This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.
This article was updated on June 5, 2022.
In the last month, we have finally seen progress for people who would like to become a CMMC assessor.
CMMC Training – Instructors
The CMMC-AB has run at least 100 provisional instructors through their program at this point. About 70 are listed on the Marketplace today. The provisional instructors are authorized to teach Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA).
CMMC Training – Course Materials
The CMMC-AB Marketplace shows 18 Licensed Partner Publishers in good standing. This listing does not verify whether their materials have been approved for use in courses.
This is relevant because the CMMC-AB has stated that the mandatory training for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) is only recognized if the course materials are approved.
The best way to tell that you are using approved course materials is by working with a Licensed Training Provider in good standing.
Note – the training materials put out by the LPPs really matter. Pick a high-quality publisher if you want to get the most out of your course. At this time, Edwards Performance Solutions has the best reputation for quality. They are also consistently the first LPP to have their materials approved.
CMMC Training – Training Providers
There are 53 approved training providers as I do a search today.
These training providers are able to source materials from any of the LPPs that have approved curriculum. So they should be offering courses now, as long as they have at least one provisional instructor willing to work with them.
What is in the CCP Training?
The CCP Training will cover the following basic topics:
- Defining CUI and FCI (and regulations)
- Contributing cybersecurity frameworks
- How to read the CMMC model documentation
- How to perform CMMC Level 1 scoping
- The “CMMC Assessment Process”
- CMMC Level 1 practices
Working as a CMMC consultant and want to know the answers?
The CCP course is an excellent source of information about CMMC, and almost seems designed for consultants and managed service providers.
What is the benefit of the course? Assuming you’ve already been working on CMMC projects, the primary benefit is you get to learn what the assessors will think is acceptable or not acceptable.
Your class should have discussions about various practices which identify what the minimum expectation is for the practice. Ideally the class should also discuss commonly misunderstood practices, especially ones where assessors tend to introduce their own bias. The class should have in-depth discussions about policy, process, and plan expectations.
Want to get on an assessment team?
If you want to take CCP training, there are courses available. The training seems to average between $2,000 and $5,000 depending on the training provider. While the materials should be high quality if they are approved, I’m hearing reports that the individual provisional instructors teaching can really make or break a course.
Once you take the training, you will still need to pass a proctored exam. This exam is expected to be available in February 2022. Update June 2022: Well that didn’t happen. Maybe October 2022? If you haven’t been living and breathing CMMC for the last few years, you will probably need to self-study quite a bit before the exam.
There will probably be some sort of a vetting process to verify that you meet the pre-requisites for the certification. Pre-requisites for citizenship and experience can be found on the CMMC-AB Assessors page.
So if you are counting days, here is the timeline:
- Submit an application for Certified Assessor ($200) on the CMMC-AB website.
- Take a CCP course now.
- Begin self-studying (most people currently working with CMMC will have trouble with the federal regulation language, reference cybersecurity frameworks, and the CMMC Assessment Process).
- Take the exam in ???? 2022.
- Submit your paperwork to the CMMC-AB requesting CCP.
- Wait a ?month? for processing.
- Get listed as a CCP in ??? 2023.
- Apply for a Tier 3 background check (if you have a clearance already, this is <1 month. If not, this can take 8+ months).
- If any C3PAOs are allowed to perform assessments at this time, you could apply to be part of their team.
What about Certified Assessor training?
The CMMC-AB and DoD have not yet provided final course outlines to LPPs. Several LPPs are building content for what they think will be required, but they can’t submit until the curriculum is released.
Perhaps around February or March 2023 (revised from 2022) we will have CCA courses available.
What about Provisional Assessors?
According to the CMMC-AB website, provisional assessors will be required to take and pass the CCP exam within 6 months of its release date. “If you are a Provisional Assessor or Provisional Instructor you are required to take the CCP Certification Exam within 6 months from the time it launches (tentatively Feb 2022)”
This means we might see Provisional Assessors going through the training themselves if they are not certain about the materials (or if they fail the exam on their first attempt).
There you go. That is how to become a CMMC auditor. At least for now!
Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!