Lead CCA
Aspire Cyber
Helps defense contractors achieve CMMC compliance through assessments, training, and consulting tailored to businesses of all sizes.
Aspire Cyber WebsiteRead transcript Hide transcript
Andrew Lynch: Thank you everyone for checking out the Virtru Compliance Champion Assessor Spotlight of this week. For this episode, we have Derrich Phillips from Aspire Cyber, someone that I've gotten to know and is extremely well accomplished in this field. So, Derrich, why don't you introduce yourself and tell us a little bit about Aspire Cyber?
Derrich Phillips: Sure. Thanks, Andrew. I really appreciate you having me. My name is Derrich Phillips. I'm the founder and president of Aspire Cyber, which specializes in CMMC readiness. We also are an approved training provider delivering the CMMC certification training for CMMC Certified Professionals and CMMC Certified Assessors. My wife and I started Aspire Cyber back in 2021. Prior to that, I was working for Bank of America doing third-party risk assessments. That was really my first introduction into the whole regulatory procurement compliance world, and here we are today. We are really focused on helping organizations navigate CMMC requirements and taking them from not even knowing what CUI or CMMC is to getting that Level 2 CMMC certification. To date, we've helped six organizations achieve CMMC Level 2 certification.
Andrew Lynch: That's great. Congratulations, and thanks for your help supporting the defense industrial base. Share with us a little bit more about what you are seeing right now with readiness assessments. How are organizations preparing for CMMC? What are some challenges they're seeing, and what advice would you give them?
Derrich Phillips: I would say I'm starting to see a lot more activity on the readiness side where organizations are biting the bullet and making that investment. Once the rule dropped in December, I was hoping that I was going to have relaxing holidays, and it was anything but. December was probably our busiest month of the year. So many organizations were looking to start their CMMC compliance journey before the year ended. It was just off to the races, and it's been that same way ever since. But it is encouraging to see organizations figuring out that CMMC is not going away and that it probably is going to be a good return on investment for them to consult with experts or solution providers like Virtru. They can help them streamline the process and, in return, save a lot of money, frustration, and heartache by partnering with people who know what they're doing. I always say CMMC is not a DIY project, especially for Levels 2 and 3, because there are so many nuances and areas where you really have to have specialized expertise to understand how to interpret those requirements and what they mean in plain English. That's what we pride ourselves on. We help our clients translate those requirements into practical, affordable solutions that are ultimately going to help them reach their goal of winning or keeping Department of Defense contracts. We do the heavy lifting on the compliance side. We don't expect our clients to be CMMC experts. That's our job. It's what they're paying us for. So we are just trying to help them navigate and align with affordable solutions that are going to be practical for their business operations.
Andrew Lynch: That's great. Tell us a little bit more about what it is like to work with Aspire Cyber. What are your processes, and what have you heard from customers as to what their experience has been working with you?
Derrich Phillips: Sure. So we coined what we call our CMMC acceleration system or compliance acceleration system. Basically, it consists of five phases. It starts with our pre-assessment. In that phase, we're walking our clients through scoping, understanding what information they have in scope, whether it's Federal Contract Information or Controlled Unclassified Information. From there, we identify what system is in scope, which means their people, facilities, and technology that process, store, or transmit that sensitive information. Once they have a grasp of that, we'll keep going down the list for a granular understanding of what those assets are and what opportunities exist for us to reduce that assessment scope. That really is the name of the game. If you can reduce that scope, whether you use an enclave or restrict who has access to that sensitive information, it can save you a lot of money and compliance burden. If you're an organization with a blank check, you might not have to worry about money, but you still have to worry about the compliance burden your team members are going to experience if they're in scope for that assessment. CMMC is not about convenience; it's essentially about safeguarding the confidentiality of CUI. Along those lines, it's going to be a real culture shift for organizations embarking on the CMMC journey because they're going to have to change the way they are doing business, at least in the context of handling FCI and CUI. That, I would say, is the biggest challenge for a lot of organizations—understanding that culture shift. It is no longer about doing business the way you've always done it. This is a new day. CMMC at Level 2 and Level 3 requires a C3PAO to come in and assess your compliance. You can't fake your way through it. You can't hope your way through it. You have to be able to produce the evidence to show that you're doing what those requirements outline. It really is crucial to make sure that you either have someone internally who is certified and understands the requirements, or you're partnering with someone who does, because they're going to help you navigate that process. So that's the pre-assessment. We spend a lot of time in the pre-assessment. That can be anywhere from a couple of weeks to a couple of months depending on how complex the organization is. I would say that's the area where we see organizations struggle the most because a lot of times they don't know what CUI is. They don't know what is not marked. There are just so many unknowns and gray areas. Unfortunately, a lot of times they're not getting much guidance from their contracting officer or prime contractors, so they're trying to figure this out for themselves for the first time in their history of doing business with the Department of Defense. But it's crucial to do that. I always equate the pre-assessment phase to building a house. You have to lay that foundation, and that's the pre-assessment. The next phase, the assessment phase, is building the walls. You need to understand what your current state is today against the requirements. And it is just that: you're looking to see if you have these controls in place. If you do, the requirement is met. If you don't, it's not met. For CMMC Level 2, there are 110 requirements, but you can't forget about the 320 assessment objectives that correspond to the requirements. For someone like myself as a lead assessor, when I'm doing a certification assessment under a C3PAO, I'm looking to see if they're meeting the requirements based on assessment objectives. For example, access control 3.1.1 has a requirement limiting access to the system, but it has six assessment objectives that correspond to it. If five of those assessment objectives are met out of six, that requirement is still not met. You need to meet all of the requirements and all the assessment objectives. So that's our gap assessment. During that phase, we're helping our clients identify their current state, documenting any deficiencies, and putting that on a Plan of Action and Milestones so they can remediate. Phase three is remediation. We're supporting them to whatever level of support they need, up to hands-on keyboard work, referring solution providers, or whatever else they need to remediate those deficiencies. Phase four is documentation. We are helping with the System Security Plan, policies, and procedures. CMMC is very documentation-heavy at Levels 2 and 3. That alone is a major undertaking because, as an assessor, we're not going to take your word for it. We want to confirm it. You have to show me and prove that you're actually doing what you say you're doing. Phase five is certification. We're getting them ready for game day, for the actual certification assessment. We're mapping all of the evidence to the assessment objectives. We are going to do a mock assessment. Think of that as a dry run where we're applying the same level of rigor they're going to experience during the certification assessment. We're leveraging the methods that assessors use to validate if a requirement is met, which include review, interview, and test. We're applying those same methods and following all the same processes outlined in the CMMC Assessment Process, or CAP. Once they complete that, if they score a perfect 110 during that mock assessment, they can have a relatively high level of assurance that they're going to pass the certification assessment. We can't guarantee it as a consulting company because some variables are out of our control, but they can know they're in good shape. What they don't want to do is go into a certification assessment never having done a mock assessment, never having done a gap assessment, and just hoping for the best. That's not going to go well. Those assessments are high stakes, they're expensive, and you don't want to go in without being prepared.
Andrew Lynch: That sounds extremely thorough. I'm not surprised to hear a thorough answer because for those who have not seen Derrich's social presence, he has a library of extremely helpful public documentation and resources outlining his process. I would recommend people check that out. I've personally learned a lot from Derrich even before speaking with him for the first time, just seeing him on the internet. I'm curious, what's your take? From what you just described, I could easily see the return is there. Getting prepared properly ahead of time is going to be an all-around better use of money than winging it and failing. So for those who are not opting for, or maybe on the fence about engaging with a consultant, what are the biggest reasons why you see that, and what advice would you give them?
Derrich Phillips: I would say the biggest reason is budget, and I understand this. A lot of defense contractors are small businesses, and they're not making millions of dollars. They have really tight margins. For them, ultimately, it's going to be a business decision whether they're going to continue doing business with the Department of Defense because CMMC is not optional. If you are receiving or producing sensitive information that's in scope for CMMC in the performance of your contract or subcontract, you're putting your organization at a big risk if you're not safeguarding it to the CMMC requirements. You have things like the False Claims Act and whistleblowers, where they have to be concerned about potential civil and criminal penalties. For small businesses, let's say they're making a twenty thousand dollar margin on that contract total. It may not be a good line of business for them to continue in because CMMC is going to cost money, and it is complex. Beyond the financial part, my advice to those really small micro-businesses is that if they can't afford to continue, that's just a business decision they have to make. But before they do that, they should speak with a consultant or someone who can guide them objectively in the right direction. Let's consider how we can reduce your scope as much as possible, and then look at available solutions where you can maybe inherit a lot of the requirements from a Virtru enclave or something similar. That can be more affordable than trying to go a different direction, bringing everything in-house, and hosting the systems themselves. Fortunately, at this point, there are affordable solutions out there that they can look into to hopefully keep them in the defense industrial base because we need more small businesses in the DIB. Beyond that, I've encountered challenges more so with larger organizations. We specialize in supporting research universities and manufacturers, and there can just be a lot of bureaucracy and red tape in terms of onboarding a new vendor. It's just a lot of cat herding, so to speak. That can be another challenge for organizations looking to engage consultants.
Andrew Lynch: That's helpful. If an organization was interested in evaluating if they wanted to partner with you and use your consultation services, could you walk us through what an average initial engagement looks like? Not financially, but more, do you give an initial consultation with a similar overview, or maybe in more detail? What does that look like for those who've never engaged with something like this before?
Derrich Phillips: Certainly. Typically, they would come in through our website, and they could schedule a free consultation, or they may have found me on YouTube and emailed me directly. I'm happy either way; whatever works best. We'll typically schedule a thirty-minute discovery call with them to get an understanding of what requirements they have. Do you currently have a defense contract, or are you anticipating one? Also, what type of information are you handling, and what is your system? Once we have a good feel for that, we talk them through some viable options. We really pride ourselves on being able to save our clients money and time. If there is a micro-business where they anticipate getting CUI at some point and maybe just need secure email and storage, we will point them in a direction to go with a Virtru enclave to keep that scope small and do it cost-effectively. By being vendor-agnostic, we're not just going to default to telling them to go to another solution provider, even though it may not be the most cost-effective or best solution for them, just because that's all we know. We have several clients who, after getting their certification, did interviews with us and explained how they've saved over six figures by engaging us. We were able to point them in a direction they otherwise never would have known about. Going another direction would have cost them a lot more money. I think it's really important for defense contractors to have that trusted resource, whether it's a consultant, the Apex Accelerators, or the MEPs. The DOD puts out a lot of content, like the Cyber AB town halls. Just really try to find those trusted resources and ask for referrals and reviews.
Andrew Lynch: That's really helpful. That's something that I've learned myself from getting to know you and talking with other consultants and assessors in the CMMC space. They typically have a vendor-agnostic approach. To your point, an organization that hasn't really done anything like CMMC before often just hears about the incumbents—the largest, most expensive options. Working and paying for consultation services with you is going to save them money because they don't know about all the alternative options. I assume you're regularly learning about technologies like Virtru and others, and are able to provide more options and an idea of what the cost of each would be, which is extremely valuable to these really small businesses. Let's switch gears a little bit because you also mentioned that you're a training provider. I would love to hear a little bit about what's going on with that line of the business, and who would be better suited to reach out to you to learn more about that.
Derrich Phillips: Certainly. We became an approved training provider in November, but I've been delivering the CCP and CCA training for other training providers as an instructor for a little over three years now. It's something I'm really passionate about: educating, mentoring, and coaching. So it only made sense for us to start this line of business and become an approved training provider. There's a lot of excitement on this side, especially now that ISACA has taken over the CAICO, and they're responsible for the overall certification of professionals, assessors, and instructors. It has given a lot more credibility to the certification pathway under CMMC. Almost daily, people are reaching out to me as they're learning about CMMC and exploring how they can make that transition from cybersecurity, IT, or other career fields into CMMC. As I mentioned, it is specialized. Just because someone has been doing cybersecurity and IT for twenty years doesn't mean they understand NIST and CMMC. There is a lot of activity on that side, where we take the same discovery-first approach. What are you trying to do in your CMMC career? Do you want to be an assessor, a consultant, or an instructor? We get a feel for that and then guide them in the right direction. Currently, there's a huge gap in the industry on the training side regarding hands-on experience. You have these professionals who are getting certified, but they haven't been on an assessment or done any consulting, and it's a steep learning curve. That distinguishes us as an approved training provider. We offer other training solutions in parallel that provide hands-on experience. We call it our CMMC Copilot. It's a twenty-four-week intensive, hands-on training for CMMC consultants and assessors. We view it as offering a holistic approach to CMMC training.
Andrew Lynch: That's great. Would any of those ever be appropriate or geared towards a professional managing the compliance program internally at an organization, or is this really more geared towards those looking to make it a career as a consultant or an assessor?
Derrich Phillips: Both. Typically, especially in our CCP class, you'll have more defense contractors or solution providers in that course so they can gain a foundational knowledge of CMMC while speaking to their clients or internally helping their organization prepare for a certification assessment. You have a good combination. With our CMMC Copilot hands-on training, it's the same. You have those who are looking to do it from a career standpoint, but you also have defense contractors going through the training led by myself and other certified professionals. They view that as a sounding board, an opportunity to make sure they're on the right path, almost like having a consultant. Through that training, they're learning to empower themselves to help their organization navigate it. In addition to that, we offer customized workshops for sales teams, senior leadership, and other stakeholders who don't need a wide breadth of understanding of CMMC. They just need a foundational knowledge as it pertains to their specific role. Being an approved training provider gives us a lot of flexibility. Obviously, we have to deliver the licensed training for the CCP and CCA, but we can supplement that and create workshops customized to various stakeholders. It gives us a lot of flexibility to make sure we're meeting people where they are.
Andrew Lynch: That's great. So it sounds like if someone checks out Aspire Cyber and sees some of your offerings, but feels what they're looking for isn't exactly listed there, when in doubt, they should reach out to you because you may be able to customize something to best suit their needs. Well, I think that wraps up this episode. I just wanted to say thanks again, Derrich. For those interested in learning more about Aspire Cyber and reaching out to Derrich, you'll see his contact information here. It sounds like, Derrich, you're a great resource for people to check out and work with.
Derrich Phillips: Sure. Thanks, Andrew. I really appreciate you having me. My name is Derrich Phillips. I'm the founder and president of Aspire Cyber, which specializes in CMMC readiness. We also are an approved training provider delivering the CMMC certification training for CMMC Certified Professionals and CMMC Certified Assessors. My wife and I started Aspire Cyber back in 2021. Prior to that, I was working for Bank of America doing third-party risk assessments. That was really my first introduction into the whole regulatory procurement compliance world, and here we are today. We are really focused on helping organizations navigate CMMC requirements and taking them from not even knowing what CUI or CMMC is to getting that Level 2 CMMC certification. To date, we've helped six organizations achieve CMMC Level 2 certification.
Andrew Lynch: That's great. Congratulations, and thanks for your help supporting the defense industrial base. Share with us a little bit more about what you are seeing right now with readiness assessments. How are organizations preparing for CMMC? What are some challenges they're seeing, and what advice would you give them?
Derrich Phillips: I would say I'm starting to see a lot more activity on the readiness side where organizations are biting the bullet and making that investment. Once the rule dropped in December, I was hoping that I was going to have relaxing holidays, and it was anything but. December was probably our busiest month of the year. So many organizations were looking to start their CMMC compliance journey before the year ended. It was just off to the races, and it's been that same way ever since. But it is encouraging to see organizations figuring out that CMMC is not going away and that it probably is going to be a good return on investment for them to consult with experts or solution providers like Virtru. They can help them streamline the process and, in return, save a lot of money, frustration, and heartache by partnering with people who know what they're doing. I always say CMMC is not a DIY project, especially for Levels 2 and 3, because there are so many nuances and areas where you really have to have specialized expertise to understand how to interpret those requirements and what they mean in plain English. That's what we pride ourselves on. We help our clients translate those requirements into practical, affordable solutions that are ultimately going to help them reach their goal of winning or keeping Department of Defense contracts. We do the heavy lifting on the compliance side. We don't expect our clients to be CMMC experts. That's our job. It's what they're paying us for. So we are just trying to help them navigate and align with affordable solutions that are going to be practical for their business operations.
Andrew Lynch: That's great. Tell us a little bit more about what it is like to work with Aspire Cyber. What are your processes, and what have you heard from customers as to what their experience has been working with you?
Derrich Phillips: Sure. So we coined what we call our CMMC acceleration system or compliance acceleration system. Basically, it consists of five phases. It starts with our pre-assessment. In that phase, we're walking our clients through scoping, understanding what information they have in scope, whether it's Federal Contract Information or Controlled Unclassified Information. From there, we identify what system is in scope, which means their people, facilities, and technology that process, store, or transmit that sensitive information. Once they have a grasp of that, we'll keep going down the list for a granular understanding of what those assets are and what opportunities exist for us to reduce that assessment scope. That really is the name of the game. If you can reduce that scope, whether you use an enclave or restrict who has access to that sensitive information, it can save you a lot of money and compliance burden. If you're an organization with a blank check, you might not have to worry about money, but you still have to worry about the compliance burden your team members are going to experience if they're in scope for that assessment. CMMC is not about convenience; it's essentially about safeguarding the confidentiality of CUI. Along those lines, it's going to be a real culture shift for organizations embarking on the CMMC journey because they're going to have to change the way they are doing business, at least in the context of handling FCI and CUI. That, I would say, is the biggest challenge for a lot of organizations—understanding that culture shift. It is no longer about doing business the way you've always done it. This is a new day. CMMC at Level 2 and Level 3 requires a C3PAO to come in and assess your compliance. You can't fake your way through it. You can't hope your way through it. You have to be able to produce the evidence to show that you're doing what those requirements outline. It really is crucial to make sure that you either have someone internally who is certified and understands the requirements, or you're partnering with someone who does, because they're going to help you navigate that process. So that's the pre-assessment. We spend a lot of time in the pre-assessment. That can be anywhere from a couple of weeks to a couple of months depending on how complex the organization is. I would say that's the area where we see organizations struggle the most because a lot of times they don't know what CUI is. They don't know what is not marked. There are just so many unknowns and gray areas. Unfortunately, a lot of times they're not getting much guidance from their contracting officer or prime contractors, so they're trying to figure this out for themselves for the first time in their history of doing business with the Department of Defense. But it's crucial to do that. I always equate the pre-assessment phase to building a house. You have to lay that foundation, and that's the pre-assessment. The next phase, the assessment phase, is building the walls. You need to understand what your current state is today against the requirements. And it is just that: you're looking to see if you have these controls in place. If you do, the requirement is met. If you don't, it's not met. For CMMC Level 2, there are 110 requirements, but you can't forget about the 320 assessment objectives that correspond to the requirements. For someone like myself as a lead assessor, when I'm doing a certification assessment under a C3PAO, I'm looking to see if they're meeting the requirements based on assessment objectives. For example, access control 3.1.1 has a requirement limiting access to the system, but it has six assessment objectives that correspond to it. If five of those assessment objectives are met out of six, that requirement is still not met. You need to meet all of the requirements and all the assessment objectives. So that's our gap assessment. During that phase, we're helping our clients identify their current state, documenting any deficiencies, and putting that on a Plan of Action and Milestones so they can remediate. Phase three is remediation. We're supporting them to whatever level of support they need, up to hands-on keyboard work, referring solution providers, or whatever else they need to remediate those deficiencies. Phase four is documentation. We are helping with the System Security Plan, policies, and procedures. CMMC is very documentation-heavy at Levels 2 and 3. That alone is a major undertaking because, as an assessor, we're not going to take your word for it. We want to confirm it. You have to show me and prove that you're actually doing what you say you're doing. Phase five is certification. We're getting them ready for game day, for the actual certification assessment. We're mapping all of the evidence to the assessment objectives. We are going to do a mock assessment. Think of that as a dry run where we're applying the same level of rigor they're going to experience during the certification assessment. We're leveraging the methods that assessors use to validate if a requirement is met, which include review, interview, and test. We're applying those same methods and following all the same processes outlined in the CMMC Assessment Process, or CAP. Once they complete that, if they score a perfect 110 during that mock assessment, they can have a relatively high level of assurance that they're going to pass the certification assessment. We can't guarantee it as a consulting company because some variables are out of our control, but they can know they're in good shape. What they don't want to do is go into a certification assessment never having done a mock assessment, never having done a gap assessment, and just hoping for the best. That's not going to go well. Those assessments are high stakes, they're expensive, and you don't want to go in without being prepared.
Andrew Lynch: That sounds extremely thorough. I'm not surprised to hear a thorough answer because for those who have not seen Derrich's social presence, he has a library of extremely helpful public documentation and resources outlining his process. I would recommend people check that out. I've personally learned a lot from Derrich even before speaking with him for the first time, just seeing him on the internet. I'm curious, what's your take? From what you just described, I could easily see the return is there. Getting prepared properly ahead of time is going to be an all-around better use of money than winging it and failing. So for those who are not opting for, or maybe on the fence about engaging with a consultant, what are the biggest reasons why you see that, and what advice would you give them?
Derrich Phillips: I would say the biggest reason is budget, and I understand this. A lot of defense contractors are small businesses, and they're not making millions of dollars. They have really tight margins. For them, ultimately, it's going to be a business decision whether they're going to continue doing business with the Department of Defense because CMMC is not optional. If you are receiving or producing sensitive information that's in scope for CMMC in the performance of your contract or subcontract, you're putting your organization at a big risk if you're not safeguarding it to the CMMC requirements. You have things like the False Claims Act and whistleblowers, where they have to be concerned about potential civil and criminal penalties. For small businesses, let's say they're making a twenty thousand dollar margin on that contract total. It may not be a good line of business for them to continue in because CMMC is going to cost money, and it is complex. Beyond the financial part, my advice to those really small micro-businesses is that if they can't afford to continue, that's just a business decision they have to make. But before they do that, they should speak with a consultant or someone who can guide them objectively in the right direction. Let's consider how we can reduce your scope as much as possible, and then look at available solutions where you can maybe inherit a lot of the requirements from a Virtru enclave or something similar. That can be more affordable than trying to go a different direction, bringing everything in-house, and hosting the systems themselves. Fortunately, at this point, there are affordable solutions out there that they can look into to hopefully keep them in the defense industrial base because we need more small businesses in the DIB. Beyond that, I've encountered challenges more so with larger organizations. We specialize in supporting research universities and manufacturers, and there can just be a lot of bureaucracy and red tape in terms of onboarding a new vendor. It's just a lot of cat herding, so to speak. That can be another challenge for organizations looking to engage consultants.
Andrew Lynch: That's helpful. If an organization was interested in evaluating if they wanted to partner with you and use your consultation services, could you walk us through what an average initial engagement looks like? Not financially, but more, do you give an initial consultation with a similar overview, or maybe in more detail? What does that look like for those who've never engaged with something like this before?
Derrich Phillips: Certainly. Typically, they would come in through our website, and they could schedule a free consultation, or they may have found me on YouTube and emailed me directly. I'm happy either way; whatever works best. We'll typically schedule a thirty-minute discovery call with them to get an understanding of what requirements they have. Do you currently have a defense contract, or are you anticipating one? Also, what type of information are you handling, and what is your system? Once we have a good feel for that, we talk them through some viable options. We really pride ourselves on being able to save our clients money and time. If there is a micro-business where they anticipate getting CUI at some point and maybe just need secure email and storage, we will point them in a direction to go with a Virtru enclave to keep that scope small and do it cost-effectively. By being vendor-agnostic, we're not just going to default to telling them to go to another solution provider, even though it may not be the most cost-effective or best solution for them, just because that's all we know. We have several clients who, after getting their certification, did interviews with us and explained how they've saved over six figures by engaging us. We were able to point them in a direction they otherwise never would have known about. Going another direction would have cost them a lot more money. I think it's really important for defense contractors to have that trusted resource, whether it's a consultant, the Apex Accelerators, or the MEPs. The DOD puts out a lot of content, like the Cyber AB town halls. Just really try to find those trusted resources and ask for referrals and reviews.
Andrew Lynch: That's really helpful. That's something that I've learned myself from getting to know you and talking with other consultants and assessors in the CMMC space. They typically have a vendor-agnostic approach. To your point, an organization that hasn't really done anything like CMMC before often just hears about the incumbents—the largest, most expensive options. Working and paying for consultation services with you is going to save them money because they don't know about all the alternative options. I assume you're regularly learning about technologies like Virtru and others, and are able to provide more options and an idea of what the cost of each would be, which is extremely valuable to these really small businesses. Let's switch gears a little bit because you also mentioned that you're a training provider. I would love to hear a little bit about what's going on with that line of the business, and who would be better suited to reach out to you to learn more about that.
Derrich Phillips: Certainly. We became an approved training provider in November, but I've been delivering the CCP and CCA training for other training providers as an instructor for a little over three years now. It's something I'm really passionate about: educating, mentoring, and coaching. So it only made sense for us to start this line of business and become an approved training provider. There's a lot of excitement on this side, especially now that ISACA has taken over the CAICO, and they're responsible for the overall certification of professionals, assessors, and instructors. It has given a lot more credibility to the certification pathway under CMMC. Almost daily, people are reaching out to me as they're learning about CMMC and exploring how they can make that transition from cybersecurity, IT, or other career fields into CMMC. As I mentioned, it is specialized. Just because someone has been doing cybersecurity and IT for twenty years doesn't mean they understand NIST and CMMC. There is a lot of activity on that side, where we take the same discovery-first approach. What are you trying to do in your CMMC career? Do you want to be an assessor, a consultant, or an instructor? We get a feel for that and then guide them in the right direction. Currently, there's a huge gap in the industry on the training side regarding hands-on experience. You have these professionals who are getting certified, but they haven't been on an assessment or done any consulting, and it's a steep learning curve. That distinguishes us as an approved training provider. We offer other training solutions in parallel that provide hands-on experience. We call it our CMMC Copilot. It's a twenty-four-week intensive, hands-on training for CMMC consultants and assessors. We view it as offering a holistic approach to CMMC training.
Andrew Lynch: That's great. Would any of those ever be appropriate or geared towards a professional managing the compliance program internally at an organization, or is this really more geared towards those looking to make it a career as a consultant or an assessor?
Derrich Phillips: Both. Typically, especially in our CCP class, you'll have more defense contractors or solution providers in that course so they can gain a foundational knowledge of CMMC while speaking to their clients or internally helping their organization prepare for a certification assessment. You have a good combination. With our CMMC Copilot hands-on training, it's the same. You have those who are looking to do it from a career standpoint, but you also have defense contractors going through the training led by myself and other certified professionals. They view that as a sounding board, an opportunity to make sure they're on the right path, almost like having a consultant. Through that training, they're learning to empower themselves to help their organization navigate it. In addition to that, we offer customized workshops for sales teams, senior leadership, and other stakeholders who don't need a wide breadth of understanding of CMMC. They just need a foundational knowledge as it pertains to their specific role. Being an approved training provider gives us a lot of flexibility. Obviously, we have to deliver the licensed training for the CCP and CCA, but we can supplement that and create workshops customized to various stakeholders. It gives us a lot of flexibility to make sure we're meeting people where they are.
Andrew Lynch: That's great. So it sounds like if someone checks out Aspire Cyber and sees some of your offerings, but feels what they're looking for isn't exactly listed there, when in doubt, they should reach out to you because you may be able to customize something to best suit their needs. Well, I think that wraps up this episode. I just wanted to say thanks again, Derrich. For those interested in learning more about Aspire Cyber and reaching out to Derrich, you'll see his contact information here. It sounds like, Derrich, you're a great resource for people to check out and work with.
Book a Demo
Become a Partner
Contact us to learn more about our partnership opportunities.
Become a Compliance Champion
Contact us to learn more about our partnership opportunities.