CyberSecurity Maturity Model Certification (CMMC): Certified CMMC Professional (CCP)

Course 2072

  • Duration: 5 days
  • Exam Voucher: Yes
  • Language: English
  • 29 NASBA CPE Credits
  • Level: Foundation
Get This Course $3,495
  • 5-day instructor led training course
  • After-course instructor coaching included
  • Tuition fee can be paid later by invoice -OR- at the time of checkout by credit card
  • Exam Vouchers are only available throught CMMC-AB.
#2072
  • Guaranteed to Run - you can rest assured that the class will not be cancelled.
    Jun 13 - 17 9:00 AM - 4:30 PM EDT
    AnyWare
  • Guaranteed to Run - you can rest assured that the class will not be cancelled.
    Jul 25 - 29 9:00 AM - 4:30 PM EDT
    AnyWare
  • Guaranteed to Run - you can rest assured that the class will not be cancelled.
    Aug 22 - 26 9:00 AM - 4:30 PM EDT
    AnyWare
  • Guaranteed to Run - you can rest assured that the class will not be cancelled.
    Sep 12 - 16 9:00 AM - 4:30 PM EDT
    AnyWare
  • Oct 24 - 28 9:00 AM - 4:30 PM EDT
    AnyWare
  • Nov 14 - 18 9:00 AM - 4:30 PM EST
    AnyWare
  • Dec 19 - 23 9:00 AM - 4:30 PM EST
    AnyWare
  • Jan 23 - 27 9:00 AM - 4:30 PM EST
    AnyWare
  • Feb 13 - 17 9:00 AM - 4:30 PM EST
    AnyWare
  • Mar 27 - 31 9:00 AM - 4:30 PM EDT
    AnyWare

Scroll to view additional course dates

The Cybersecurity Maturity Model Certification (CMMC), managed by the CMMC Accreditation Body (CMMC-AB), is a program through which an organization's cybersecurity program is measured by their initial and ongoing compliance with applicable cybersecurity practices as well as their integration of corresponding policies and plans into their overall business operations. By Fiscal Year 2026, all organizations providing products or services to the US DoD must obtain at least a Maturity Level 1 certification under this program.

This course prepares students for the CMMC-AB Certified Professional (CP) certification, which authorizes the holder to use the CMMC-AB Certified Professional logo, to participate as an assessment team member under the supervision of a Certified Assessor, and to be listed in the CMMC-AB Marketplace. The CP certification is also prerequisite for the other certifications (CCA-1, CCA-3, and CCA-5).

To ensure your success in this course you should have some foundational education or experience in cybersecurity.

The CMMC-AB has established prerequisites for those who wish to apply for CP Certification, such as:

  • Favorable background checks. Additional citizenship and clearance credentials also required to perform higher level duties, such as participating as ML-2 assessment team member.
  • A college degree in a cyber or information technical field with 2+ years of experience or 3+ years of equivalent experience (including military) in a cyber, information technology, or assessment field.
  • At least two years of experience in cybersecurity or another information technology field.
  • CMMC-AB approval of your application.

This is an unofficial summary provided for your convenience. Always refer to the CMMC-AB website (https://www.cmmcab.org) for official requirements and be aware that CMMC requirements are subject to change.

Note: Students will have completed the above certification requirements prior to enrolling in the course through the CMMCAB website, this step is independent of their classroom participation.

CyberSecurity Maturity Model Certification (CMMC): Certified CMMC Professional (CCP) Delivery Methods

  • This course is a prerequisite for the Certified Professional program, and it prepares students for the CMMC Certified Profession (CP) certification exam.
  • The CP certification is also a step toward becoming a certified assessor (CA), so students might take his course to begin down the path toward CA certification.

CyberSecurity Maturity Model Certification (CMMC): Certified CMMC Professional (CCP) Course Benefits

  • Identify risks within the federal supply chain and the established standards for managing them.
  • Describe how the CMMC model ensures compliance with federal acquisitions regulation.
  • Identify responsibilities of the CMMC Certified Professional, including appropriate ethics and behavior.
  • Identify regulated information and establish the Certification and, Assessment scope boundaries for evaluating the systems that protect that regulated information.
  • Evaluate OSC readiness and determine the objective evidence you intend to present to the assessor.
  • Use the NIST 800-171A and CMMC Assessment Guide to assess objective evidence for processes and practices.
  • Implement and evaluate practices required to meet CMMC maturity level 1.
  • Implement and evaluate processes and practices required to meet CMMC maturity level 2.
  • Implement and evaluate processes and practices required to meet CMMC maturity level 3.
  • Identify processes and practices required to meet CMMC maturity levels 4 and 5.
  • As a Certified Professional, work through the logistics of a CMMC assessment, including planning for and conducting the assessment, as well as any follow-up processes, such as remediation and adjudication.
  • Perform the role of a Certified Professional.

CMMC Training Outline

Topic A: Identify Limitations of Self-Certification

Identify ways in which self-certification is insufficient to ensure protection against threats to the federal supply chain.

  • Accountability
  • Contracts Involving Multiple Contractors
  • Self-Certification of Cybersecurity
  • Drawbacks and Limitations of Self-Certification
  • The False Claims Act
  • Consequences of Self-Certification
  • The Christian Doctrine
  • L. Christian & Associates v. United States, 312 F.2d 418 (Ct. Cl. 1963)
  • Legal Obligations of Contractors and Subcontractors
  • Guidelines for Identifying Your Legal Obligations
  • Identifying Where Things Went Wrong Due to Self-Certification

Topic A: Identify Benefits of CMMC

Describe how the Cybersecurity Maturity Model Certification is designed to ensure that suppliers comply with federal cybersecurity standards, providing benefits over the self-certification model.

  • Rationale for the Introduction of the CMMC Model
  • Process through which the CMMC Model was Developed
  • CMMC Reference/Source Documents (High Level)
  • CMMC’s Basis in Cybersecurity Standards and Best Practices
  • The CMMC Accreditation Body (CMMC-AB)
  • Roles and Responsibilities – DoD and CMMC-AB
  • How the CMMC-AB Is Funded
  • The CMMC-AB Marketplace
  • The CMMC Ecosystem
  • CMMC-AB affiliated people and organizations
  • Client or Credentialed Organizations
  • Registered or Certified Individuals
  • Roles and Responsibilities – Assessment
  • Third-Party Review
  • Scalability
  • Decentralization
  • Assessments
  • Cost Effectiveness for All
  • Identifying How CMMC Would Have Prevented Problems

Topic B: Describe the CMMC Model Architecture

Describe the general architecture of the CMMC Model.

  • Maturity Model
  • The CMMC Maturity Model
  • The CMMC Model Taxonomy
  • Domains of the CMMC Model
  • Capabilities of the CMMC Model
  • Practices of the CMMC Model
  • Distribution of Practices Across Maturity Levels
  • Accumulation of Practices Through Five Levels
  • Distribution of Practices Per Level Across Domains
  • Sources of CMMC Practices
  • Processes in the CMMC Model
  • Cumulative Practices and Processes
  • Practice and Process Numbering System
  • The Path to CMMC Certification
  • Transitioning from Level to Level
  • CMMC Documentation
  • Guidelines for CMMC Success
  • Describing the CMMC Model Architecture

Topic A: Identify Responsibilities of the CMMC CP

Identify responsibilities of a Certified Professional.

  • CP Responsibilities – In-house or Consultant
  • CP Responsibilities – Assessment Team
  • Various Roles Performed by a CP
  • Technical Opportunities
  • External Consulting
  • Assisting in Assessments
  • How Contractors Are Expected to Administer Self-Assessments
  • Separation of Duties
  • Guidelines for Maintaining an Appropriate Separation of Duties
  • Identifying Responsibilities of the CMMC Certified Professional

Topic B: Demonstrate Appropriate Ethics and Behavior

Demonstrate ethics and behavior that are appropriate for a CMMC Certified Professional, as outlined in the Code of Professional Conduct.

  • Code of Professional Conduct (CoPC)
  • Guidelines for Professional Conduct
  • Demonstrating Appropriate Ethics and Behavior

Topic A: Identify Regulated Information

Define types of regulated information.

  • Federal Contract Information (FCI)
  • 48 CFR § 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems
  • Understanding CUI
  • DFARS Clause 252.204-7012 -- Safeguarding Covered Defense Information and Cyber Incident Reporting
  • NARA CUI Registry: CUI Types
  • NARA CUI Registry: CUI Groupings
  • NARA CUI Registry: CUI Defense Categories
  • NARA CUI Registry: CUI Defense Covered Technical Information
  • WORKING Covered Defense Information Definition
  • DODI 8582.1 (FCI/CUI)
  • Controlled Unclassified Information (CUI)
  • Controlling Authorities
  • DODI 5200.48 (CUI)
  • 32 CFR Part 2002, Controlled Unclassified Information (CUI)
  • Rules and Regulations Applying to CUI
  • FCI vs CUI
  • Controlled Technical Information (CTI)
  • Guidelines for Identifying CTI
  • Export Controlled Information (ECI)
  • Guidelines for Protecting and Restricting ITAR and Export Controlled Data
  • Guidelines for Determining the Type of Protected Information
  • Guidelines for Protecting FCI
  • Guidelines for Protecting CUI
  • Guidelines for Protecting CTI
  • Guidelines for Protecting ECI
  • Identifying Regulated Information

Topic B: Establish the Certification and Assessment Scope Boundaries

Establish appropriate scope boundaries for a CMMC Assessment.

  • Scoping
  • Scope Boundaries
  • How Does Scoping Affect Your Role as a CP?
  • Scoping: Roles & Responsibilities During Assessments
  • Scoping: Data-Centric Methodology
  • Guidelines for Establishing the Certification and Assessment Scope Boundaries
  • CMMC Level 1 Category A – In Scope
  • CMMC Level 1 Category B – Out of Scope
  • CMMC Level 1 Category C – Enabling Asset
  • Excluded Assets
  • Separation Techniques – Isolation
  • Separation Technique – Controlled Access
  • Separation Example: Guest Wireless – Logical Isolation
  • Separation Example: Access Control – Logical Isolation
  • Separation Example: Extended Untrusted User/System Access
  • Evolution of Artifacts and Evaluation Methods in Relation to Maturity Level
  • Identifying Appropriate Certification and Assessment Scope Boundaries

Topic A: Evaluate Readiness

Evaluate the readiness of an organization seeking to undergo the CMMC assessment process.

  • Assessment as Partnership
  • The Path to CMMC Certification
  • Guidelines for Identifying the Scope of the Assessment
  • Identify Desired Maturity Level
  • Ways to Evaluate How Prepared You Are Before the Assessment
  • Gap Analysis
  • Closing Gaps
  • Benefits of an Evidence Validation
  • Guidelines for Evaluating Readiness
  • Evaluating Readiness

Topic B: Determine Objective Evidence

Determine what objective evidence you intend to present in the assessment.

  • Effective Assessments
  • Objective Evidence
  • CMMC Assessment Reference Documents
  • Methods Assessors Will Use to Make Their Evaluation
  • Limits on Assessors' Access to the Organization's CUI and FCI
  • Evidence Collection, Preparation, and Generation
  • Stakeholder Interviews
  • Organization of Documents and Other Evidence to Prepare for an Assessment
  • Guidelines for Determining Objective Evidence
  • Determining Objective Evidence Categories

Topic A: Assess the NIST 800-171 Practices Using the 800-171A Methodology

Implement the NIST SP 800-171 requirements using the NIST SP 800-171A Assessment methodology.

  • CMMC Assessment Requirements Map
  • CMMC Source Documents
  • NARA ISOO (Information Security Oversight Office)
  • The Role of the Information Security Oversight Office (ISOO)
  • ISOO CUI Notice 2020-04: Assessing Security Requirements for CUI in Non-Federal Information Systems (dated 16 June 2020) (4 slides)
  • NIST SP 800-171A Assessment Depth & Coverage
  • NIST SP 800-171A Assessment Procedure
  • NIST SP 800-171A Assessment Methods (3 slides)
  • Multi-Factor Authentication: Requirement
  • Multi-Factor Authentication: Objectives
  • Multi-Factor Authentication: Methods & Objects
  • Requirement to Objectives to Systems
  • CMMC Assessment Procedures
  • Pass with Inheritance: Shared Service Responsibility Model
  • How the Assessment Procedures Affect Your Role as a CP
  • Guidelines for Assessing the NIST 800-171 Practices Using the 800-171A Methodology
  • Assessing the NIST 800-171 Practices Using the 800-171A Methodology

Topic B: Assess Delta Practices

Use the CMMC Assessment Guide to assess practices not covered in NIST 800-171.

  • The CMMC Delta Practices
  • The CMMC Assessment Guide
  • The CMMC Appendices
  • Supplemental Resources
  • Guidelines for Assessing Delta Practices
  • Assessing Delta Practices

Topic C: Assess Processes

Use the CMMC Assessment Guide to assess processes.

  • Processes in the Appendices
  • Processes in the CMMC Assessment Guide
  • CERT RMM v1.2 (Resilience Management Model)
  • Guidelines for Assessing Processes
  • Assessing a Process

Topic A: Maturity Level 1 Domains and Practices

Identify the domains and practices for basic cyber hygiene at ML1.

  • Maturity Level 1 Processes
  • CMMC vs FAR 52.204-21
  • Maturity Level 1 Domains
  • Maturity Level 1 Practices (Part 1)
  • Maturity Level 1 Practices (Part 2)
  • Identifying Maturity Level 1 Domains and Practices

Topic B: Determine Scope Boundaries at Maturity Level 1

Determine the scope boundaries at ML1.

  • CMMC ML1 Assessment Preparation Steps
  • Scenario: GrandMegaCorp
  • Step 1: Identify the FCI and CUI
  • Step 2.1: Determine the way FCI/CUI moves within the organization (5 slides)
  • Step 2.2: Will FCI be generated by GrandMegaCorp?
  • Step 2.3: Will FCI be shared with, or accessible by, others?
  • Step 2.4 Who in GrandMegaCorp has Access to it?
  • Step 2.5: Will FCI be sent to the government?
  • Step 3: Identify the Systems with FCI
  • Step 3: FCI and GrandMegaCorp End-user Devices
  • Step 4: Evaluate the In-scope Systems Against the CMMC Model Requirements
  • GrandMegaCorp Scope Boundaries
  • Determining Scope Boundaries at CMMC Level 1

Topic C: Perform a Maturity Level 1 Gap Analysis

Perform a maturity level 1 gap analysis.

  • NIST SP 800-171A – Assessments
  • NIST SP 800-171A – Assessment Attributes
  • CMMC ML1 Assessment Preparation Steps
  • GrandMegaCorp
  • Maturity Level 1 Practices we will Discuss
  • Creating and Evaluating an ML1 Environment
  • 1.001
  • 1.002
  • 1.131
  • 1.132—PE.1.134
  • 1.175
  • 1.176
  • Guidelines for Performing a Maturity Level 1 Gap Analysis
  • Performing a Maturity Level 1 Gap Analysis

Topic D: Perform a Maturity Level 1 Evidence Validation

Perform a ML1 evidence validation.

  • KB
  • Guidelines for Performing a Maturity Level 1 Evidence Validation
  • Performing a Maturity Level 1 Evidence Validation

Topic E: Perform a Maturity Level 1 Pre-Assessment Readiness Review

Perform a ML 1 pre-assessment readiness review.

  • KB
  • Guidelines for Performing a Maturity Level 1 Pre-Assessment Readiness Review
  • Performing a Maturity Level 1 Pre-Assessment Readiness Review

Topic A: Maturity Level 2 Process Maturity Requirement

Identify the processes for intermediate cyber hygiene at ML2.

  • Level 2 Processes
  • Process Maturity
  • Identifying Processes That Should Be Performed at CMMC Level 2

Topic B: Maturity Level 2 Practices

Identify the practices for intermediate cyber hygiene at ML2.

  • CMMC Level 2 Scoping
  • Level 2 Practices
  • Level 2 Delta Practices
  • Identifying Practices That Should Be Performed at CMMC Level 2

Topic C: Perform a Maturity Level 2 Gap Analysis

Perform a ML2 gap analysis.

  • KB
  • Guidelines for Performing a Maturity Level 2 Gap Analysis
  • Performing a Maturity Level 2 Gap Analysis

Topic D: Perform a Maturity Level 2 Evidence Validation and a Pre-Assessment Readiness Review

Perform ML2 evidence validation and pre-assessment readiness review.

  • KB
  • Guidelines for Performing a Maturity Level 2 Evidence Validation and a Pre-Assessment Readiness Review
  • Performing a Maturity Level 2 Evidence Validation and Pre-Assessment Readiness Review

Topic A: Maturity Level 3 Processes

Identify the processes for good cyber hygiene at ML3.

  • Level 3 Processes
  • Maintenance
  • Resourcing
  • Identifying Processes That Should Be Performed at CMMC Level 3

Topic B: Maturity Level 3 Practices

Identify the practices for good cyber hygiene at ML3.

  • Level 3 Practices
  • Level 3 Delta Practices
  • Identifying Practices That Should Be Performed at CMMC Level 3

Topic C: Determine Scope Boundaries at Maturity Level 3

Determine the scope boundaries at ML3.

  • CMMC Level 3 Scoping (5 slides)
  • KB
  • Guidelines for Determining Scope Boundaries at Maturity Level 3
  • Determining Scope Boundaries at Maturity Level 3

Topic D: Perform a Maturity Level 3 Gap Analysis

Perform a ML3 gap analysis.

  • KB
  • Guidelines for Performing a Maturity Level 3 Gap Analysis
  • Performing a Maturity Level 3 Gap Analysis
Topic E: Perform a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
  • KB
  • Guidelines for Performing a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review
  • Performing a Maturity Level 3 Evidence Validation and a Pre-Assessment Readiness Review

Topic A: Maturity Level 4 Processes and Practices

Identify the processes and practices for proactive cyber hygiene at ML4.

  • CMMC Level 4Scoping
  • Level 4 Processes
  • Review and Measurement
  • Level 4 Practices
  • Level 4 Delta Practices
  • Identifying Processes and Practices That Should Be Performed at CMMC Level 4

Topic B: Maturity Level 5 Processes and Practices

Identify the processes and practices for advanced/progressive cyber hygiene at ML5.

  • CMMC Level 5 Scoping
  • Level 5 Processes
  • Standardization and Optimization
  • Level 5 Practices
  • Level 5 Delta Practices
  • Identifying Processes and Practices That Should Be Performed at CMMC Level 5

Topic A: Define the Assessment Logistics

Define the logistics required to schedule, complete, and finalize a CMMC assessment as required to receive CMMC-AB certification.

  • The Assessment Process
  • Prep Work
  • On-Site Work
  • Pre-assessment Readiness Review
  • Responsibilities of the OSC and the OSC Point of Contact (POC)
  • Responsibilities of the Certified Assessor and the Assessment Team Members
  • Access to Facilities and Resources Required by the Assessment Team
  • Opening or Kick Off Briefing
  • Daily Checkpoints
  • Final Recommended Findings Briefing
  • Post Assessment
  • Guidelines for Defining the Assessment Logistics
  • Defining the Assessment Logistics

Topic B: Resolve Assessment Related Issues

Describe the process for resolving assessment related issues.

  • Assessment Related Issues
  • Assessment Related Conflicts
  • Post Assessment When Remediation is Required
  • Remediation
  • Assessor’s Withdrawal Due to Ethical or Other Violations
  • Adjudication
  • Process to Dispute CMMC-AB Decisions
  • CMMC-AB Adjudication Process
  • Guidelines for Resolving Assessment Related Issues
  • Resolving Assessment Related Issues
Topic A: Best Practices for Certified Professionals
  • Perform the roles and characteristics of a good CP.
  • Roles for a CP
  • Characteristics of a Good Consultant
  • Guidelines for Being a Professional Consultant
  • CP on an Assessment Team
  • Guidelines for Participating on an Assessment Team
  • Following Best Practices

Topic B: Cybersecurity Beyond CMMC

Discuss security risks that go beyond the CMMC Model framework and professional resources and communities to help continued learning.

  • Cybersecurity Culture Change
  • Awareness of Evolving Risks
  • Ways to Stay Informed

Need Help Finding The Right Training Solution?

Our training advisors are here for you.

Course FAQs

The CP is a “gateway” certification and proves out your knowledge of CMMC - not just cybersecurity.

While CMMC is based on much of NIST 800-171, there are additional practices and content for developing processes that are institutionalized. So all Certified Assessor candidates will need to first become CPs.

For more information on the CMMC certification, go here.

Chat With Us