No. The current curriculum is based on CMMC 1.0; however, the changes are minimal. In addition, the CMMC-AB will provide free, computer-based training to all CCP graduates that will address the differences between CMMC 2.0 and 1.0. We anticipate the “Delta” training will be available in March 2022.
We anticipate the CCP exam will be available in the latter half of 2022.
There are several reasons why taking the class now could be of benefit to you:
- Students will gain a detailed understanding of CMMC fundamentals
- Having already taken the CCP course and subsequent “Delta” training, you will be ready to take the exam as soon as it is released
- There are a lot of people waiting until CMMC is mandated through rulemaking or until the Voluntary Certification period begins. We anticipate a rush of students beginning mid-2022 that will continue through 2023. Avoid the rush! Get a head start on your goal of becoming a CCP or CCA, or of being the person primarily responsible for building your organization’s CMMC Program
Yes. The removal of the maturity practices only meant that the organization does not have to demonstrate the maturity of their policies and procedures, simply that they have them in place at the time of the assessment. Documentation is still required.
Documentation is still required. If you need assistance with documentation, you can contact an RPO or C3PAO to assist.
Yes. The CCP is meant to assist Certified Third-Party Assessment Organizations (C3PAOs) with assessments. The Registered Practitioner (RP) is meant to assist Registered Provider Organizations (RPOs) with consulting to prepare Organizations Seeking Certification (OSCs) for their assessments.
The correct term is authorized. There are currently 6 authorized C3PAOs. Redspin was the first authorized C3PAO.
The bifurcation of Level 2 certifications has been removed, although there will be some special cases that can still self-attest. The DoD and the contracting office will determine which contracts that would apply to.
CMMC Level 1 will be a self-attestation for those OSCs dealing with Federal Contract Information (FCI). There are some OSCs that would like to have a C3PAO conduct their certification assessment, but the DoD has not decided if that will be allowed.
The DoD has set the timeline of the FAR regulation updates for 24 months. They plan on instituting an interim rule that should be in effect by the end of the calendar year 2022.
OSCs seeking a Level 1 certification should prepare now. When ready, the OSC simply needs to upload their SPRS score. There will be a form that an executive from the OSC must sign, but that is still being designed. OSCs seeking Level 2 certification should also seek certification now. Calendars are filling up with the C3PAOs as OSCs are wanting to secure their assessment window.
Yes, but the CMMC training is still required via an LTP.
Yes. A C3PAO can fail an OSC if documentation is not accurate or does not reflect CMMC 2.0 language. However, the DoD is still drafting the Plan of Actions and Milestones (POA&M) policy, which may allow the OSC to include the failed practice. The OSC would then have up to 180 days to remediate the POA&M. The Certification Assessment Process (CAP) will cover this area for assessors. It is currently in draft form and should be released by the end of March 2022.
Assessors do not award the certificates, nor does the CMMC-AB. The C3PAO is the one who issues the certificate. Assessors complete the assessment, send the reports to the C3PAO, who then uploads them to the CMMC-AB with the result. This must be done by an Authorized C3PAO and can be executed prior to the ISO certification being in place.
The provisional portion of CMMC was killed with CMMC 1.0. Organizations that continue with the process do so in the “Voluntary Phase” of the CMMC program. This assessment is the CMMC Level 2 Certification Assessment. Organizations that are certified now by a C3PAO will be good from the time of the certificate award until 3 years after the interim rule is in place. Then they must re-certify.
There is no need to be concerned with the hiring of entry-level assessors, as they will have experience and mentors to assist; they will not conduct assessments on their own. The training, outlined by the CMMC-AB, is built on a step methodology. All candidates seeking to be assessors must attend the CCP training. Once complete, they enroll in the CCA training and take part in three CMMC Level 2 Certification Assessments before they are awarded their title as an assessor. All entry-level assessors are then partnered with lead assessors at the C3PAOs, who mold and mentor them throughout their careers. All PAs at Redspin are experienced with numerous assessments/audits and hold multiple industry certifications.
The DoD and CMMC-AB set a goal for C3PAOs to start certifications by the end of the first quarter. In order to do so, several documents are required, which include the CAP, POA&M policy, and the Incentives policy.
The Certification Assessment Process (CAP) is one of the main documents assessors will use to conduct the assessments. The CAP is based on NIST 800-171a and includes Appendix E.
The DoD is partnering with NIST to ensure practices are in line with industry best practices and are optimal for protecting CUI data. Any changes to NIST 800-171 will automatically be incorporated into CMMC.
Contact us at Redspin. We are already assisting organizations in preparing for certifications.
Most of “what the organization is doing” should be captured in the System Security Plan (SSP) and reference out to various policies and procedures. If you are unsure of how to construct your documentation, contact us at Redspin to assist.
We are waiting on the POA&M policy from the DoD. Until it is released, anything heard is rumor.
The DoD has not released that guidance yet. However, we do know that it will contain practices from NIST 800-172. We recommend starting there.
DHG became the 6th C3PAO approved by the DoD and CMMC-AB and the first to be approved after the change to CMMC 2.0. However, they began the process under CMMC 1.0 and thus finished under that model.
Any MSPs receiving, processing, or storing CUI data must have a CMMC Level 2 Certification. There are still decisions the DoD is making regarding this subject, so in the meantime it is recommended that you obtain the MSP’s documentation and link it to yours.
Although the systems do not process or store CUI data, they are still in scope because they are providing protections to the network that does process or store CUI data. Therefore, their configurations must be reviewed to ensure they are functioning as expected.
No. There are no pure self-study options for CMMC-AB certification programs. The training must be completed with an approved Licensed Training Provider (LTP). However, there are some LTPs that offer a self-paced course.
Yes. The CCP course is available and going on now. Those who complete the CCP training course will be automatically enrolled in a 3-hour delta course. Exams should be available by summer 2022.
Delta training is currently available for CCPs and PAs. CCP candidates will be enrolled in the delta course once the main CCP course is complete. Provisional Assessors (PAs) are automatically enrolled in the delta training. It is optional for PAs to attend the CCP training course. The only requirement for the PAs is to complete the CCP exam within 6 months of its release. If the PA fails the exam, they have to enroll in the CCP training course and retake the exam.
Exams should be available by summer 2022.
The RP training is available for all.
Currently, all courses will include the main course and a delta until all courses can be updated.
Yes, eventually, but it is not the priority right now. The priority is getting all of the delta courses in place and updating the current curriculum; then a lead assessor course will be created. Currently, C3PAOs will determine who will be the lead assessors within their teams.
Yes. In fact, it is recommended that OSCs train either an RP or CCP to maintain their posture until the next certification. Contact us at Redspin to help you get started.
Yes! The vision of the CMMC program is that each organization will maintain experts to prepare their organization for CMMC Certification and then manage CMMC compliance for the duration of the certification period.
No. It is not a requirement to be a CCP; however, the vision of the CMMC program is that each organization will maintain experts to prepare their organization for CMMC Certification and then manage CMMC compliance for the duration of the certification period.
- Redspin was the first organization to become a C3PAO
- Redspin’s primary CCP instructor is Dr. Thomas Graham. Dr. Graham is Redspin’s CISO and was primarily responsible for Redspin’s C3PAO certification. He will provide first-hand knowledge of his experience to students in the course.
- As one of only a few organizations that are both a C3PAO and LTP, Redspin brings this unique perspective as an added value to the CCP curriculum
Yes, there are two payment options.
- Pay the full tuition upfront, or
- 50% when registering for the course and 50% when the course starts.
No. Provisional Assessors need to take the CCP exam within 6 months of the exam becoming available, but not the CCP course. Only PAs that fail the CCP exam will be required to take the CCP course.
Yes. The CMMC-AB’s January 2022 Town Hall contains great information concerning the pathway to becoming a CCA.
Currently unknown.