How to become a CMMC assessor or auditor


This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.

This article was updated on November 2, 2021.

In the last month, we have finally seen progress for people who would like to become a CMMC assessor.

CMMC Training – Instructors

The CMMC-AB has put somewhere between 40 and 60 provisional instructors through its program so far. About 30 are listed on the Marketplace today. Provisional instructors are authorized to teach every course from Certified CMMC Professional (CCP) through Certified CMMC Assessor (CCA) for Level 3.

CMMC Training – Course Materials

Per the CMMC-AB October 2021 Town Hall, three Licensed Partner Publishers (LPPs) have had their curriculum for Certified CMMC Professional (CCP) approved. Specifically, I have it on good authority that Edwards Performance Solutions was the first to get its curriculum approved. I heard (unconfirmed) that Logical Operations has also gotten its curriculum approved. No word on who the third LPP is.

As I write this, I have discovered a problem: there is no easy way to tell whether an LPP has had its curriculum approved. The CMMC-AB Marketplace just shows the full pool of LPPs. Please comment if you know the other LPPs that have approved materials. I reached out to the CMMC-AB about this and got confirmation that the Marketplace does not indicate who has approved materials at this time; it will show this after a future update. In the meantime, the recommendation is to go to each LPP's site to see what it offers.

This matters because the CMMC-AB has stated that the mandatory training for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) is only recognized if the course materials used are approved.

CMMC Training – Training Providers

A search of the Marketplace today turns up 53 approved training providers.

These training providers are able to source materials from any of the LPPs that have approved curriculum, so they should be offering courses now, as long as they have at least one provisional instructor willing to work with them.

What is in the CCP Training?

The CCP Training will cover the following basic topics:

  • Defining CUI and FCI (and the regulations behind them)
  • Contributing cybersecurity frameworks
  • How to read the CMMC model documentation
  • How to scope an assessment organizationally
  • The "CMMC Assessment Process"
  • The 181 practices and processes for CMMC Levels 1-3

Working as a CMMC consultant and want to know the answers?

The CCP course is an excellent source of information about CMMC, and almost seems designed for consultants and managed service providers.

What is the benefit of the course? Assuming you have already been working on CMMC projects, the primary benefit is that you learn what assessors will consider acceptable or not acceptable.

Your class should include discussions of the various practices that identify the minimum expectation for each one. Ideally the class should also cover commonly misunderstood practices, especially ones where assessors tend to introduce their own bias, and should go in depth on what is expected of policies, processes, and plans.

Want to get on an assessment team?

If you want to take CCP training, there are courses available. Pricing seems to average between $2,000 and $5,000 depending on the training provider. While the materials should be high quality if they are approved, I am hearing reports that the individual provisional instructor teaching the course can really make or break it.

Once you take the training, you will still need to pass a proctored exam. This exam is expected to be available in February 2022. If you have not been living and breathing CMMC for the last few years, you will probably need to self-study quite a bit before the exam.

There will probably be some sort of vetting process to verify that you meet the prerequisites for the certification. Prerequisites for citizenship and experience can be found on the CMMC-AB Assessors page.

So if you are counting days, here is the timeline:

  1. Submit an application for Certified Assessor ($200) on the CMMC-AB website.
  2. Take a CCP course now (Nov-Dec 2021).
  3. Begin self-studying. Most people currently working with CMMC will have the most trouble with the federal regulation language, the reference cybersecurity frameworks, and the CMMC Assessment Process.
  4. Take the exam in February 2022.
  5. Submit your paperwork to the CMMC-AB requesting CCP.
  6. Wait for processing (perhaps a month).
  7. Get listed as a CCP in March 2022.
  8. Apply for a Tier 3 background check.
  9. If any C3PAOs are allowed to perform assessments at that time, you could apply to be part of their team.

What about Certified Assessor training?

The CMMC-AB and DoD have not yet provided final course outlines to the LPPs. Several LPPs are building content for what they think will be required, but they cannot submit it for approval until the curriculum is released.

Perhaps around February or March 2022 we will have CCA courses available.

What about Provisional Assessors?

According to the CMMC-AB website, provisional assessors will be required to take and pass the CCP exam within 6 months of its release date: "If you are a Provisional Assessor or Provisional Instructor you are required to take the CCP Certification Exam within 6 months from the time it launches (tentatively Feb 2022)."

This means we might see Provisional Assessors going through the training themselves if they are not confident with the materials (or if they fail the exam on their first attempt).

There you go. That is how to become a CMMC auditor. At least for now!

Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!

31 thoughts on "How to become a CMMC assessor or auditor"

  1. Scott Brady says:

    I have researched the internet; can you please share where we can get the training to move up the education ladder to become an assessor? When you search the net, you just get companies trying to sell you a company assessment.

  2. Don Kulp says:

    Please advise what agency is providing the CERTIFICATIONS FOR the CMMI AUDITORS AND ASSESSORS – HOW DO YOU GET CERTIFIED TO CONDUCT THE AUDITS....

  3. John Masin says:

    I would like to determine the steps necessary for becoming a CMMC auditor or assessor. We are already a 3PAO, does that give us a head start on this process?

    • Tony Brunner says:

      How are you a 3PAO? I’m thinking you’re missing the A qualification there. So maybe you’re a C3PO?

  4. Wayne Salas says:

    Will they consider assessor companies that are already certified by other entities like PCI and/or HITRUST?

    Experience is very important here. PCI ran into the same problem by having unqualified assessors/auditors certified who did not really understand how to properly scope an environment and give good solid advice to remediate gaps. Experience and certifications are always a great combination. PCI now requires everyone certified to have at a minimum 5 years' experience in any of the domains and a security and auditing certification just to apply for the PCI QSA certification.

    Sincerely,

    Wayne Salas

    • Armando Seay says:

      I don’t speak for the CMMC AB, but from what I know, because CMMC has additional domains and controls, the CMMC AB will require training and accreditation. You will soon be able to see webcasts that are being pre-recorded and, once approved, may answer this question directly from a CMMC AB Board or working group lead. Stay tuned, but monitor the CMMC AB and MISI websites for announcements.

  5. Wayne Salas says:

    Will they take into consideration assessor companies that are already certified by other entities like HITRUST and/or PCI, etc.?

    Experience should be really considered when choosing a good Assessor Company and Auditor.

    Certifications are great, but from my experience certifications and experience are even better.

    Please let me know.

  6. Sean says:

    The issue I see early on is that the larger companies who provide training will continue to push pedestrian-level training and stagnant off-the-shelf training labs and pass it off as CMMC-compliant training.

    We don’t need novice professionals but seasoned cybersecurity professionals with 5+ years to obtain the CMMC, and this should be a requirement for assessors, trainers, and proctoring.

  7. Samuel Jay Langham (CISSP) says:

    There should be a statement of independence required for the certifying organization, i.e. the person or even the company providing those certifying actions must show their independence. This has been a thorn to many large auditing firms, as after conducting the audit they cannot pick up the secondary work piece of corrections and remain the auditor, or work with that client in pre-assessment and aligning the target of test to requirements.
    On a more positive note, this allows for more than one group to be involved, and so the final certification has more weight to it.

  8. Greg Arnholt says:

    Will there be a conflict of interest constraint placed on assessors and C3PAOs? In other words, can an assessment be completed by a C3PAO that also provides any security services to the same entity that is being certified?

    • Tony Brunner says:

      This is a great question. The dual role could create a tempting trend for companies to “trade” services and compromise the integrity of the C3PAO model.

    • Ralph+DiCicco says:

      Greg,

      Exactly. There are firms who are currently performing to CUI requirements and have CISOs and staff.

      Yet these firms are neither NIST 800-171 nor DFARS compliant.

      Thus, I believe there would be a conflict of interest.

      Also, until these firms are adjudged to be CMMC ML3, they should recuse themselves.

    • Amira Armond says:

      Exciting times, thanks John!

      From the AB website:
      “Assessors will receive a license from the CMMC-AB after completing required training.
      Assessors will NOT work for the CMMC-AB but will work for C3PAO’s.
      Assessors will receive a license at a level that matches the assessments they are permitted to conduct. In the very near future, all contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. Experience requirements for higher-level assessors are not yet determined.
      Assessors are required to obtain a security clearance. The specific clearance levels are not yet determined.”

      • Melo says:

        Security clearance levels for CUI inspections… that’s interesting… but how are these security clearances supposed to be initially obtained or maintained?

        I wonder if the C3PAO’s have to maintain clearances for their assessors… I could be mistaken, but the C3PAO would then need to become a cleared contractor company tied to some gov. contract that has cleared work to be done. But from what I understand so far, a C3PAO wouldn’t really be tied to any contract… so, how would a C3PAO (or assessor) do this without being tied to a contract?

        I would think this would prevent many C3PAO’s from being formed for long if they can’t keep their assessors clearances going- so would the CMMC-AB have some kind of process/mechanism for C3PAO’s assessors or individual assessors to keep their clearances active?

  9. Michael Hammond says:

    Adavi,

    As of today, there is no way to be an auditor. The accreditation body is being formed and then will work to develop the training and accreditation requirements. Anyone who tells you they can do the “audit” or know exactly how to become an auditor is not telling the truth. It is expected in Feb/Mar/Apr of 2020 for this info to be solidified.

    • Kazi Nazrul Islam says:

      Thanks for the information. I visited the website and searched Google, but still I didn’t find the full CMMC framework document. Can anyone help find the full framework document and share the information on how to be an assessor?

      Regards
      Kazi, Bangladesh
      Cybersecurity consultant
