVEMBER 2021. Some information has changed since then. Please check back in a few weeks for the latest.

Formal CMMC training is finally available!

The Certified CMMC Professional training is available now. Reach out to Licensed Training Providers (LTPs) on the CMMC-AB Marketplace to find their pricing and course dates.

The training materials should cover most information needed to pass the exam. It is a good idea to have an understanding of the basics of networking, systems, and cybersecurity before you take the training course.


Review of Certified CMMC Professional training

I went through an internal training for Certified CMMC Professional (CCP) at Edwards Performance Solutions in October 2021.  It was a 5 day boot camp format, 9am – 5pm, with two provisional instructors for each class.

Full disclaimer: that was a train-the-trainer event and I’m now an instructor for Edwards too.

The good parts of CCP training

The trainers were very knowledgeable about CMMC. Edwards has sought out instructors who have been focused on CMMC since its introduction and have experience working with companies to gap assess or to help them prepare (generally both). This gives the instructors perspective on the topics that are hardest for clients to understand or implement. The real world strategies for things like getting C-level buy in were invaluable.

The reference materials and slides were well done. Edwards provided a 660 page “Field guide and exam prep manual” which has the full content of the CMMC assessment guide, public versions of the CMMC Assessment Procedure, and a ton of extra content to supplement the training slides. Several students (including myself) have commented that they plan to bring this field guide with them on assessments because it is very easy to reference.

The discussion about policy and procedure was the most valuable part of the course for me. It helped the class not only understand the expectations around policies and procedures, but it also helped everyone reach a consensus on expectations by having the students and instructors discuss whether specific information should be, or should not be, in each document.

The CCP class was very intense. It was a tremendous amount of information to pack into 5 days. Edwards set up weekly exam prep working groups which will take place over the next months until the exam is available. This is their strategy to make sure that students have time to process all the information (such as the regulations around CUI and updates as they are released by the CMMC-AB and DoD).

The bad parts of CCP training

The frustrating parts of the course could all be traced back to the CMMC-AB and DoD provided materials.

The reference frameworks, legislation, CUI, and CMMC model documentation all made good sense. Scoping guidance and the CMMC Assessment Procedure had problems when analyzed closely.

Some of the course objectives were redundant or simply didn’t make sense. Redundant objectives caused deja vu during the course: “Didn’t we just review this an hour ago?” “Yes we did. But the course objectives listed it for this area too.”

Some of the provided materials had errors or didn’t make sense. For example, the scoping guidance from the DoD (provided for use in the CCP course) is perfect for assessing organizations and people, but doesn’t make sense for technical assessments. No definition of boundaries. No definition of segmentation. No definition of whether only FCI or CUI systems are reviewed, or if security-relevant systems are also reviewed, or if all systems with connectivity are reviewed. If we were assessing only process maturity as performed by people in a department, the scope guidance would make sense. Unfortunately, this is not the case with CMMC’s technical practices.

The CMMC Assessment Procedure provided by the CMMC-AB was a tough day of training. It needs significant changes to be usable for real assessments if you want the defense contractor to have a hope of passing.

The training tried to make this content more digestible, but couldn’t deviate too far from the DoD and CMMC-AB provided materials.

Who should take this course?

I’ve noticed that about half the students attending the CCP courses are from Managed Service Providers (MSPs). The MSPs typically said that they serve multiple defense contractors who will need CMMC Level 3 and want to make sure they are preparing for the assessment correctly. About one quarter of the students were internal staff for defense contractors, tasked to lead CMMC for the organization. The vast majority of CCP students in courses I’ve attended did not intend to perform assessments.

Of course, people who want to become a CMMC assessor are also taking the CCP course, but they shouldn’t consider it a magic bullet to fame and fortune. There are about two hundred people who have gone through provisional assessor training who are still sitting around waiting for assessments to start. As a CCP, you would join their ranks, except at a lower salary, and you would still need to get your background investigation started. On the positive side, if the DoD comes out and confirms that CMMC is for real and authorizes assessments to start, there should be plenty of work coming up in 2022.


Review of Registered Practitioner Training

I went through the CMMC Registered Practitioner training when it first released in mid-2020. Here is my review of the RP training.


Requirements to be a CMMC Auditor / Assessor

Before you start studying, the major prerequisites to get any CMMC assessor certification (specifically, the Certified Professional entry-level certification) are:

  • College degree in a technical field or other equivalent experience (including military)
  • 2+ years in cyber or other information field
  • Pass commercial background check
  • Pass either a Tier 1 background check (still not confirmed) or a Tier 3 (similar to a Secret Clearance) background check, depending on what type of assessments you perform.
  • No citizenship requirement for Certified Professional (unless you want to work in an assessment team)
  • If a Tier 3 background check is required, then this typically comes with a requirement for US Citizen like Secret Clearances do.
  • U.S. Person (green-card OK) for CMMC Level 1 Assessor
  • U.S. Citizen for CMMC Level 2+ Assessor or Certified Professional team-member

The prerequisite requirements increase as your CMMC Assessor level increases. Each CMMC assessment level will also require taking training, submitting to qualifications review, and passing exams.

This page has the detailed requirements for each level published by the CMMC Accreditation Body.


CMMC Licensed Publishers and CMMC Training

The CMMC Accreditation Body has approved the first  Licensed Partner Publisher and Licensed Training Provider organizations.

This means that these organizations have been provided CMMC curriculum materials and are able to start building training. The training is not available to the public yet.

Contact information for these companies can be found on the CMMC-AB website here.

Please email us if you would like your program to be reviewed, or if you have studied in a program and have feedback on it. We will put a review on this blog!

The CMMC-AB is currently (in April 2021) teaching “Provisional Instructors” who are intended to teach “Certified Instructors” who would be employed by Licensed Training Providers. 

CMMC Self Study Recommendations

Even if you take the Certified Practitioner or Registered Practitioner training, it is my opinion that you should still self-study as described below. I’ve heard from provisional assessors that this website has been helpful to supplement their enhanced training too. You absolutely need a STRONG BACKGROUND in cybersecurity, system administration, and IT architecture design to supplement the current CMMC training.

For example, you need to be able to understand the individual practice requirements and the clarifications as written in the CMMC Appendix. The Registered Practitioner training barely addresses individual practices (it describes how you would read the CMMC model to figure them out). Most of the practices (especially Level 2+) require technical knowledge to understand all the areas of an organization that they could apply to.

Background information technology and/or cyber knowledge

If you don’t have a college degree in a technology field or equivalent experience, you should start on that now. Information Systems auditors should be very familiar with current technology and best practices for implementing it.

IT Certifications that cover CMMC topics

Industry certifications are a great way to improve (and prove!) your skills in a focused manner. Certifications in the IT field are very valuable when seeking jobs or higher salary too. Finally, the DoD recognizes (and requires) certifications for their cyber security workforce – since the CMMC program is closely tied to the DoD, having some of the 8570 program certifications can open doors in your career.

Certifications that are closely related to the CMMC Assessor role are:

Certified Information Systems Auditor (CISA) – This certification is one of the most popular for IT auditors. It tests knowledge about conducting a professional assessment, the best practices for running an IT organization, and technical know-how.

ITIL Foundation – One of the simpler certifications to work on. It tests knowledge of IT service management best practices. Covers creation, delivery, and continual improvement of IT products and services.

Capability Maturity Model Integration (CMMI) – A process and behavioral model designed to help organizations improve their performance and produce better services and products. Defines how to build effective processes that are used (and considered useful) by the organization.

CERT RMM – “A maturity model that promotes the convergence of security, business continuity, and IT operations activities to help organizations actively direct, control, and manage operational resilience and risk.”  Offered by Carnegie Mellon University.

Understand key CMMC concepts and major players

Read through our CMMC Glossary of Terms and Definitions. It is a great summary of which companies the CMMC is for, the legal requirements around it, and the official organizations leading the implementation.

Read through the FAR and DFARS rules referenced in the glossary and memorize them. Then check back in December 2020 for the updated DFARS rule and memorize that.

Understand FCI and CUI.  This CUI training from the US Government is highly relevant. 

The CMMC-AB’s Registered Practitioner training covers the CMMC ecosystem in depth, but is very light on technical interpretations or how to get your client ready for assessment. You may want to register as a Registered Practitioner in addition to the assessor track. Review of Registered Practitioner training.

Study the CMMC Assessment Guide

The CMMC Assessment Guides have the most information about what the DoD expects for process maturity as well as security practices.

https://www.acq.osd.mil/cmmc/draft.html

Create your own CMMC System Security Plan and Plan of Action

Read through our How to get started with the CMMC article and FCI in CMMC article for tips on scope. Then, in whatever environment you have available (even your home network), try to actually document your CMMC Level 1 practices, then Level 2, etc.

For bonus points, try to implement anything you are missing. If you have email on your phone, it is now in scope. Fun times!

Evaluate your clouds. Would they be CMMC level 1 compliant? Are they FedRAMP approved? Do they meet DFARS 252.204-7012 requirements? (hopefully by this point you know that these are totally different levels of security)

If you do this you will gain a lot of sympathy for the Defense Contractors being told they need 100% compliance to pass an audit. And it will force you to really read the documentation and brainstorm ways to implement practices.

Gather evidence for your own CMMC audit

As a client, how would you gather this evidence and store it?

As a client, how would you demonstrate process maturity and continual improvement over time?

If you were an auditor reviewing each of the CMMC practices and maturity levels, what proofs of compliance would you want to see?

As an auditor, how would you check to make sure that the client didn’t “forget to mention” some insecure servers or services? How would you verify that work logs and policies weren’t created the week before the audit?

 


Additional training resources

I posed a question to LinkedIn asking for recommendations for a CMMC self-study program. Here were the responses.

ISO Standard 19011. This standard provides guidance on auditing management systems; including the principles of auditing, managing an audit program and conducting management system audits. These activities include the individual(s) managing the audit program, auditors and audit teams. – Ralph DiCicco, Senior VP Engineering Services Network, Inc.

Process guides for the CMMC version of EMASS – James Newman. Editor note: This doesn’t exist yet, but check back mid 2021.

Risk Management Framework and STIG (secure configurations) training courses.  Editor note: The Risk Management Framework is a compliance framework used for DoD networks and has security requirements roughly equivalent to CMMC Level 4-5. This is very relevant for CMMC level 3+ prep, especially for topics around inheritance.

NIST Cyber Security Professional (NCSP) training courses.  These courses focus on technical understanding of NIST control families, which are very relevant to CMMC since most of CMMC was inherited from NIST SP 800-171. 


I’d love to hear your thoughts and reviews for CMMC self-study and official training! Please send me a connection on LinkedIn or sign up for our newsletter for CMMC updates as they are published.

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD.  Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.