Cybersecurity Maturity Model Certification (CMMC)


2023 Course Dates

  • August 1, 2023 (Lunch)
  • September 5, 2023 (Evening)
  • October 2, 2023 (Lunch)
  • November 6, 2023 (Evening)
  • December 4, 2023 (Lunch)
  • January 8, 2024 (Evening)
  • February 5, 2024 (Lunch)
  • March 4, 2024 (Evening)
  • April 1, 2024 (Lunch)
  • May 6, 2024 (Evening)
  • June 3, 2024 (Lunch)

Take Your Pick

Our course classes meet for 75 minutes, two (2) days each week

Course duration: five (5) weeks, for a total of ten (10) classes

Classes commence at either 12 noon “Lunch Class”, or 6 pm “Evening Class”, to suit your busy schedule

In addition, your instructor will hold office hours twice per week to answer questions and allow further collaboration between attendees.

All course material is developed by Southern Connecticut State University (SCSU) and is authorized and approved by The Cyber AB (formerly called CMMC-AB), which is the official accreditation body and non-governmental partner of the US Department of Defense.


Approved for use by Licensed Training Providers (LTPs).

What is CMMC?

In 2019 the Department of Defense (DoD) announced the creation of the Cybersecurity Maturity Model Certification (CMMC) program to govern the Defense Industrial Base (DIB). CMMC relies on self-assessments and requires Third-Party Assessment Organizations (C3PAO) to certify a company’s compliance.

CMMC builds from DFARS/NIST 800-171 (earlier cyber protocols) but also includes controls from other cybersecurity frameworks. Where CMMC differs is in the maturity model, the required certification of participants, and the added role of third-party assessors. The Maturity Model essentially expresses a framework of added protocols for increasingly sensitive information.

On November 4, 2021 the Department of Defense unveiled an update to the Cybersecurity Maturity Model Certification framework – CMMC 2.0 – to streamline compliance, increase flexibility, and lower the cost for manufacturers and IT providers within the DIB. Essentially, the Maturity Levels were consolidated from five (5) to just three (3) levels. CMMC 2.0 supersedes 1.0 and allows Level 1 and some Level 2 companies to self-assess and forgo the cost of third-party assessments.


of our approved course material:

In 2019 the Department of Defense announced the creation of the Cybersecurity Maturity Model Certification (CMMC) to replace the self-reporting of cyber hygiene that used to govern the DIB. CMMC puts an end to self-assessment and requires a third-party assessor to verify the cybersecurity maturation level.
The CMMC builds from NIST 800-171 but also includes controls from other cybersecurity frameworks. Where CMMC differs is in both the maturation model and the role of third-party assessors.

The CMMC defines 17 domains of cyber hygiene that are comprised of hundreds of objectives. In fact, you need to meet 705 objectives at CMMC Level Three. Many of these objectives, up to 70%, do not rely on or require a technical solution.
In this module we will learn and explore the aspects and elements of CMMC and explain its overall importance to different stakeholders by asking:

  • What kind of sensitive data does CMMC seek to protect?
  • How did CMMC become federal policy?
  • What foundational documents and regulations spell out the requirements for CMMC?

On February 24th, 2021, President Biden signed an Executive Order to protect our supply chains. CMMC seeks to protect the global Defense supply chain by creating a baseline of cybersecurity.

This baseline began to unfold in the Federal Information Management Security Act passed in 2002. In this module we will trace the history of CMMC, from the regulations to the players in the ecosystem, from FISMA to today.

Compliance with CMMC requires the protection of two types of data: Federal Contract Information and Controlled Unclassified Information. Understanding how these data work helps ensure CMMC compliance.

In this module we will learn the differences between types of data and the legal responsibilities of authorized holders. You will write sample policies and examine procedures to protect CUI.


Cybersecurity Maturity Model Certification will have massive impacts on businesses. Millions of dollars in contracting can vanish if a company fails an assessment. This makes ethics an utmost concern of the CMMC-AB.

In this module we will trace the roots of cybersecurity ethics. We will then review specific policies of the CMMC-AB and consider malicious and accidental internal threats around Conflict of Interest.

A Certified CMMC Professional will need to provide scoping guidance to Organizations Seeking Certification. Understanding data flow diagrams and how sensitive data traverses your people, processes, and technologies will impact the bottom line.

In this module we will define three levels of scoping, then discuss elements of network diagramming and scoping using a segmented zone approach.

As a CCP you will want to coach an Organization Seeking Certification on the CMMC Assessment Process. This involves four phases designed to assess an OSC over a period of six to eight weeks.

In this module we will go through the four phases, identify key levers at each phase and then build a fictional assessment team.

The Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) is the latest step in the DoD’s program to protect controlled unclassified information (CUI), the defense industrial base (DIB), and the DoD’s supply chain.

Controlling access to your network is an essential foundation for security. The domains in this chapter are all intended to help you control access to your networked environment. Controlling access is fundamental to ensuring CUI and other information is appropriately protected.
In this module we’ll examine:

  • WHO has access to your network?
  • WHAT systems can be accessed?
  • HOW is access to information controlled?
  • WHERE can you confirm your control measures are being effective?

Technology changes and evolves constantly; the specific security measures taken to protect any given technology must also evolve with it. One element in the security equation, however, remains constant: the human element. As humans, we have the ability to make mistakes or do something unexpected.

A number of studies have shown that between 50% and 80% of all cybersecurity breaches are caused by human error. This number includes cases where a human was tricked into engaging with a malicious actor without realizing it. Training, awareness, and proper understanding of the risks associated with an activity are all important parts of protecting sensitive information.
In this module we’ll examine:

  • What is the difference between awareness and training?
  • What elements make up a good personnel security plan?
  • How can you apply the findings of security and risk assessments to building a solid security program?

Protecting data isn’t just preventing unauthorized access; protecting data also requires making that data available to the people and processes that need it. Indeed, two of the three elements of the CIA triad, Integrity and Availability, are both descriptive of the timely usefulness of that data.

The domains discussed in this module are all focused on ensuring that the data you have is accessible and useful when it is needed.

In this module we’ll examine:

  • How do you plan for the unexpected, such as a natural disaster?
  • What are the best practices to ensure you can bring backup data online within your own time requirements?
  • What are your options in backing up and recovering stored data?

Into every life a little rain must fall. In the cybersecurity world, it is really a matter of WHEN a breach will occur rather than IF a breach will occur. Indeed, three of the five functions of the NIST Cybersecurity Framework deal with a breach which is already occurring: Detect, Respond, and Recover.

The domains discussed in this module prepare you to respond to an incident, and to quickly detect and quantify any events that could indicate an incident is in progress.

In this module we’ll examine:

  • What are the key elements of an incident response plan?
  • What systems and processes need to be in place prior to an incident occurring?
  • How do you maintain situational awareness so that an incident is caught as early as possible?

Southern Connecticut State University, through our partnership with Cyber DI (one of the first approved Licensed Training Providers), should be your first choice to ensure compliance with this critical step in your company’s future.

Enroll for the Certified CMMC Professional (CCP) Certification. Be compliant with the new regulations by learning from the experts.