How to become a Certified CMMC Assessor (CCA)

Patrick Mallory
June 29, 2021 by
Patrick Mallory

If there wasn’t already enough evidence for the need for a cybersecurity maturity model certification (CMMC), recent security events like the SolarWinds supply chain exploitation and the Colonial Pipeline ransomware demonstrate how important it is to implement proactive information systems defenses. 

The U.S. Department of Defense (DoD) already began the process of bolstering its information security practices and capabilities and paired that initiative with the implementation of the CMMC Standard. The CMMC Standard introduced new controls to the DoD’s procurement process, requiring the over 300,000 companies that provide goods and services as part of the overall defense industrial base supply chain to integrate new methods and standards “to protect sensitive defense information on their information systems.” These standards were developed with the support of the private sector, University-affiliated research centers and federally funded research and development organizations.

While the CMMC was first announced in January 2020,  it wasn’t until the last few months that more information was published to provide companies with the specifics on how they can meet the CMMC standard. While there are many key roles, levels and standards, the most prominent step is each supplier having their information systems independently evaluated as meeting the CMMC standard’s security requirements. 

And that’s the role of a certified CMMC assessor (CCA).

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

Overview of CMMC CCA responsibilities

Prior to the introduction of the CMMC standard, DoD contractors, suppliers and other members of the defense supply chain had to self-certify that they were implementing and maintaining the necessary information security controls, tools and capabilities needed to protect their DoD-related projects and data. 

With the introduction of the CMMC standard, however, DoD suppliers are now required to have an independent, third-party evaluation of their security controls, overseen and conducted by trained professionals who are certified by the CMMC Accreditation Body (CMMC-AB). These independent groups are more officially known as CMMC third-party assessor teams or CMMC third-party assessor organizations (C3PAOs). 

C3PAOs are led by CCAs who work with certified CMMC professionals to perform CMMC standards evaluations from start to finish. At the end of their evaluation, each DoD supplier will have the maturity, reliability and strength of their cybersecurity protocols rated on a scale of five levels. Each of the five levels builds upon the others’ “technical, security competencies and cybersecurity best practices.”

How to become a certified CMMC assessor

The CMMC accreditation body outlines a number of initial requirements and steps a security professional must satisfy in order to become a certified CMMC assessor level one, CMMC CCA-1.

According to the official CMMC CCA guidance, an individual is required to possess either of the following: a college degree in a technical field or other equivalent experience (including military) OR two or more years in cyber or other information technology fields

Other requirements include:

  • Hold the CMMC professional certification in good standing
  • Meet the respective citizenship requirements, based on the country of performance and the type of assessments (also known as maturity level one) performed
  • Have their application approved by the CMMC-AB, confirming their education and experience requirements
  • Pay the necessary application, observations and maintenance fees
  • Complete certified CMMC assessor level one class
  • Pass the CMMC CCA-1 exam
  • Activate their certification post-application acceptance, exam completion and successful assessment supervision
  • Maintain their CMMC CCA status, including annual maintenance fees

Finally, and most importantly, the security professional is then required to conduct their first assessment under contract with a C3PAO, under the supervision of a senior observer, known as a CMMC-AB quality assurance approval, who ultimately reports their satisfactory performance to the CMMC-AB.

Once all of these steps are completed, according to the CMMC accreditation body, then the security professional is:

  • Authorized to led CMMC assessment teams 
  • Eligible to continue their training and growth to become a CCA level two assessor
  • Able to present their credential as an employee with the training to understand the requirements of CMMC for a DoD supplier
  • Authorized to use the certified CMMC professional logo
  • Listed in the CMMC-AB marketplace of certified professionals

The CCA certification level progression

After completing the CCA-1 certification, security professionals can decide to continue their training to earn the certified CMMC assessor level three (CMMC CCA-3) and the certified CMMC assessor level five (CMMC CCA-5)designations.

While the training and applications to achieve the CCA-1, CCA-3 and CCA-5 levels are not yet officially released, the additional levels are based on:

  • The completion of their respective exams
  • Favorable suitability determinations or an active clearance
  • Additional years of experience in cybersecurity or information technology
  • Completing a requisite number of CMMC assessments

Once the security professional achieves these CCA-3 and CCA-5 levels, they are then able to lead up to maturity level three and up to maturity level five assessments, respectively.

The future of the CMMC CCA profession

With recent cyberattacks, prominent supply chain breaches, and ransomware threats catching the attention of security professionals and the public alike, the requirement of DoD suppliers to meet the CMMC standards has never been more important. And, for those that possess the Certified CMMC Professional (CCP) and CMMC CCA credentials, their experience and knowledge of the CMMC standards will only grow in importance.

Given the estimated 300,000-plus organizations currently doing business with the DoD, those companies looking to form third-party assessment organizations will be actively on the lookout for security professionals who are also trained, experienced and certified CMMC CCA experts at all levels to fulfill their vital role. Add in the fact that there are DoD offices, bases and stations located around the world and in every state, there will be a lot of flexibility and wide opportunities for CMMC professionals to work.

In the future, CCAs can choose to continue their growth in the CMMC field by achieving the certified CMMC instructor designation, which allows them to teach those growing in the field and pass on their experience and training.

Finally, those with CMMC certifications can also be directly employed by DoD suppliers themselves, assisting with evolving their security controls, protocols, tools and procedures before an assessment or after, helping to remediate deficiencies that were found during the assessment process. 

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

Begin your CCA journey

The launch of the CMMC standard in 2020 was a big step toward improving the security of the DoD’s supply chain, requiring the strengthening of the security standards of those organizations that support their mission and independently certifying their progress. However, to have each supplier achieve the CMMC standard at the requisite maturity level is going to take a lot of work, time and trained CMMC professionals with the necessary experience to get them there. 

If you are ready to continue your growth as a security professional and begin the process to achieve the CMMC CCP and CMMC CCA certifications, we welcome you to learn more by clicking here.



Patrick Mallory
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.