CMMC has a reputation for being a moving target, both in how the program will apply to the Defense Industrial Base (DIB) and in the timeline on which we can expect it to start appearing in contracts.

With so much changing, most CMMC consultants, future assessors, and organizations that will need a CMMC Assessment Certification may feel like they want more alignment.

At a recent CS2 conference, Mr. John Ellis of the DIBCAC stated that only 25% of all companies they assessed over the last couple of years have met all the requirements. Well, perhaps everybody preparing and/or consulting with those organizations wasn’t on the same page.

So, how do we get them all on the same page? Train them together! Train them on a common body of knowledge, consistent with what the assessors are looking for!

Recently several large consulting companies, both RPOs and C3PAOs, booked private Certified CMMC Professional (CCP) classes with us at Edwards. The popularity of private classes is growing. Perhaps these folks are seeing the challenges their clients face and want to properly guide their Defense Industrial Base (DIB) partners in a way that better assures their success. A common approach is best for making any team better!

At the 2022 National Defense Industrial Association (NDIA) conference, Stacy Bostjanick of the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD A&S) publicly stated that contracts are expected to contain the CMMC provision by May 2023.

And how long will it take the average Organization Seeking Certification (OSC) to conduct a gap analysis, organize the remediation into prioritized projects with proper funding and resources, implement all necessary controls, and call up a C3PAO to get in line for their assessment? Interestingly, the week before, Mr. Ellis stated the average time a company takes to close out a Plan of Action and Milestones (POA&M) item is nearly a year and a half! So, at that pace, it is not likely that companies will be ready when it hits their contracts unless they get quality advice now from those doing their consulting and gap assessments. That is why these large consulting companies are gearing up right now, as their phones are starting to ring.

While team training has clear benefits, we also understand most teams cannot “check out” for a full week (even if the training is instrumental). For a private group, we can split the 5-day boot camp into two days in week one and three days in week two, allowing your team to stay abreast of their workload while reaping the full benefit of a group class.

There are many reasons to train your team together in a private class – but here’s our favorite: Alignment. When it comes to our CCP class, the collaboration on the topics discussed, the strategy on how the learnings apply to immediate prospects and clients, and the buildout of an internal resource library all become a shared responsibility instead of a gradual pile of mayhem. We know because we live that at Edwards, including the training we participated in to stand up our SOC2 consulting practice!

“Talent wins games, but teamwork and intelligence win championships.” – Michael Jordan

Interested? Let us know how we can support your team!

AUTHOR: JOY BELAND (FMR. CMMC PROGRAM MANAGER)

Joy was a former CMMC Program Manager for Edwards Performance Solutions, delivering live training for all areas of CMMC, as well as an active participant of the Commercial Cybersecurity Assessment Team. Before joining Edwards, Joy served the MSP community as a cybersecurity education instructor, educating 3,000+ on cybersecurity fundamentals from 2019-2020. In addition to her facilitation experience, Joy owned a successful MSP in Los Angeles for 21 years.