GrayVolk
This is a sample. Enroll in the full CMMC Compliance Training.
AI-Guided CMMC Compliance Training

Welcome to Your Personalized Learning Path

This AI-guided module covers CMMC compliance fundamentals. Before we begin, tell us your role so the AI can tailor examples, depth, and focus areas to what matters most for you.

🤖 AI Training Engine

Hello. I'll be guiding you through this module. Select your role below and I'll personalize the content, scenario examples, and quiz questions to match your day-to-day responsibilities within the CMMC compliance framework.

  • 🖥️ IT / System Administrator: Manages networks, systems, and access controls within a federal contracting environment
  • 📋 Compliance Officer / GRC: Responsible for documentation, SSP maintenance, and audit preparation
  • 🏢 Executive / Senior Leadership: C-suite or director-level — accountable for organizational risk and contract eligibility
  • ⚙️ Operations / Program Staff: Works with CUI data, systems, or processes within a DoD-related contract

Module 1 of 3 · Foundations

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is a DoD framework requiring federal contractors to demonstrate specific cybersecurity practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).


🏛️ The Three Maturity Levels

| Level | Name | Controls | Target Audience |
|---|---|---|---|
| Level 1 | Foundational | 15 practices | Companies handling Federal Contract Information (FCI). Annual self-assessment. |
| Level 2 | Advanced | 110 practices | Companies handling Controlled Unclassified Information (CUI). Aligned to NIST SP 800-171. C3PAO assessment required. |
| Level 3 | Expert | 130+ practices | High-priority programs. All Level 2 controls + 24 enhanced requirements from NIST SP 800-172. |

📌 Why CMMC Matters Now

  • CMMC Phase 1 enforcement is active across all new DoD contracts as of November 2025
  • Federal contractors without a current SPRS score or documented SSP risk losing contract eligibility
  • The Senior Company Official must now formally affirm the organization's compliance posture
  • Third-party assessments (C3PAOs) are required for Level 2 and above — self-attestation is no longer sufficient
⚠ Key Risk

A company that cannot demonstrate CMMC compliance at the required level cannot be awarded a new DoD contract or have an existing contract renewed — regardless of technical capability or past performance.

📄 The System Security Plan (SSP)

The SSP is the cornerstone document of CMMC compliance. It describes your system boundary, the controls in place, how they are implemented, and any gaps (documented as Plans of Action & Milestones — POA&Ms).

  • Every organization handling FCI or CUI must maintain a current SSP
  • The SSP maps each of the 110 NIST SP 800-171 controls to your specific environment
  • POA&Ms document gaps — but Level 1 organizations cannot use POA&Ms; all controls must be implemented
  • The SSP score is entered into the DoD Supplier Performance Risk System (SPRS) portal
Module 2 of 3 · Key Control Domains

The Controls That Matter Most

NIST SP 800-171 organizes its 110 controls into 14 domains. The AI has highlighted the domains most relevant to your role.


🔐 Access Control (AC) — 22 Controls

  • Limit system access to authorized users, processes, and devices
  • Enforce least-privilege — users receive only the access required for their job
  • Control remote access sessions and encrypt all remote connections
  • Separate the duties of individuals to reduce risk of malevolent activity

🪪 Identification & Authentication (IA) — 11 Controls

  • Authenticate the identity of users, processes, and devices before granting access
  • Enforce Multi-Factor Authentication (MFA) for all local and network access to CUI systems
  • Use replay-resistant authentication mechanisms for privileged accounts
  • Employ password management tools and enforce complexity requirements
🤖 AI Insight

MFA enforcement (IA.3.083) is one of the most commonly failed controls during C3PAO assessments — and one of the fastest to remediate. If MFA is not yet enforced for all privileged access, this should be your first action item.

⚠️ Incident Response (IR) — 3 Controls

  • Establish an operational incident-handling capability — includes preparation, detection, containment, and recovery
  • Track, document, and report incidents to designated officials
  • Test the incident response capability at least annually

🔒 Configuration Management (CM) — 9 Controls

  • Establish and maintain baseline configurations for all systems processing CUI
  • Restrict, disable, or prevent the use of nonessential programs, functions, ports, and protocols
  • Control and monitor user-installed software
  • Apply security configuration settings — use the principle of least functionality

📦 What is CUI?

Controlled Unclassified Information (CUI) is government-created or government-owned information that requires safeguarding per law, regulation, or policy — but is not classified. Examples include:

  • Technical data, engineering drawings, and specifications for federal programs
  • Personally Identifiable Information (PII) related to federal employees or contractors
  • Law enforcement sensitive information
  • Procurement & acquisition sensitive data
📌 Key Obligation

You must identify all locations where CUI resides — endpoints, shared drives, email, cloud storage — and ensure each is covered by your SSP and access controls. Unidentified CUI is a significant audit finding.

Module 3 of 3 · Knowledge Check

AI-Adaptive Quiz

5 questions generated by the AI based on your role and the content covered. Select the best answer — instant AI feedback is provided after each response.
