How to become a CMMC assessor or auditor


This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.

This article was updated on July 3, 2024.

Want to hire a CMMC assessor instead?

This site is sponsored by Kieri Solutions, an Authorized C3PAO. They have a great reputation in the CMMC space for having top talent that is knowledgeable, fair, and reasonable. They offer CMMC assessments, CMMC policy and procedures, and beginner-friendly CMMC Gap Analysis.

Requirements to be a CMMC assessor according to the Federal Government

The text below about CMMC assessor requirements is from the CMMC Proposed Rule. If you want to be a CMMC Assessor, you need to meet these requirements. The audit and management years of experience are probably the hardest for most folks.

(b) Requirements.
CCAs shall:
(1) Obtain and maintain certification from the CAICO in accordance with the requirements set forth in § 170.10. Certification is valid for 3 years from the date of issuance.
(2) Comply with the Accreditation Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17).
(3) Complete a Tier 3 background investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86. These positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with title 5 CFR 1400.201(b) and (d) and the investigative requirements of title 5 CFR 731.106(c)(2).
(4) Meet the equivalent of a favorably adjudicated Tier 3 background investigation when not eligible for a Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.
(5) Provide all documentation and records in English.
(6) Be a CCP who has at least 3 years of cybersecurity experience, 1 year of assessment or audit experience, and at least one baseline certification aligned to either paragraph (b)(6)(i) or (ii) of this section through 15 February 2025 and aligned to paragraph (b)(6)(ii) of this section only beginning 16 February 2025.
  (i) IAT Level II from DoD Manual 8570 Information Assurance Workforce Improvement Program.
  (ii) Intermediate Proficiency Level for Career Pathway Certified Assessor 612 from DoD Manual 8140.03 Cyberspace Workforce Qualification & Management Program.
(7) Qualify as a Lead CCA by having at least 5 years of cybersecurity experience, 5 years of management experience, 3 years of assessment or audit experience, and at least one baseline certification aligned to either paragraph (b)(7)(i) or (ii) of this section through 15 February 2025 and aligned to paragraph (b)(7)(ii) of this section only beginning 16 February 2025.
  (i) IAM Level II from DoD Manual 8570 Information Assurance Workforce Improvement Program.
  (ii) Advanced Proficiency Level for Career Pathway Certified Assessor 612 from DoD Manual 8140.03 Cyberspace Workforce Qualification & Management Program.
(8) Only use IT, cloud, cybersecurity services, and end-point devices provided by the authorized/accredited C3PAO that they support and has received a CMMC Level 2 Certification Assessment or higher for all assessment activities. Individual assessors are prohibited from using any other IT, including IT that is personally owned, to include internal and external cloud services and end-point devices, to store, process, handle, or transmit CMMC assessment reports or any other CMMC assessment-related information.
(9) Immediately notify the responsible C3PAO of any breach or potential breach of security to any CMMC-related assessment materials under the assessors’ purview.
(10) Not share any CMMC assessment related outcomes or advance information with any person not assigned to that specific assessment, except as otherwise required by law.

The progression plan to become a CMMC assessor

  1. Have some experience in IT or cybersecurity
  2. Take at least two CMMC training courses from a licensed CMMC trainer
  3. Pass proctored exams
  4. Pass a background suitability investigation (similar to a secret clearance, requires US Citizenship)
  5. Pass a required cybersecurity certification like CISM, CISSP
  6. Get hired by a C3PAO to perform assessments

This process normally takes between four months and two years, depending on your starting qualifications. The background suitability investigation can take a full year to complete if you’ve never held a government clearance before.

CMMC Training – Instructors

The CMMC-AB has run at least 100 provisional instructors through their program at this point. The provisional instructors are authorized to teach Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA). There are huge differences between instructors, and those differences really matter. Try to find instructors who have done real work with CMMC and 800-171 to get key insights.

Some great CMMC instructors in the industry are:

Thinking of becoming a CMMC instructor yourself?

At this time, the CAICO (CMMC Assessors & Instructors Certification Organization) is working on plans to create training and examinations for Certified CMMC Instructors. The current CMMC trainers are all provisional instructors. We haven’t heard of any recent graduates of the provisional instructor program, so we suspect it may be shut down to new applicants, but you can still apply here.

CMMC Training – Course Materials

The CMMC-AB Marketplace shows 18 Licensed Partner Publishers in good standing. This listing does not verify whether their materials have been approved for use in courses.

This is relevant because the CMMC-AB has stated that the mandatory training for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) is only recognized if the course materials are approved.

The best way to tell that you are using approved course materials is by working with a Licensed Training Provider in good standing.

CMMC Training – Training Providers

To find a Licensed Training Provider (LTP), use the Cyber-AB Marketplace search for LTPs.

These training providers are able to source materials from any of the LPPs that have approved curriculum. So they should be offering courses now, as long as they have at least one provisional instructor willing to work with them.

You can be confident that an LTP listed in the Marketplace is using authorized materials and has a Provisional Instructor teaching the course.

If you want to take CCP training, there are courses available now. The training seems to average between $1,500 and $3,000 depending on the training provider and the course materials they select. There are huge differences in the quality of course materials. Some publishers have spent the effort to add additional clarification and nuance to topics, while others have essentially “copied-and-pasted” from the source materials put out by DoD. But most importantly, the individual instructors teaching can really make or break a course.

Individual instructors really matter for CMMC training

Try to select a training provider that uses instructors who have experience doing CMMC assessments, or at least CMMC consulting, in the real world. You might be focused on passing the test today, but their insights on what the job is like will be more valuable over time. A good place to get peer recommendations for instructors and training providers is the Cooey Center of Excellence Forum on Discord (this is also a great place to talk with experts about CMMC informally).

Most training providers offer 3 or 5 day boot camps for each course, with virtual or in-person options. This style of learning is intense, typically requiring you to miss several days of work. If your employer is sponsoring CMMC training, these are convenient; otherwise you would need to take vacation time. Some providers offer courses that run across multiple weeks, scheduled for evenings. These are often a better option for self-funded students. Recently, we are seeing some options for fully recorded self-service courses. We are not sure about the quality of those yet.

What is in the CCP Training?

The Certified CMMC Professional training is designed to ensure that you understand key CMMC terms and qualifies you to perform a CMMC Level 1 Self-Assessment. Currently, CCPs are allowed to participate on a CMMC Level 2 assessment team under the supervision of a lead assessor, but it seems likely that the CAICO will make CCA the minimum soon. During a CMMC Level 2 assessment, as a CCP, you are not supposed to make decisions about whether the company being assessed is meeting requirements.

The CCP is based upon the below blueprint: Cyber-AB CCP Test Blueprint

The CCP Training will cover the following basic topics:

  • Defining CUI and FCI (and regulations)
  • Contributing cybersecurity frameworks
  • How to read the CMMC model documentation
  • How to perform CMMC Level 1 scoping
  • The “CMMC Assessment Process”
  • CMMC Level 1 practices

Originally the CCP training included both CMMC Level 1 and Level 2. Then the CAICO decided to add a second required training course in order to be qualified to assess CMMC Level 2. So most of the CMMC Level 2 content was removed from the CCP.

The CCP exam

Once you take the training, you will still need to pass a proctored exam. The exam is either available virtually (you will need to have a closed room and install proctoring software on a computer) or at a testing center.

Once you finish your CCP training, the Cyber-AB will send you instructions to register for the exam. You can’t self-register without these instructions.

If you haven’t been living and breathing CMMC for the last few years, you will probably need to self-study quite a bit before the exam.

As an instructor and as someone who took the CCP exam themselves, I recommend treating the CCP study as “trivia” – make sure you know the definition of each term related to CMMC and common statistics about CMMC. The CCP exam does not require in-depth knowledge of cybersecurity or ability to analyze tough situations. You just need to know information that fits onto a flash card.

Want a CCP practice test?

Edwards Performance Solutions offers CCP and CCA practice tests to their students.

To purchase the practice CCP or CCA exam:

  1. Visit the CMMC Section of the Edwards LMS Catalog | Edwards Performance Solutions – LMS (edwps-learn.com)
  2. If you’d like the CCP practice exam, click CMMC02E Exam Practice Questions for Certified CMMC Professional (CCP 2.0). For the CCA practice exam, choose CMMC03E Exam Practice Questions for Certified CMMC Assessor (CCA).
  3. Click Add to Cart and then proceed through the checkout process. You will be prompted to create an account during the checkout process.

A quick Google search shows a few other results for CCP practice exams. We haven’t heard good or bad about them, so we won’t recommend them here.

The CCA Training

The Certified CMMC Assessor training is designed to make you a full-fledged member of the assessment team. Right now, that means you can lead CMMC Level 2 assessments or be a team member. You are allowed to make decisions about whether the company being assessed is meeting requirements.

The training topics are based upon the CCA blueprint: Exam blueprint for CCA – version April 5 2022

The CCA Training will cover the following topics:

  • Another review of the “CMMC Assessment Process”
  • Discussion of physical and logical boundaries
  • CMMC Level 2 scoping
  • CMMC Level 2 practices
  • Safety and coordination for assessments

The CCA Exam

The CCA exam is much more intense than the CCP exam. Instead of single sentence questions, the typical CCA question is a paragraph which needs to be carefully parsed out and compared against several options to find the “best” answer – meaning that many answers are not obviously right or wrong.

This exam is heavily focused on the CMMC Model – practices and their assessment objectives. It also spends a significant amount of time analyzing external service providers, boundaries, and scoping.

Working as a CMMC consultant?

The CCP course is an excellent source of information about CMMC, and almost seems designed for consultants and managed service providers.

Consultants, internal compliance officers, and Managed Services Providers need to know how assessors judge solutions, so that they can pick the correct implementation strategy for their companies. I strongly believe that consultants need to be more knowledgeable than assessors on the topic of CMMC because not only do they need to know “what right looks like”, they also need to know how to implement it and how to change a company’s culture to support compliance.

What is the benefit of the courses? Assuming you’ve already been working on CMMC projects, the primary benefit is you get to learn what the assessors will think is acceptable or not acceptable.

Your class should have discussions about various practices which identify what the minimum expectation is for the practice. Ideally the class should also discuss commonly misunderstood practices, especially ones where assessors tend to introduce their own bias. The class should have in-depth discussions about policy, process, and plan expectations.

As a consultant, I would be more careful about who you choose as an instructor. Try to find an instructor who was in charge of a CMMC Level 2 compliance project and passed. They can give key information about which solutions were acceptable to the DoD.

Want to get on an assessment team?

Check this infographic from the Cyber-AB which shows the path to become a CMMC Assessor: https://cyberab.org/portals/0/CyberAB_infographic_V5.png

The Cyber-AB has said that CCPs must “participate on three Level 2 assessments assessing only Level 1 practices” before they are eligible to become a CCA. This is incredibly confusing and frustrating for student assessors. They are having trouble getting C3PAOs to invite them to participate on the three assessments.

Here is the truth: C3PAOs are not looking for CCPs who just want three assessments. The bother isn’t worth the benefit, even if that CCP is working for free. Level 1 is a handful of practices which aren’t even contained to a single domain. Why would a C3PAO take the risk with one of their clients unless they are building up their long term staff’s competencies?

I hope you can find a way to get this experience, but it will be much harder to get a sponsor if you don’t commit to being available for more than those three assessments.

Kieri Solutions, our sponsor, is gradually hiring assessors to meet demand. If you’re interested in working for one of the leaders in CMMC and 800-171 compliance, check their career page here: https://www.kieri.com/careers

Here is the timeline to become an assessor

Pre-requisites for citizenship and experience can be found on the CMMC-AB Assessors page.

  • Submit an application for Certified Assessor ($200) on the CMMC-AB website.
  • Take a CCP course now. ($1500 – $3000)
  • Begin self-studying (most people currently working with CMMC will have trouble with the federal regulation language, the reference cybersecurity frameworks, and the CMMC Assessment Process)
  • Take the CCP exam
  • Wait a few days for processing
  • Get listed as a CCP on the Marketplace
  • Take the CCA course ($1500-$3000)
  • Begin self-studying (for CCA, you need a solid IT foundation, it is harder to study for this one)
  • Take the CCA exam
  • Wait a few days for processing
  • Get listed as a CCA without suitability and without 3 assessments on the Marketplace
  • Start the Tier 3 suitability background check process with the Cyber-AB (if you have a clearance already, this is <1 month. If not, this can take 12+ months)
  • Once you have suitability (the “S” on your CCA profile in the Marketplace), you can participate in assessment teams.
  • Have a C3PAO invite you to work on a Joint Surveillance Voluntary Assessment
  • Have the C3PAO send records to the Cyber-AB showing that you participated in assessments with them
  • Future: You will need to have a cybersecurity certification from DoDi 8570 such as CISSP, CISM, CISA.
  • How to be a Lead Assessor? That is yet to be determined.

What about Provisional Assessors?

As of late 2023, there are no more Provisional Assessors. We lost about 50% of them when they were forced to pass the CCP and CCA exams and renew their registrations in order to keep their credentials. The pool of CCAs has built to a similar size as of today – 203 on the marketplace. Most of those CCAs do not have the three assessment experience, nor the suitability. But they do show a high level of knowledge and ability by taking the training and passing two examinations.

There you go. That is how to become a CMMC auditor. At least for now!

Please comment if you have ideas or news about the process. If you want to become a CMMC auditor, sign up for the newsletter (top right corner of website) so that I can send you news. Send me an email if you are an auditor or cybersecurity practitioner looking for referrals to C3PAOs or employment. Please connect with me on LinkedIn too!

Amira Armond is a CMMC Provisional Instructor, Certified CMMC Assessor, CISSP, and CISA. She is the owner and Quality Manager for Kieri Solutions, an authorized C3PAO offering assessments, CMMC preparation services, and the Kieri Compliance Documentation package . Amira Armond is the chief editor for CMMCaudit.org and volunteers with the C3PAO Stakeholder Forum, an industry group striving for consistency of interpretation and successful rollout of the CMMC program.

34 thoughts on “How to become a CMMC assessor or auditor”

  1. Ingo Vasen says:

    I would like to qualify myself as a CMMC auditor. Would you please inform me about personal requirements and training offerings as soon as available. Many thanks in advance.

  2. Ken Rodgers says:

    I sorta lost interest at “ The training seems to average between $2,000 and $5,000”. I was hoping to get in on the front end of this to start my own auditing team but I can’t afford all that plus the time to study to pass everything too. If the Government is requiring this it would be nice to provide the training for free and maybe pay $250 to take a proctored test.

  3. Scott Brady says:

    I have researched the internet; can you please share where we can get the training to move up the education ladder, to become an assessor? When you search the net, you just get companies trying to sell you a company assessment.

  4. Don Kulp says:

    Please advise what agency is providing the CERTIFICATIONS FOR the CMMI AUDITORS AND ASSESSORS – HOW DO YOU GET CERTIFIED TO CONDUCT THE AUDITS….

  5. John Masin says:

    I would like to determine the steps necessary for becoming a CMMC auditor or assessor. We are already a 3PAO, does that give us a head start on this process?

    • Tony Brunner says:

      How are you a 3PAO? I’m thinking you’re missing the A qualification there. So maybe you’re a C3PO?

  6. Wayne Salas says:

    Will they consider assessor companies that are already certified by other entities like PCI and/or HiTrust?

    Experience is very important here. PCI ran into the same problem by having unqualified assessors/auditors certified who did not really understand how to properly scope an environment and give good solid advice to remediate gaps. Experience and certifications are always a great combination. PCI now requires everyone certified to have at a minimum 5 years experience in any of the domains and a security and auditing certification just to apply for the PCI QSA certification.

    Sincerely,

    Wayne Salas

    • Armando Seay says:

      I don’t speak for the CMMC AB, but from what I know because CMMC has additional domains and controls the CMMC AB will require training and accreditation. You can soon see webcasts that are being pre-recorded and once approved that may answer this question directly from a CMMC AB Board or working group lead. Stay tuned but monitor the CMMC AB and MISI websites for announcements.

  7. Wayne Salas says:

    Will they take into consideration assessor companies that are already certified by other entities like HiTrust and/or PCI, etc.?

    Experience should be really considered when choosing a good Assessor Company and Auditor.

    Certifications are great, but from my experience certifications and experience are even better.

    Please let me know.

  8. Sean says:

    The issue I see early on is that the larger companies who provide training will continue to push pedestrian-level training and stagnant off-the-shelf training labs and pass it off as CMMC-compliant training.

    We don’t need novice professionals but seasoned cyber security professionals with 5+ years to obtain the CMMC, and this should be a requirement for assessors, trainers, and proctoring.

  9. Samuel Jay Langham (CISSP) says:

    There should be a statement of independence required for the certifying organization, i.e. the person or even the company providing those certifying actions must show their independence. This has been a thorn to many large auditing firms, as after conducting the audit they cannot pick up the secondary work piece of corrections and remain the auditor, or work with that client in pre-assessment and aligning the target of test to requirements.
    On a more positive note this allows for more than one group to be involved and so the final certification has more weight to it.

  10. Greg Arnholt says:

    Will there be a conflict of interest constraint placed on assessors and C3PAOs? In other words, can an assessment be completed by a C3PAO that also provides any security services to the same entity that is being certified?

    • Tony Brunner says:

      This is a great question. The dual role could create a tempting trend for companies to “trade” services and compromise the integrity of the C3PAO model.

    • Ralph DiCicco says:

      Greg,

      Exactly. There are firms who are currently performing to CUI requirements and have CISOs and staff.

      Yet these firms are neither NIST 800-171 nor DFARS compliant.

      Thus, I believe there would be a conflict of interest.

      Also, until these firms are adjudged to be CMMC ML3, they should recuse themselves.

    • Amira Armond says:

      Exciting times, thanks John!

      From the AB website:
      “Assessors will receive a license from the CMMC-AB after completing required training.
      Assessors will NOT work for the CMMC-AB but will work for C3PAO’s.
      Assessors will receive a license at a level that matches the assessments they are permitted to conduct. In the very near future, all contractors that do business with the DoD will need to meet at least Level 1 CMMC requirements. Experience requirements for higher-level assessors are not yet determined.
      Assessors are required to obtain a security clearance. The specific clearance levels are not yet determined.”

      • Melo says:

        Security clearance levels for CUI inspections… that’s interesting… but how are these security clearances supposed to be initially obtained or maintained?

        I wonder if the C3PAOs have to maintain clearances for their assessors… I could be mistaken, but the C3PAO would then need to become a cleared contractor company tied to some gov. contract that has cleared work to be done. But from what I understand so far, a C3PAO wouldn’t really be tied to any contract… so, how would a C3PAO (or assessor) do this without being tied to a contract?

        I would think this would prevent many C3PAOs from being formed for long if they can’t keep their assessors’ clearances going, so would the CMMC-AB have some kind of process/mechanism for C3PAOs’ assessors or individual assessors to keep their clearances active?

  11. Michael Hammond says:

    Adavi,

    As of today, there is no way to be an auditor. The accreditation body is being formed and then will work to develop the training and accreditation requirements. Anyone who tells you they can do the “audit” or know exactly how to become an auditor is not telling the truth. It is expected in Feb/Mar/Apr of 2020 for this info to be solidified.

    • Kazi Nazrul Islam says:

      Thanks for the information. I visited the website and searched Google, but I still didn’t find the full CMMC framework document. Can anyone help find the full framework document and share information on how to be an assessor?

      Regards
      Kazi, Bangladesh
      Cybersecurity consultant
