Most Frequently Asked Questions About CMMC


Firewater Advisors asked nationally renowned cybersecurity expert Wayne Shaw some of the most commonly asked questions about CMMC certification and the Awareness and Training Domain.

Q:  Why Does My Organization Want CMMC Certification?

A:  Your organization needs to pass either the CMMC self-assessment or assessment by an auditor, or you don’t go after DOD contracts. That simple.

If not, the DOD or the big subcontractors you work with are going to move on to your competitor. And like any business, if they move on to your competitor and they have the certification and you don’t, you’re out and they’re not going to come back.

So from the business perspective, getting CMMC certification is a competitor-crushing, business-increasing opportunity.


Q:  How Do I Determine What Level of Assessment My Organization Needs?   

A:  That will be determined by the RFP. Now, if I don’t think they’ve changed it, the RFP will talk about what level of CMMC certification or assessment that you need.

If you handle CUI, or Controlled Unclassified Information, you will be level two or three. If you only handle FCI, or Federal Contract Information, then you only need to be level one.

At this time the level three determination has yet to be finalized, because that’s where the big boys are. That’s Boeing, that’s Northrop Grumman. That’s those guys.

Most of the defense industry base will fall into level two. So our recommendation is go for it and complete the level two assessment now. You’re supposed to be there anyway. Do it.


Q:  Should My Organization Request A CMMC Auditor or Assessor?

A:  I’ve consulted with many companies on getting fully certified, and this is what we advise all our customers to do:

Yes, go ahead and get assessed because there’s going to be fewer and fewer companies out there that are assessed. Most of them are going to take the self-assessment.

Since the Interim Rule said that organizations can be self-assessed, there are fewer assessors available to hit the ground running. So we say go ahead and be prepared to be assessed. Get all of your ducks in a row, make sure you have all of the artifacts, make sure you have all the training and all the policies and procedures.

When an RFP comes in that says you have to be certified level 2 for this particular RFP, it becomes a business decision. Because the cost of getting certified, having an assessor come to your location or locations for a week or two weeks—you’re going to have to pay for all of that.

And then it’s going to take two or three months for you and for them to go through all their procedures and elements of an audit. 

But if you’re ready for it, then you can hop on that bid—when your competitors can’t.


Q:   Where Should We Begin Toward CMMC Certification?

A:  Get the training up front. We highly recommend that everybody finish the training right at the beginning of starting what we call “The CMMC Journey” because it is a journey to get this thing done.

We find it a whole lot easier if people are trained first and then we move down such a complex compliance requirement. Then you have a lot of questions already answered for you.

This also makes it less expensive for you to run the new controls or the new requirements through your company because everybody goes, “Oh yeah, I understand that.”


Q:  Why Take Any Cyber Security Training?

A:  Basically, it comes down to if you don’t have the training, you don’t have one of the integral parts of the CMMC.

The downside is you can’t bid on the CMMC or the Department of Defense contracts or the RFI, and your competitor probably will. So you not only have missed out on that RFP, but all the others that are coming out on it because they’re going to go to your competitor.

We have companies we’re helping with right now, their business is 100% DOD. If they don’t have the training, they don’t have a company.


Q:   Can My Organization Run The CMMC Training Ourselves?

A:  Yes, you can. It would be very expensive. First you have to get a Learning Management System in your environment. They’re not cheap.  Then you would need a consultant to make sure you hit all the requirements.

It’s so much easier to go out and get the points you can as simply as possible.  And then spend your time, money, energy and effort on the hard parts—because there are some hard parts in the journey to becoming CMMC compliant.


Q:   What Makes The Firewater Advisors CMMC Training Different?

A:  I grew up in the military, my father was career Air Force. He would always say “if you don’t have a solution to the problem, you don’t have a problem, you’re just …complaining.” He didn’t use the word complaining.

I’ve helped enough companies through compliance to understand that building and delivering and tracking a training every year for every employee is extremely difficult—especially to meet governmental requirements and pass an audit.

There was no other training out there for the CMMC specifically, and we had the knowledge and the experience to put it together. Could we make it inexpensive? Can we make it plug and play?

So this is the solution to the problem. This is easy. It’s inexpensive, it tracks who is certified each year. We help you through it.

Another reason we created the training was we’re patriots. We understand that the country is in dire straits right now for cybersecurity and the CMMC.

And now I can tell dad, “I solved the problem.”


Q:   Is The Training Kept Up With CMMC Changes?

A:  Yes. Once a year, we update all the training to meet all the new requirements from the DOD.  We know the Department of Defense will be changing things because they always do.

It’s also required by the CMMC that you retrain all your people once a year. So yes, we make updates every year.


Q:   How Long Does CMMC AT Training Take?

A:  For each employee, the training and quiz will take about 20 minutes.

We focus on what employees need to know, what’s required in the CMMC guidelines, and what will actually help protect your organization. 


Q:   Is Each Training License Locked To One Person?

A:  No. Things change.  You buy a group of licenses for your employees. And if those people go away and somebody new comes in, you just change the name to protect the guilty.


Q:   How Do I See My Group’s Progress Toward CMMC Training Compliance?

A:  It’s important to keep track of who’s been trained and who has not been trained and where they are within the training.

That’s part of the “Dashboard” web page. You get an administrative login to the web portal and it lists everybody, where they’re at, and if they’ve completed the training or not.

And then at the beginning of the next year, all of that is kept because it is archival evidence of assessment. You can download the evidence also as a spreadsheet.  Each year it just clocks over and you’re ready to have everybody else complete the training again.


Q:   How Do I Get New Staff CMMC Trained?

A:  Obviously people change all the time. If you have licenses from people who have left the organization, you simply re-assign that license and then in one click you can send them the link to get started. 

If you’re out of licenses and you’ve increased your staff, great! Business is increasing! You simply go to the portal, pay for those additional licenses, and they’re ready to go.


Q:   Are My Employees Required To Pass A Quiz on CMMC Cyber Security?

A:  Yes, passing a quiz is a CMMC requirement.  We’ve set it up so you can review the material and answer the question correctly.  

So everybody who gets a license, everybody who goes to the training will have the time to get the right answer and get certified.


Q:   What Does The CMMC Training Cost?

A:  Of course, the CFO is going to want to know how much it’s going to cost. It’ll be under $20 per person per year.  Not per month, per year.


Q:   Why Is Your Training Offered At This Value?

A:  People say, “Wayne, you’re crazy, you can sell this for a whole lot more.” We created this training because we think the government and the people of America need it.

Our businesses and our defense contractors need to improve cybersecurity much, much more. And to be honest with you, I’ve already retired once.


Q:  Why Choose the Firewater Advisors Training Program Toward CMMC Compliance?

A:  When introducing anything new to an organization or any changes in an organization, training and change management are some of the most important elements to success.

We put a training program together. It’s easy to use. It’s inexpensive. We provide all the elements there to help you meet the CMMC requirements.

And it’s taken care of, year after year.  Annual renewal of cyber security training is required by the CMMC Awareness and Training (AT) Domain.

So if you’re interested in our training, just click through, find out more about it. And if you have any questions, you can always email us.


Q:  What Do You Say To The CIO or CFO about CMMC Certification?

A:  It’s easy for them to say “there’s no more budget for compliance.”

Completing CMMC certification now and scheduling your assessment right away is a smart business decision because it’s a competitor-crushing, business-increasing opportunity.

If you don’t have the training, you don’t have one of the integral parts of the CMMC.  There are some hard parts in the journey to compliance.

Firewater Advisors offers a solution. It’s inexpensive. It meets your requirements, and most organizations can’t do it at this cost on their own.  Go get certified to bid on contracts your competitors can’t.

We Are Here To Help

Ask Our Experts Your C.M.M.C. Questions

Our team specializes in helping businesses of all kinds prepare for and pass their C.M.M.C. Certification Assessments.  If you have questions, we probably have answers.  Ask your questions here and a member of our team will be in touch!
