The Cybersecurity Maturity Model Certification is top of mind for many U.S. defense contractors as we gear up for a new year and a new administration. Originally developed under the Trump presidency, it is now solidified in its second version, CMMC 2.0, and will form the backbone of tiered cybersecurity requirements for those working with – and hoping to work with – the U.S. Department of Defense.
Designed to protect DoD data on contractor systems from nation-state actors and other external threats, the CMMC sets tiered requirements, scaled to data sensitivity, for defense contractors that handle federal contract information (FCI) and controlled unclassified information (CUI).
In anticipation of the new policies and initiatives that always accompany a new presidency, many organizations are readying themselves to comply with its mandates. Here are some training resources to help your organization comply with the framework and stay competitive among other defense contractor bidders.
But first, a few basics.
FAQs
Before jumping headlong into training, here are some frequently asked questions regarding the CMMC and what it means for defense contractor hopefuls.
Has the CMMC been finalized?
Yes, the U.S. Department of Defense (DoD) published the final rule for the program on October 15, 2024. Find the details in the Federal Register.
Is the CMMC replacing the NIST Framework?
No. The two are related but not the same. The CMMC does not introduce a new control catalog: its Level 2 requirements are the 110 security requirements of NIST SP 800-171, which the DoD already imposes on contractors that handle CUI through DFARS clause 252.204-7012. What the CMMC adds is verification. Rather than relying on a contractor's own attestation that those requirements are implemented, it requires an assessment, and for most CUI contracts a third-party certification, at the level specified in the contract.
Who audits the CMMC?
It depends on the level. Level 1 and a subset of Level 2 contracts require an annual self-assessment, affirmed by a senior company official. Level 2 certification assessments are conducted by a Certified Third-Party Assessment Organization (C3PAO), accredited by the CMMC Accreditation Body (Cyber AB, formerly the CMMC-AB). Level 3 assessments are performed by the DoD itself, through the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Does the CMMC only apply to the DoD?
Yes, the mandates apply to all cases in which a DoD contractor or subcontractor processes, stores, or transmits FCI or CUI on unclassified contractor information systems.
Additionally, “any security requirements by a prime contractor will flow to any subcontractor that interacts with the prime contractor’s FCI or CUI.”
How does the CMMC differ from FedRAMP?
Both are federal programs for protecting sensitive government data, but they target different parties. The CMMC governs the data-handling practices of DoD contractors and their subcontractors, while FedRAMP (Federal Risk and Authorization Management Program) authorizes the cloud service offerings that federal agencies use. The two intersect in practice: when a contractor stores or processes CUI in a cloud service, DFARS 252.204-7012 requires that service to meet the FedRAMP Moderate baseline or an equivalent, so your choice of cloud provider is part of your CMMC scope.
Training Resources
1. Get to know the CMMC
Get a crash course in all things cybersecurity maturity model certification, from its fundamental importance and scope to specific requirements and how to prepare for compliance. What Is the Cybersecurity Maturity Model Certification? explains each of the certification levels:
- Level 1: Foundational | The 15 basic safeguarding requirements of FAR 52.204-21, for contractors that handle FCI only – not CUI. Verified by annual self-assessment. Provides protection against low-level, opportunistic threats.
- Level 2: Advanced | All 110 security requirements of NIST SP 800-171, for contractors that handle CUI. Under CMMC 2.0 there are no additional practices beyond SP 800-171 (the "110 plus 20" figure belonged to the original model's Level 3). Most Level 2 contracts require a C3PAO certification assessment; a subset allow self-assessment.
- Level 3: Expert | Level 2 plus 24 selected requirements from NIST SP 800-172, aimed at advanced persistent threats (APTs), for contractors that can already protect CUI at Level 2. Assessed by the DoD's DIBCAC rather than a C3PAO.
2. What are CUI and FCI?
The types of data being protected are at the core of the Department of Defense’s CMMC requirements. It is important for organizations seeking certification (OSCs) to understand what defines those data types (CUI and FCI), as well as which technologies on the market can help find, classify, and protect them. Explore the blog, Cybersecurity Maturity Model Certification and CUI, to gain a deeper understanding of essential CUI marking standards, including:
- Basic CUI marking requirements | How to label CUI documents by page and portion, including what to do when the CUI status changes.
- Category marking | How to mark CUI documents when they fall under more than one CUI category.
- Handling instructions and CUI decontrol | Be aware of additional markings that indicate special handling requirements or decontrol conditions, even on documents already marked as CUI.
- Transmission and storage marking | How to mark electronic CUI files, both at rest and in transit.
3. Learn About CMMC 2.0 — and the deadline!
If your organization prepared against the original CMMC model, there are differences to account for before the 2.0 phase-in: fewer levels, the removal of the extra practices and process-maturity requirements, and the split between self-assessment and third-party assessment. Find out what changed between the original and 2.0, and when the phased rollout requires your contracts to be assessed.
4. Plan for certification
Preparing for CMMC certification involves understanding the framework's sections, known as domains. Unlike flatter control lists such as the CIS Controls, the CMMC groups its requirements by domain: the original model defined 17, and CMMC 2.0 consolidates them to the 14 requirement families of NIST SP 800-171, including:
- Access control
- Audit and accountability
- Awareness and training
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
Find the full list, plus the inspiration behind the CMMC framework, in What is the CMMC and How Can You Prepare for It?
5. Fast track: Prepare for the CMMC in 45 days
Got a lot on your plate? You’re not the only one. CMMC compliance can be complex and costly, not to mention time-consuming, especially with new CMMC 2.0 requirements to adhere to. In this webinar, learn about Fortra’s “easy button” template-based strategy to achieving CMMC certification in only 45 days.
6. The NICCS course
The National Initiative for Cybersecurity Careers and Studies (NICCS) lists a dedicated CMMC training course that prepares security professionals for the Cyber AB's CMMC Certified Professional credential (CCP, originally called the CP). Find out what it takes to:
- Participate as a member of the assessment team under the supervision of a certified assessor
- Be listed in the Cyber AB marketplace
- Use the certified professional logo
And how to identify federal supply chain risks, evaluate OSC readiness, implement and/or identify practices necessary to achieve all CMMC compliance levels, and more. Discover more in the NICCS CMMC Training: Certified Professional course.
7. Check out LinkedIn Learning training
Become invaluable to your team as CMMC compliance deadlines approach. With this Cyware-created LinkedIn Learning course, security professionals can become familiar not only with the certification itself, but the process of CMMC certification.
8. Take an interactive deep dive into all CMMC controls
A picture is worth a thousand words, a video can be worth even more, and an in-depth summary of CMMC controls can be invaluable. GRC Academy, an organization offering free GRC education online, offers several highly useful resources including a YouTube overview video and a self-paced overview course.
9. In-person training
If you thrive in a classroom learning environment, the CMMC Certified Professional (CP) course may be the right fit for you. This paid course can be taken over three-to-five days or two weeks and also provides information on NIST SP 800-171, FAR 52.204-21, and DFARS clauses.
Take the Next Step
Preparing for the CMMC is a door through which DoD contractors and subcontractors must pass to remain eligible for contracts that involve FCI or CUI, as the requirement is phased into new solicitations in the coming years. As external threat actors continue to reach federal agencies through their suppliers, the federal government keeps raising its bar for supply-chain cybersecurity.
By arming themselves with comprehensive CMMC training – and leveraging Fortra's CMMC compliance template and solutions – organizations that educate themselves now can meet the requirements of this federal framework and stay competitive in an increasingly stringent security landscape. If your organization chooses a collaborative approach to CMMC compliance, Fortra's data classification solutions and Alert Logic's managed security services are options to consider.