How to become a CMMC assessor or auditor


This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.

This article was updated on November 18 2022.

CMMC Training – Instructors

The CMMC-AB has run at least 100 provisional instructors through their program at this point. The provisional instructors are authorized to teach Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA). There are huge differences between instructors, which really matters. Try to find instructors who have done real work with CMMC and 800-171 to get key insights.

CMMC Training – Course Materials

The CMMC-AB Marketplace shows 18 Licensed Partner Publishers in good standing. This listing does not verify whether their materials have been approved for use in courses.

This is relevant because the CMMC-AB has stated that the mandatory training for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) is only recognized if the course materials are approved.

The best way to tell that you are using approved course materials is by working with a Licensed Training Provider in good standing.

CMMC Training – Training Providers

To find a Licensed Training Provider (LTP), search for LTPs in the Cyber-AB Marketplace.

These training providers are able to source materials from any of the LPPs that have approved curriculum. So they should be offering courses now, as long as they have at least one provisional instructor willing to work with them.

You should feel confident that if an LTP is listed in the Marketplace, they are using authorized materials and having a Provisional Instructor teach the course.

If you want to take CCP training, there are courses available now. The training seems to average between $2,000 and $4,000 depending on the training provider and the course materials they select. There are huge differences in the quality of course materials. Some publishers have spent the effort to add additional clarification and nuance to topics, while others have essentially “copied-and-pasted” from the source materials put out by DoD. In addition, the individual provisional instructors teaching can really make or break a course.

What is in the CCP Training?

CCP training is based upon the below blueprint:

Cyber-AB CCP Test Blueprint

The CCP Training will cover the following basic topics:

  • Defining CUI and FCI (and regulations)
  • Contributing cybersecurity frameworks
  • How to read the CMMC model documentation
  • How to perform CMMC Level 1 scoping
  • The “CMMC Assessment Process”
  • CMMC Level 1 practices

The CCP exam

Once you take the training, you will still need to pass a proctored exam.

If you haven’t been living and breathing CMMC for the last few years, you will probably need to self-study quite a bit before the exam.

As an instructor and as someone who took the CCP exam myself, I recommend treating CCP study as “trivia” – make sure you know the definition of each term related to CMMC and the common statistics about CMMC.

The CCA Training

As of November 2022, the Certified CMMC Assessor training is just becoming available. We don’t know what it will be like yet. The training topics are based upon the CCA blueprint below.

Exam blueprint for CCA – version April 5 2022

The CCA Exam

The beta exam was released to a few key people (mostly Provisional Instructors and Provisional Assessors). I took the exam this week. It is much more intense than the CCP exam. Instead of single sentence questions, the typical CCA question is a paragraph which needs to be carefully parsed out and compared against several options to find the “best” answer – meaning that many answers are not obviously right or wrong.

This exam is heavily focused on the CMMC Model – practices and assessment objectives. It also spends a significant amount of time analyzing external service providers, boundaries, and scoping.

Working as a CMMC consultant?

The CCP course is an excellent source of information about CMMC, and almost seems designed for consultants and managed service providers.

Consultants, internal compliance officers, and Managed Services Providers need to know how assessors judge solutions, so that they can pick the correct implementation strategy for their companies. I strongly believe that consultants need to be more knowledgeable than assessors on the topic of CMMC because not only do they need to know “what right looks like”, they also need to know how to implement it and how to change a company’s culture to support compliance.

What is the benefit of the course? Assuming you’ve already been working on CMMC projects, the primary benefit is you get to learn what the assessors will think is acceptable or not acceptable.

Your class should have discussions about various practices which identify what the minimum expectation is for the practice. Ideally the class should also discuss commonly misunderstood practices, especially ones where assessors tend to introduce their own bias. The class should have in-depth discussions about policy, process, and plan expectations.

If you are a consultant, I would be more careful about who you choose as a CCP instructor. Try to find an instructor who was in charge of a CMMC Level 2 compliance project that passed. They can give key information about which solutions were acceptable to the DoD.

Want to get on an assessment team?

Check this infographic from the Cyber-AB which shows the path to become a CMMC Assessor: https://cyberab.org/portals/0/CyberAB_infographic_V5.png

My students are having the most trouble with the concept that CCPs must “participate on three Level 2 assessments assessing only Level 1 practices” before they are eligible to become a CCA. This is frustrating because a C3PAO is not motivated to bring in a CCP for a handful of practices which aren’t even confined to a single domain. It is definitely not cost effective. Today (Nov 2022), there are no CMMC assessments occurring until the new DFARS rule is published in 2023 or 2024. So we are forcing CCPs to stay CCPs for 1-2 years, without giving them an opportunity to advance. When CMMC assessments are finally allowed, we will still be operating with a minimal pool of provisional assessors.

Here is the timeline to become an assessor

Prerequisites for citizenship and experience can be found on the CMMC-AB Assessors page.

  • Submit an application for Certified Assessor ($200) on the CMMC-AB website.
  • Take a CCP course now. ($2000 – $4000)
  • Begin self-studying (most people currently working with CMMC will have trouble with the federal regulation language, the reference cybersecurity frameworks, and the CMMC Assessment Process)
  • Take the CCP exam
  • Submit your paperwork to the CMMC-AB requesting CCP.
  • Wait roughly a month (exact time unknown) for processing
  • Get listed as a CCP on the Marketplace (it is possible that the Cyber-AB will not list you until you have a background check – see next item)
  • Get sponsored for a Tier 3 background check (if you have a clearance already, this is <1 month. If not, this can take 8+ months)
  • Wait for real CMMC assessments to be allowed (mid 2023 or 2024)
  • Once CMMC assessments are allowed, apply to be part of a C3PAO’s assessment team for a few practices.
  • Attend 3 assessments (typically 2-3 months), participating minimally
  • Take the CCA training ($2000 – $4000)
  • Take the CCA exam
  • Submit your paperwork to the CMMC-AB requesting CCA.
  • Wait roughly a month (exact time unknown) for processing
  • Get listed as a CCA on the Marketplace
  • Congratulations, now you can assess Level 2 practices as part of an assessment team.
  • How to be a Lead Assessor? That is yet to be determined.

What about Provisional Assessors?

According to the CMMC-AB website, provisional assessors will be required to take and pass the CCP and CCA exams within 6 months of the release date: “If you are a Provisional Assessor or Provisional Instructor you are required to take the CCP Certification Exam within 6 months from the time it launches (tentatively Feb 2022)”

This means we might see Provisional Assessors going through the training themselves if they are not certain about the materials (or if they fail the exam on their first attempt).

This also means that we could lose a significant number of Provisional Assessors (potentially 50%) who cannot pass the test for their own credential. This is significant in two ways: 1) it will improve quality by weeding out non-technical assessors; 2) it will reduce the pool of potential assessors even more, slowing down the rollout of CMMC certifications.

There you go. That is how to become a CMMC auditor. At least for now!

Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!

Amira Armond is a CMMC Provisional Instructor, Provisional Assessor, CISSP, and CISA. She is the owner and Quality Manager for Kieri Solutions, an authorized C3PAO offering assessments, CMMC preparation services, and the Kieri Compliance Documentation package. Amira Armond is the chief editor for CMMCaudit.org and volunteers with the C3PAO Stakeholder Forum, an industry group striving for consistency of interpretation and successful rollout of the CMMC program.

34 thoughts on “How to become a CMMC assessor or auditor”

  1. Ingo Vasen says:

    I would like to qualify myself as a CMMC auditor. Would you please inform me about personal requirements and training offerings as soon as available. In advance, many thanks.

  2. Ken Rodgers says:

    I sorta lost interest at “ The training seems to average between $2,000 and $5,000”. I was hoping to get in on the front end of this to start my own auditing team but I can’t afford all that plus the time to study to pass everything too. If the Government is requiring this it would be nice to provide the training for free and maybe pay $250 to take a proctored test.

  3. Scott Brady says:

    I have researched the internet; can you please share where we can get the training to move up the education ladder to become an assessor? When you search the net, you just get companies trying to sell you a company assessment.

  4. Don Kulp says:

    Please advise what agency is providing the CERTIFICATIONS FOR the CMMI AUDITORS AND ASSESSORS – HOW DO YOU GET CERTIFIED TO CONDUCT THE AUDITS….

  5. John Masin says:

    I would like to determine the steps necessary for becoming a CMMC auditor or assessor. We are already a 3PAO, does that give us a head start on this process?

    • Tony Brunner says:

      How are you a 3PAO? I’m thinking you’re missing the A qualification there. So maybe you’re a C3PO?

  6. Wayne Salas says:

    Will they consider assessor companies that are already certified by other entities like PCI and/or HITRUST?

    Experience is very important here. PCI ran into the same problem by having unqualified assessors/auditors certified who did not really understand how to properly scope an environment and give good, solid advice to remediate gaps. Experience and certifications are always a great combination. PCI now requires everyone certified to have a minimum of 5 years’ experience in any of the domains and a security and auditing certification just to apply for the PCI QSA certification.

    Sincerely,

    Wayne Salas

    • Armando Seay says:

      I don’t speak for the CMMC AB, but from what I know, because CMMC has additional domains and controls, the CMMC AB will require training and accreditation. You can soon see webcasts that are being pre-recorded and, once approved, may answer this question directly from a CMMC AB Board or working group lead. Stay tuned, but monitor the CMMC AB and MISI websites for announcements.

  7. Wayne Salas says:

    Will they take into consideration assessor companies that are already certified by other entities like HITRUST and/or PCI, etc.?

    Experience should be really considered when choosing a good Assessor Company and Auditor.

    Certifications are great, but from my experience certifications and experience are even better.

    Please let me know.

  8. Sean says:

    The issue I see early on is that the larger companies who provide training will continue to push pedestrian-level training and stagnant off-the-shelf training labs and pass it off as CMMC-compliant training.

    We don’t need novice professionals but seasoned cybersecurity professionals with 5+ years to obtain the CMMC, and this should be a requirement for assessors, trainers, and proctoring.

  9. Samuel Jay Langham (CISSP) says:

    There should be a statement of independence required for the certifying organization, i.e. the person or even the company providing those certifying actions must show their independence. This has been a thorn to many large auditing firms, as after conducting the audit they cannot pick up the secondary work piece of corrections and remain the auditor, or work with that client in pre-assessment and aligning the target of test to requirements.
    On a more positive note, this allows for more than one group to be involved, and so the final certification has more weight to it.

  10. Greg Arnholt says:

    Will there be a conflict-of-interest constraint placed on assessors and C3PAOs? In other words, can an assessment be completed by a C3PAO that also provides any security services to the same entity that is being certified?

    • Tony Brunner says:

      This is a great question. The dual role could create a tempting trend for companies to “trade” services and compromise the integrity of the C3PAO model.

    • Ralph+DiCicco says:

      Greg,

      Exactly. There are firms who are currently performing to CUI requirements and have CISOs and staff.

      Yet these firms are neither NIST 800-171 nor DFARS compliant.

      Thus, I believe there would be a conflict of interest.

      Also, until these firms are adjudged to be CMMC ML3, they should recuse themselves.

    • Amira Armond says:

      Exciting times, thanks John!

      From the AB website:
      “Assessors will receive a license from the CMMC-AB after completing required training.
      Assessors will NOT work for the CMMC-AB but will work for C3PAO’s.
      Assessors will receive a license at a level that matches the assessments they are permitted to conduct. In the very near future, all contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. Experience requirements for higher-level assessors are not yet determined.
      Assessors are required to obtain a security clearance. The specific clearance levels are not yet determined.”

      • Melo says:

        Security clearance levels for CUI inspections… that’s interesting… but how are these security clearances supposed to be initially obtained or maintained?

        I wonder if the C3PAOs have to maintain clearances for their assessors… I could be mistaken, but the C3PAO would then need to become a cleared contractor company tied to some government contract that has cleared work to be done. But from what I understand so far, a C3PAO wouldn’t really be tied to any contract… so, how would a C3PAO (or assessor) do this without being tied to a contract?

        I would think this would prevent many C3PAOs from being formed for long if they can’t keep their assessors’ clearances going, so would the CMMC-AB have some kind of process/mechanism for C3PAOs’ assessors or individual assessors to keep their clearances active?

  11. Michael Hammond says:

    Adavi,

    As of today, there is no way to be an auditor. The accreditation body is being formed and then will work to develop the training and accreditation requirements. Anyone who tells you they can do the “audit” or knows exactly how to become an auditor is not telling the truth. It is expected in Feb/Mar/Apr of 2020 for this info to be solidified.

    • Kazi Nazrul Islam says:

      Thanks for the information. I visited the website and searched Google, but still I didn’t find the full CMMC framework document. Can anyone help find the full framework document and share information on how to be an assessor?

      Regards
      Kazi, Bangladesh
      Cybersecurity consultant
