Understanding CMMC: Watch Out for Unauthorized Training Providers

The Cybersecurity Maturity Model Certification (CMMC) framework is a new and evolving compliance standard for contractors working with agencies under the Department of War (DoW) or select Executive Branch functions. 

Much of this framework focuses on the readiness of a contractor to manage risk and security in their IT systems, and the capabilities they have to handle Controlled Unclassified Information (CUI). Since this is such a new framework, however, there is a push to train cybersecurity auditors and managed service providers who can successfully audit contractors in the upcoming years. Accordingly, there are plenty of companies out there advertising that they can provide training for CMMC audits and implementation. 

You must vet any organization that claims it can provide authorized instruction or assessments for CMMC certification.

What Is a CMMC Assessment?

CMMC derives much of its ground rules and recommendations from other security documents, namely NIST Special Publications 800-171 and 800-53 as well as ISO/IEC 17020. The latter is most important when it comes to Certified Third-Party Assessment Organizations, or C3PAOs.

C3PAOs are responsible primarily for preparing and assessing contractors in the Defense Industrial Base (DIB) for CMMC certification. These organizations are a necessary part of the compliance process and navigate their partner contractors through areas like certification and continuous maintenance. 

The assessors within a C3PAO fall under two general categories:

  1. Registered Practitioner: A Registered Practitioner is trained in CMMC rules and regulations, and often has experience in other areas of government cybersecurity compliance. They are not, however, certified to actually perform audits. They can only provide non-certified consulting services and advice to their clients.
  2. Certified Assessor: A Certified Assessor is someone who has undergone the required training, operating under the supervision of the CMMC Accreditation Body (CMMC-AB). Only a certified assessor can provide certified assessments for CMMC certification. 

Under the “Certified Assessor” umbrella, there is an additional set of levels that determine what a certified assessor can do:

  1. Certified Professional: Professionals aren’t assessors in and of themselves. Instead, they are authorized to perform assessments under an established assessor running their team, somewhat like an apprenticeship. Certified Professionals are eligible to become Certified Assessors once they complete examinations.
  2. Certified CMMC Assessor Level 1: Level 1 assessors can complete Maturity Level 1 (ML-1) assessments and can manage teams conducting ML-1 assessments.
  3. Certified CMMC Assessor Level 2: Level 2 assessors can complete Maturity Level 1, 2 and 3 assessments and manage teams conducting these assessments. After 15 completed assessments, Level 2 assessors can sit examinations to become Level 3 assessors.
  4. Certified CMMC Assessor Level 3: Level 3 assessors can conduct and direct assessments at any maturity level.

Each stage of assessment requires a specific examination and accreditation by the CMMC-AB.

What is the Problem with Unauthorized Trainers?

Currently, the CMMC-AB is finalizing its series of training exams for each assessor level, called CCA-1, CCA-2 and CCA-3 (for Assessor Levels 1, 2 and 3, respectively). Registered Practitioners likewise complete basic CMMC-AB training and registration before becoming fully registered.

That being said, many fly-by-night “security” operations are claiming that they provide both assessment services and training for CMMC assessors. This raises significant problems, both for potential C3PAOs (and their assessors) and for the firms relying on those C3PAOs for certification.

Understandably, the problems begin to trickle down to the contractor:

  1. An unauthorized trainer provides “instruction” to a security company that wants to become a C3PAO and get listed on the marketplace. Most likely this occurs because the security firm doesn’t understand the process (since it is so new) or the fraudulent trainer represents themselves as something they are not.
  2. This same company might advertise itself as capable of conducting CMMC assessments to DIB contractors. Again, through misunderstanding and misrepresentation, this agency pushes their clients through unauthorized assessments.
  3. A contractor, whether through an unauthorized C3PAO or an unauthorized CMMC trainer and assessor, is out thousands of dollars.

Cost is a major issue. One of the stated goals of the CMMC framework is to make it accessible to enterprise companies and SMBs alike. Since CMMC is relatively new, it’s hard to determine just how much it will cost to get an assessment with a remediation plan. Prepared organizations familiar with, and adhering to, NIST 800-171 regulations might see their consultation and gap analysis range between $25,000 and $45,000. If your company isn’t as mature, costs can rise to $100,000 for a complete overhaul. And that doesn’t include further consulting and implementation costs for technologies like compliant cloud platforms or office suites (like moving to a 100% compliant Office 365 or Google Workspace setup).

Working with an unauthorized organization can set your company back severely if you are paying these costs with nothing to show for it. An organization that conducts an assessment or training without the proper credentials isn’t licensed to do so, and any subsequent application for CMMC certification will ultimately be rejected on those grounds.

Work with Lazarus Alliance for Proactive Audits and Consulting

Lazarus Alliance is currently undergoing CMMC ML-3 examination and will shortly be one of the first agencies in the country to provide critical CMMC assessments for IT companies in the DoD supply chain. 

More importantly, we are a veteran-owned and operated cybersecurity company with decades of collective experience in several regulated industries, including serving as a certified 3PAO guiding CSPs to their ATO status under FedRAMP guidelines. 

If you are a company that wants to enter the federal or DoD contracting space, call 1-888-896-7580 to discuss your organization’s compliance needs.
