Five-day bootcamp on the CMMC 2.0 Final Rule (32 CFR Part 170) implementation requirements for defense contractors. Covers the rolling phase-in, level determination, scope and inheritance, the assessment ecosystem, and operational considerations including External Service Providers (ESPs), FedRAMP equivalency, and ESP risk. Reflects the most current DoD CIO guidance.
This five-day bootcamp delivers an intensive, practitioner-focused walk through the CMMC 2.0 Final Rule codified in 32 CFR Part 170. Instructor Carl B. Johnson, President and CISO of Cleared Systems, translates the regulatory text and the most current DoD CIO guidance into implementation steps your organization can act on immediately. Each day builds on the last, moving from regulatory foundation to operational readiness.
Participants begin with a structured read of 32 CFR Part 170, focusing on how the final rule differs from earlier proposed versions and what those differences mean for contract compliance timelines. The rolling phase-in schedule is mapped against contract action types so attendees understand when CMMC requirements become contractually enforceable for their specific business lines.
Accurate level determination is the single decision that shapes every downstream cost and effort. This session covers the criteria that distinguish CMMC Level 1, Level 2, and Level 3 requirements, with extended focus on Level 2 as the tier affecting the largest share of the defense industrial base. Scope definition receives equal attention: participants work through the six asset categories defined in the rule — including CUI assets, security protection assets, contractor risk-managed assets, specialized assets, out-of-scope assets, and government property — and practice drawing defensible assessment boundaries.
The 110 security requirements of NIST SP 800-171 form the technical backbone of CMMC Level 2. Day three moves domain by domain, identifying the controls that most frequently generate findings, the system security plan (SSP) language assessors scrutinize, and the plan of action and milestones (POA&M) constraints imposed by the final rule. Participants learn to align existing policies, procedures, and technical configurations to the control language assessors will evaluate.
This session maps the full assessment ecosystem: self-assessments, affirmations, C3PAO-conducted third-party assessments, and DCSA-led government assessments. Inheritance rules are examined in detail, including what can and cannot be inherited from a cloud service provider or managed service provider, and how inheritance claims must be documented. The SPRS score submission process and its relationship to contract eligibility are covered in practical terms.
The final day addresses the operational considerations that most organizations underestimate. External Service Providers (ESPs) — including cloud service offerings that process, store, or transmit CUI — must meet specific requirements under the rule. Participants work through the FedRAMP equivalency pathway and its documentation demands, evaluate ESP risk using the frameworks provided in the rule, and draft the contractual and technical controls needed to manage external service provider risk. The day closes with a readiness checklist and a discussion of ongoing compliance maintenance obligations.
This bootcamp is built for the people doing the work: compliance managers, IT security analysts, system owners, and program managers at defense contractors and federal contractors who hold or pursue contracts containing DFARS 252.204-7012 or who anticipate CMMC requirements in future solicitations. It is equally relevant for GRC analysts and vCISOs supporting multiple contractor clients. If your team is responsible for maintaining an SSP, managing a C3PAO relationship, or advising leadership on CMMC readiness, this is the course that closes the knowledge gap.
Managers approving this training should note that participants return with reusable templates and a structured implementation methodology — not just awareness-level knowledge. Organizations that want to continue building on bootcamp outcomes can explore Cleared Systems' CMMC, CUI & DFARS Compliance services or discuss a tailored engagement through our Regulatory vCISO Services.
CMMC 2.0 enforcement is accelerating. The contractors who invest in structured, implementation-level training now will spend less time and money on remediation later. This bootcamp, led by an instructor with direct experience advising defense contractors through the compliance process, gives your team the regulatory fluency and practical tools to move from uncertainty to a defensible, assessor-ready posture.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.