CMMC Bootcamp: Mastering the CMMC Requirements Implementation

  • Date: Wednesdays, August 28-September 25
  • Time: Registration-8 am & Workshops-8:30 am-12 noon
  • Location: CONNSTEP, 350 Church Street, Hartford, CT 06103

Program Description

The Defense Industrial Base (DIB) sector is the target of increasingly frequent and sophisticated cyberattacks.  In response, the DoD is installing the Cybersecurity Maturity Model Certification (CMMC) 2.0 program designed to safeguard American innovation and national security information.   

This initiative requires all contractors and subcontractors participating in DoD contracts at any tier of the supply chain to fully implement the CMMC practices by the beginning of 2025 to be eligible for DoD work. 

CONNSTEP, the NIST Manufacturing Extension Partnership (MEP) regional authority, will conduct five (5) consecutive half-day workshop training sessions that will guide participants in the implementation of NIST SP 800-171 practices to improve the Department of Defense Supplier Performance Risk System (SPRS) compliance score and drive preparedness for CMMC 2.0 Level 2 audit.   

We will discuss: 

  • Key elements of the CMMC 2.0 Published Rule requirements, rollout timeline, and impact on subcontractors. 
  • CUI/FCI identification, marking, and scoping documentation development. 
  • Basic and derived controls in each domain of NIST SP 800-171, both the requirements’ objectives and methods of complying. 
  • Hands-on exercises to develop customized Policies & Procedures, System Security Plans, and Incident Response Plan required documentation – customizable templates will be provided. 
  • Policies & Procedures implementation techniques and best practices. 
  • Building a culture of security within an organization. 
  • Risk Assessment and Risk Management methodologies and procedures. 
  • Additional free resources to support the implementation of required cybersecurity controls. 

Participants will become equipped with the knowledge to propel an organization toward CMMC 2.0 Level 1 & 2 full compliance and certification readiness. 

Intended Audience

Any company that currently holds, or anticipates obtaining, a contract with the DoD requiring compliance with DFARS 252.205-7012, or supplies products to the DoD, should attend this training.  It is intended for individuals responsible for overseeing the company’s cybersecurity compliance program, including Business Owners, Management Staff, and Senior Leadership. Whether your cybersecurity efforts are in the initial stages or well underway in implementing compliance requirements, this training is important for you and your organization.

Workshop Session Topics: 

August 28 – Session 1 

  • Understand the CMMC 2.0 Proposed Rule requirements, rollout timeline, and impact on subcontractors if not compliant. 
  • Learn how to identify and mark CUI/FCI. 
  • Hands-on exercises to map the CUI/FCI data flow through an organization and develop scoping documentation. 
  • Introduction to cybersecurity policies, procedures, best practices, and effective implementation throughout the organization 
  • 3.1 Access Control domain requirements discussion 

Policies and Procedures customizable templates will be provided. Learning exercises to modify the procedures will be conducted throughout the five sessions. 


September 4 – Session 2 

  • Learn CMMC Assessment methods and the role of compliance evidence documentation. 
  • Discuss the development of the Plan of Action & Milestones (POAM) and System Security Plan (SSP) documents. 
  • Requirements discussion for domains: 3.12 Security Assessment, 3.9 Personnel Security domain, 3.5 Identification & Authentication 

SSP and POAM customizable templates will be provided. 


September 11 – Session 3 

  • Learn the role of the Change Control Board (CCB) and authorizations 
  • Gain an understanding of the requirements in domains: 3.4 Configuration Management domain, 3.3 Audit & Accountability, 3.10 Physical Protection, 3.8 Media Protection domains 
  • Develop a schedule for continuous maintenance improvements and updates. 


September 18 – Session 4 

  • Understand the requirements of an Incident Response Plan (IRP) and reporting to authorities. 
  • Requirements discussion for domains: 3.6 Incident Response domains, 3.7 Maintenance, 3.11 Risk Assessment 
  • Discuss Risk Assessment and Risk Management methodologies and procedures. 

IRP and Risk Management customizable templates will be provided. 


September 25 – Session 5 

  • Learn about the implementation best practices of domains: 3.2 Awareness & Training domains, 3.13 System & Communications Protection domains, 3.14 System & Information domains 
  • Review customized cybersecurity procedures. 
  • Discuss employee training on company security policies, effective techniques, and implementation best practices.