CMMC Certified Professional (CCP): Requirements, exam & career path [2026]

May 19, 2026 by Stephan Miller

With the Department of Defense's formal CMMC implementation beginning on November 10, 2025, the Defense Industrial Base needs qualified professionals who can assess and verify cybersecurity compliance. The CMMC Certified Professional (CCP) certification positions you at the entry level of this growing field, opening doors to assessment teams, consulting opportunities and internal compliance roles. 

This guide covers everything you need to earn your CCP certification, from prerequisites to exam passage and career building. 

Note: As of April 2026, all certification activities have moved to ISACA, which now serves as the CMMC Assessor & Instructor Certification Organization (CAICO). Learn how this affects the CCP certification in our webinar with ISACA. 

What is a CMMC Certified Professional? 

A CMMC Certified Professional holds the foundational certification within the CMMC ecosystem. CCPs understand the CMMC 2.0 framework (with three levels covering FCI protection through enhanced CUI security), assessment processes and how to evaluate organizational cybersecurity practices against NIST SP 800-171 requirements. 

CCPs serve as team members during assessments under CMMC Certified Assessor (CCA) supervision. They also support organizations preparing for certification through readiness assessments and control implementation. 

Prepare for the new era of CMMC

Join Infosec Institute and Todd Gagnon, ISACA CAICO Director, to learn how the CMMC is changing.

What does a CCP do? 

Primary responsibilities 

As a CCP, you may participate in CMMC Level 2 assessments as part of a C3PAO team. Your work may include evaluating evidence against requirements, conducting interviews, testing security controls, documenting findings and contributing to assessment reports. 

One critical distinction: CCPs cannot lead assessments independently. You work under the supervision of a Lead CCA, who maintains ultimate responsibility for assessment conclusions.

Work settings 

  • C3PAO organizations: Assessment companies employ CCPs as team members for formal Level 2 assessments. 
  • Defense contractors: Companies handling CUI need internal CCPs to manage ongoing compliance and prepare for assessments. 
  • CMMC RPOs: Consulting firms employ CCPs to conduct gap analyses and readiness checks. 
  • Independent consulting: Experienced CCPs provide compliance guidance and preparation services. 

CCP vs. RP vs. CCA 

Understanding the different CMMC roles helps clarify the CCP's position within the ecosystem:

| Role | Can assess | Can lead assessments | Training required |
|---|---|---|---|
| Registered Practitioner (RP) | No | No | Basic CMMC training |
| CMMC Certified Professional (CCP) | Yes (with role limits) | No | 40-hour ATP training + exam |
| CMMC Certified Assessor (CCA) | Yes | Yes | CCP + CCA training + exam |

RPs provide implementation support and consulting but cannot participate in formal assessments. CCPs can participate in assessment activities within the limits of the CCP role but need CCA supervision. Lead CCAs lead official CMMC assessment teams. 

Compare the RP vs. CCP roles in more detail, or compare certifications to see all options. 

CCP requirements 

Education requirements 

You need ONE of the following: 

  • A college degree in a cyber or information technical field 
  • Two or more years of related education experience 
  • Two or more years of related experience, including military experience, in a cyber, information technology or assessment field 

Experience requirements 

Minimum 2 years of professional experience in cybersecurity implementation, IT systems administration, CMMC-related compliance or audit/assessment work. This should demonstrate practical knowledge of security controls, risk management or compliance frameworks. Entry-level help desk roles typically don't qualify unless they include security responsibilities. 

Background investigation requirements 

CCP candidates must attain a positively adjudicated Tier 3 background investigation by the Department of Defense as part of the certification process. This Tier 3 determination is used to establish national security eligibility for participation in CMMC assessment activities and program requirements; it does not grant or authorize a security clearance. Candidates who are not eligible to obtain a Tier 3 background investigation must meet a DoD-determined equivalent for use with the CMMC Program. 

Recommended preparation 

While not required, CompTIA A+ or equivalent knowledge helps demonstrate foundational IT competency. DoD CUI Awareness Training is useful preparation for CCP candidates and may be required for industry personnel on contracts involving CUI, but ISACA’s current public CCP certification requirements do not list it as a standalone certification requirement. 

How to become a CCP: Step-by-step process 

Authorized Training Partners like Infosec Institute work closely with ISACA and can help guide you through the latest CCP certification and training process as part of your CCP training. The general process is documented below. 

Step 1: Verify your qualifications 

Confirm you meet the education and experience requirements. Document your 2+ years of qualifying experience and gather transcripts or degree documentation if needed. 

Timeline: Immediate

Step 2: Apply for your CPN 

Apply through ISACA, which now manages CCP certification activities as CAICO. Submit education verification, work experience details, any required identity or background-investigation information and pay the $200 application fee. 

Timeline: 1–2 weeks

Step 3: Complete required training (40 hours) 

CCP training must come from an Approved Training Provider (ATP). The 40-hour curriculum covers: 

  • CMMC Ecosystem (5%) 
  • Code of Professional Conduct (5%) 
  • CMMC Governance and Source Documents (15%) 
  • CMMC Model Implementation (35%) 
  • CMMC Assessment Process (25%) 
  • Scoping (15%) 

Training is available as a 5-day intensive CCP Boot Camp through Infosec or via other training providers.

Timeline: 5 days (intensive) or 2–4 weeks (part-time)

Cost: $2,000–$5,000, depending on the provider

Infosec offers CCP boot camp training as an Approved Training Provider. 

Step 4: Schedule and pass the CCP exam 

After completing ATP training, register for the exam through ISACA. 

Exam details: 

  • 170 multiple-choice questions 
  • 3.5 hours, computer-based, closed-book 
  • Passing score: 450 (scale of 200–800)
  • Test center or online proctoring 
  • Application processing fee: $200 
  • Exam: $575 for ISACA members, $760 for non-members 

You'll receive your preliminary passing status immediately after completing the exam. The official score will be emailed and available online within 10 working days. Test center exams require 48 hours' notice to reschedule. 

Failed attempts: Retake after 30 days. A second failure requires completing training again. Individuals have four attempts within a rolling 12-month period to pass the exam. Those who do not pass on their first attempt are allowed to retake the exam a total of three more times within 12 months from the date of the first attempt. 

Timeline: Schedule when ready after training

Step 5: Complete background investigation 

After you complete CCP training, pass the exam and apply for certification, ISACA validates your experience and sends your information to The Cyber AB, which continues to run point on Tier 3 investigations for CCPs and CCAs. 

Timeline: 4–6 weeks

Step 6: Receive your CCP credential 

Once the background investigation is completed and positively adjudicated, you receive your official CCP certification. You can download your digital credential, list yourself in the CMMC Marketplace, use the CCP acronym after your name and participate in assessments under CCA supervision. 

Timeline: 1–2 weeks after background clearance

Total timeline: 3–4 months from application to credential

CCP certification costs 

Budget for both initial certification and ongoing maintenance: 

Initial costs 

| Item | Cost range |
|---|---|
| CCP application fee | $200 |
| ATP training | $2,000–$5,000 |
| Exam fee | $575/760 (member/non-member) |
| Total initial investment | $2,775–$5,960 |

Annual maintenance 

| Item | Cost |
|---|---|
| Annual renewal fee | $45 for members, $85 for non-members |
| Continuing education | Varies by source |
| Estimated annual cost | $45–$85, plus any costs for CPE activities |

Your CCP certification is valid for three years. You'll pay the annual renewal fee each year to maintain active status. 

Training costs vary significantly between providers. Shop around but verify that the provider is listed as an ATP in the CMMC Marketplace. Unauthorized training won't qualify you for the exam. 

Understanding the CCP exam 

Content breakdown 

The exam tests knowledge across six domains: 

  • CMMC Ecosystem (5%): Organizational roles, responsibilities and how the CAICO, Cyber AB, C3PAOs and other entities interact. 
  • Code of Professional Conduct (5%): Ethical principles, professional standards and appropriate responses to ethical dilemmas. 
  • CMMC Governance and Source Documents (15%): Model architecture, levels and source documents, including NIST SP 800-171, FAR clauses and DFARS requirements. 
  • CMMC Model Implementation (35%): Evaluating practices across the 14 CMMC domains, assessing evidence and determining compliance. 
  • CMMC Assessment Process (25%): Assessment phases from planning through reporting and the CCP's role throughout. 
  • Scoping (15%): Determining appropriate boundaries for FCI and CUI assets and establishing assessment scope. 

Question format 

All 170 questions use a multiple-choice format, with varying levels of complexity: straightforward knowledge recall, scenario-based application and multi-step analytical problems. Scenario questions test understanding rather than memorization. 

The exam uses scaled scoring from 200 to 800. A scaled score of 450 represents the minimum passing score. You don't need minimum scores in individual domains. 

Study strategies 

  • Master the source documents: The CMMC Assessment Guide, NIST SP 800-171 and CMMC Model Overview form your foundation. 
  • Use the blueprint: The official CCP exam blueprint on the ISACA website lists specific tested topics. Build your study plan around it. 
  • Practice application: Work through scenarios applying CMMC practices to realistic situations. 
  • Focus on weak areas: After ATP training, spend extra time on domains where you struggled. 
  • Join study groups: Discussing difficult concepts with other candidates helps solidify understanding. 
  • Take practice exams: Practice questions help identify areas needing more study. 

The exam tests your ability to apply CMMC knowledge in context, not just memorization.

CCP career opportunities 

Job roles 

  • CMMC Assessment Team Member: Support Level 2 assessments as part of an authorized or accredited C3PAO team, within the limits of the CCP role. 
  • Compliance Manager (Defense Contractor): Maintain CMMC compliance, prepare for assessments and manage ongoing security requirements for your employer. 
  • CMMC Consultant (RPO): Provide readiness assessments, gap analyses and implementation guidance to organizations preparing for certification. 
  • Internal Auditor: Conduct regular internal assessments to ensure continued compliance between official C3PAO assessments. 
  • Security Analyst with CMMC Focus: Apply CMMC knowledge to security operations where compliance requirements enhance your value. 

Job market outlook 

CMMC is expected to affect hundreds of thousands of organizations domestically and internationally, creating sustained demand for qualified CMMC professionals. The CAICO transition to ISACA aims to significantly scale the certification program. Todd Gagnon, head of ISACA's CAICO program, noted in December 2025 that "the number of professionals is nowhere near adequate right now." 

C3PAOs continue receiving accreditation, expanding assessment capacity. Defense contractors increasingly staff internal compliance positions. The phased CMMC implementation through November 2028 creates sustained demand for qualified assessors.

Advancing from CCP to CCA 

The CCP serves as your entry point into CMMC assessment careers. CMMC Certified Assessor certification expands your opportunities and responsibilities. 

CCA requirements 

To pursue CCA certification: 

  • Hold an active CCP credential 
  • Complete CCA-specific training from an ATP 
  • Pass the CCA exam (150 questions, 4 hours, 450+ scaled score) 
  • Complete the application process and pay applicable fees
  • Demonstrate required experience 
  • Hold a Tier 3 determination 

The CCA exam focuses on evaluating organizations seeking certification (15%), CMMC Level 2 assessment scoping (20%), CMMC Assessment Process application (25%) and assessing CMMC Level 2 practices (40%). 

Most professionals spend 1–3 years as a CCP before advancing to CCA, depending on assessment opportunities, performance and employer support.

Advance to CCA to understand the complete path to assessment leadership. 

Maintaining your CCP credential 

Annual requirements 

Your CCP certification requires ongoing maintenance: 

  • Annual renewal fee: $45 for ISACA members and $85 for non-members to maintain active status in the CMMC Marketplace 
  • Code of professional conduct: Annual attestation that you follow professional and ethical standards 
  • Contact information: Keep your profile updated with current details

Continuing professional education 

ISACA requires a minimum of 20 CPE hours annually and 120 CPE hours over a three-year period for CCP maintenance. 

CPE sources: CAICO-sponsored webinars, CMMC conferences, updated CMMC documentation study, teaching or presenting on CMMC topics and advanced cybersecurity training. 

Infosec Skills offers ongoing training to support CPE requirements and keep your CMMC knowledge current. 

CMMC professional certifications follow a three-year cycle with annual renewals.  

Next steps to becoming a CCP 

Ready to start your CCP journey? 

  1. Verify your qualifications: Review education and experience requirements. Gather documentation of your qualifying work history or degree credentials. 
  2. Research training providers: Compare ATPs in the CMMC Marketplace. Consider training format, instructor credentials, price and reviews. 
  3. Register for training: Apply through ISACA. Once approved, enroll in ATP training. 
  4. Study the CMMC framework: Before training, familiarize yourself with CMMC basics. Read the CMMC Model Overview and browse NIST SP 800-171. 
  5. Prepare for your exam: After ATP training, use practice questions, review weak areas and study source documents. Schedule your exam when you are confident. 

Organizations are preparing for CMMC assessments, C3PAOs are building teams and compliance roles are opening across the Defense Industrial Base. Your CCP certification positions you to meet this demand. 

Start your CCP training with the Infosec CCP Boot Camp, designed to prepare you for exam success. 

Frequently asked questions 

What's the difference between CCP and RP? 

Registered Practitioners (RPs) provide CMMC consulting and implementation guidance but cannot participate in formal assessments. CCPs complete more rigorous training, pass a certification exam and can serve on assessment teams under CCA supervision within the limits of the CCP role. CCPs cannot make final determinations. 

Do I need cybersecurity experience to become a CCP? 

Not necessarily in that exact form. ISACA’s current eligibility allows a qualifying technical college degree, two or more years of related education experience or two or more years of related experience, including military experience, in cyber, IT or assessment. 

How difficult is the CCP exam? 

The exam requires a solid understanding of CMMC 2.0, NIST SP 800-171 and assessment processes. Thorough preparation through ATP training and self-study leads to passing. The scoring is scaled (200-800) and you need at least 450 to pass. 

Can I work independently as a CCP? 

CCPs cannot lead CMMC assessments independently. You must work under CCA supervision during formal assessments. You can provide consulting, conduct readiness checks and support organizations preparing for certification on your own. 

How much can I earn as a CCP? 

Entry-level CCP positions typically range from $70,000 to $90,000. Experienced professionals earn $90,000–$120,000 or more, depending on role, location and additional qualifications. Treat these as estimates for related roles, not guaranteed CCP-specific compensation. Consult salary sites for the most up-to-date CMMC salary information.

What's the path from CCP to CCA? 

After earning your CCP, you need additional CCA-specific training, must pass the CCA exam and complete supervised assessment work. Current ISACA requirements also include the application process, required experience, a Tier 3 determination and the applicable DoD 8140.03 pathway requirement. 

Do I need a security clearance to be a CCP? 

ISACA’s public CCP requirements include a positively adjudicated Tier 3 background investigation by the DoD. This isn't the same as a security clearance for accessing classified information. 

What happens after ISACA takes over from Cyber AB? 

The transition is complete. Use ISACA for CCP, CCA, Lead CCA/LCCA and CCI credentialing and maintenance. The Cyber AB remains the CMMC Accreditation Body and continues to oversee the broader CMMC ecosystem. 

Stephan Miller

Stephan Miller is a senior software engineer. He currently works as a full-stack web and mobile developer for Shamrock Trading Corporation. Stephan has worked as a developer for over 20 years and as a freelance writer for over a decade. In his spare time, he spends time with his family and reads and attempts to write science fiction.