This article will be updated as the CMMC progresses. If you want to be a CMMC auditor or certifier, please subscribe to our newsletter for news as the CMMC rolls out.
This article was updated on November 18, 2022.
CMMC Training – Instructors
The CMMC-AB has run at least 100 provisional instructors through their program at this point. The provisional instructors are authorized to teach Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA). There are huge differences between instructors, which really matters. Try to find instructors who have done real work with CMMC and 800-171 to get key insights.
CMMC Training – Course Materials
The CMMC-AB Marketplace shows 18 Licensed Partner Publishers in good standing. This listing does not verify whether their materials have been approved for use in courses.
This is relevant because the CMMC-AB has stated that the mandatory training for Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA) is only recognized if the course materials are approved.
The best way to tell that you are using approved course materials is by working with a Licensed Training Provider in good standing.
CMMC Training – Training Providers
To find a Licensed Training Provider (LTP), search the Cyber-AB Marketplace.
These training providers are able to source materials from any of the LPPs that have approved curriculum. So they should be offering courses now, as long as they have at least one provisional instructor willing to work with them.
You should feel confident that if an LTP is listed in the Marketplace, they are using authorized materials and having a Provisional Instructor teach the course.
If you want to take CCP training, there are courses available now. The training seems to average between $2,000 and $4,000 depending on the training provider and the course materials they select. There are huge differences in the quality of course materials. Some publishers have spent the effort to add additional clarification and nuance to topics, while others have essentially “copied-and-pasted” from the source materials put out by DoD. In addition, the individual provisional instructors teaching can really make or break a course.
What is in the CCP Training?
CCP training is based upon the below blueprint:
The CCP Training will cover the following basic topics:
- Defining CUI and FCI (and regulations)
- Contributing cybersecurity frameworks
- How to read the CMMC model documentation
- How to perform CMMC Level 1 scoping
- The “CMMC Assessment Process”
- CMMC Level 1 practices
The CCP exam
Once you take the training, you will still need to pass a proctored exam.
If you haven’t been living and breathing CMMC for the last few years, you will probably need to self-study quite a bit before the exam.
As an instructor and as someone who took the CCP exam themselves, I recommend treating the CCP study as “trivia” – make sure you know the definition of each term related to CMMC and common statistics about CMMC.
The CCA Training
As of November 2022, the Certified CMMC Assessor training is just becoming available. We don’t know what it will be like yet. The training topics are based upon the CCA blueprint below.
The CCA Exam
The beta exam was released to a few key people (mostly Provisional Instructors and Provisional Assessors). I took the exam this week. It is much more intense than the CCP exam. Instead of single sentence questions, the typical CCA question is a paragraph which needs to be carefully parsed out and compared against several options to find the “best” answer – meaning that many answers are not obviously right or wrong.
This exam is heavily focused on the CMMC Model – practices and assessment objectives. It also spends a significant amount of time analyzing external service providers, boundaries, and scoping.
Working as a CMMC consultant?
The CCP course is an excellent source of information about CMMC, and almost seems designed for consultants and managed service providers.
Consultants, internal compliance officers, and Managed Services Providers need to know how assessors judge solutions, so that they can pick the correct implementation strategy for their companies. I strongly believe that consultants need to be more knowledgeable than assessors on the topic of CMMC because not only do they need to know “what right looks like”, they also need to know how to implement it and how to change a company’s culture to support compliance.
What is the benefit of the course? Assuming you’ve already been working on CMMC projects, the primary benefit is you get to learn what the assessors will think is acceptable or not acceptable.
Your class should have discussions about various practices which identify what the minimum expectation is for the practice. Ideally the class should also discuss commonly misunderstood practices, especially ones where assessors tend to introduce their own bias. The class should have in-depth discussions about policy, process, and plan expectations.
As a consultant, I would be more careful about who you choose as a CCP instructor. Try to find an instructor who was in charge of a CMMC Level 2 compliance project and passed. They can give key information about which solutions were acceptable to the DoD.
Want to get on an assessment team?
Check this infographic from the Cyber-AB which shows the path to become a CMMC Assessor: https://cyberab.org/portals/0/CyberAB_infographic_V5.png
My students are having the most trouble with the concept that CCPs must “participate on three Level 2 assessments assessing only Level 1 practices” before they are eligible to become a CCA. This is frustrating because a C3PAO is not motivated to bring in a CCP for a handful of practices which aren’t even contained to a single domain. It is definitely not cost effective. Today (Nov 2022), there are no CMMC assessments occurring until the new DFARS rule is published in 2023 or 2024. So we are forcing CCPs to stay CCPs for 1-2 years, without giving them an opportunity to advance. When CMMC assessments are finally allowed, we will still be operating with a minimum pool of provisional assessors.
Here is the timeline to become an assessor
Pre-requisites for citizenship and experience can be found on the CMMC-AB Assessors page.
- Submit an application for Certified Assessor ($200) on the CMMC-AB website.
- Take a CCP course now. ($2000 – $4000)
- Begin self-studying (most people currently working with CMMC will have trouble with the federal regulation language, reference cybersecurity frameworks, and the CMMC Assessment Process)
- Take the CCP exam
- Submit your paperwork to the CMMC-AB requesting CCP.
- Wait a ?month? for processing
- Get listed as a CCP on the Marketplace (it is possible that the Cyber-AB will not list you until you have a background check – see next item)
- Get sponsored for a Tier 3 background check (if you have a clearance already, this is <1 month. If not, this can take 8+ months)
- Wait for real CMMC assessments to be allowed (mid 2023 or 2024)
- Once CMMC assessments are allowed, apply to be part of a C3PAO’s assessment team for a few practices.
- Attend 3 assessments (typically 2-3 months), participating minimally
- Take the CCA training ($2000 – $4000)
- Take the CCA exam
- Submit your paperwork to the CMMC-AB requesting CCA.
- Wait a ?month? for processing
- Get listed as a CCA on the Marketplace
- Congratulations, now you can assess Level 2 practices as part of an assessment team.
- How to be a Lead Assessor? That is yet to be determined.
What about Provisional Assessors?
According to the CMMC-AB website, provisional assessors will be required to take and pass the CCP and CCA exams within 6 months of the release date. “If you are a Provisional Assessor or Provisional Instructor you are required to take the CCP Certification Exam within 6 months from the time it launches (tentatively Feb 2022)”
This means we might see Provisional Assessors going through the training themselves if they are not certain about the materials (or if they fail the exam on their first attempt).
This also means that we could lose a significant number of Provisional Assessors (potentially 50%) who cannot pass the test for their own credential. This is significant in two ways: 1) it will improve quality by weeding out non-technical assessors; 2) it will reduce the pool of potential assessors even more, slowing down the rollout of CMMC certifications.
There you go. That is how to become a CMMC auditor. At least for now!
Amira Armond is a CMMC Provisional Instructor, Provisional Assessor, CISSP, and CISA. She is the owner and Quality Manager for Kieri Solutions, an authorized C3PAO offering assessments, CMMC preparation services, and the Kieri Compliance Documentation package. Amira Armond is the chief editor for CMMCaudit.org and volunteers with the C3PAO Stakeholder Forum, an industry group striving for consistency of interpretation and successful rollout of the CMMC program.