The Certified CMMC Professional (CCP) Certification Guide (2024)

What is CCP certification? 

The Certified Cybersecurity Maturity Model Certification (CMMC) Professional (CCP) is the first step in the journey to becoming a Certified CMMC Assessor (CCA). For those working closely with the Department of Defense (DoD) across the defense supply chain, the CMMC framework is the latest cybersecurity model to identify, assess and mitigate cyber risk. 

    • Learn the specific set of compliance requirements to comply with CMMC 
    • Understand the different CMMC maturity levels and how they apply to organizations 
    • Ideal for IT auditors, security engineers, compliance officers, risk managers and more

Key facts

  • Average information risk analyst salary: $112,398
  • Experience needed: College degree, equivalent experience or 2+ years in IT or cybersecurity
  • Full CMMC implementation: Expected by Fall 2025 

Start your journey to earning your Certified CMMC Professional certification with Infosec.

CMMC CCP exam overview

The CCP exam tests your knowledge of the CMMC framework and the CMMC ecosystem. Passing the exam, which covers six domains, is part of your journey to becoming a Certified CMMC Professional. 

Domain 1: CMMC Ecosystem (5%)

In this domain, you'll need to identify and compare roles, responsibilities and requirements of different authorities across the CMMC ecosystem. These organizational bodies include the Office of the Undersecretary of Defense, the Cyber Security Maturity Model Certification Accreditation Body, CMMC assessors, Licensed Training Providers and more. You'll need to recognize the responsibilities of these individuals while also understanding how they function together.

Domain 2: CMMC-AB Code of Professional Conduct (Ethics) (5%)

This domain covers the guiding principles and practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements. You'll be required to understand general ethics topics around professionalism, objectivity, confidentiality and proper use of materials, as these are critical skills in maintaining high-quality defense standards. 

Domain 3: CMMC Governance and Sources Documents (15%)

As you receive and transmit FCI and CUI, you'll need to understand the rules and regulations around each type of controlled information. The CMMC v2.0 program requirements focus on streamlined models, reliable assessments and flexible information. You'll also need to identify Foundational/Level 1 and Level 2 CMMC assessments and requirements, as well as the consequences of non-compliance.

Domain 4: CMMC Model Construct and Implementation Evaluation (35%)

This domain evaluates your ability to apply the appropriate CMMC Source Documents as an aid to evaluate the implementation and review of CMMC practices. This includes the model architecture, model levels, practices and domains. You'll also need to display adequate knowledge of using evidence in different scenarios. 

Domain 5: CMMC Assessment Process (CAP) (25%)

This domain covers choosing the appropriate roles of the CCP in the CMMC Assessment Process and applying those process requirements that pertain to the role of a CCP team member on the assessment team. You'll also need to demonstrate comprehension of the CCP role in the preparation of the assessment report and the evaluation of outstanding assessment issues. You'll also need to determine the appropriate phases/steps to assist in the preparation/conducting/reporting on a CMMC Level 2 Assessment.

Domain 6: Scoping (15%)

For the final domain, you'll need to understand organizational scope at a high level and analyze the organization environment to generate an appropriate scope for FCI assets.

CMMC CCP exam details

Two common questions are "Is CCP certification worth it?" and "How long does it take to get CCP certification?" Passing the CCP exam is required if you want to work as a CMMC Assessor, but the time it takes to officially become a CCP varies. Once enrolled in training from a Licensed Training Provider (LTP), the training is only five days followed by the exam. However, the full CCP application process can take 2-6 months. For more information, see the timeline from the Cyber AB. 

Launch date: 2022
Last update: 2022
Number of questions:
Type of questions: Multiple-choice
Length of test: 3.5 hours
Passing score: 500 points
Recommended experience: College degree or 2+ years of related experience; CCP training from an LTP; pass DoD CUI Awareness training (see full details)
Languages: English
Duration (how long it's valid): 1 year (annual renewal fee required)
CPE requirements: To be determined

Speak to an Infosec rep for the most up-to-date information on CCP certification costs.

Additional CCP resources

Taking a training course is required to earn your CCP, which is the only and best certified CMMC Professional certification available. As part of the CMMC ecosystem, Infosec is both an LPP and an LTP, so you can rest assured the training meets the requirements and high standards set by the Cyber AB. 

CMMC Licensed Publishing Partners

The Cybersecurity Assessor and Instructor Certification Organization (CAICO) approves Licensed Publishing Partners (LPP) like Infosec to develop a curriculum that aligns with the certification exam objectives blueprint. The DOD limits LPPs to a maximum of 20. 

CMMC Licensed Training Provider

An LTP is an established training organization that CAICO has approved. Like Infosec, those in the CMMC marketplace have been vetted and are responsible for delivering CMMC training using LPP materials.

Other free CMMC training resources 

There are a number of free resources available to help understand the CMMC framework and ecosystem:

  • The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) ecosystem and a great resource for additional information.
  • The DoD CIO website contains official CMMC documents, including the model overview, scoping guidance, assessment guides and more.
  • Infosec's CMMC ebook (coming soon) is designed to get you up to speed quickly on the CCP and CCA certification process and includes answers to students' most common CMMC questions.

CCP jobs and careers

Certified CMMC Professionals have valuable skills that can apply to careers in CMMC compliance and beyond. Your CCP certification salary will likely vary depending on your job title, location and experience. 


Common CCP job titles 

  • IT auditor
  • Security engineer
  • CMMC compliance manager/officer
  • Compliance analyst
  • Risk and compliance manager
  • Consultant

CCP training and exam prep

You have two primary options when exploring CCP exam prep and other CMMC-related training: live, instructor-led boot camps and self-paced training courses.

CCP certification comparisons and alternatives

CCP is an excellent certification, but there are other options you should be aware of — both inside and outside the CMMC ecosystem.

CMMC CCP vs. CMMC Registered Practitioner

A Registered Practitioner can provide CMMC implementation consulting services and guidance to organizations as they prepare before an assessment. This is a critical role in identifying gaps and mitigation strategies before a CCP evaluates. On the other side of the assessment, CCPs provide specialized expertise in maintaining a robust security posture as part of the CMMC assessment process.


The Certified CMMC Assessor (CCA) is the next step on your journey to become a DOD Certified CMMC Assessor — after you earn your CCP. CCAs can take on additional responsibility, such as the ability to work as an assessor on Level 2 assessments if they work for a Certified Third-Party Assessor Organization (C3PAO).


CCP is specific to CMMC controls, while the Certified Information Systems Auditor (CISA) is aimed at broader IT auditing and controls. The CCP designation helps navigate the intricacies of the CMMC framework. CISA is a globally recognized certification focused on auditing, controlling, monitoring and assessing information systems across the entire infrastructure.

Explore Infosec certifications to find the best fit for your career goals.