As the defense industrial base (DIB) looks ahead to the rollout of the CMMC (Cybersecurity Maturity Model Certification) program, a common question may be: What type of training or courses should we pursue to help with CMMC preparation?
There are many different types of training and courses available. Which course is suitable for a given organization depends on the company's objective. For example, if a company needs to get CMMC certified to continue doing business with the government, that company could benefit from CMMC Insights Courses for government suppliers. But CCP or other courses may not be the best fit as those are intended for companies that want to be CMMC assessors (meaning they would conduct assessments of companies pursuing CMMC certification).
Please note: The CMMC Accreditation Body recently put out a statement warning against companies that are "misrepresenting their ability to train individuals in preparation for the CMMC assessor and CMMC instructor certification exams developed by the CMMC-AB in support of the Department of Defense’s (DoD) CMMC initiative." The CMMC Academy/Celerium is an official Licensed Partner Publisher (LPP) and Licensed Training Provider (LTP) with the CMMC AB.
If you are wondering what type of training or course may help your organization, the CMMC Academy team put together a simple flow chart. 
To get started, here are some questions to ask:
- Are you a company that does business with the DoD or other U.S. government agency (GSA or DHS)?
- Are you a company with customers that do business with the DoD or other U.S. government agency (GSA or DHS)?
If you answer yes to either of these questions, then your organization likely will need to undergo an official CMMC assessment. As such, your company would be classified as an "organization seeking certification" in the CMMC ecosystem.
Once a company has decided that it needs to be CMMC certified, the question becomes: At what level does the company need to be assessed?
Here are some questions to ask to determine which CMMC level is right for your company:
- Look at the contracts you currently have or want to bid on -- do they specify, or are they expected to specify, a specific CMMC level?
- Do you contract with a prime contractor? What CMMC level would the prime want you to meet?
Knowing at which level to certify can be confusing, but it doesn’t have to be. If you are doing business with the federal government, you are probably store or transmit Federal Contract Information (FCI), so you need to be certified at Level 1. For 75% of you, that likely will be enough.
If you’re looking to achieve CMMC Level 1 certification for your company, the CMMC Insights: Foundations & Level 1 Course is right for you. This course provides comprehensive instructional material on the foundations of CMMC and all 17 of the Level 1 practices. It also comes with advanced tools, including an advanced online Level 1 reference guide and an advanced online Level 1 self-assessment tool.
Thinking about Level 2 certification? Here are some things to consider:
- Are you receiving and storing Controlled Unclassified Information (CUI)?
- Is there a DFARS clause in your contract?
If the answer is yes, then you may need a Level 2 certification. If the answer is no, you probably only need a Level 1 certification.
If you determine that your company should seek CMMC Level 2 certification, the CMMC Insights: Level 2 Course could be right for you.
Don’t mislead yourself into thinking you need a higher, more cumbersome certification than you actually need. If you are not storing or transmitting CUI, you probably don't need a CMMC Level 3 certification. We've heard from sources at the DoD that a vast majority of contractors will likely only need a Level 1 certification.
What if I certify at Level 1, and then later, I want to bid on a contract requiring Level 3 certification?
A Level 1 certification will not allow companies to receive CUI from the government, but that doesn’t mean you won’t be able to bid. There are scenarios in which you may be able to access the CUI and bid on the contract even without the Level 2 certification. The CMMC Insights: Foundations & Level 1 Course provides some example scenarios.
Who needs CCP/CCA/RPO/RP certifications?
The CCP and CCA certifications are for CMMC assessors that will conduct assessments of companies seeking certification. Unless your goal is to become a CMMC assessor, you do not need those certifications.
The RP and RPO certifications are for consultants. If you want to provide advice and consultation to clients to aid in their assessments, these may be for you. If this is not a goal, you do not need them.
What about Level 3? Could I need that?
CMMC 2.o Level 3 require compliance with an enhanced subset of requirements and a focus on increased depth and sophistication of your cybersecurity capabilities. It is expected that relatively few organizations will need to reach this level of CMMC compliance.
The best place to start might be to look at the contracts you now hold or may want to bid on. What level do they specify? Do your current contracts require you to receive and store CUI, or do you only need to receive the FCI? The contracts you have now may be the best guide.
Have more questions?
Feel free to contact us with additional questions. We'll be happy to answer them if we can.