Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors handling DoD-sensitive data follow established cybersecurity standards. The goal of CMMC—achieved through third-party assessments—is to provide the DoD with assurance that its industry partners are properly safeguarding Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). This helps strengthen the overall security of the Defense Industrial Base (DIB) and supports the mission of protecting U.S. warfighters.

CMMC 2.0 Framework Levels

Under CMMC 2.0, announced in 2021, the model consists of three levels:

The CMMC 2.0 rulemaking process is currently ongoing, with the final rule expected soon. Once finalized, CMMC requirements will begin appearing in new and renewed DoD contracts.

Steps to Prepare for CMMC Compliance

  • Determine Which CMMC Level Applies
    • Review your contracts and DFARS clauses to identify the required level.
    • If uncertain, confirm with your program manager or prime contractor.
  • Perform a Gap Analysis
    • Compare your current cybersecurity posture to the applicable framework:
      • Level 1: FAR 52.204-21 (17 controls)
      • Level 2: NIST SP 800-171 Rev. 2 (110 controls)
      • Level 3: NIST SP 800-172 (subset)
    • Identify and document gaps requiring remediation.
  • Develop Key Compliance Documentation
    • Document Security Practices: Describe how each NIST and CMMC control is implemented.
    • Build a Gap Plan: Outline remediation steps, ownership, and timelines.
    • Plan Policies: Cover areas such as access control, configuration management, and system monitoring.
    • Maintain an Incident Response Plan: Define how you will report cyber incidents to the DoD within 72 hours.
  • Maintain Continuous Compliance
    • Stay current with evolving CMMC 2.0 requirements.
    • Review and update your plans annually.
    • Undergo recertification every three years (for applicable levels).

SANS Resources to Support CMMC Compliance

SANS offers a range of resources and training programs aligned with the NIST Cybersecurity Framework and CIS Critical Security Controls, including:

  • Executive Cyber Exercises: Practical simulations to strengthen organizational incident response planning.
  • Leadership Curriculum: Courses designed to build governance, strategy, and leadership skills necessary for maintaining cybersecurity compliance.
  • Technical Training: Courses built and taught by top practitioners in topics such as incident response, cyber defense, and pen testing.

These resources help organizations develop the policies, governance, and response capabilities needed to meet CMMC and broader cybersecurity requirements.

Get CMMC-Ready with SANS Training

SANS offers a comprehensive series of training courses and hands-on exercises designed to help your security team and leadership meet CMMC domain requirements using this suggested mapping tool. Learn directly from top industry experts through continuously updated course content and give auditors confidence in your team’s capabilities with skills validation backed by GIAC certifications.
