

Ecosystem Professions

Assessors and Assessment Organizations

CMMC Assessors

Becoming a CMMC assessor requires developing skills and knowledge through training, testing, and assessment experience.

Please review the information below to begin the process.

To become a Certified CMMC Professional (CCP):

If you plan to pursue the Certified CMMC Assessor (CCA) certification to participate on Level 2 assessments, are a US citizen, and have successfully completed your CCP training, you will be notified about completing the Tier 3 Investigation process.

Becoming a DoD certified Level 2 assessor requires, beyond the CCA training and certification, participation on three (3) Level 2 assessments as a team member. These three (3) assessments must be completed prior to becoming an “official” DoD certified assessor.

To become a Certified CMMC Assessor (CCA):

  • Review the CCP Blueprint to understand if you are ready to pursue becoming a CMMC assessor.
  • Complete the CCP application process to obtain your CMMC Professional Number (CPN).
    • Note: You are not required to complete the application process and have a CPN before pursuing training with an LTP; however, if you want to take the CCP exam, you must provide a CPN to your selected Licensed Training Provider (LTP) by the completion of your training so they can upload your successful training completion into the CAICO tracking system.
  • Take CCP training with an LTP. LTPs can be found through the CMMC Central Marketplace.
    • Note: Only individuals successfully trained by an LTP will have access to register to take the CCP exam. A candidate cannot pursue becoming a Certified CMMC Assessor (CCA) without earning their CCP certification first.
  • Sign the Professional Code of Conduct (CoPC)
  • Complete the training survey provided by the CAICO
    • Note: Date of survey release TBD, but if you have successfully completed training and your LTP has submitted your information with CPN, you will receive a notification once the survey goes live. To check if your training has been marked as complete, log into your account to view your profile status.
  • Pay exam fee, register for exam, and take and pass CCP certification exam
    • Review, complete and submit your Tier 3 Investigation application.
      • Note: The Tier 3 Investigation process is a DoD process and the staff at the CAICO have no visibility into the status of the application once it has been submitted. The CAICO is notified of the findings at the same time as the candidate. Therefore, we cannot respond to suitability status update requests. The process does take a significant amount of time and could take up to six (6) months or more to complete.
    • Note: There is a waiver process, along with requirements and restrictions, for a CCP to participate on these assessments. The waiver process is currently being finalized by the DoD; once it has been approved, this page will be updated with the process and details.
    • Review the CCA Blueprint prerequisites.
    • Take CCA training with a Licensed Training Provider (LTP). LTPs can be found through the CMMC Central Marketplace.
      • Note: Only individuals successfully trained by an LTP will have access to register to take the CCA exam.
    • Complete the training survey provided by the CAICO
      • Note: Date of survey release TBD, but if you have successfully completed training and your LTP has submitted your information with CPN, you will receive a notification once the survey goes live. To check if your training has been marked as complete, log into your account to view your profile status.
    • Pay exam fee, register for exam, and take and pass CCA certification exam
    • Achieve a favorable Tier 3 Investigation

CMMC Third-Party Assessment Organizations

To become a CMMC Third-Party Assessment Organization (C3PAO):

  • Requirements for Authorization
    • Complete Application
    • Pay application fee
    • Pass Organizational Background Check via data provided to the CMMC-AB by Experian
    • Be a U.S. citizen-owned business and successfully pass a FOCI and SF-328 review
    • Complete interview with Cyber AB
    • Sign the C3PAO Agreement and Code of Professional Conduct (CoPC)
    • Pay activation fee (valid for one year following your Authorization date)
    • Maintain an association with at least one CMMC Certified Assessor (CCA), and one quality assurance individual who is also a CCA.
    • Pass DoD automated organizational background check
    • Pass a CMMC Level 2 assessment conducted by DCMA DIBCAC
    • Provide verification of insurance
      • General Liability with CMMC Accreditation Body as an Additional Insured ($1M minimum)
      • Errors and Omissions Policy ($1M minimum)
      • Cybersecurity Liability Policy ($1M minimum)
    • Possess an Assessment Appeals Process approved by the CyberAB
  • ISO 17020 Accreditation
    • ISO 17020 accreditation will be conducted by the CMMC-AB. The timing regarding the enforcement of this requirement is being finalized.

Certified CMMC Professional (CCP)

an individual

CCP Enroll Here

A CCP is a person seeking to become responsible for the assessment, examination, verification, and review of an organization for compliance with a respective level of CMMC standards. They will utilize compliance checklists prescribed by the CMMC standard to control scope and ensure fairness in applied criteria. Assessors may work for a C3PAO or be independent.

A CCP is eligible to become a CMMC Certified Assessor (CCA), participates in assessments up to CMMC Level 2, and holds a valuable credential reflecting the training to understand the CMMC requirements for a Defense supplier.

Certified CMMC Assessor (CCA)

an individual

Coming Soon

Upon completion of the CCP certification program, and if the individual has met the prerequisites for the CCA program, they can begin their training with a Licensed Training Provider (LTP). Preparing to become a CCA requires not only training and passing a high-stakes certification exam, but also participation on three (3) Level 2 assessments to gain the hands-on experience to become a Certified Level 2 Assessor.

An individual who becomes a CCA to work in an assessor capacity on Level 2 assessments must work for a Certified Third-Party Assessor Organization (C3PAO).

Individuals holding multiple designations (RP/PRA and Assessor Certifications) cannot assess a company if they have previously assisted with an implementation consultation for that same company.

CCAs are required to take training from a Licensed Training Provider (LTP) found on the CMMC Central Marketplace. Only training with an approved LTP will qualify the candidate for access to the Certified CMMC Assessor examination.

CMMC Third-Party Assessment Organization (C3PAO)

an organization

C3PAO Enroll Here

A C3PAO is an organization that has successfully passed a rigorous series of requirements to become acknowledged by the CMMC Accreditation Body, on behalf of the DoD, as being objective and competent to perform assessments of OSCs. C3PAOs adhere to assessment criteria that must be consistent and unbiased and must follow a prescribed approach that is utilized similarly across all C3PAOs. They are certified to assess based on the CMMC standard; only Cyber-AB recognized assessors utilized by the C3PAO may conduct authorized assessments.

Want to become a Member?

Membership in the CMMC-AB community, and visibility within the CMMC marketplace, is reserved for those organizations and individuals that successfully complete and pass their respective application and onboarding process, which includes formal review and authorization by the CMMC-AB.

Please click on the appropriate enrollment button above to start the process.