Best CMMC Training Providers for CCP and CCA Certification (2026)
By The Defense Compliance Report Editorial Team · Last reviewed:
If you searched for the best CMMC training providers for CCP and CCA certification, here’s the honest version before you spend a dollar: there is no single “best” provider, and any page handing you a ranked “top 10” is either guessing or selling you a seat in its own class. The useful answer is narrower. As of April 2026, ISACA — operating as the CAICO — runs all CCP and CCA training, exams, and certification, and the only training that qualifies you to sit the exam comes from a provider currently listed on the CyberAB Marketplace as an Approved Training Provider (ATP).
We’ll show you how to tell those providers apart, what each credential actually costs in 2026, the prerequisite that quietly disqualifies most CCA candidates — and the exact email to send a provider before you pay. First, the quick answer.
Which CMMC training path fits you?
| Your situation | Best-fit path | Verify before you pay |
|---|---|---|
| New to CMMC credentials | CCP first | Provider is a current ATP; the course is official CCP training; exam-fee handling is in writing |
| Already hold CCP, pursuing assessor work | CCA | Active CCP, CCA course eligibility, a DoD 8140 Work Role 612 baseline cert, Tier 3 process |
| Can’t leave your desk for a week | Self-paced or live-online CCP | Confirm the self-paced course still satisfies current exam eligibility |
| Employer is buying seats for a team | Live online / private cohort | Written invoice, seat-transfer terms, recordings, completion reporting |
| Want CCP and CCA fast | Bundle — only if experienced | Pacing, prerequisites, refund terms, exam-voucher rules |
| You’re a company trying to get your business CMMC-ready | You’re on the wrong page | Use Find My CMMC Path instead of buying individual training (see below) |
What we verified for this guide — last verified . We confirmed ISACA’s role as the CAICO and the April 2026 transition against ISACA’s own announcement and program pages; the CCP and CCA fees, exam logistics, and process order against ISACA’s published certification pages; the CCA and Lead CCA requirements against 32 CFR §170.11 on the federal eCFR; the DoD 8140.03 Work Role 612 requirement against ISACA’s CMMC page and the DoD Cyber Exchange; and the “three supervised assessments” clarification against the Cyber AB’s own FAQ.
Everyone else — individuals, consultants, MSP and MSSP staff, veterans moving into compliance, and DIB employees told to “go get certified” — keep reading. Before you compare a single course, run the provider check below so you don’t pay for training that can’t unlock the exam.
What changed in 2026: ISACA is now the CAICO for CCP and CCA
As of April 2026, ISACA operates as the CAICO — the CMMC Assessor and Instructor Certification Organization — and manages all training, examinations, and professional certification for the CCP, CCA, Lead CCA, and CCI credentials. The Cyber AB (the program’s accreditation body) authorized ISACA in December 2025 and remains responsible for the Tier 3 background investigations. If a guide still calls the Cyber AB the certifier, or mentions “Meazure Learning” exams, it’s describing the old system.
This is the single biggest reason most of what’s ranking for this search is out of date. The handoff was real and recent: ISACA announced the authorization on December 17, 2025, said services would fully transition by April 1, 2026, and confirmed the transition complete in an April 2026 update. We read all three. Three things changed that affect your wallet and your timeline:
- Where you register and certify moved to ISACA’s credentialing system. People who had Cyber AB accounts now manage everything inside ISACA’s platform.
- The exam vendor is now PSI (computer-based at authorized PSI test centers worldwide, or remotely proctored), not Meazure Learning. Registration is continuous — you can schedule as soon as 48 hours after paying.
- The fee structure changed. ISACA states that exam prices rose but annual renewal fees dropped, and that the three-year cost of holding both CCP and CCA is now lower than before the transition. We break the real numbers down below.
One naming note so you’re not thrown: ISACA’s newer materials refer to the “Department of War (DoW),” a secondary name now used for the Department of Defense. The binding regulations — 32 CFR Part 170 and the DFARS clauses — still say “Department of Defense.” We use DoD throughout.
Why this matters if you’re weighing the path. ISACA describes CMMC as affecting hundreds of thousands of organizations across the Defense Industrial Base, and the certified-workforce side is the bottleneck. ISACA’s own CAICO director, Todd Gagnon, told DefenseScoop in December 2025 that the number of qualified professionals was “nowhere near adequate,” and that scaling the pipeline was the entire reason ISACA took over from the smaller Cyber AB. Demand is not the question. Whether you qualify, which course unlocks which exam, and whether the provider you’re looking at is still current — those are the questions.
CCP vs CCA vs Lead CCA vs CCI: which CMMC credential do you actually need?
CCP (CMMC Certified Professional) is the foundational credential — it lets you support readiness work and serve on a Level 2 assessment team under a CCA’s supervision, and it is the mandatory prerequisite for CCA. CCA (CMMC Certified Assessor) lets you perform Level 2 assessments and make determinations inside a C3PAO. Lead CCA lets you run the engagement and issue the final determination; CCI is the instructor credential. Almost everyone starts with CCP, regardless of where they eventually want to go.
Here’s the part the sales pages blur. A CCP is not a junior CCA — it’s a different role with different authority. And a CCA is not a C3PAO; a C3PAO (Certified Third-Party Assessment Organization) is the company that holds the assessment authorization, while CCAs are the certified people who do the assessing on its behalf. We put the four credentials side by side:
| | CCP | CCA | Lead CCA (LCCA) | CCI |
|---|---|---|---|---|
| What it authorizes | Verify Level 1 practices; serve on a Level 2 assessment team under CCA supervision; readiness and consulting support. Cannot make compliance determinations. | Perform official Level 2 certification assessments on a C3PAO team and make determinations on requirements. | Plan, direct, and oversee a full Level 2 assessment and issue the final determination for the C3PAO. | Deliver official CMMC training (teach CCP/CCA courses). |
| Prerequisite credential | None required | Active CCP | Active CCA experience | Per CAICO instructor requirements |
| Experience | Recommended: degree in cyber/IT or ~2 years related experience (military counts) | ≥3 yrs cybersecurity + ≥1 yr assessment/audit | ≥5 yrs cybersecurity + ≥5 yrs management + ≥3 yrs assessment/audit | SME + teaching experience |
| DoD 8140 cert | Not required | One baseline cert at Intermediate+ for DoD 8140.03 Work Role 612 | One qualification at Advanced for Work Role 612 | — |
| Background check | Favorable Tier 3 (or DoD-determined equivalent) to participate in assessments | Favorable Tier 3 (or equivalent) — not required before the exam | Favorable Tier 3 (or equivalent) | Per program |
| Training | Mandatory ATP course (no self-study) | Mandatory ATP CCA course | Per program | — |
| Exam | CCP exam via PSI (170 questions; scaled 200–800; pass 450) | CCA exam via PSI | Per program | Per program |
| Renewal | 3-yr cycle; $45/yr member, $85/yr non-member; 20 CPE/yr, 120 over 3 yrs | Annual renewal + CPE | Per program | Per program |
| Best for | Consultants, readiness/MSP staff, anyone starting the path, or anyone who wants deep CMMC knowledge | Experienced security/audit pros who want to perform assessments | Senior assessors ready to lead engagements | Experienced practitioners who want to teach |
The practical takeaway: start with CCP. It’s required for CCA, the exam is optional if your only goal is the training and the knowledge, and it’s the lowest-risk way to find out whether this field is for you before you commit to the much heavier CCA path.
What are the best CMMC training providers for CCP and CCA — and why we won’t rank them
No single training provider is “best” for everyone, and we won’t pretend otherwise. A credible ranking would require independent, verified outcome data — pass rates, student results, audited quality — that no public source reliably has. So instead of a fake leaderboard, we give you the thing that actually protects your money: a short list of source-checkable criteria, the official directory to verify them against, and the email to send before you commit.
That’s our one admission, and we’d rather lead with it than bury it: we’re an independent trade publication on CMMC 2.0 and DIB compliance, not a course seller, so we can’t hand you a “#1 pick” the way a vendor’s own page can. Here’s why that’s the better deal for you. On this exact search, most of page one is either a provider ranking itself first or a guide that still describes the pre-ISACA Cyber AB model. Neither tells you how to avoid the expensive mistake — paying for training that can never unlock the exam.
Judge any provider on these eight things:
- Listed as an ATP on the CyberAB Marketplace? This is non-negotiable. Training from a provider that isn’t a listed Approved Training Provider is not “official,” and it will not give you access to the CCP or CCA exam.
- Instructors who are actual CCAs or Lead CCAs with real assessment experience — not generalists reading slides.
- Uses approved courseware developed by an Approved Publishing Partner (APP) and the current CMMC Assessment Process (CAP) version — 5.6.1 as of mid-2026 — which your ATP supplies. Don’t rely on an older copy posted publicly.
- Delivery format that fits you — live virtual, in-person, or self-paced — with a schedule you can actually make.
- Transparent pricing, including team or group discounts, posted before you have to call.
- Exam-prep depth: practice exams, blueprint mapping, and scenario practice, not just lecture.
- A clear retake policy. Retakes and any required retraining add cost, so confirm ISACA’s current retake policy before you register — first-attempt prep matters.
- Track record and responsiveness — how long they’ve delivered CCP/CCA, and whether they answer questions before you’ve paid.
A note on the trust signals practitioners actually talk about: in defense and GovCon forums, the recurring complaint isn’t course quality — it’s that the official marketplace is clunky and that some authorized providers have surprisingly thin websites. That’s exactly why a polished site is not a proxy for legitimacy, and why step one is always the Marketplace, not the homepage.
Before you pay for any course, do two things: send the provider the verification email (below) so the answers are in writing, then confirm their current status yourself on the official CyberAB Marketplace.
How to verify an Approved Training Provider on the official CyberAB Marketplace
The CyberAB Marketplace at cyberab.org is the authoritative public directory of Approved Training Providers, C3PAOs, RPOs, and certified individuals. Filter for ATPs, open the listing, and confirm its current status before you pay — listings can show organizations whose credentials have lapsed. If a training company isn’t listed as an ATP, its course is not official CMMC training and will not unlock the CCP or CCA exam.
This is the most important sentence on the page, so we’ll be blunt about the rule behind it. Per the Cyber AB’s own program documents, pure self-study is not allowed for these credentials, and access to the exam is gated on completing training through a listed Approved Training Provider. Your ATP — not you — reports your completion to the CAICO, and ISACA validates your application against that submitted training data. Buy from an unlisted “CMMC prep” course and you can do everything right and still be locked out of the test.
How to check, in under two minutes:
- Go to the CyberAB Marketplace and filter for training providers (ATPs).
- Open the provider’s listing and read the status field. Don’t rely on an old logo, a 2023 blog post, or a badge in an email signature.
- Screenshot the listing with the date for your own records before you pay.
One terminology note that trips people up: the role is now called Approved Training Provider (ATP); it was previously Licensed Training Provider (LTP). Likewise, the firms that build the official courseware are now Approved Publishing Partners (APPs), formerly Licensed Partner Publishers (LPPs). Same ecosystem, updated labels. A provider that still markets itself only as an “LTP” isn’t necessarily a problem — but the Marketplace status is what counts, so check it there.
The CMMC training provider comparison: what’s public, and what to verify
This is a shortlist of providers with public CCP and/or CCA course pages — not a ranking, an endorsement, or a “best of” award. We read each provider’s public course pages and compare what’s checkable: credential coverage, a price snapshot, delivery format, who each is a fit (and not a fit) for, and what to confirm before you pay. We sell no courses and earn no referral fees from any provider listed. Every status below is provider-stated from public pages — we did not independently verify each one’s live Marketplace listing, so confirm that yourself. Prices are public snapshots as of and change often; treat them as a starting point, then confirm at checkout.
| Provider (provider-stated status — verify on Marketplace) | CCP / CCA coverage | Public price snapshot (verify at checkout) | Format | Best fit / Not best fit |
|---|---|---|---|---|
| CMMC Training Academy — states ATP since 2021 | CCP and CCA | CCP ~$2,495; CCA ~$2,795; combo available | Live online; accelerated combo | Fit: transparent pricing, scheduled live-online. Not: beginners taking the accelerated combo without NIST 800-171 grounding |
| CyberDI — states ATP | CCP and CCA | ~$2,895 list / ~$1,999 sale signal | Remote/live dates | Fit: price-sensitive remote learners. Not: those who need in-person |
| Infosec Institute — states ATP; LTP/APP history | CCP and CCA boot camps (both publicly offered) | CCP boot camp ~$3,499 | 5-day live online or private/on-site | Fit: candidates who want bundled prep and an exam voucher. Not: budget-first buyers |
| Learning Tree — states ATP | CCP; related CCA | CCP ~$2,659–$3,140; CCA “starts from” ~$3,350 | 4-day instructor-led; online/in-class | Fit: employer-funded learners who want scheduled classes. The page notes the exam is bought separately through ISACA |
| WTI Networks — states ATP | CCP, CCA, and CCP+CCA bundle | CCP live ~$2,850; self-paced CCP ~$1,995; CCA ~$3,200; bundle ~$4,895 | Live Zoom and self-paced | Fit: those who need a self-paced CCP or a visible bundle. Not: buyers who skip verifying self-paced exam eligibility |
| Redspin — states first Authorized C3PAO + LTP history | CCA and CCP | CCP individual pricing visible on its page; CCA quote-based | 5-day; virtual or in-person for groups | Fit: teams or CCA candidates who want assessment-experienced instructors. Watch independence boundaries if the same firm might also assess your employer |
| Applied Technology Academy — states authorized CMMC/LTP | CCP and CCA boot camps | Not publicly listed — request | Instructor-led, self-paced, hybrid | Fit: candidates comparing delivery formats. Not: buyers who won’t request written terms |
A “public price” is rarely the final number — exam, application, and membership fees are often separate (see costs below). A C3PAO offering training can be a real plus for assessment context, but C3PAO status alone doesn’t make a course the right fit. And a missing public price doesn’t mean a bad provider; it means you ask for the details in writing before you compare.
Shortlist two or three, then send the verification email before you pay — it puts every answer that matters in writing.
The 7-point verification checklist and the email to send before you pay
Provider verification is the single highest-value step in buying CCP or CCA training. Before you pay, get seven things confirmed in writing: current Marketplace status, the exact course title, completion reporting, instructor credentials and format, exam-fee or voucher handling, support materials, and refund/transfer terms. This is what separates a confident purchase from an expensive guess.
- Marketplace status — confirm they’re a current ATP and capture a dated screenshot.
- Exact course title — official CCP training? Official CCA training? A general awareness course? A bundle, and what’s in it?
- Completion reporting — who reports it, to whom, and how long it takes (ISACA validates your application against this data).
- Instructor and delivery — who teaches, whether it’s live/recorded/self-paced/hybrid, and what happens if you miss a session.
- Exam fee and voucher — included or separate? Voucher provided? Are retakes included?
- Support materials — recordings, practice exams, study guides, post-class Q&A.
- Cancellation, transfer, refund, and sensitive-data rules — and a reminder that no CUI or sensitive contract data should go into training exercises.
Copy, paste, and send this before you register:
Subject: CCP/CCA training verification before registration
I’m evaluating your [CCP/CCA] course before registering. Can you confirm in writing:
- Your current CyberAB Marketplace training-provider (ATP) status;
- The exact official course title;
- Whether completion supports ISACA exam eligibility, and how/when completion is reported to the CAICO;
- Whether the exam fee or an exam voucher is included, and your retake policy;
- Instructor credentials and delivery format (live, recorded, self-paced, hybrid);
- Your refund, transfer, and missed-session policy;
- Confirmation that students should not submit CUI, drawings, or sensitive contract data during exercises.
Thank you.
If a provider won’t answer these clearly and in writing, that’s your answer. Pair their reply with your own Marketplace check, and you’ve removed the two biggest risks in this purchase.
Can you take CCP or CCA training online or self-paced?
Yes — most ATPs offer live-online training, and some advertise self-paced options. Your job isn’t to assume the format qualifies; it’s to confirm that the exact online or self-paced course is official for the CCP or CCA path and that completion supports ISACA exam eligibility. Live-online courses run on a fixed schedule with an instructor; self-paced courses let you work on your own time, which matters if you can’t disappear from your desk for a week.
The catch is the same one from the Marketplace section: the format doesn’t change the rule. Whether you learn live or self-paced, the training still has to come from a listed ATP, and that ATP still has to report your completion to the CAICO before you can register for the exam. Self-paced is where buyers get burned most often, because a low-priced “self-paced CMMC course” can turn out to be general awareness training that never unlocks the test. Before you buy a self-paced option, send the verification email and get one line in writing: does completing this specific self-paced course make me eligible to register for the CCP (or CCA) exam through ISACA? If they can’t say yes plainly, keep looking.
CCP certification: requirements, the exam, and the step-by-step process
To earn the CCP you complete a course with a listed ATP (no self-study), pass the CCP exam through PSI, then apply for certification and pay a $200 application processing fee. ISACA recommends a cyber/IT degree or about two years of related experience, plus CompTIA A+-level knowledge and the DoD Mandatory CUI Awareness Training. To participate in assessments, you’ll also need a favorable Tier 3 background determination (or a DoD-determined equivalent), which begins after you apply.
Walk the process in ISACA’s actual order so there are no surprises:
- Complete mandatory CCP training with a listed ATP. Your ATP reports your completion to the CAICO; ISACA validates your application against that data. (No self-study — training is the gate to the exam.)
- Register for and pay for the CCP exam through ISACA, then schedule at a PSI center or online with remote proctoring. You can schedule about 48 hours after paying, and your exam eligibility lasts six months.
- Pass the CCP exam — 170 multiple-choice questions, scaled scoring from 200 to 800, with 450 the minimum passing score.
- Apply for CCP certification and pay the $200 application processing fee, submitting your education and experience documentation.
- Tier 3 begins after you apply (for U.S. citizens); certification completes once Tier 3 — or the equivalent for non-citizens — is favorably adjudicated.
You don’t have to apply the moment you pass; confirm the current application window in your ISACA account. The CCP exam tracks a public blueprint covering the CMMC ecosystem, the Code of Professional Conduct, the CMMC model and scoping, and the assessment process — your ATP supplies the correct CAP reference for it.
And the question every honest candidate eventually asks: can I just self-study and skip the course? No. Per the Cyber AB’s program documents, the exam is gated on completing official ATP training, and these are not open-book exams. You can take CCP training purely for the knowledge without sitting the exam — but you are not a CCP, and cannot advance to CCA, until you pass it. Either way, budget for the course: it’s the price of admission to the test.
CCA certification: requirements — and the DoD 8140 cert that trips people up
To sit for the CCA you must already hold an active CCP, complete a CAICO-approved CCA course through an ATP, and pass the CCA exam — plus you need at least three years of cybersecurity experience, one year of assessment or audit experience, and a favorable Tier 3 determination or equivalent. The requirement most people miss: a baseline certification aligned to DoD 8140.03 Work Role 612 (Security Control Assessor) at Intermediate proficiency or higher. This is set in 32 CFR §170.11, which we read directly. (You don’t need Tier 3 before the CCA exam — but you do need it to certify.)
That 8140 baseline cert is the tripwire. Candidates book CCA training, then discover at application that they’re short one qualifying certification — and those take weeks to prepare for. Schedule it early. ISACA specifically names CISA and CISM as qualifying examples. Other certifications commonly mapped to Work Role 612 include:
| Certification | Notes |
|---|---|
| ISACA CISA | Named by ISACA as a qualifying example |
| ISACA CISM | Named by ISACA as a qualifying example |
| ISC2 CISSP | Commonly cited; widely used CCA baseline |
| ISC2 CGRC (formerly CAP) | Governance/authorization track |
| CompTIA CySA+ | Analyst track |
| CompTIA Security+ | Often cited, but confirm it meets the Intermediate proficiency bar for 612 before relying on it |
| GIAC GSEC / GSLC / GSNA | Verify the specific certification’s current mapping |
Now two corrections, because half the internet still gets them wrong — and we checked both against primary sources:
- You do not need three supervised assessments. Older guides (and a few provider pages) still list “complete three CMMC assessments as a CCP team member” as a CCA prerequisite. The Cyber AB’s own published FAQ confirms that requirement was removed when the experience and 8140-certification requirements were introduced. If your employer runs you through practice assessments, treat that as professional development — not a certification requirement.
- You do not have to be a U.S. citizen to earn CCP or CCA. U.S. citizens obtain a favorable Tier 3 determination; non-citizens who aren’t eligible for Tier 3 meet a DoD-determined equivalent instead. (Only U.S. citizens can apply for Tier 3 itself, so non-citizens use the equivalent path.) Several provider pages overstate this as “U.S. citizen required for CCA” — the Cyber AB’s materials and 32 CFR §170.11 center on the Tier 3 or equivalent determination. Confirm your specific eligibility with ISACA.
One rule you can’t engineer around: an assessor must follow the Cyber AB’s conflict-of-interest policies, and as a practical matter cannot assess an organization where they — or a conflicted provider relationship — provided the consulting or implementation. That’s why readiness help and formal assessment have to stay separate: the same provider shouldn’t both fix your environment and certify it.
What CCP and CCA training really cost in 2026
Plan for the CCP path to run a few thousand dollars all-in, and the full path to CCA to land in a wide range — commonly cited at $15,000–$25,000 once you count CCP, a possible 8140 baseline cert, the much pricier CCA course, exams, and renewals. The fixed numbers we can state precisely are ISACA’s: the CCP and CCA exams each cost $575 for ISACA members and $760 for non-members; the application processing fee after you pass is $200 for CCP and $50 for CCA; and annual maintenance runs $45 (member) / $85 (non-member). Course prices are set by each ATP and vary widely — the CCA course is the swing factor in that range.
Treat any single “CMMC certification costs $X” claim with suspicion. The real cost is a stack:
| Cost component | What to expect | Where to confirm |
|---|---|---|
| CCP training (ATP course) | ~$2,000–$3,500 (snapshot) | The ATP’s course page / invoice |
| CCP / CCA exam | $575 member / $760 non-member (each) | ISACA exam registration |
| CCP application fee (after passing) | $200 | ISACA |
| CCA application fee (after passing) | $50 | ISACA |
| Annual maintenance | $45 member / $85 non-member | ISACA |
| 8140 baseline cert (if needed for CCA) | Varies (e.g., Security+, CISA, CISSP exam + prep) | The certifying body |
| CCA training (ATP course) | ~$2,800–$15,000 (snapshot; higher figures reflect bundled/enterprise programs) | The ATP |
| All-in CCA path | ~$15,000–$25,000 (commonly cited; driven mostly by the CCA course price) | Get a written provider quote |
The trap is what the course price doesn’t include. Before you assume a sticker price is the total, confirm whether it covers: the exam fee, the application fee, ISACA membership, retakes, practice exams and study materials, travel (for in-person), your time away from billable work, and the annual renewal and CPE you’ll owe for years. Cheapest is fine when the provider is official, current, and clear about exam access; it gets expensive fast when the “deal” turns out to be general CMMC awareness training that never unlocks the exam.
CCP or CCA first? How to choose your path (and who shouldn’t pursue it yet)
Most candidates should buy CCP first, because CCP is foundational and an active CCP is required for the CCA path. CCA is the advanced assessor step and should only be purchased after you’ve mapped the CCP, experience, 8140-certification, background-investigation, exam, and application requirements. Buying CCA training before you’ve confirmed those is the most common way to waste money on this path.
Buy CCP training if:
- You’re new to the CMMC credential ecosystem.
- Your employer wants in-house CMMC literacy.
- You want assessor-track work eventually but haven’t earned CCP yet.
- You want a lower-risk first step before committing to CCA’s cost.
Buy CCA training if:
- You hold (or are about to hold) an active CCP.
- You understand NIST SP 800-171 Rev. 2 and CMMC assessment context.
- You’re pursuing formal assessment work inside a C3PAO.
- You’ve mapped your 8140 Work Role 612 baseline cert and your Tier 3 path.
Buy a CCP+CCA bundle only if:
- You already have real controls, audit, or compliance experience.
- You can handle accelerated pacing.
- The provider confirms both courses are official for your path and spells out exam-fee inclusion, timing, and completion reporting in writing.
Don’t buy CCA yet if you can’t clearly explain FCI versus CUI, NIST SP 800-171 Rev. 2, assessment evidence, and scoping — or if you’re hoping a course will substitute for experience it won’t. And if you’re a beginner without a security background, a CCP-for-knowledge course may be the smart first spend, but don’t treat CCP/CCA training as a replacement for foundational cybersecurity and 800-171 fluency. If that’s you, build the base first.
If, somewhere in here, you’ve realized you’re actually a company trying to get certified rather than an individual chasing a credential, training one employee won’t make your business CMMC-ready — and it won’t replace a required C3PAO assessment. That’s a different decision track.
The biggest (and most expensive) mistakes when buying CMMC training
The costly mistakes are predictable: buying general “CMMC awareness” training instead of official credential-track training, buying CCA before confirming prerequisites, ignoring the exam and application fees, and trusting a marketing badge without checking current Marketplace status. A good purchase starts with verification, not a coupon code.
- Mistake 1 — Buying “CMMC training” when you need CCP or CCA training. General education won’t unlock the exam. Confirm the exact official course title.
- Mistake 2 — Assuming a logo means current approval. Status changes. Check the Marketplace the week you buy.
- Mistake 3 — Buying CCA too early. Without active CCP, the experience minimums, and an 8140 Work Role 612 cert, you can’t certify.
- Mistake 4 — Ignoring exam and application fees. The $575/$760 exam, the $200 CCP (or $50 CCA) application fee, and annual maintenance are often separate from the course price.
- Mistake 5 — Treating self-paced as automatically eligible. Self-paced can be fine if official and current — but verify it, in writing.
- Mistake 6 — Assuming a C3PAO is automatically the best trainer. Assessment experience helps; it doesn’t replace course fit, instructor access, and price.
- Mistake 7 — Confusing individual certification with company status. Training a person does not certify a company.
- Mistake 8 — Sharing sensitive data in training exercises. Don’t submit CUI, drawings, or contract details into a provider’s form or classroom exercise unless your organization has approved the environment. Use sanitized examples.
How CMMC training relates to the Final Rule, NIST SP 800-171 Rev. 2, and DFARS
CCP and CCA are individual professional credentials — they are not the same as a company’s required CMMC status. A contractor’s obligations come from the solicitation and the contract clause, not from whether an employee completed training. Understanding that line keeps you from buying the wrong thing.
The framework, briefly and with sources: the CMMC Program Rule is 32 CFR Part 170, effective December 16, 2024. The contract requirement flows through DFARS 252.204-7021 (the CMMC clause), and the DFARS implementation rule took effect November 10, 2025; under that rule, the required CMMC level is stated in the solicitation and contract. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2 — 110 security requirements across 14 control families — not Revision 3, unless and until the DoD amends the rule. NIST SP 800-172 supplies the enhanced requirements relevant to Level 3. Rollout is phased: Phase 1 runs November 10, 2025 through November 9, 2026, and Phase 2 enforcement begins November 10, 2026. Those dates are why assessment demand — and the assessor shortage that makes this credential attractive — is real and time-bound.
Here’s how the individual credentials sit next to the provider categories a company actually hires:
| Role / category | What it is | What it is not |
|---|---|---|
| CCP | Individual foundational credential | Company certification |
| CCA | Individual assessor credential | Authority to assess independently outside a C3PAO |
| RPO / RP (Registered Provider Organization / Registered Practitioner) | Readiness and implementation support | A formal C3PAO assessment |
| C3PAO | Authorized third-party assessment organization | Your implementation consultant for the same engagement |
| MSSP (Managed Security Service Provider) | Managed IT/security operations | Formal assessment authority |
| GRC platform | Evidence and workflow software | A substitute for implementation or assessment |
| CUI enclave | A controlled environment strategy | A blanket compliance guarantee |
If you came here as a contractor — not a candidate — this table is your signal that you need a provider category, not a course. The right category depends on your level, FCI vs CUI handling, assessment type, cloud environment, and timeline, and the contract clause sets your level, not a checklist.
Want the deeper background first? See our explainers on CMMC Level 2 requirements and C3PAO vs RPO: who to hire first.
What we verified for this guide
We separate three kinds of claims on this page: regulatory facts tied to primary sources, current facts that carry a verification date, and editorial judgments derived from the verified facts. That distinction is the whole point of an independent trade publication on CMMC 2.0 and DIB compliance.
Primary and official sources we read: 32 CFR Part 170 and §170.11 on the federal eCFR; the Federal Register entries for the CMMC program and the DFARS implementation rule; NIST SP 800-171 Rev. 2 and NIST SP 800-172 on the NIST CSRC; DoD Manual 8140.03 and the DoD Cyber Exchange Work Role 612 page; ISACA’s CAICO announcement and its CCP/CCA credentialing, fee, and exam pages; and the Cyber AB’s program and FAQ documents.
Current facts we date-stamped (verified ): ISACA exam fees ($575/$760), the $200 CCP and $50 CCA application fees, $45/$85 renewal, and the PSI exam vendor; the CCP exam structure (170 questions, scaled 200–800, passing 450); and the provider course-price snapshots in the comparison table.
What we did not verify, and won’t pretend to: provider pass rates, private discounts, or student outcomes; each provider’s live Marketplace status (we read public course pages and labeled status as provider-stated); and any provider’s marketing claims about market leadership or success — those we attribute to the provider and tell you to confirm yourself. We do not claim any provider is endorsed by the Cyber AB, ISACA, the DoD, or by us. See our editorial standards and corrections policy.
Frequently asked questions
Who runs CMMC certification now — ISACA or the Cyber AB?
As of , ISACA runs CMMC training, examinations, and certification as the CAICO (the CMMC Assessor and Instructor Certification Organization), covering the CCP, CCA, Lead CCA, and CCI credentials. The Cyber AB remains the program’s accreditation body and still administers the Tier 3 background investigations.
What’s the difference between CCP and CCA?
CCP (CMMC Certified Professional) is the foundational credential — it supports readiness and consulting work and lets you serve on a Level 2 assessment team under a CCA’s supervision, and it’s the prerequisite for CCA. CCA (CMMC Certified Assessor) lets you perform Level 2 certification assessments and make determinations as part of a C3PAO team.
Can I self-study for the CCP or CCA exam?
No. Per the Cyber AB’s program documents, you must complete a course with an Approved Training Provider listed on the CyberAB Marketplace. Training from a provider that isn’t listed will not give you access to the exam, and these are not open-book exams.
Do I need a CCP before a CCA?
Yes. An active CMMC Certified Professional (CCP) certification is a mandatory prerequisite for the CMMC Certified Assessor (CCA), per ISACA and 32 CFR §170.11.
What certification do I need before the CCA?
You need one baseline certification aligned to DoD 8140.03 Work Role 612 (Security Control Assessor) at Intermediate proficiency or higher. ISACA names CISA and CISM as examples; other commonly mapped certifications include CISSP, CGRC, and CySA+. Confirm the current authoritative list on the DoD Cyber Exchange.
Do I have to be a U.S. citizen to earn a CCP or CCA?
No. U.S. citizens obtain a favorable Tier 3 background determination, while non-citizens who aren’t eligible for Tier 3 meet a DoD-determined equivalent, per the Cyber AB’s materials and 32 CFR §170.11.
How much do the CCP and CCA exams cost?
Each exam is $575 for ISACA members and $760 for non-members. After passing, the application processing fee is $200 for CCP and $50 for CCA, with annual maintenance of $45 (member) / $85 (non-member) — verified against ISACA’s published pricing as of . Training is a separate, larger cost set by each provider.
How much does training cost?
In a public snapshot taken , CCP courses ran roughly $2,000–$3,500 and CCA courses roughly $2,800 and up; full all-in paths to CCA are commonly cited at $15,000–$25,000 once prerequisites, exams, and renewals are included. Verify current pricing at checkout.
How do I find a legitimate CMMC training provider?
Use the official CyberAB Marketplace, filter for Approved Training Providers, open the listing, and confirm its current status before you pay. Providers that aren’t listed aren’t authorized to offer official CMMC training.
Is a C3PAO a good CMMC training provider?
A C3PAO may offer useful assessment-context training, but C3PAO status alone doesn’t make a course the best fit. Compare official ATP status, instructor access, format, total cost, and your certification path.
Should a beginner buy a CCP+CCA bundle?
Usually only if the provider confirms the path is appropriate and you already have enough controls, audit, or cybersecurity background to handle accelerated pacing. Most beginners are better served by CCP first, then CCA after the prerequisites and experience are clearer.
Can I submit CUI or contract details during training?
No. Don’t submit CUI, drawings, export-controlled data, or sensitive contract details into a training form, classroom exercise, or upload portal unless your organization has formally approved the handling environment. Use sanitized examples.
Choose your next step
If you’re an individual or consultant: map your path, then verify any provider before you pay.
If you’re a defense contractor choosing a provider for your company: Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Primary sources
- 32 CFR Part 170 (CMMC Program Rule), incl. §170.11 (CCA / Lead CCA) — federal eCFR
- DFARS 252.204-7021 and the DFARS implementation rule — Acquisition.gov / Federal Register
- NIST SP 800-171 Rev. 2 (Level 2, 110 requirements / 14 families) and NIST SP 800-172 (Level 3 enhanced) — NIST CSRC
- DoD Manual 8140.03 and the DoD Cyber Exchange Work Role 612 (Security Control Assessor) page — public.cyber.mil
- ISACA CAICO announcement and CCP/CCA credentialing, fee, and exam pages — isaca.org
- CyberAB Marketplace (official directory) and Cyber AB program/FAQ documents — cyberab.org