by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
Updated November 6, 2025
CMMC certification training is on the minds of many small organizations who do business with the government. You may not have the huge training budget of a larger business, but you know you need to bone up on CMMC especially now that it is being included as a requirement in new DoD contracts, with a phased rollout that runs through November 2028.
Many businesses are surprised to learn that achieving CMMC compliance can take more than a year. So, if you started tomorrow, you will still be hustling to reach compliance.
So, what can you do to start today?
The first step is to get educated. Here is a small but powerful list of mostly free training resources that can help you get a grip on CMMC.
I’ve come across these over my time as president of a managed IT services provider in Virginia, a state second only to California for number of businesses that work with the government. I’ve also been certified as a registered CMMC practitioner by The Cyber AB and my MSP, E-N Computers, is a registered practitioner organization.
QUICK ANSWER:
Where can I find free training for CMMC certification?
The government offers several classes, guides, and bulletins that can introduce you to CMMC compliance requirements, train you on recognizing and handling controlled unclassified information (CUI), and keep you up to date on cybersecurity threats – all are free. Some other low-cost resources include training by The Cyber AB.
The Cyber AB
Cost: $600 (Application, Training & Testing) plus a $500 annual renewal fee
Time required: 8 hours or more
Topics covered: CUI, FCI, the CMMC framework, scoping, etc.
The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) ecosystem. The Cyber AB both accredits and offers training.
The Cyber AB ecosystem can be a little confusing at first, particularly if you’re looking for training. The Cyber AB accredits consultants and auditors to work with businesses and also accredits businesses as CMMC compliant. Most likely you don’t want to become a CMMC auditor, so you don’t need that training. You are looking for training to become CMMC compliant as a business so that when the auditor comes (to assess you for CMMC Level 2), you are ready.
One option is to take the training for becoming a Registered Practitioner (RP) – the consultant role in the CMMC ecosystem. First you must join the Cyber AB. You’ll have to pass a background check and pay $600 for the training and assessment. Topics include an introduction to the CMMC model, the CMMC accreditation body and ecosystem, Federal Contract Information (FCI), prime and subcontract information flow, CMMC tools and templates, scoping and contract agreement and fulfillment.
There is an annual renewal fee of $500 for the RP designation. The Registered Practitioner training took me about eight hours over two weekends. It wasn’t bad for someone with a background in IT, cybersecurity and compliance.
Center for Development of Security Excellence
Cost: Free
Time required: Training must be completed in one sitting
Topics covered: Controlled Unclassified Information (CUI)
The DoD Mandatory Controlled Unclassified Information (CUI) Training provided by the Center for Development of Security Excellence is mandatory for all DoD personnel with access to CUI. This is a relatively quick and basic training but useful.
Project Spectrum
Cost: Free account
Time required: Each class is about an hour
Topics covered: Access control; CUI, System Security Plans; Plans of Action & Milestones; system and communication protection, foreign ownership, control or influence
Project Spectrum is a not-for-profit platform created to educate small businesses on CMMC and offers cybersecurity information, resources, tools, and training. Most of the training is fairly high level. They also offer a number of self-assessment tools.
Department of Defense self-assessment guides
Cost: Free
Time required: The audiobooks offer nine hours of content
Topics covered: Many details of CMMC Level 1 and 2
The official CMMC Assessment Guides are available directly from the Department of Defense website. These guides, developed in collaboration with organizations like Carnegie Mellon University, detail the practices and assessment objectives for each CMMC Level, helping organizations prepare for their official CMMC assessment.
As a service to the IT community, E-N Computers created audiobooks of the guides. As I was preparing for CMMC, I found myself wishing for an audio version so I could review on the go. So our director of technology Thomas Kinsinger jumped to put together a professionally recorded series of audiobooks for our clients and others.
CMMC Level 1 (FCI)
CMMC Self-Assessment Guide Level 1 (PDF)
CMMC Self-Assessment Guide Level 1 (Audiobook)
CMMC Level 2 (CUI)
CMMC Self-Assessment Guide Level 2 (PDF)
CMMC Self-Assessment Guide Level 2 (Audiobook)
Defense Industrial Base Cybersecurity Program
Cost: Free
Topics covered: Current cybersecurity threats
The DIB Cybersecurity Program is a voluntary program to help businesses keep DoD information safe. Cybersecurity threats and remediation are shared between the DoD and cleared defense contractors. This program can help you keep up with security threats and get some coaching around security.
The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
Cost: Free
Time required: 1 hour
Topics covered: A control-by-control review of NIST 800-171 with examples of application
Our plain English explanation of the 110 NIST controls and actionable steps.
The state of NIST-CMMC compliance today
Last but not least, a lot of these training options are included in my presentation to the Richmond, Virginia-based cybersecurity conference RVAsec. This is a thorough introduction to the complexities of government compliance, but also (I hope) in fairly plain English
Next steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.
Paid training resources
While the official CMMC Assessment Guides are the authoritative source, many organizations, particularly small and medium-sized businesses (SMBs), are helped by structured training and expert consulting services. These paid resources offer accelerated learning and professional guidance.
1- Official CMMC Ecosystem Training (Certification Path)
For organizations that plan to have in-house IT, security, or compliance staff deeply involved in implementation and assessment preparation, investing in official CMMC certification training provides the most accurate and reliable foundation. These courses are delivered by CMMC Approved Training Providers (ATPs) who are licensed by the Cyber AB.
| Course name | Purpose | Estimated cost (course only) |
|---|---|---|
| Certified CMMC Professional (CCP) | Provides a foundational and comprehensive understanding of the CMMC 2.0 model, assessment process, and NIST SP 800-171 requirements. | $1,995 – $3,000 (typically 4-5 days) |
| Certified CMMC Assessor (CCA) | Trains professionals to execute CMMC Level 2 assessments. Highly valuable for internal staff who will conduct pre-assessments. | $2,995 – $3,300 (typically 5 days) |
Note: These costs cover the ATP training course only. The organization must also pay a separate, smaller fee directly to the Cyber AB/CAICO for the CMMC Professional Number (CPN) and the certification exam itself.
2- Specialized Compliance Workshops and Courses
Many training providers and consulting firms offer targeted courses designed specifically for contractors, not for professional certification. Here are some general categories
- CMMC Readiness/Compliance Workshops: These workshops, offered by various CMMC consultants and training providers, focus on the practical application of CMMC Level 2 requirements, often including gap analysis against NIST SP 800-171, System Security Plan (SSP) guidance, and developing a Plan of Action & Milestones (POA&M).
- CMMC for Business Professionals/Executives: Shorter courses (often 1-day or half-day) designed for senior leaders to understand the contractual, financial, and strategic implications of CMMC, to better allocate budget and resources.
- End-User Security Awareness Training: Necessary for all personnel; many providers offer CMMC-aligned security awareness training to meet the Awareness and Training (AT) practice domain requirements.
3- Professional Implementation Services (Consulting)
Beyond professional certifications, companies can utilize specialized consulting services from a Registered Provider Organization (RPO): a Gap Assessment reviews systems against CMMC practices to provide a clear, prioritized roadmap of deficiencies; and Implementation Support offers hands-on help in remediating those gaps, accelerating compliance and reducing the risk of failure during the official assessment.
Complimentary review with an experienced engineer
Are you ready for CMMC?
Get a free strategic consultation to start or streamline your journey toward CMMC compliance.
Related articles
If you need CMMC managed IT services
If you need to better understand CMMC requirements:
- The Ultimate Guide to CMMC
- The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
- What is FCI and should I worry about it?
- What is CUI and should I worry about it?
- CMMC compliance deadlines: Key dates and what they mean
If you’re looking for CMMC tools and training:
- We found the best GRC tool for CMMC
- What is Microsoft GCC High and do I need it?
- Best CMMC training resources
- CMMC Level 1 guide as audio book
- CMMC Level 2 guide as audio book
- CUI enclaves in CMMC compliance: Are they right for your business?
If you’re looking for a CMMC consultant or Registered Practitioner Organization:
- Best CMMC consultants
- Best CMMC RPOs near Washington, DC
- Best Virginia Registered Practitioner Organizations
- Case Study: Virginia Government Contractor Nears CMMC Compliance
- CMMC Gap Analysis
If you’re looking for a CMMC assessor:
If you’re looking for information about CMMC that is targeted toward smaller businesses:
