The Importance of Choosing an LTP for CMMC Training

February 16, 2022 Thomas Graham

Training is something everyone talks about when discussing cybersecurity, and now when discussing CMMC as well.

CMMC has identified training as a cornerstone of its process, with a layered approach. To become a Certified CMMC Assessor (CCA), one must first become a Certified CMMC Professional (CCP). However, there has been confusion around some of the requirements that candidates for CMMC certification must go through. One point of confusion has been whether CCPs will have to sit in on CMMC Level 2 assessments before becoming CCAs.

Training Breakdown

The CMMC-AB has limited which organizations can provide CMMC training under the established Licensed Training Provider (LTP) program. These LTPs are listed in the CMMC Marketplace and had to meet very stringent requirements to become approved. This included providing specific information and attestation to their prior training ability before being authorized to provide CMMC training. Currently, LTP training is provided by a Certified CMMC Provisional Instructor (PI). Similar to the LTP requirements, the PI has attended training over and above even the Provisional Assessors (PAs) to become a PI. In the provisional model, all PI candidates have to pass PA training first, before taking the PI training.

Training Requirement

Currently, the requirement is that CCA candidates must participate in a minimum of three CMMC Level 2 assessments before becoming a CCA. This requirement speaks to the certification not simply being a “paper” certification, but one in which the assessor candidates demonstrate, practically, that they understand the CMMC assessment procedures. This is different than other well-known certifications in that it requires demonstration of a specific assessment model rather than an overall “experience” requirement.

What This Means to You

Currently, there are only six Certified Third-Party Assessment Organizations (C3PAOs) with which CCA candidates can participate in assessments. This means any CCPs seeking to become CCAs should go through training now, as opposed to when the final CMMC v2.0 training comes out. The reasoning is that there will be limited CMMC Level 2 assessment spots available for candidate CCAs to sit in on once the assessments are approved to begin. By completing training now, candidate CCAs will be better postured to capture one of these spots before the backlog begins.

If you are one of the numerous candidates waiting to take the current training because of the delta training or are waiting on the exams that won’t be available until later in 2022, you may want to re-think your strategy. Due to the anticipated backlog of candidate CCAs trying to complete the requirement, it is highly recommended that candidates begin their training now to avoid sitting on a list. 

Other Considerations

As more LTPs are registered in the Marketplace, choosing whom to use for training becomes an important decision. As mentioned earlier, there are several LTPs offering training classes in a variety of formats, but currently, there are only six C3PAOs. Out of the six C3PAOs, only two of them are currently LTPs! So, it will take collaboration amongst all the C3PAOs to assist the CMMC-AB in achieving this requirement.

There are many reasons why one should partner with Redspin for their training goals. Redspin was the first authorized C3PAO to hit the CMMC ecosystem and Redspin offers innate knowledge of what it takes to understand the CMMC requirements, put the requirements into practice, and ensure the practices continue to meet the requirements under CMMC. Additionally, candidates who train with Redspin will gain valuable experience and knowledge from Redspin’s CMMC PI, Dr. Thomas Graham, who was the chief architect of Redspin and played a vital role in Redspin becoming the first Authorized C3PAO. 

At Redspin, we are proud of our achievements, and we are excited about working closely with the CMMC-AB to assist with the nuances this training requirement will bring. To us, the main “take-away” from this training requirement is that whether candidate CCAs take training with us or another LTP, the time to wait is over.

For information on Redspin’s CMMC training classes, or to reserve your spot at a CMMC assessment class, please go to Classes currently offered are virtual, in-person; or if you have enough candidates, we can come to you! For questions surrounding Redspin’s training, please see our FAQ at [insert FAQ link here] or reach out to us directly.

About the Author

Thomas Graham

Dr. Thomas Graham serves as the CISO for CynergisTek, a top healthcare cybersecurity company based in Austin, TX. Prior to CynergisTek, he supported the Defense Health Agency in a variety of roles, where his team received a FedHealthIT award for innovation presented at the National Press Club in Washington, DC. He currently holds a PhD in Information Assurance and Security, and an MBA. Thomas has received CISSP and HCISPP designations, along with other industry-recognized certifications. Thomas also serves on the MIS advisory board for East Carolina University, was part of an IoT panel discussion at the 2016 National Cyber Conference in Birmingham, AL, and has recently presented at the 2019 ISC2 Security Congress and was part of another panel discussion at the 2019 QSC conference.
