CMMC Provisional Auditor program opt-ins

On August 9th 2020, the CMMC Accreditation Body sent this email to me (and presumably others who registered for CMMC certified assessor).

To opt-in, you must attest that you meet experience requirements

  • 10+ years experience conducting evidence-based assessments in cyber or other information technology field.


  • 20+ years experience as a “consultant or proven leader” in Cybersecurity and qualify for DOD 8570 IAM Level III.

There is no additional application fee (other than what you already paid when signing up to become an assessor), but a $1000 training fee would apply when registering for training.

Here is the link to the CMMC AB page for the program:

The website states “The Provisional Program will provide Level 1 assessments initially, and may expand up to Level 3 over time”

If you click the apply link, you are only asked for your name and contact information (I assume this means that they will look at your assessor application for the rest). There is no opportunity to provide more information, such as an updated resume.

The small print in the opt-in page says Those that are selected will be notified by email on or before 17 August 2020. So if you want to apply, you’ve got only a few days to do it.

Here are my thoughts

20+ years as a proven leader or consultant in cybersecurity?

I didn’t gain the skills to be a consultant or leader until I was in my mid 30’s, and I was pretty fast. This puts the age of that cohort at 55+. And very non-diverse… (there were even less minorities and women in cybersecurity in the 90’s). Hopefully they are able to represent the rest of us as they provide feedback.

Not to mention those who have 20+ years in cybersecurity or 10+ years in audits (which is itself a senior IT position), are probably senior managers who haven’t been hands-on with current technology. Zero Trust… what???

No degrees?

I’m really surprised there is no degree requirement or ability to use degrees to count toward experience. For example, the Certified Information Systems Auditor (CISA) certification gives 2 year experience waivers for bachelors degrees, or 3-year waivers for a master’s degree in IS.

In cybersecurity audits, reading and writing skills have to be top notch. It is a disaster if you can’t communicate on paper. One of the major benefits of degree programs is they force the graduate to get better at writing. I didn’t see any criteria for this skill.

No ability to update our applications or even add a note?

Last month I submitted for certified assessor first, then put in my company’s C3PAO application. Since I did it in that order, my assessor application does not have a “C3PAO affiliation”. There hasn’t been any portal to fix this, nor anyone from the AB reaching out to discuss. I’m betting that other applicants also would really like to update their information or add a note with their C3PAO affiliation.

First audits = CMMC level 1???

The statement that provisional assessors will only perform Level 1 assessments initially is huge.

I’ve been figuring the first group of contracts would be CMMC Level 3 to check the high-risk companies that should already be DFARS 252.204-7012 compliant. Very surprised that assessments are starting at level 1.

By auditing Level 1, it is likely that the first companies will pass their audits, so regulators and the business community should be reassured. This is a cautious strategy but wise.

This also sets the scope for initial audits to be Federal Contract Information (FCI), which is “non-public” information provided by the government. So if the initial audits are against DFARS 252.204-7012 companies, those companies will need to consider their FCI scope, not just their CUI scope.

That’s all I’ve got folks. Good luck to those who are opting in!

Good luck! Please send me a connection on LinkedIn (Amira Armond) and comment with your thoughts. I expect this news is frustrating for many, but let’s try to remember that we weren’t expecting to get in anyways.

Venus Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. She specializes in designing secure and resilient enterprise systems for private sector and the DoD. She is the chief editor for, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.

3 thoughts on “CMMC Provisional Auditor program opt-ins

  1. Loretta Lemon says:

    Amira, I agree with some of your points, as degrees for many certifications in specific areas are granted some sort of waiver. This will make this certification, more attractive to apply and train for amongst Assessors. There should be a user profile for each account that is created within the website, especially since there are fees and/or payments being applied. The profile would allow an user or Assessor the opportunity to add, delete, or update their C3PAO affiliation and/or personal information when needed.

    This is where, I disagree with the Senior/Managing Assessors comment that you made. An Assessor with 12 years or more and qualify for DOD 8570 IAM Level III should have the opportunity to grandfather into this certification and/or Program. Many Senior roles today focus so much more on managing teams, meeting client demands, and the day to day operations that they are hands on in many functions of governance, risk, and compliance. Not to mention, they are preparing for retirement as well, and if you want the knowledge, wisdom, work ethic, skills, and experience that Senior roles bring to the table, then this certification would have to be made more attractive for the Senior roles/requirements to be interested in pursing this certification. As we are aware that book smarts are great and many people are good test takers, but there isn’t anything like good ole experience and great skills.

    Unlike your thoughts of getting in, I am expecting to get in.

    Good luck to you!!!

    • Ralph DiCicco says:

      First best to all who have applied !

      I agree with Loretta regarding qualifications regarding experience requirements and education criteria regarding being a provisional auditor.

      I believe the 10+ years conducting evidenced based assessments in IT is very fair. One can gain this in auditing ISO 20000 / 27001 / COBIT5, SOX 404, etc.

      Also auditing for FISMA compliance exposes one to excellent guidance publications such as FIPS 199, 200, and NIST SPs 800-53, 800-59, and 800-171.

      Regarding the dialogue stating surprise that there was no degree requirement, I have employed many non-degreed system administrators, network engineers, etc. that are active members of ISACA and have also earned SANS GIAC certifications. They are excellent oral and written communicators.

      The one comment I do agree with is updating the C3PAO list. For purposes of affiliation (and choice of a firm), it would be informative to know which certified firms will be on the published C3PAO listing in the CMMC-AB marketplace. In lieu of that the choice would be to independent.


      Ralph P. DiCicco, PhD, PMP, ITIL, COBIT 5 Assessor, CISM, CGEIT, CGEIT (retired)

      • Amira Armond says:

        I appreciate your thoughts and comment on the blog! Everyone comes at this from a different direction. It seems like those who don’t have 20 years experience are disappointed by that being the criteria, while those who do have the years of experience are pretty happy with the requirement.

Leave a Reply

Your email address will not be published. Required fields are marked *