This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.
This article was updated on November 2, 2021.
In the last month, we have finally seen progress for people who would like to become a CMMC assessor.
CMMC Training – Instructors
The CMMC-AB has run at least 40-60 provisional instructors through their program at this point. About 30 are listed on the Marketplace today. The provisional instructors are authorized to teach all topics through from Certified CMMC Professional to Certified CMMC Assessor for level 3.
CMMC Training – Course Materials
Per the CMMC-AB October 2021 Town Hall, three Licensed Partner Publishers (LPP) have had their curriculum for Certified CMMC Professional (CCP) approved. Specifically I have it on good authority that Edwards Performance Solutions was the first to get their curriculum approved. I heard (unconfirmed) that Logical Operations has also gotten their curriculum approved. No word on who the third LPP is.
As I write this, I discovered a problem. There is no easy way to tell if a LPP had their curriculum approved. The CMMC-AB Marketplace just shows the full pool of LPPs. Please comment if you know the other LPPs that have approved materials. I reached out to the CMMC-AB asking about this and got confirmation that the Marketplace does not indicate who has approved materials at this time. The Marketplace will show this in the future (after an update). In the meantime, the recommendation is to go to each LPP site to see what they offer.
This is relevant because the CMMC-AB has stated that the mandatory training for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) is only recognized if the course materials are approved.
CMMC Training – Training Providers
There are 53 approved training providers as I do a search today.
These training providers are able to source materials from any of the LPPs that have approved curriculum. So they should be offering courses now, as long as they have at least one provisional instructor willing to work with them.
What is in the CCP Training?
The CCP Training will cover the following basic topics:
- Defining CUI and FCI (and regulations)
- Contributing cybersecurity frameworks.
- How to read the CMMC model documentation
- How to scope an assessment organizationally
- The “CMMC Assessment Process”
- The 181 practices and processes for CMMC Level 1-3.
Working as a CMMC consultant and want to know the answers?
The CCP course is an excellent source of information about CMMC, and almost seems designed for consultants and managed service providers.
What is the benefit of the course? Assuming you’ve already been working on CMMC projects, the primary benefit is you get to learn what the assessors will think is acceptable or not acceptable.
Your class should have discussions about various practices which identify what the minimum expectation is for the practice. Ideally the class should also discuss commonly misunderstood practices, especially ones where assessors tend to introduce their own bias. The class should have in-depth discussions about policy, process, and plan expectations.
Want to get on an assessment team?
If you want to take CCP training, there are courses available. The training seems to average between $2,000 and $5,000 depending on the training provider. While the materials should be high quality if they are approved, I’m hearing reports that the individual provisional instructors teaching can really make or break a course.
Once you take the training, you will still need to pass a proctored exam. This exam is expected to be available in February 2022. If you haven’t been living and breathing CMMC for the last few years, you will probably need to self-study quite a bit before the exam.
There will probably be some sort of a vetting process to verify that you meet the pre-requisites for the certification. Pre-requisites for citizenship and experience can be found on the CMMC-AB Assessors page.
So if you are counting days, here is the timeline:
Submit an application for Certified Assessor ($200) on the CMMC-AB website.
Take a CCP course now. (Nov-Dec 2021)
Begin self-studying (most people currently working with CMMC will have the trouble with the federal regulation language, reference cybersecurity frameworks, and the CMMC Assessment Process)
Take the exam in February 2022
Submit your paperwork to the CMMC-AB requesting CCP.
Wait a ?month? for processing
Get listed as a CCP in March 2022.
Apply for a Tier 3 background check
If any C3PAOs are allowed to perform assessments at this time, you could apply to be part of their team.
What about Certified Assessor training?
The CMMC-AB and DoD have not yet provided final course outlines to LPPs. Several LPPs are building content for what they think will be required, but they can’t submit until the curriculum is released.
Perhaps around February or March 2022 we will have CCA courses available.
What about Provisional Assessors?
According to the CMMC-AB website, provisional assessors will be required to take and pass the CCP exam within 6 months of it’s release date. “If you are a Provisional Assessor or Provisional Instructor you are required to take the CCP Certification Exam within 6 months from the time it launches (tentatively Feb 2022)“
This means we might see Provisional Assessors going through the training themselves if they are not certain about the materials (or if they fail the exam on their first attempt).
There you go. That is how to become a CMMC auditor. At least for now!
Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!