by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
CMMC certification training is on the minds of many small organizations that do business with the government. You may not have the huge training budget of a larger business, but you know you need to bone up on CMMC before it becomes a requirement (most likely) in early 2025.
Many businesses are surprised to learn that achieving CMMC compliance can take more than a year. So even if you start tomorrow, you will still be hustling to reach compliance.
So what can you do to start today?
The first step is to get educated. Here is a small but powerful list of mostly free training resources that can help you get a grip on CMMC.
I’ve come across these over my time as president of a managed IT services provider in Virginia, a state second only to California for the number of businesses that work with the government. I’ve also been certified as a registered CMMC practitioner by The Cyber AB, and my MSP, E-N Computers, is a registered practitioner organization.
QUICK ANSWER:
Where can I find free training for CMMC certification?
The government offers several classes, guides, and bulletins that can introduce you to CMMC compliance requirements, train you on recognizing and handling controlled unclassified information (CUI), and keep you up to date on cybersecurity threats – all are free. Some other low-cost resources include training by The Cyber AB.
The Cyber AB
Cost: $600
Time required: 8 hours or more
Topics covered: CUI, FCI, the CMMC framework, scoping, etc.
The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) ecosystem. The Cyber AB both accredits and offers training.
The Cyber AB ecosystem can be a little confusing at first, particularly if you’re looking for training. The Cyber AB accredits consultants and auditors to work with businesses and also accredits businesses as CMMC compliant. Most likely you don’t want to become a CMMC auditor, so you don’t need that training. You are looking for training to become CMMC compliant as a business so that when the auditor comes (to assess you for CMMC Level 2), you are ready.
One option is to take the training for becoming a Registered Practitioner (RP) – the consultant role in the CMMC ecosystem. First you must join the Cyber AB. You’ll have to pass a background check and pay $600 for the training and assessment. Topics include an introduction to the CMMC model, the CMMC accreditation body and ecosystem, Federal Contract Information (FCI), prime and subcontract information flow, CMMC tools and templates, scoping, and contract agreement and fulfillment.
The Registered Practitioner training took me about eight hours over two weekends. It wasn’t bad for someone with a background in IT, cybersecurity and compliance.
Center for Development of Security Excellence
Cost: Free
Time required: Training must be completed in one sitting
Topics covered: Controlled Unclassified Information (CUI)
The DoD Mandatory Controlled Unclassified Information (CUI) Training provided by the Center for Development of Security Excellence is mandatory for all DoD personnel with access to CUI. The training is relatively quick and basic, but useful.
Project Spectrum
Cost: Free account
Time required: Each class is about an hour
Topics covered: Access control; CUI; System Security Plans; Plans of Action & Milestones; system and communication protection; foreign ownership, control or influence
Project Spectrum is a not-for-profit platform created to educate small businesses on CMMC and offers cybersecurity information, resources, tools, and training. Most of the training is fairly high level. They also offer a number of self-assessment tools.
Department of Defense self-assessment guides
Cost: Free
Time required: The audiobooks offer nine hours of content
Topics covered: Many details of CMMC Level 1 and 2
Self-assessment guides are available directly from the Department of Defense website. The guides, which were created by Carnegie Mellon University, provide an overview of the CMMC self-assessment process, how to document compliance, clarification of terms, and practice descriptions.
As a service to the IT community, E-N Computers created audiobooks of the guides. As I was preparing for CMMC, I found myself wishing for an audio version so I could review on the go. So our director of technology Thomas Kinsinger jumped to put together a professionally recorded series of audiobooks for our clients and others.
CMMC Level 1 (FCI)
CMMC Self-Assessment Guide Level 1 (PDF)
CMMC Self-Assessment Guide Level 1 (Audiobook)
CMMC Level 2 (CUI)
CMMC Self-Assessment Guide Level 2 (PDF)
CMMC Self-Assessment Guide Level 2 (Audiobook)
Defense Industrial Base Cybersecurity Program
Cost: Free
Topics covered: Current cybersecurity threats
The DIB Cybersecurity Program is a voluntary program to help businesses keep DoD information safe. Cybersecurity threats and remediation are shared between the DoD and cleared defense contractors. This program can help you keep up with security threats and get some coaching around security.
The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
Cost: Free
Time required: 1 hour
Topics covered: A control-by-control review of NIST 800-171 with examples of application
This is our plain-English explanation of the 110 NIST controls and actionable steps.
The state of NIST-CMMC compliance today
Last but not least, a lot of these training options are included in my presentation to the Richmond, Virginia-based cybersecurity conference RVAsec. This is a thorough introduction to the complexities of government compliance, but also (I hope) in fairly plain English.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.