How to become a CMMC auditor or certifier


This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.

As I update this article in late April 2021, almost nothing has changed since the last update in September 2020. No CMMC Certified Professional training is available yet. No C3PAOs have been fully approved to perform assessments. We still don’t know what a successful CMMC audit looks like.

This is discouraging, but there has been progress at the sub-milestone level. C3PAOs are starting to be audited by the DCMA for their own information systems (very slowly). Background checks have been submitted for some staff and are working through the 6-12+ month process. Licensed Training Providers have most of their curriculum written, but haven’t received the final version from DoD, so they can’t release it.

I am hopeful that we will see these milestones met within 2021, at least for a few people / companies.

How to become an accredited CMMC certifier or auditor?

The CMMC Accreditation Body has opened registration for CMMC assessors!

Don’t get too excited though. Right now, it is literally just a questionnaire and a $200 non-refundable registration fee. There is no guarantee of any response to the application for quite a while.

As of today (late April 2021), there has been no progress for assessor candidates, except for the August 2020 “provisional assessor opt-in” which is no longer taking entries.

If you weren’t chosen to be part of the provisional class, then you will need to wait for:

  1. CMMC training to be released (and take it)
  2. CMMC exams to be available (and pass them)
  3. your background check or clearance to complete
  4. companies (C3PAOs) to be authorized to perform audits

This breaking news article gives more details about the registration process and requirements for CMMC auditor / assessor and to become a C3PAO.

^^^ Seriously, if you want to apply to be an auditor / assessor, a C3PAO, etc., this article is what you need to read next.

CMMC Training and Certification update

The CMMC Accreditation Body has released an update about their training and auditor certification plans. The webinar and summary notes can be found here.

Q. Where can I find training to be a CMMC auditor?

A. At this point (April 24, 2021), no training vendors have been approved by the CMMC Accreditation Body yet. I wouldn’t expect any recognized training to be released before September 2021. But if you want to become an auditor, you can get started self-studying now.

See our article “CMMC Auditor Training Resources” for latest training program reviews and recommendations for ways to self-study to prepare.

Here is the summary of training (self study) resources available now:

Read through the glossary of terms and who’s who in CMMC:

Read the CMMC Appendix document, especially the sections prior to B.2.

Check each of the resources at our CMMC templates and tools page:

Understand DFARS 7012 and related documents:

Understand How to Read and Use the CMMC:

Roadmap to full CMMC roll-out

Below you will find descriptions for the major milestones that are necessary before CMMC auditors can perform work. When this article was originally written, every item was “in-progress” or “future”. Now we are more than halfway through the progression.

RFI for CMMC Accreditation Body (complete)

The DoD released Request for Information (RFI) HQ0034SS10032019 seeking information on how to define the long-term implementation, execution, sustainment and growth of the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body.

The solicitation was released October 3, 2019. There was a Kick Off Meeting on November 19, 2019. The RFI is now inactive.

The focus of this RFI was to get advice from stakeholders about the role, duties, and form of a CMMC Accreditation Body. In other words, should it be for-profit, non-profit, a partnership of multiple organizations, a single existing organization, a single new organization, who should be on the board of directors, etc.

Selection of CMMC Accreditation Body (completed)

The accreditation body is not fully functional yet. It is in the working group stage, where interested parties are collaborating to define and form it. Officers have been selected, but the base of full time employees has not been finalized yet.

They are solidifying their role as the private-sector organizing body for the CMMC. The DoD formally recognized the CMMC Accreditation Body in March 2020 with a memorandum of understanding which sets out each party’s roles and responsibilities. In general, the DoD is responsible for setting security requirements by writing the CMMC model document and appendices. The CMMC Accreditation Body is responsible for building the process to assess all DoD contractors (such as selecting C3PAOs, training auditors, and setting standards for the audit process).

The accreditation body has a website: (Thanks to Chris Golden in the comments).

The AB website is being updated daily and has a newsletter sign-up. Go check it out!

I will update this article as new information becomes available. Also please sign up to our newsletter on the right for email notification when we release a new blog or things change.

The CMMC requirements need to stabilize (complete)

(Update 2/4/2020) The CMMC Model version 1.0 document and appendices have been released by the DoD. This is the first final version of the CMMC.

More information and links to version 1.0 can be found here: CMMC Version 1.0 Released – Analysis for DoD contractors

This document gives the requirements for levels 1-5, as well as clarifying descriptions and examples for each control. It also describes the expected maturity of processes for each level.

Auditors will use this document for guidance when reviewing each company’s cybersecurity program.

Requirements for C3PAOs need to be created (complete)

The CMMC Accreditation Body has identified initial requirements for C3PAOs.

C3PAOs (the companies which are authorized to contract to perform assessments) are allowed to apply starting June 23, 2020.

They need to have at least one registered practitioner, assessor, or other CMMC-certified person on staff.

The C3PAOs need to be owned by U.S. citizens. Higher levels of assessment capabilities (such as CMMC Level 3) will require clearances for staff and CMMC Level 3 compliant information systems.

This breaking news article gives more details about the registration process and requirements for CMMC auditor / assessor and to become a C3PAO.

C3PAOs need to be authorized (future)

As of April 2021, it seems likely that the first C3PAOs will be recognized in August-September 2021.

C3PAOs are currently bottlenecked on 1) the requirement to have a CMMC Level 3 certified information system of their own, and 2) background checks for their staff.

The first CMMC auditors need to be authorized (in progress)

The first CMMC assessors were recognized in late September 2020, as part of the provisional class.

Normal assessors are still pending training, exams, background checks, and authorized C3PAOs to work for. The first “Certified Professional” training is expected around September 2021. See our CMMC Auditor Training Resources page for more information on this.

Expectations for a successful audit need to be set (future)

The Accreditation Body and/or DoD need to set expectations for what a successful audit looks like. This is a huge unknown, at least to me. The precedent set by NIST SP 800-171 (as required by DFARS 7012) is to document your environment in a System Security Plan (SSP), to meet the minimum safeguarding requirements in Federal Acquisition Regulation (FAR) Clause 52.204-21, and to carry a Plan of Action and Milestones (POA&M) for everything else.

The intent of the CMMC is to get contractor networks fully secured, without exceptions, to the level specified: unmet practices cannot simply be parked on a POA&M at assessment time.

In practice, there will be problems with requiring every cybersecurity best practice to be fully in place.

A simple example is multi-factor authentication (MFA). Sure, you can turn on MFA for workstation logon and for email, but what about the legacy manufacturing application that does not support MFA and is required to perform the contract?

A more worrisome example (because it happens to all of us) is patching. If you can’t patch system X because the patch crashes it, does that mean you can’t be certified? What about timeliness: how up to date do your systems need to be, and can your patch process include time for testing before deployment?

There will need to be an exception process. It could take the form of a temporary exception for X months or years, or an interim approval with re-assessment every 6 months. To be determined.

Another huge question is whether contractors that keep Controlled Unclassified Information (CUI) in a secure enclave will need multiple CMMC audits. For example, for CMMC Level 3, many contractors will use a separate, highly secured network and set of computers just for the CUI contracts. That enclave would be the scope of the Level 3 audit; let’s assume they pass. Will the contractor also need a CMMC Level 1 or 2 audit for the rest of their network, because it handles lower-sensitivity DoD information (known as Federal Contract Information, FCI)? Or is the rest of the network simply out of scope?

There you go. That is how to become a CMMC auditor. At least for now!

Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!

31 thoughts on “How to become a CMMC auditor or certifier”

  1. Scott Brady says:

    I have researched the internet; can you please share where we can get the training to move up the education ladder, to become an assessor? When you search the net, you just get companies trying to sell you a company assessment.

  2. Don Kulp says:

    Please advise what agency is providing the CERTIFICATIONS FOR


  3. John Masin says:

    I would like to determine the steps necessary for becoming a CMMC auditor or assessor. We are already a 3PAO, does that give us a head start on this process?

    • Tony Brunner says:

      How are you a 3PAO? I’m thinking you’re missing the A qualification there. So maybe you’re a C3PO?

  4. Wayne Salas says:

    Will they consider assessor companies that are already certified by other entities like PCI and/or HITRUST?

    Experience is very important here. PCI ran into the same problem by having unqualified assessors/auditors certified, but not really understanding how to properly scope an environment and give good solid advice to remediate gaps. Experience and certifications are always a great combination. PCI now requires everyone certified to have at a minimum 5 years experience in any of the domains and a security and auditing certification just to apply for the PCI QSA certification.


    Wayne Salas

    • Armando Seay says:

      I don’t speak for the CMMC AB, but from what I know because CMMC has additional domains and controls the CMMC AB will require training and accreditation. You can soon see webcasts that are being pre-recorded and once approved that may answer this question directly from a CMMC AB Board or working group lead. Stay tuned but monitor the CMMC AB and MISI websites for announcements.

  5. Wayne Salas says:

    Will they take into consideration assessor companies that are already certified by other entities like HITRUST and/or PCI, etc.?

    Experience should be really considered when choosing a good Assessor Company and Auditor.

    Certifications are great, but from my experience certifications and experience are even better.

    Please let me know.

  6. Sean says:

    The issue I see early on is that the larger companies who provide training will continue to push pedestrian-level training and stagnant off-the-shelf training labs and pass it off as CMMC-compliant training.

    We don’t need novice professionals but seasoned cybersecurity professionals with 5+ years to obtain the CMMC, and this should be a requirement for assessors, trainers and proctoring.

  7. Samuel Jay Langham (CISSP) says:

    There should be a statement of independence required for the certifying organization, i.e. the person or even the company providing those certifying actions must show their independence. This has been a thorn to many large auditing firms, as after conducting the audit they cannot pick up the secondary work piece of corrections and remain the auditor, or work with that client in pre-assessment and aligning the target of test to requirements.
    On a more positive note, this allows for more than one group to be involved, and so the final certification has more weight to it.

  8. Greg Arnholt says:

    Will there be a conflict-of-interest constraint placed on assessors and C3PAOs? In other words, can an assessment be completed by a C3PAO that also provides any security services to the same entity that is being certified?

    • Tony Brunner says:

      This is a great question. The dual role could create a tempting trend for companies to “trade” services and compromise the integrity of the C3PAO model.

    • Ralph DiCicco says:

      Exactly. There are firms who are currently performing to CUI requirements and have CISOs and staff.

      Yet these firms are neither NIST 800-171 nor DFARS compliant.

      Thus, I believe there would be a conflict of interest.

      Also, until these firms are adjudged to be CMMC ML3, they should recuse themselves.

    • Amira Armond says:

      Exciting times, thanks John!

      From the AB website:
      “Assessors will receive a license from the CMMC-AB after completing required training.
      Assessors will NOT work for the CMMC-AB but will work for C3PAO’s.
      Assessors will receive a license at a level that matches the assessments they are permitted to conduct. In the very near future, all contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. Experience requirements for higher-level assessors are not yet determined.
      Assessors are required to obtain a security clearance. The specific clearance levels are not yet determined.”

      • Melo says:

        Security clearance levels for CUI inspections… that’s interesting… but how are these security clearances supposed to be initially obtained or maintained?

        I wonder if the C3PAOs have to maintain clearances for their assessors… I could be mistaken, but the C3PAO would then need to become a cleared contractor company tied to some government contract that has cleared work to be done. But from what I understand so far, a C3PAO wouldn’t really be tied to any contract… so, how would a C3PAO (or assessor) do this without being tied to a contract?

        I would think this would prevent many C3PAOs from being formed for long if they can’t keep their assessors’ clearances going, so would the CMMC-AB have some kind of process/mechanism for C3PAOs’ assessors or individual assessors to keep their clearances active?

  9. Michael Hammond says:

    As of today, there is no way to be an auditor. The accreditation body is being formed and then will work to develop the training and accreditation requirements. Anyone who tells you they can do the “audit” or know exactly how to become an auditor is not telling the truth. It is expected in Feb/Mar/Apr of 2020 for this info to be solidified.

    • Kazi Nazrul Islam says:

      Thanks for the information. I visited the website and searched Google, but still I didn’t find the CMMC full framework document. Can anyone help to find the full framework document and share the information on how to be an assessor?

      Kazi, Bangladesh
      Cybersecurity consultant
