CMMC Certified Assessor (CCA)

Take the Lead in Defense Supply Chain Security. Become a Certified CMMC Assessor.

Elevate your cybersecurity career from compliance participant to Lead Assessor. As an Official Cyber AB CMMC course approved by the US DoD, this advanced training delivers the exact methodology, scoping rules, and practical experience needed to pass your CCA exam. The CCA credential is the pinnacle certification for professionals authorized to evaluate and score Department of Defense (DoD) contractors against the CMMC Level 2 (NIST SP 800-171) framework.




Virtual Instructor-Led Online Training

Duration

4 Days

Price

$3,495.00


Course Outline

Current CMMC Certified Professionals (CCPs). Note: Active CCP status is a strict prerequisite for this course and the CCA exam.

Cybersecurity Auditors & Assessors looking to lead official DoD C3PAO assessment teams.

Senior Compliance Officers who want an insider’s understanding of exactly how their organization will be scored during a Level 2 audit.

MSP/MSSP Leaders aiming to build advanced, audit-proof architectures for defense contractors.

Advanced Assessment & Auditing

  • Level 2 Evaluation: Master the methodology to rigorously assess all 110 practices of NIST SP 800-171, definitively ruling them as MET, NOT MET, or N/A based on objective evidence.
  • CMMC Scoring Methodology: Apply the official DoD scoring rules to an organization's security posture, translating technical findings into official assessment scores.
  • Evidence Validation: Learn to critically cross-reference artifact reviews, personnel interviews, and technical system tests to uncover hidden compliance gaps.

Complex Scoping & Architecture

  • Advanced Scoping: Navigate complex network architectures, including Virtual Desktop Infrastructure (VDI), enclave environments, and cloud service providers (CSPs/FedRAMP requirements).
  • External Service Provider (ESP) Risk: Evaluate how Managed Service Providers (MSPs) and external IT teams impact the assessment boundary and compliance status.

Leadership & Reporting

  • Leading the CAP: Manage the CMMC Assessment Process (CAP) from Phase 1 to Phase 4, acting as the lead liaison between the C3PAO and the client.
  • Dispute Resolution: Handle pushback from Organizations Seeking Certification (OSCs) professionally and authoritatively, backing up your findings with exact model references.
  • Final Reporting: Package assessment findings for submission into the DoD’s Enterprise Mission Assurance Support Service (eMASS) system.

Module 1: CCA Role, Ethics, and The CMMC Ecosystem Review

  • The Assessor's Mandate: Responsibilities, boundaries, and the step-up from CCP.
  • Advanced Ethics: Navigating complex Conflict of Interest (COI) scenarios in the field.
  • Ecosystem Updates: The latest guidance from the DoD, Cyber AB, and CAICO affecting Level 2 assessments.

Module 2: Advanced Scoping for Level 2

  • Architectural Complexities: Scoping physically and logically separated enclaves.
  • Cloud Environments: Assessing CUI in the cloud, understanding FedRAMP Moderate equivalency, and the Shared Responsibility Model.
  • IoT, OT, and Specialized Assets: How to handle test equipment, manufacturing floor systems, and Government Furnished Equipment (GFE).

Module 3: Deep Dive: Assessing the 14 CMMC Domains (NIST SP 800-171)

  • This is the core of the course. Students will walk through the 110 practices, learning exactly what evidence is required to prove compliance for each.
  • Access Control & Identity Management: Evaluating MFA, least privilege, and session locks.
  • System & Communications Protection: Assessing cryptography (FIPS 140-2/3), boundary protection, and secure data transmission.
  • Incident Response & Audit: Validating log management, SIEM deployments, and tested IR plans.
  • Physical Security & Media Protection: Evaluating physical access controls and the lifecycle of CUI media.

Module 4: The CMMC Assessment Process (CAP) Execution

  • Phase 1: Plan and Prepare: Conducting the kickoff meeting, establishing the rules of engagement, and reviewing the SSP (System Security Plan).
  • Phase 2: Conduct the Assessment: Executing the daily assessment plan, managing the assessment team, and gathering EIT (Examine, Interview, Test) evidence.
  • Phase 3: Report Assessment Results: Finalizing the scoring, conducting the outbrief, and managing the initial assessment report.
  • Phase 4: Close-Out and POA&Ms: Evaluating Plans of Action and Milestones, assessing time-bound remediation, and conducting the final close-out assessment.

Module 5: Scenario-Based Mock Assessment (Lab)

  • Practical Application: Working through a simulated, multi-day assessment of a fictional defense contractor.
  • Evidence Review: Students are given mock SSPs, network diagrams, and logs to evaluate.
  • Scoring Defense: Students must present their findings and defend their "MET" or "NOT MET" rulings to the instructor.
