Both today · CCP ½ off · $2,998Enroll now
CMMC CCP + CCA · Self-Paced Certificate Courses

200,000+ contractors must meet federal cybersecurity standards. The deadline is Nov 10, 2026.

CMMC is federal law — and it's already in the contracts. The clause went live November 10, 2025, and the whole defense supply chain now has to comply. The higher-stakes contractors can no longer just self-attest; they must prove it to a third-party assessor by November 10, 2026 — and there aren't enough qualified people for the work. Earn your CCP, your CCA, or both, self-paced and taught by a working assessor, and step in before the rush.

⏳ Enroll within 30 days · finish anytime before Dec 31, 2026 · before ISACA changes the format
200,000+ firms affected (GAO)$105K–118K per audit (DoW)Nov 10, 2026 mandate (32 CFR 170)Taught by a CCP · CCA · CCI
Accredited & recognizedAccredited Training Partner — CMMC / ISACAState-Certified Technical SchoolAccredited by the Office for Career & Technical Schools
Why this matters · the receipts

CMMC is federal law now. Here are the numbers — straight from the government.

No vendor hype. Every figure below comes from the Department of War rule in the Federal Register, the Code of Federal Regulations, or U.S. Department of Justice settlements. Tap any source to read it yourself.

200,000+

DIB companies affected by CMMC

The Government Accountability Office reports the Department of War relies on about 200,000 defense industrial base companies — and CMMC reaches across all of them, from Level 1 (companies handling FCI) to Level 2 (companies handling CUI).

Source: U.S. GAO (GAO-26-107955) ↗
110

Controls every CUI contractor must prove

Level 2 means implementing and documenting all 110 NIST SP 800-171 controls — then proving each one to an assessor. Nearly every affected contractor needs people who know them cold, and there aren't nearly enough.

Source: 32 CFR §170.14 / NIST 800-171 ↗

$8.4M

What Raytheon and Nightwing paid to resolve False Claims Act allegations of falsely certifying cybersecurity compliance. Getting this wrong is now a multimillion-dollar liability — which is why qualified help is in demand.

Source: U.S. Dept. of Justice ↗

$4.6M

What MORSECORP paid in a DOJ settlement over cybersecurity-compliance failures on Army and Air Force contracts. Enforcement isn't theoretical — it's already happening.

Source: U.S. Dept. of Justice ↗
● Live now

This isn't coming. It's already in the contracts.

CMMC requirements started appearing in Department of War solicitations and contracts on November 10, 2025 — Phase 1 of the rollout. The clause is real and active today: DFARS 252.204-7021 (NOV 2025) makes a CMMC status a condition of award. Contractors need help now, not next year.

  • Phase 1 — live now: contractors must already hold a CMMC status (self-assessed Level 1 or Level 2) to win applicable awards.
  • Phase 2 — Nov 10, 2026: third-party (C3PAO) Level 2 certification becomes a condition of award (32 CFR §170.3). That's the surge the supply chain is racing toward.
  • Primes are flowing it down to subs today, and DOJ is already settling False Claims Act cases. The cost of being unqualified is rising right now.

Sources: DFARS 252.204-7021 · Acquisition.gov ↗ · 32 CFR Part 170 (eCFR) ↗ · U.S. DOJ ↗

Get qualified before the rush
Phase 2 surge in
000
Days

until Nov 10, 2026 — but the clause is already live today

Best deal in the market

Both credentials for less than most providers charge for one.

We priced every Approved Training Partner that publishes CCP and CCA rates (June 2026). Here's the full CCP + CCA path across the market — next to what you'll pay today.

Where you'd buy itTheir priceYou saveVs. Lionfish
National brand (e.g. Infosec)$3,499 per course, instructor-led$6,998$4,00057% less
Market averageacross CCP + CCA providers~$5,000~$2,00040% less
Lowest priced competitorcheapest CCP + cheapest CCA found~$3,690$69219% less
Lionfish — regular self-paced$1,999 each$3,998$1,00025% less
Lionfish CCP + CCA bundle$2,9982nd credential ½ offToday's price

Training only. Market figures from a June 2026 scan of published ATP pricing (Redspin, Infosec, Edwards, CyberDI, Space Coast Cyber and others). ISACA exam & application fees are paid separately, the same as with any provider.

Why hold both

You don't have to want to be an auditor for the CCA to pay you back.

The CCP teaches you the model. The CCA teaches you how it's actually judged. Together, they make you the person clients trust to get them through — and the person C3PAOs trust when they walk in the door.

The real edge

Know exactly what the assessor looks for.

The CCA puts you on the other side of the table. You stop guessing whether an objective is "met" and start preparing clients against the same evidence and scoring an assessor will use. That insider lens is priceless when your whole job is getting a company assessment-ready — even if you never run an assessment yourself.

On the ground

A far stronger practitioner.

CCP gives you the framework fluency to advise and implement. CCA layers on assessment judgment, so your gap analyses, SSPs, and POA&Ms hold up under real scrutiny. You become the consultant who fixes problems before they become findings.

Credibility

C3PAOs take you seriously.

When the assessment team sees the person who prepared the client holds a CCA, it changes the conversation. You speak their language, your evidence is organized the way they expect, and the whole engagement runs smoother — which is exactly what your client is paying you for.

Your career

Two credentials, one sitting.

CCP is the required prerequisite for CCA — so doing them back-to-back while the material is fresh is the fastest, cheapest path to both. Finish the bundle and you hold the two credentials the DIB is hiring for, not just one.

What's included

Self-paced — but you're never on your own.

Learn on your schedule, then show up live whenever you want a human in the loop.

40+40

80 hours, two certificate courses.

40 hours of CCP and 40 hours of CCA — each a complete Approved Training Partner certificate course, with video instruction, slides, exercises, and exam prep for both exams.

👤

3+ hours of live instructor time per course.

Each course includes 3+ hours of group or one-on-one time with the instructor — so take both and that's 6+ hours. Bring your real questions and work through them live.

Months of office hours & study sessions.

Recurring live group sessions run for months. Drop in to ask questions, review tough domains, and study alongside other professionals on the same path.

No lost billable hours.

No week off work, no travel, no classroom. Study nights and weekends and keep producing — the flexible format is built around busy practitioners.

📅

Finish by year-end.

Enroll in the next 30 days and complete both courses on your timeline before December 31, 2026 — while self-paced is still on the table.

Both credentials, one bundle.

CCP and CCA together at the lowest combined price we offer — the complete path to the two credentials the DIB actually wants.

Your instructor
Chris Haigh, CMMC CCA · CCP · CCI instructor
CCA · CCP · CCI

Learn from Chris Haigh.

Certified CMMC Assessor (CCA)Certified CMMC Professional (CCP)Certified Provisional CMMC Instructor (CCI)

Chris is the CEO of Meerkat Cyber and one of roughly 42 people in the world authorized to perform certified CMMC assessments. A trained aeronautical and astronautical engineer who added a law degree to his undergraduate work, he holds the highest credentials the DoD CMMC program offers — CCA, CCP, and CCI. Across a three-decade career he's served as a Senate policy analyst and as CTO of a cybersecurity firm, and as a technical writer he has authored hundreds of patent applications, is a named inventor on numerous patents, has written for Nobel laureates and universities, and was recently engaged by Microsoft to write the CMMC implementation guide. He doesn't just teach the framework — he explains how it's interpreted, argued, and assessed.

Included when you take both · a $3,500–$5,000 head start

A free GRC platform — a $3,500–$5,000 value — to land and run your first client.

A credential gets you in the door. The Cyber Tackle Box is how you actually do the work — and get paid for it. Take both courses and we give you a full year of our GRC platform for one client company (up to 50 employees), free. The day you finish, you're not job-hunting — you're delivering.

$3,500–$5,000
value — yours free
One year of the Cyber Tackle Box for one client company (up to 50 employees) — all 15 frameworks, unlimited users.
What a CMMC platform costs per year
Comparable CMMC GRC platforms — average$7,500–$15,000
Cyber Tackle Box for your client$0
Average annual cost, based on published 2026 pricing for CMMC compliance platforms.
WHY IT MATTERS 01

The tool you need to do the job — not a spreadsheet.

A CCP or CCA without a platform means running gap assessments, 50+ policies, evidence, and reports by hand. The Cyber Tackle Box does it for you: pre-built policy library, guided gap assessment, evidence collection, and audit-ready reports a C3PAO will accept.

WHY IT MATTERS 02

Turn your training into a paid engagement.

Bring in one real client (up to 50 employees), put them in the platform, and bill the readiness work — gap analysis, SSP, POA&Ms, evidence. You finish certified and already earning, instead of starting from zero.

WHY IT MATTERS 03

15 frameworks, not just CMMC.

The same client seat covers NIST 800-171, CMMC, SOC 2, HIPAA, FedRAMP and more — "map once, comply many." One relationship, many ways to help them and grow the engagement.

WHY IT MATTERS 04

Control-by-control training built in.

The platform's embedded training walks every control — reinforcing the coursework and giving you a repeatable system to take any client from gap analysis to assessment-ready.

Covers: NIST 800-171 · CMMC · SOC 2 · HIPAA · PCI DSS · FedRAMP · FISMA · NIST CSF · CIS Controls · GDPR · CCPA · HITRUST · NIST AI Framework · State privacy laws · custom frameworks.
Why now

This is the last easy way in.

When the program moves fully to ISACA at year-end, the course changes — and self-paced is expected to go away with it.

  • Asynchronous, self-paced learning is expected to be discontinued.
  • Expect scheduled, instructor-led seat time on someone else's calendar.
  • That means days away from billable work — lost income you don't get back.
  • Lock in the self-paced format now — built around your schedule, not a classroom's.
Get in while you still can
Enrollment closes in
00
Days
00
Hrs
00
Min
Built for

Made for the people doing the CMMC work.

MSPs & MSSPs

Add CMMC readiness to your service line and keep clients in the DIB winning contracts.

vCISOs & CISOs

Speak the assessor's language and stand behind your programs with credentialed authority.

Consultants & RPOs

Deliver gap analyses and SSPs that hold up — and win trust with the C3PAOs you work beside.

In-house compliance

Own CMMC from the inside and prepare your organization to pass the first time.

Why Lionfish · why this price
Accreditation

Recognized, not improvised.

Lionfish Cyber Security is an Accredited Training Partner for CMMC (CyberAB / ISACA-CAICO) and a state-certified technical school. We're accredited by the Office for Career and Technical Schools — so this training meets established standards of quality and relevance, and aligns with both industry needs and regulatory requirements.

Patriot Pricing

Priced for the mission, not the markup.

We're a veteran-built company, and this isn't about being the cheapest for its own sake. Every defender we train is one more qualified person helping a Department of War contractor actually meet the NIST SP 800-171 / CMMC Level 2 standard — so the warfighter gets reliable, secure products from a supply chain that's hardened against our adversaries. We priced it to put more capable people into that fight, fast. That's why it's the best deal you'll find.

Questions

Straight answers

Can I buy just one course, or do I have to take both?

Your choice. One credential — CCP or CCA — is $1,999. But here's the move most people make: take both today and your CCP drops to half price ($999), so the complete CCP + CCA path is $2,998 instead of $3,998 — you save $1,000. Taking both also unlocks the headline bonus: a full year of the Cyber Tackle Box GRC for one client company (up to 50 employees) — a $3,500–$5,000 value, free — plus the control-by-control training inside it. It's the platform you use to run a real client engagement and start billing the day you finish. Each course is a full Approved Training Partner certificate course — 40 hours of CCP and 40 hours of CCA (80 hours total) — with 3+ hours of live instructor time each (6+ hours if you take both) and months of live office hours and study sessions.

How do I know the market numbers on this page are real?

Because we cite them. The 200,000+ affected companies, the 110 NIST 800-171 controls required for Level 2, the $105K–$118K assessment cost, and the $4B/year figure all come from the federal CMMC rule in the Federal Register and its Regulatory Impact Analysis. The November 10, 2026 phase-in is in the Code of Federal Regulations (32 CFR §170.3). The enforcement settlements come from U.S. Department of Justice press releases. Every stat on this page links to its source — read them yourself.

Do I have to want to be an auditor to benefit from the CCA?

No. The CCA's biggest payoff for consultants and MSPs is knowing exactly how assessors judge each objective. That makes you dramatically better at getting clients assessment-ready, and it gives you instant credibility with the C3PAOs who come in to assess — even if you never sit on an assessment team.

Is Lionfish actually accredited to teach this?

Yes. Lionfish Cyber Security is an Accredited Training Partner for CMMC (CyberAB / ISACA-CAICO) and a state-certified technical school accredited by the Office for Career and Technical Schools. Our courses are recognized certificate programs — 40 hours of CCP and 40 hours of CCA — built to meet the standards the credentialing bodies and the regulation require.

Why is it called Patriot Pricing?

Because the discount has a purpose. We're a veteran-built company, and every person we train is one more qualified defender helping a Department of War contractor genuinely meet the NIST SP 800-171 / CMMC Level 2 standard. A stronger, better-trained supply chain means the warfighter gets reliable, secure products. We priced this to get more capable people into that work quickly — during the 30-day enrollment window.

How "self-paced" is it really?

The core training is fully on-demand — start and finish on your own schedule. On top of that, you get live instructor time and recurring group office hours and study sessions for months, so you can get help from a real person whenever you want it.

Why is there a deadline?

When the program transitions to ISACA at the end of the year, the course is changing and self-paced learning is expected to be discontinued in favor of scheduled, instructor-led seat time. Enroll within 30 days and complete both courses before December 31, 2026 to learn this flexible way while it's still available.

Are the exam fees included?

This price covers the training. The ISACA exam and application fees are paid separately to the credentialing body — the same as with any Approved Training Provider. We'll point you to the current figures so there are no surprises.

Last chance for self-paced

One credential is $1,999. Both, today, and the second is half off.

One credential proves you know the standard. Both make you the person the assessor trusts — and the contractor can't replace. You're already investing $1,999 to get here; for half that, complete the path today. Finish before year-end, before ISACA changes the format.

Taking both? Enroll in your first credential now, then book a quick call and we'll apply the half-off second credential so the complete path is $2,998.

00
Days
00
Hrs
00
Min
00
Sec