DOD CMMC Level 2 Certification Build for Defense Contractor IT

$199.00

A focused course, tailored for you

Build the CMMC Level 2 certification package from scratch in 16 weeks. 110 NIST SP 800-171 Rev 2 controls + C3PAO assessment + DOD CIO acceptance.

CMMC 2.0 is now in DFARS contracts. Defense contractors handling Controlled Unclassified Information must achieve CMMC Level 2 certification through C3PAO assessment to compete for DOD work. Contractors without certification are losing capture today. Here's the 16-week build.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

CMMC (Cybersecurity Maturity Model Certification) 2.0 is the DOD framework that determines defense contractor cybersecurity posture. CMMC Level 2 is required for any contractor handling Controlled Unclassified Information (CUI), which covers most prime and subcontractor work on DOD contracts. CMMC Level 2 maps to NIST SP 800-171 Rev 2 (110 controls) with assessment via accredited C3PAO (CMMC Third-Party Assessor Organization) and certification managed by the CMMC Accreditation Body and DOD CIO.

The 32 CFR rule made CMMC enforceable in late 2024. DFARS 252.204-7021 now appears in covered DOD contracts. Prime contractors are flowing down CMMC requirements to subcontractors. Defense IT services firms without certification are losing capture and recompete opportunities.

This course teaches the 16-week build of a CMMC Level 2 certification package: scope determination, 110 NIST SP 800-171 control implementation, System Security Plan, Plan of Action and Milestones, C3PAO selection and engagement, assessment preparation, and post-assessment certification management. Twelve modules, each ending with a deliverable artefact. Plus a hand-built implementation playbook for your specific defense IT environment.

What you walk away with

  • A documented CMMC Level 2 scope determination.
  • Control-implementation plans for all 110 NIST SP 800-171 Rev 2 controls.
  • A System Security Plan (SSP) for the CMMC enclave.
  • A Plan of Action and Milestones (POA&M).
  • A C3PAO selection and engagement model.
  • An assessment-preparation pack.
  • A 16-week build plan with weekly deliverables.

The 12 modules

Module 1. CMMC 2.0 landscape and DFARS implementation
Detailed walkthrough of CMMC 2.0 (Level 1 self-attestation, Level 2 C3PAO assessment, Level 3 DIBCAC assessment), DFARS 252.204-7012 (NIST SP 800-171 self-attestation, predecessor), DFARS 252.204-7019 (basic assessment), DFARS 252.204-7020 (NIST SP 800-171 DOD Assessment), and DFARS 252.204-7021 (CMMC requirement). 32 CFR Part 170 rule and 48 CFR rule (DFARS amendment). Flow-down to subcontractors.
Module 2. Scope determination and CUI boundary
Build the CMMC Level 2 scope determination: CUI boundary definition (what systems process, store, transmit CUI), enclave-vs-enterprise decision, CUI-asset inventory, security-protection-asset inventory (SPA), specialised-asset inventory (SA), and the out-of-scope determination. The scope determines assessment difficulty and cost. Deliverable: scope determination document.
Module 3. NIST SP 800-171 Access Control (AC) family
AC family (22 controls): account management, account-creation/modification/deletion workflow, separation of duties, least privilege, unsuccessful logon attempts, system-use notification, session lock, session termination, remote access, wireless access, mobile-device control, and the publicly-accessible-content control. Build implementation statements meeting CMMC Level 2 assessment criteria. Deliverable: AC control implementation statements.
Module 4. NIST SP 800-171 Audit and Accountability (AU) family + Configuration Management (CM)
AU family (9 controls): audit-log generation and retention, audit-review/analysis/reporting, audit-record-content. CM family (9 controls): baseline configurations, configuration-change-control, security-impact analysis, access restrictions for change, configuration-settings, least functionality, user-installed software. Build implementation statements. Deliverable: AU and CM control implementation statements. Three worked examples drawn from real implementation packages plus the conversation-script for the next sponsor meeting that lands the artefact for review.
Module 5. NIST SP 800-171 Identification & Authentication (IA) + System & Communications Protection (SC)
IA family (11 controls): unique-user identification, multifactor authentication for privileged/network access, replay-resistant authentication, password management, authenticator management, and identifier management. SC family (16 controls): boundary protection, transmission confidentiality, network disconnect, cryptographic key establishment and management, FIPS 140-2/140-3 cryptography, and split-tunnel prevention. Deliverable: IA and SC control implementation statements.
Module 6. NIST SP 800-171 remaining families
Remaining families: AT (Awareness and Training, 3 controls), IR (Incident Response, 3 controls), MA (Maintenance, 6 controls), MP (Media Protection, 9 controls), PE (Physical Protection, 6 controls), PS (Personnel Security, 2 controls), RA (Risk Assessment, 3 controls), CA (Security Assessment, 4 controls), SI (System and Information Integrity, 7 controls). Build implementation statements for all. Deliverable: complete control implementation statements.
Module 7. System Security Plan (SSP) assembly
CMMC SSP is the central artefact. Build the SSP: system identification (per FIPS 199), control implementation statements aggregated, architecture diagrams, data-flow diagrams (CUI-flow), inventory, and attachments. The SSP must support C3PAO assessment with traceable evidence. Three worked examples from real CMMC Level 2 SSPs. Deliverable: SSP draft.
Module 8. Plan of Action and Milestones (POA&M)
POA&M tracks unmet controls and remediation. Build the POA&M: control-by-control gap analysis, remediation plan, milestone-tracking, dependency-management, and the CMMC POA&M-allowed scope (limited subset of controls). The POA&M strategy that minimises assessment risk. Deliverable: POA&M template. Three worked examples drawn from real implementation packages plus the conversation-script for the next sponsor meeting that lands the artefact for review.
Module 9. C3PAO selection and engagement
C3PAO selection determines assessment-quality and cost. Build the C3PAO selection: accreditation verification (CyberAB authorized C3PAOs), capability assessment, cost-and-timeline negotiation, statement-of-work, and the assessment-readiness pre-engagement. Examples of C3PAO selection at peer firms. Deliverable: C3PAO selection and engagement document. Three worked examples drawn from real implementation packages plus the conversation-script for the next sponsor meeting that lands the artefact for review.
Module 10. Pre-assessment readiness
Build the pre-assessment readiness: gap-assessment by independent reviewer, mock-assessment, evidence-pack assembly per control, interview-preparation for SMEs, and the documentation-tour for assessor. Pre-assessment readiness determines first-time pass rate. Deliverable: readiness assessment pack. Three worked examples drawn from real implementation packages plus the conversation-script for the next sponsor meeting that lands the artefact for review.
Module 11. Assessment execution and certification
Build the assessment-execution playbook: kickoff meeting, on-site or remote interview cadence, evidence-presentation cadence, finding-clarification process, assessment-report review, and the certification-pursuit (CMMC Accreditation Body / DOD CIO acceptance). The assessment is intensive; the playbook keeps the team coordinated. Deliverable: assessment execution playbook.
Module 12. Your 16-week build plan
Week-by-week plan with weekly deliverables. Weeks 1-2: scope determination + CUI boundary. Weeks 3-6: control-implementation plan for AC, AU, IA, SC, CM families. Weeks 7-9: control-implementation plan for remaining families. Weeks 10-11: SSP assembly + POA&M. Weeks 12-13: C3PAO selection + pre-assessment readiness. Weeks 14-16: assessment execution + certification pursuit. Deliverable: full CMMC Level 2 certification package.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1 and 2 cover the regulatory landscape and scope determination.
Modules 3 to 7 produce the control-implementation plan for all 110 NIST SP 800-171 Rev 2 controls plus the SSP.
Modules 8 to 11 cover POA&M, C3PAO selection, pre-assessment readiness, and assessment execution.
Module 12 covers the 16-week build plan.

What you get with this course

  • The 12-module course delivered as text plus downloadable templates.
  • Templates for scope determination, control-implementation statements for all 110 NIST SP 800-171 Rev 2 controls, SSP, POA&M, C3PAO selection, readiness assessment, assessment execution.
  • A hand-built implementation playbook generated for your specific defense IT environment.
  • Three worked examples of CMMC Level 2 certification packages from peer defense contractors.
  • Scripted talking points for C3PAO engagement.

What you will have in hand by Day 1, Week 1, Month 1

Day 1: Scope determination drafted.

Week 6: Control-implementation plan for AC, AU, IA, SC, CM families completed.

Week 11: SSP + POA&M ready for C3PAO.

Week 13: C3PAO selected, pre-assessment readiness completed.

Week 16: Assessment executed, certification pursuit underway.

Before and after

Before

Your firm holds DOD contracts requiring CMMC. Certification is not in place. Capture and recompete are at risk. Prime contractors are flowing down CMMC requirements with deadlines.

After

CMMC Level 2 certification package is built. C3PAO assessment is in progress. Certification pursuit is active. DOD contract retention and capture are protected.

What happens if you do not address this

CMMC 2.0 is now in DFARS contracts. Contractors without certification lose capture and renewals. Prime contractors flow down CMMC requirements with deadlines.

Who it is for

For defense IT services engineers, security engineers, technical leads, CMMC programme owners, and IT-services prime/subcontractor architects.

Who this is NOT for. Firms with no DOD customer base. Firms that already have CMMC Level 2 certification. Pure commercial-customer firms.

How it arrives

Text-based course via LMS, plus downloadable templates and the hand-built implementation playbook.

Time investment. Roughly 22 hours of reading and 250+ hours of team effort across the 16-week build for a full CMMC Level 2 package.

Why $199 is the right number

External CMMC consultants charge $400K-$1.5M for Level 2 readiness and certification support. C3PAO assessment alone runs $100K-$300K. Big4 defense advisory CMMC engagement runs $500K-$2M. $199 buys the focused playbook plus the implementation document for your specific defense IT environment.

FAQ

Will this replace hiring a CMMC consultant?
Partially. It teaches you the package build. You still need a C3PAO for assessment (regulatory requirement). You may also want specialist support for complex enclave architectures.
What if I only handle FCI (not CUI), so Level 1 is enough?
Module 1 covers Level 1 vs Level 2 scoping. The course focuses on Level 2, but Level 1 self-attestation is covered.
Does this cover DOD CC SRG IL4/IL5 (cloud-specific)?
Module 5 covers CUI-cloud overlap with DOD CC SRG. The course focuses on on-prem and hybrid Level 2.
What about CMMC Level 3?
Module 1 covers Level 3 (DIBCAC-assessed) for highest-sensitivity programs.
What is in the implementation playbook for me specifically?
A scope-determination template for your environment; control-implementation guidance tailored to your IT; a 16-week build plan with milestones.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.