How to become a CMMC assessor or auditor

This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.

This article was updated on April 11 2024.

Want to hire a CMMC assessor instead?

This site is sponsored by Kieri Solutions, an Authorized C3PAO. They have a great reputation in the CMMC space for having top talent that is knowledgeable, fair, and reasonable. They offer CMMC assessments as well as beginner-friendly CMMC Gap Analysis.

The progression plan to become a CMMC assessor

1. Have some experience in IT or cybersecurity
2. Take at least two CMMC training courses from a licensed CMMC trainer
3. Pass proctored exams
4. Pass a background suitability investigation (similar to a secret clearance, requires US Citizenship)
5. Pass a required cybersecurity certification like CISM, CISSP
6. Get hired by a C3PAO to perform assessments

This process normally takes between four months and two years, depending on your starting qualifications. The background suitability investigation can take a full year to complete if you’ve never held a government clearance before.

CMMC Training – Instructors

The CMMC-AB has run at least 100 provisional instructors through their program at this point. The provisional instructors are authorized to teach Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA). There are huge differences between instructors, which really matters. Try to find instructors who have done real work with CMMC and 800-171 to get key insights.

Some great CMMC instructors in the industry are:

• Matthew Hoeper (Edwards Performance Solutions)
• Chris Silvers (Edwards Performance Solutions, other training orgs)
• Vincent Scott ( Cyber DI)
• Jeff Baldwin (Space Coast Cybersecurity)
• Katherine Adams (Edwards Performance Solutions)
• Amira Armond (Edwards Performance Solutions)
• Joy Beland (Edwards Performance Solutions)

Thinking of becoming a CMMC instructor yourself?

At this time, the CAICO (CMMC Assessors & Instructors Certification Organization) is working on plans to create training and examinations for Certified CMMC Instructors. The current CMMC trainers are all provisional instructors. We haven’t heard of any recent graduates of the provisional instructor program, so we suspect it may be shut down to new applicants, but you can still apply here.

CMMC Training – Course Materials

The CMMC-AB Marketplace shows 18 Licensed Partner Publishers in good standing. This listing does not verify whether their materials have been approved for use in courses.

This is relevant because the CMMC-AB has stated that the mandatory training for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) is only recognized if the course materials are approved.

The best way to tell that you are using approved course materials is by working with a Licensed Training Provider in good standing.

CMMC Training – Training Providers

To find a Licensed Training Provider (LTP), use the Cyber-AB Marketplace to search. Cyber-AB Marketplace search for LTPs.

These training providers are able to source materials from any of the LPPs that have approved curriculum. So they should be offering courses now, as long as they have at least one provisional instructor willing to work with them.

You should feel confident that if an LTP is listed in the Marketplace, that they are using authorized materials and having a Provisional Instructor teach the course.

If you want to take CCP training, there are courses available now. The training seems to average between $1,500 and $3,000 depending on the training provider and the course materials they select. There are huge differences in the quality of course materials. Some publishers have spent the effort to add additional clarification and nuance to topics, while others have essentially “copied-and-pasted” from the source materials put out by DoD. But most importantly, the individual instructors teaching can really make or break a course.

Individual instructors really matter for CMMC training

Try to select a training provider that uses instructors who have experience doing CMMC assessments, or at least CMMC consulting, in the real world. You might be focused on passing the test today, but their insights on what the job is like will be more valuable over time. A good place to get peer recommendations for instructors and training providers is the Cooey Center of Excellence Forum on Discord. (this is also a great place to talk with experts about CMMC informally)

Most training providers offer 3 or 5 day boot camps for each course. Virtual or in-person options. This style of learning is intense, typically requiring you to miss several days of work. If your employer is sponsoring CMMC training, these are convenient, otherwise you would need to take vacation time. Some providers offer courses that run across multiple weeks, scheduled for evenings. These are often better option for self-funded students. Recently, we are seeing some options for fully recorded self-service courses. Not sure the quality on those yet.

What is in the CCP Training?

The Certified CMMC Professional training is designed to ensure that you understand key CMMC terms and qualifies you to perform a CMMC Level 1 Self-Assessment. Currently, CCPs are allowed to participate on a CMMC Level 2 assessment team under the supervision of a lead assessor, but it seems likely that the CAICO will make CCA the minimum soon. During a CMMC Level 2 assessment, as a CCP, you are not supposed to make decisions about whether the company being assessed is meeting requirements.

The CCP is based upon the below blueprint: Cyber-AB CCP Test Blueprint

The CCP Training will cover the following basic topics:

• Defining CUI and FCI (and regulations)
• Contributing cybersecurity frameworks.
• How to read the CMMC model documentation
• How to perform CMMC Level 1 scoping
• The “CMMC Assessment Process”
• CMMC Level 1 practices

Originally the CCP training included both CMMC Level 1 and Level 2. Then the CAICO decided to add a second required training course in order to be qualified to assess CMMC Level 2. So most of the CMMC Level 2 content was removed from the CCP.

The CCP exam

Once you take the training, you will still need to pass a proctored exam. The exam is either available virtually (you will need to have a closed room and install proctoring software on a computer) or at a testing center.

Once you finish your CCP training, the Cyber-AB will send you instructions to register for the exam. You can’t self-register without these instructions.

If you haven’t been living and breathing CMMC for the last few years, you will probably need to self-study quite a bit before the exam.

As an instructor and as someone who took the CCP exam themselves, I recommend treating the CCP study as “trivia” – make sure you know the definition of each term related to CMMC and common statistics about CMMC. The CCP exam does not require in-depth knowledge of cybersecurity or ability to analyze tough situations. You just need to know information that fits onto a flash card.

Want a CCP practice test?

A quick Google search shows a few results for CCP practice exams. We haven’t heard good or bad about any, so we won’t recommend them here.

The CCA Training

The Certified CMMC Assessor training is designed to make you a full fledged member of the assessment team. Right now, that means you can CMMC Level 2 lead assessments or be a team member. You are allowed to make decisions about whether the company being assessed is meeting requirements.

The training topics are based upon the CCA blueprint: Exam blueprint for CCA – version April 5 2022

The CCA Training will cover the following topics:

• Another review of the “CMMC Assessment Process”
• Discussion of physical and logical boundaries
• CMMC Level 2 scoping
• CMMC Level 2 practices
• Safety and coordination for assessments

The CCA Exam

The CCA exam is much more intense than the CCP exam. Instead of single sentence questions, the typical CCA question is a paragraph which needs to be carefully parsed out and compared against several options to find the “best” answer – meaning that many answers are not obviously right or wrong.

This exam is heavily focused on the CMMC Model – practices, assessment objectives, and assessment objectives. It also spends a significant amount of time analyzing external service providers, boundaries, and scoping.

Working as a CMMC consultant?

The CCP course is an excellent source of information about CMMC, and almost seems designed for consultants and managed service providers.

Consultants, internal compliance officers, and Managed Services Providers need to know how assessors judge solutions, so that they can pick the correct implementation strategy for their companies. I strongly believe that consultants need to be more knowledgeable than assessors on the topic of CMMC because not only do they need to know “what right looks like”, they also need to know how to implement it and how to change a company’s culture to support compliance.

What is the benefit of the courses? Assuming you’ve already been working on CMMC projects, the primary benefit is you get to learn what the assessors will think is acceptable or not acceptable.

Your class should have discussions about various practices which identify what the minimum expectation is for the practice. Ideally the class should also discuss commonly misunderstood practices, especially ones where assessors tend to introduce their own bias. The class should have in-depth discussions about policy, process, and plan expectations.

As a consultant, I would be more careful about who you choose as a instructor. Try to find an instructor who was in charge of a CMMC Level 2 compliance project and passed. They can give key information about solutions were acceptable to the DoD.

Want to get on an assessment team?

Check this infographic from the Cyber-AB which shows the path to become a CMMC Assessor: https://cyberab.org/portals/0/CyberAB_infographic_V5.png

The Cyber-AB has said that CCPs must “participate on three Level 2 assessments assessing only Level 1 practices” before they are eligible to become a CCA. This is incredibly confusing and frustrating for student assessors. They are having trouble getting C3PAOs to invite them to participate on the three assessments.

Here is the truth: C3PAOs are not looking for CCPs who just want three assessments. The bother isn’t worth the benefit. Level 1 is a handful of practices which aren’t even contained to a single domain. Even if that CCP is working for free. Why would a C3PAO take the risk with one of their clients unless they are building up their long term staff’s competencies?

I hope you can find a way to get this experience, but it will be much harder to get a sponsor if you don’t commit to being available for more than those three assessments.

Here is the timeline to become an assessor

Pre-requisites for citizenship and experience can be found on the CMMC-AB Assessors page.

• Submit an application for Certified Assessor ($200) on the CMMC-AB website.
• Take a CCP course now. ($1500 – $3000)
• Begin self-studying (most people currently working with CMMC will have the trouble with the federal regulation language, reference cybersecurity frameworks, and the CMMC Assessment Process)
• Take the CCP exam
• Wait a few days for processing
• Get listed as a CCP on the Marketplace
• Take the CCA course ($1500-$3000)
• Begin self-studying (for CCA, you need a solid IT foundation, it is harder to study for this one)
• Take the CCA exam
• Wait a few days for processing
• Get listed as a CCA without suitability and without 3 assessments on the Marketplace
• Start the Tier 3 suitability background check process with the Cyber-AB (if you have a clearance already, this is <1 month. If not, this can take 12+ months)
• Once you have suitability (the “S” on your CCA profile in the Marketplace), you can participate in assessment teams.
• Have a C3PAO invite you to work on a Joint Surveillance Voluntary Assessment
• Have the C3PAO send records to the Cyber-AB showing that you participated in assessments with them
• Future: You will need to have a cybersecurity certification from DoDi 8570 such as CISSP, CISM, CISA.
• How to be a Lead Assessor? That is yet to be determined.

What about Provisional Assessors?

As of late 2023, there are no more Provisional Assessors. We lost about 50% of them when they were forced to pass the CCP and CCA exams and renew their registrations in order to keep their credentials. The pool of CCAs has built to a similar size as of today – 203 on the marketplace. Most of those CCAs do not have the three assessment experience, nor the suitability. But they do show a high level of knowledge and ability by taking the training and passing two examinations.

There you go. That is how to become a CMMC auditor. At least for now!

Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!

Amira Armond is a CMMC Provisional Instructor, Certified CMMC Assessor, CISSP, and CISA. She is the owner and Quality Manager for Kieri Solutions, an authorized C3PAO offering assessments, CMMC preparation services, and the Kieri Compliance Documentation package . Amira Armond is the chief editor for CMMCaudit.org and volunteers with the C3PAO Stakeholder Forum, an industry group striving for consistency of interpretation and successful rollout of the CMMC program.