top of page
  • What is the CMMC?
    The CMMC is designed to "protect American ingenuity and national security information, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) 2.0 program to reinforce the importance of DIB (Defense Industrial Base) cybersecurity for safeguarding the information that supports and enables our warfighters." Source: DoD CIO CMMC Website
  • What is a CTF?
    Traditional Capture the Flag (CTF) events focus on allowing individuals and organizations to practice cyberattack (Red Team) skills in search of vulnerabilities while defenders (Blue Team) identify the attacks and protect the organization. Players and teams are awarded points as they identify the vulnerabilities or fend off attacks.
  • What is the CMMC CTF?
    The Cybersecurity Maturity Model Certification (CMMC) Capture the Flag (CTF) event provides a means for individual Certified CMMC Professional (CCPs) and assessment teams comprised of a CMMC Lead Assessor, Certified CMMC Assessors (CCAs) and CCPs to test (and prove) their skills as CMMC experts. The CMMC CTF is intended to be a fun and friendly competitive event. Regardless of individual and team performance, the event promises to entertain and inform both participants and spectators.
  • Who is the crazy person who came up with the idea for a CMMC CTF?
    The CMMC CTF is the brainchild of Jeffrey Crump (CMMC CCA and Instructor) of the CMMC Training Academy, a service of Cyber Security Training and Consulting LLC. Cyber Security Training and Consulting is a Cyber AB/CAICO approved Licensed Training Provider (LTP).
  • What is Continuum GRC and why is it being used?
    Continuum GRC is the ONLY FedRAMP and StateRAMP Authorized Risk Management and Assessment solution on the market so it seemed like a natural fit for a place to put all the evidence. Plus, we know them and they're a good group of folks. Full disclosure: Cyber Security Training and Consulting LLC is a Continuum GRC reseller.
  • Who the %$#&^* does the CMMC CTF think they are by challenging my CMMC knowledge and abilities?
    Whoa, whoa, whoa there, killa'. Instead of thinking your god-like knowledge, skills, and abilities are being challenged, perhaps instead think of it as an opportunity to prove to the world that you are indeed the best-of-the-best. It's designed as a fun and challenging experience, not a questioning-your-authority event. If you win, then you can share your Champion status with the world. If not, just lie and say you couldn't find time to participate. No harm, no foul.
  • When is the CMMC CTF?
    The CMMC CTF will include three rounds, with top individuals and teams moving on to the next round. Round 1: July 3, 2024 10 a.m. - 5 p.m. Eastern Round 2: August 7, 2024 10 a.m. - 5 p.m. Eastern Championship: September 11, 2024 10 a.m. - 5 p.m. Eastern
  • When does CMMC CTF registration close?
    CMMC CTF registration closes June 28, 2024 @ 5 p.m. Eastern Time.
  • Which version of the CMMC will be used?
    As you may be aware, the CMMC program is currently in the midst of the rulemaking process. The CMMC CTF will emulate the program in effect at the time of the event, which may be the CMMC 2.0 material used during CCP and CCA training or an updated version (2.0 post-rulemaking). Since the CMMC Assessment Process (CAP) will unlikely be modified in time for the event, CAP v5.6.1 will be used. A slightly modified (and completely unofficial) version will be provided that reflects any changes needed. Regardless, the spirit of the CAP and its relationship will be our goal. Participants will need to be patient, flexible, understanding, and forgiving as we strike a balance during these changing times.
  • Where will the CMMC CTF be held?
    The CMMC CTF will be a 100% virtual event. The event will be livestreamed across LinkedIn and YouTube and the CMMC CTF website.
  • How will the CMMC CTF rounds work?
    There are three rounds in the CMMC CTF. Round 1 (July 3, 2024) is open to all registered and qualified individual CCPs and 5-member Assessment Teams. The Top 50% will advance to Round 2. Round 2 (August 7, 2024) is limited to the Top 50% from Round 1. The Top Two (2) individuals and teams will advance to the final Championship round. Championship (September 11, 2024) will feature a face off of the Top 2 individual CCPs for the final CMMC Level 1 assessment and Top 2 Assessment Teams for the final CMMC Level 2 assessment.
  • What the flags that will need to be captured?
    The details of this are still being worked out. However, the number and complexity of the flags and environments will become increasing difficult within and across rounds. Practice implementation will vary and include a mix of administrative, technical, and physical means. Evidence will include artifacts to be examined, simulated interviews, and observed simulated tests (videos). Participants should expect a variety of mainstream and not-so-mainstream technologies. Details will be announced prior to the CTF to ensure the participants are prepared.
  • Will we be assessing the same company across the rounds?
    No. Each round will include a new pseudo company with new scope, evidence, and flags.
  • When will we find out about the pseudo companies to be assessed?
    High-level information about each pseudo company will be posted one (1) week prior to the start of each round.
  • What information will be provided about the pseudo company one week prior to each round?
    You will be given a single page of information about the organization, its role in the DIB, product(s) it manufactures, contract history, key personnel, and core technologies.
  • When will participants be granted access to the actual evidence?
    At the start of each round, participants will be given the login credentials to the respective entity within predefined Continuum GRC environments. Evidence will be attached to each practice. Participants will be given read-only access.
  • Can you pick your individual or team name?
    We put this at the top because we know how important it is to you. The short answer is no. Don't worry, we used the brightest minds that ChatGPT has absorbed to generate the lists; we're pretty pleased. Check out the Scoreboard for a current list. They are assigned in a top-down order so you can try to strategically plan your registration to snag the one you want but it's on a first come, first assigned basis so you might get the next one on the list, maybe not. You never know when the person or team ahead of you registers. No whining; you get what you get. No "but, but, but we have a really cool name I/we want to use." Sorry.
  • What are the requirements to participate in the CMMC CTF?
    All participants must be listed on the Cyber AB Marketplace with the appropriate certification PRIOR to the CTF (not at time of registration). Any participants who are not listed on the Cyber AB Marketplace by 8 p.m. Eastern Time on July 2, 2024 will be disqualified. Assessment Team members must meet these same requirements. Disqualification of an Assessment Team Member could mean disqualification of the entire team if the non-conforming team member isn't replaced prior to 8 p.m. Eastern Time on July 2, 2024. Individual CCP Participants will be tasked with assessing a variety of evidence for a pseudo CMMC Level 1 organization. Points will be awarded for speed and accuracy as they rate the evidence and the organization's conformity to CMMC practices and objectives. Assessment Teams are comprised of a team-selected Lead Assessor (must be a CCA) and four Assessment Team Members. Two of the Assessment Team Members must be CCPs (not CCAs) and two may be CCAs and/or CCPs. Assessment Teams will be tasked with assessing a variety of evidence for a pseudo CMMC Level 2 organization; this will be a completely different organization from the one being assessed at CMMC Level 1. The CMMC CTF will align to the CMMC Assessment Process (CAP) v5.6.1. Although the CAP is designed to be used for CMMC Level 2 assessments, the process will be expected to be followed (as appropriate) for both CMMC Level 1 and Level 2 (e.g., scope validation, scoring, etc.), however, uniquely CMMC Level 2 activities will only be performed by the Assessment Teams.
  • Can an assessment team have less than five members?
    No. The 5-preson assessment team must include: One (1) CCA serving as Lead Assessor Two (2) CCAs or CCPs Two (2) CCPs
  • Can a person participate in both the individual CCP CMMC Level 1 CTF and serve as an Assessment Team Member for CMMC Level 2 CTF?
    No. Ain't nobody got time for that.
  • Can our Assessment Team be a mix of CCAs and CCPs from different companies or self-employed independent contractors?
    Sure. Build the best team you can.
  • Can I participate if I work for a DIB contractor?
    Absolutely. A DIB contractor may form their own team or its employees may participate by themselves or as members of other teams.
  • We are competing as an Assessment Team and have lost a team member, can we replace the team member?
    Yes, as long as that person has not participated in the current CMMC CTF in any capacity or role. Any changes to the Assessment Team must be reported to the CMMC CTF 24 hours ahead of the round via email to Note: You'll be given the opportunity to swap out up to two (2) Assessment Team Members between the rounds in order to meet the unique environment of each mock company for each round.
  • Can we change team members between rounds?
    Teams are permitted to change up to two (2) Assessment Team Members within the following terms: - You cannot replace the Lead Assessor; this must be the same person across all rounds. - Any new/replacement team members must meet the same basic CCP/CCA participation qualifications. - Team member changes must be reported to the CMMC CTF 24 hours ahead of the round. Send changes to
  • How much does it cost to participate in the CMMC CTF?
    Observers: Free but requires registration. Individual CCPs competing at CMMC Level 1: $25.00 Assessment Teams competing at CMMC Level 2: $125.00
  • What are the prizes?
    Custom Challenge Coins are being designed for the following. Individual CCP (CMMC Level 1): Champion (1st Place) Individual CCP (CMMC Level 1): Runner-Up (2nd Place) Individual CCP (CMMC Level 1): Fastest First Flag Individual CCP (CMMC Level 1): Fastest Total Flags Individual CCP (CMMC Level 1): Top Score (Points: Fastest time is tie-breaker) Assessment Team (CMMC Level 2): Champion (1st Place) Assessment Team (CMMC Level 2): Runner-Up (2nd Place) Assessment Team (CMMC Level 2): Fastest First Flag Assessment Team (CMMC Level 2): Fastest Total Flags Assessment Team (CMMC Level 2): Top Score (Points: Fastest time is tie-breaker) NOTE: Each Assessment Team Member will receive a Challenge Coin for team awards. Both Champions and Runners-Up will be able to carry their assigned name into the next CTF. No, we don't know when that will be.
bottom of page