
Additional Workshops about the CMMC and the Defense Supply Chain

What is CMMC? What cybersecurity educators need to know

The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the companies included in the defense industrial base. Significant compromises of sensitive U.S. defense information on vendor computer networks have prompted new rules and requirements. Soon over 300,000 new and existing Department of Defense (DoD) contractors seeking new contracts with the DoD must meet requirements announced January 1, 2020. The model is designed to protect our national DoD supply chain from cyber criminals and state-sponsored attacks.

Contractors continue to be responsible for implementing critical cybersecurity requirements, but the CMMC also requires third-party assessments. Community colleges, technical colleges, and universities across the nation can help contractors prepare for these sweeping changes.

Upcoming CMMC Workshops

NCyTE's February 11-12 CMMC workshop has filled to capacity. Those interested in attending future workshops should join our waitlist on NCyTE's Wild Apricot site. The next workshop has not been scheduled for April 1; that is a placeholder date only. Future workshops will be scheduled based on demand. 

Join waitlist

Those who have already attended the workshop may find it helpful to watch recordings of a previous workshop, now available in our Resources section under Workshops.


Please Note: Workshops are limited to 25 attendees per session

Exploring the Cybersecurity Maturity Model Certificate (CMMC)

The timely 2-day virtual workshop introduces CMMC requirements to college faculty for inclusion in their courses and to small business IT personnel for application to their business. This workshop provides an overview of how to prepare for future certification, including its requirements, impact and importance for contractors working with the DoD. Funded by a grant from the National Science Foundation, the course is free.   

John Sands, PI and Director of the Center for Systems Security and Information Assurance (CSSIA) and professor at Moraine Valley Community College in Chicago will present the course. An Instructor Guidebook, Student Guidebook, training resources, and a Canvas course package will be available to attendees.

For more information, contact Trina Bol at [email protected].

Who should attend?

  • Full-time cybersecurity faculty at community colleges, technical colleges, and universities seeking to better prepare students for the workforce with CMMC certification.
  • Small business IT and cybersecurity personnel at DIB businesses pursuing CMMC certification to compete for DoD contracts. (Acceptance of participants on a space-available basis.)

Who must comply?

  • Contractors, Suppliers, Small Businesses, Vendors: CMMC certification will eventually be required of all DOD contractors including suppliers at all tiers of the supply chain.
  • Third-Party Assessors: The CMMC Accreditation Body (CMMC-AB) developed procedures to certify third-party assessment organizations (C3PAO) to evaluate companies' CMMC levels.

Maturity Levels addressed as part of NCyTE workshop:

The Office of the Under Secretary of Defense combined several cybersecurity standards and best practices and mapped these controls and processes across several maturity levels. Each level will progressively mandate higher technical requirements and assessment—Level 1 through Level 5. Each Maturity Level will be covered in this workshop.

Level 1: A company must perform "basic cyber hygiene" practices, such as using antivirus software or ensuring employees change passwords regularly to protect Federal Contract Information (FCI). FCI is "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government." It does not include public information or certain transactional information.

Level 2: A company must document certain "intermediate cyber hygiene" practices to begin to protect any Controlled Unclassified Information (CUI) through implementation of some of the US Department of Commerce National Institute of Standards and Technology's (NIST's) Special Publication 800-171 Revision 2 (NIST 800-171 r2) security requirements. CUI is "any information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls," but does not include certain classified information.

Level 3: A company must have an institutionalized management plan to implement "good cyber hygiene" practices to safeguard CUI, including all the NIST 800-171 r2 security requirements as well as additional standards.

Level 4: A company must have implemented processes for reviewing and measuring the effectiveness of practices as well as established additional enhanced practices to detect and respond to changing tactics, techniques and procedures of advanced persistent threats (APTs). An APT is defined as an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors.

Level 5: A company must have standardized and optimized processes in place across the organization and additional enhanced practices that provide more sophisticated capabilities to detect and respond to APTs.


The National Cybersecurity Training & Education Center (NCyTE) advances cybersecurity education in the U.S. by investing in technological innovation, resources, professional development and tools to support faculty, community colleges and the workforce pipeline of tomorrow. Currently funded as a national resource center by a National Science Foundation Advanced Technological Education (NSF-ATE) grant, NCyTE is administered by Whatcom Community College in Bellingham, WA.