The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base

How to Become a CMMC Assessor (CCA): 2026 Requirements and Step-by-Step Path

By The Defense Compliance Report Editorial Team · Last verified: July 17, 2026· Educational research — not legal, contractual, employment, or compliance advice.

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with, endorsed by, or acting on behalf of the Cyber AB, ISACA/CAICO, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

To become a CMMC assessor (CCA), you first complete the Certified CMMC Professional (CCP) pathway, then satisfy the Certified CMMC Assessor (CCA) requirements in 32 CFR §170.11: at least three years of cybersecurity experience, at least one year of assessment or audit experience, a DoD 8140 Work Role 612 (Security Control Assessor) qualification at least at the Intermediate proficiency level, mandatory CAICO-approved training, the CCA exam, a US$50 application fee, and a favorably adjudicated Tier 3 background investigation (or Department-approved equivalent). The CCA exam costs US$575 (ISACA member) / US$760 (non-member).

Now the catch — the one missing from most guides. On July 13, 2026, the Department of War suspended the mandatory Phase 2 third-party assessment requirement — the milestone that was set to make CCA assessment work broadly required across defense contracts. The credential path is still open. The demand picture is not what it was two months ago.

Quick audience check

This guide is for people who want to becomea CMMC assessor — the individual career and credential. If you’re a defense contractor trying to get your company certified, you’re on the wrong page. Jump to The Defense Compliance Report’s Find My CMMC Path tool instead and skip the assessor mechanics below.


The one hard truth up front

The CCA is not an entry-level cyber certificate, passing the exam does not make you a Certified CMMC Assessor, and the credential does not let you assess companies on your own. All three are common assumptions. All three are wrong. The exam is one gate of several. Certification also requires documented experience, a background investigation, and a foundational DoD qualification you must already hold. And even once you’re certified, official Level 2 assessment work happens inside a C3PAO assessment team — not solo.

If you were hoping the CCA is a fast lane into government cybersecurity, or a way to freelance certifications after a short course, we just saved you thousands of dollars. But if you already evaluate security controls for a living, this is exactly the kind of credential that’s worth being hard to get.


What does a CMMC assessor (CCA) actually do?

A CMMC Certified Assessor (CCA) conducts CMMC Level 2 certification assessments of defense contractors — formally, Organizations Seeking Certification (OSCs) — in support of a C3PAO, evaluating them against the 110 security requirements in NIST SP 800-171 Revision 2 using the assessment procedures in NIST SP 800-171A. Under 32 CFR §170.11, a CCA works only as part of a C3PAO assessment team and cannot conduct or sign off on an assessment independently.

A CCA is an individual credential. A C3PAO is an organization— the entity the Cyber AB authorizes and accredits to deliver assessments. You can be a fully certified CCA and still not be able to certify anyone on your own, because the authorization to run an assessment and issue a Certificate of CMMC Status belongs to the C3PAO, not to you (32 CFR §170.8).

What a CCA is authorized to do (§170.11(a)):

What a CCA is not automatically authorized to do:

Here is how the individual credentials and the organization relate — because “assessor,” “auditor,” and “C3PAO” get used interchangeably in job posts and they are not the same thing:

TermPerson or organization?Formal Level 2 role
CCP (Certified CMMC Professional)IndividualSupports assessments as a team member under CCA oversight; the CCA makes all final determinations
CCA (Certified CMMC Assessor)IndividualConducts Level 2 certification assessments in support of a C3PAO
LCCA (Lead CMMC Certified Assessor)IndividualLeads the assessment team and final determinations
CCI (CMMC Certified Instructor)IndividualTeaches CCP/CCA/CCI candidates (ISACA currently markets this as "CMMC Credentialed Instructor")
RP / RPO (Registered Practitioner / Organization)Individual / organizationReadiness and advisory role; RP/RPO status alone does not authorize formal certification-assessment work
C3PAO (CMMC Third-Party Assessment Organization)OrganizationThe authorized assessment organization; issues Certificates of CMMC Status

Source: 32 CFR §§170.8–170.13 (ecfr.gov Subpart C).

The practical takeaway: you don’t “become a CCA” directly. You become a CCP first, then upgrade. That order is set by the regulation, not by a training vendor selling a bundle.

For context: CMMC Level 2 currently maps to the 110 requirements across 14 families in NIST SP 800-171 Revision 2. NIST has since published Revision 3, but 32 CFR Part 170 currently incorporates Revision 2 for CMMC Level 2 unless the rule is amended.


Who controls each gate? (The map most guides skip)

The CMMC assessor path is run by four different bodies. The Department of War (through 32 CFR Part 170) sets the legal requirements; ISACA, as the CAICO, runs training approval, exams, applications, certification, and continuing education; the Cyber AB authorizes C3PAOs and runs the Marketplace; and a C3PAO is who actually engages you for assessment work.
AuthorityWhat it controls
Department of War / 32 CFR Part 170The legal program role, the CCA/CCP requirements, Tier 3, experience and Work Role 612 gates, and the assessment process (§170.11)
ISACA (as the CAICO)Approved training, the CCP and CCA exams, applications and fees, certification issuance, and continuing professional education (isaca.org/credentialing/cca)
Cyber AB (Accreditation Body)Authorizing and accrediting C3PAOs, and the CyberAB Marketplace directory (§170.8)
DCSA / Washington Headquarters ServicesProcessing the Tier 3 background investigation (initiated with SF-86) on the Department side
A C3PAOEngaging the assessor, providing the authorized assessment environment, and issuing Certificates of CMMC Status

Does the July 2026 Phase 2 suspension kill the CCA path?

No — but it changes the calculus. The July 13, 2026 suspension pauses the mandatory Phase 2 Level 2 (C3PAO) requirement; as of this verification date it has not removed the CCA requirements in 32 CFR §170.11 or caused ISACA to withdraw the credential. What it removes is near-term certainty about how soon a new CCA would bill assessment hours, because the mandate driving that demand is paused pending a 60-day review.

What was suspended:

The Phase 2 milestone that would have put mandatory C3PAO assessment requirements into Department contracts starting November 10, 2026. Phases 3 and 4 were suspended too, until further notice. A CMMC Reform Task Force has roughly 60 days to review the program and deliver recommendations to the Department CIO, putting that around mid-September 2026.

What remains firmly in place:

There’s precedent worth knowing. This isn’t CMMC’s first pause. CMMC 1.0 took effect November 30, 2020; the Department began an internal review in March 2021 and announced the revised program — CMMC 2.0 — in November 2021. So a review is not an obituary. But it is a genuine fork in the road, and a serious professional plans around it, not through it. See what the Final Rule actually says →

Our editorial read by situation:

If you’re…Our read on the suspension
An experienced assessor whose employer is paying, with a role already tied to C3PAO workThe path may still be rational — verify your employer's plan and timeline in writing
An experienced auditor adding CMMC capability to an existing careerLower-risk than a full pivot; the skills transfer regardless of program timing
A beginner self-funding because of "huge imminent demand"The demand catalyst was just paused. Build transferable skills first and reassess after the review
Already deep in the processBase the finish decision on the credential's standalone value and a written work plan, not a promised date

Do you even qualify? The four states of CCA eligibility

You are not CCA-eligible just because you can buy a course. The controlling requirements — an active CCP, three years of cybersecurity experience, one year of assessment or audit experience, a Work Role 612 qualification, mandatory training, the exam, and a Tier 3 determination or Department-approved equivalent — come from 32 CFR §170.11(b). The distinction most guides skip is that these aren't one "eligible" line; they're four milestones that happen at different times.
  1. Eligible to begin the pathway.You understand the role and you’re building toward it. No purchase required.
  2. Eligible to register for the exam.You hold an active CCP, you’ve completed the mandatory CAICO-approved CCA course, and you hold a qualifying 8140 (Work Role 612) certification.
  3. Eligible to receive the CCA credential.You’ve also passed the exam, documented your experience, paid the application fee, met the ethics and CPE commitments, and cleared Tier 3 (or the Department-approved equivalent).
  4. Positioned to perform official assessment work. You’re certified andengaged with a C3PAO that can put you on a team. The credential alone doesn’t create the assignment.

The financial trap is buying for stage 3 or 4 when you’re actually stuck at stage 1 or 2. Here’s the full gate-by-gate map we built from the regulation and ISACA’s current pages:

The CCA Eligibility & Friction Map

GateCurrent requirementAuthorityTypeCommon failure
1. Understand the roleA CCA conducts Level 2 certification assessments in support of a C3PAO (§170.11(a))DoW / 32 CFRRegulation-statedBelieving the individual credential lets you freelance official certifications
2. CCP foundationHold an active CCP. Note: CCP training, exam, and application can happen before Tier 3, but an active CCP itself requires Tier 3 or an approved equivalent (§170.13)DoW + ISACABothBuying CCA training before locking in the CCP step and its Tier 3
3. Cybersecurity experienceAt least 3 years (§170.11(b)(6))DoW / 32 CFRRegulation-statedListing general IT tenure without security responsibilities
4. Assessment/audit experienceAt least 1 year (§170.11(b)(6))DoW / 32 CFRRegulation-statedTreating implementation work as if it were assessment work
5. Work Role 612 qualificationA foundational qualification aligned to at least the Intermediate proficiency level of DoD 8140.03 Security Control Assessor (Work Role 612) (§170.11(b)(6))DoW + ISACABothRelying on an old blog's 8570 certification list instead of the current DoD source
6. Approved CCA trainingMandatory CAICO-approved course through an ATP on the CyberAB MarketplaceISACA / Cyber ABOperationalBuying general CMMC training that doesn't unlock the official exam
7. CCA examActive CCP + approved training + a qualifying 8140 certification to register; six-month eligibility window after registrationISACAOperationalAssuming a passing score alone equals certification
8. ApplicationCurrent application, experience proof, ethics commitment, and a US$50 application processing feeISACAOperationalRelying on a third-party article's application-window number (ISACA's own pages conflict — see below)
9. Tier 3 (or equivalent)Favorably adjudicated Tier 3 national-security eligibility, or a Department-determined equivalent (§170.11(b)(3)–(4))DoW / DCSARegulation-statedCalling Tier 3 a security clearance
10. Credential issuanceAll requirements complete; certification valid 3 years (§170.11(b)(1))ISACABothConfusing "exam passed" with "CCA certified"
11. Official assessment workPerformed in support of a C3PAO, using the C3PAO's authorized systems (which must have passed a DCMA DIBCAC Level 2 assessment or higher) (§170.11(b)(7))C3PAORegulation-statedPlanning to store assessment data on personal devices
12. MaintenanceContinuing education and renewal under ISACA's CPE policy; a CyberAB Marketplace listing also requires Delta TrainingISACA / Cyber ABOperationalBudgeting only for training and exams, ignoring upkeep

Sources: 32 CFR §§170.11 and 170.13 (ecfr.gov); ISACA CCA pages (isaca.org/credentialing/cca), verified July 17, 2026.


Does ISACA require an active CCP before the CCA exam?

This is a genuine gray area worth confirming before you pay. ISACA's CCA registration page states you need an active CCP to register for the CCA exam. A separate ISACA statement says candidates who pass the CCP exam and complete CCA training may sit the CCA exam before finishing Tier 3. Those can't both operate literally, because an active CCP certification under 32 CFR §170.13 itself requires Tier 3. Confirm the live registration gate in MyISACA before scheduling or paying.

We’re flagging this rather than papering over it, because it directly affects the order in which you spend money. The regulation is clear that both the CCP (§170.13) and the CCA (§170.11) require Tier 3. ISACA’s operational language about sitting the exam before Tier 3 is a candidate convenience — but “active CCP” and “before Tier 3” are in tension. One quick check in your MyISACA account resolves it for your specific situation.


How to become a CMMC assessor (CCA), step by step

The safe sequence: confirm your target, map your experience and Work Role 612 qualification, complete the CCP pathway (training, exam, application, and Tier 3 to reach active CCP), complete approved CCA training, pass the CCA exam, submit the certification application, clear Tier 3 for the CCA, receive the credential, and then perform assessment work through a C3PAO. Some steps overlap — but paying for them in the wrong order is where candidates lose money.
  1. Confirm CCA is actually your target. Not CCP, not RP consulting, not starting a C3PAO. If you want to advisecompanies on getting ready, that’s a readiness lane and the CCP may serve you better.
  2. Map your experience before you pay. The three-year cybersecurity and one-year assessment/audit requirements are the gates that stop otherwise-qualified people. Write down every qualifying role: employer or client, dates, the securitywork you did (not just “IT”), and someone who can verify it.
  3. Verify your Work Role 612 qualification, and how ISACA operationalizes it. The regulation requires a foundational qualification aligned to at least the Intermediate proficiency level of DoD 8140.03 Security Control Assessor (Work Role 612). Confirm which specific certification ISACA’s current registration process accepts. If you don’t hold a qualifying credential, this is often the longest lead-time item after experience.
  4. Complete the CCP pathway.CCP training, the CCP exam, the CCP application, and Tier 3 (or the approved equivalent) to reach an active CCP certification. The CCA is an advanced credential layered on top of the CCP — you can’t skip it.
  5. Run Tier 3 in parallel where you can.You do not need Tier 3 complete before CCA training or the CCA exam — ISACA is explicit about this, and it’s a gift to your timeline, because adjudication is outside your control. Just remember Tier 3 is required to reach an active credential.
  6. Complete the mandatory CCA training.It has to be a CAICO-approved course through an ATP listed on the CyberAB Marketplace. Before you pay, confirm the provider’s ATP status on the Marketplace and save a timestamped screenshot. General CMMC training will not unlock the official exam.
  7. Register for and pass the CCA exam. Registration is continuous, and once you register you have a six-month eligibility windowto sit the exam. Don’t register until you’re prepared to use that window. Exams run at PSI test centers or via remote proctoring.
  8. Pay the application fee and submit your evidence. The current CCA application processing fee is US$50. This is where your Step 2 experience documentation earns its keep.
  9. Complete Tier 3 (or the approved equivalent) for the CCA.Passing the exam is not the finish line. You need a favorably adjudicated Tier 3 determination — or, if you’re not eligible for Tier 3, the Department-determined equivalent (§170.11(b)(4)).
  10. Receive the credential and maintain it. CCA certification is valid for three years. Keep up with CPE and renewal, and complete Delta Training if you want a CyberAB Marketplace listing.
  11. Join or contract with a C3PAO.The credential qualifies you; it doesn’t assign you. Official assessment work happens through a C3PAO as an employee, subcontractor, or authorized team member. In the current suspended-Phase-2 environment, this step is exactly where the timing uncertainty bites.

Do I need a CCP before the CCA?

Yes. 32 CFR §170.11(b)(6) requires a CCA to be a CCP, and ISACA requires an active CCP to earn the CCA. Treat the CCA as an advanced assessor credential layered on top of the CCP — not an alternative to it. And note that the CCP itself requires a Tier 3 investigation under §170.13(b)(3), so Tier 3 sits underneath both credentials.

Should you buy a combined CCP-and-CCA bundle? Depends on your gate:

Your situationBundle verdict
Experience and Work Role 612 already verifiedReasonable to consider — after checking ATP status and refund terms
Assessment/audit experience uncertainDon't prepay for the CCA portion until you can document the year
Complete beginnerA bundle is not a shortcut past the experience gates
Employer is paying with a documented development planPotentially reasonable
Buying purely on assumed demandWait for the outcome of the review

When you’re ready to compare actual courses and prices, that’s a separate decision from this one. Compare current CCP and CCA training options →


Which DoD 8140 Work Role 612 qualification counts?

32 CFR §170.11(b)(6) requires at least one foundational qualification aligned to the Intermediate proficiency level for the DoD Cyberspace Workforce Framework's Security Control Assessor (Work Role 612), from DoD Manual 8140.03. Separately, ISACA's current CCA exam-registration process asks candidates for a certification from its 8140 list. Because recognized qualifications can change, verify yours against the current official DoD source rather than an undated list on a training site.

What counts as 3 years of cybersecurity and 1 year of audit experience?

32 CFR §170.11(b)(6) sets the durations — three years of cybersecurity experience and one year of assessment or audit experience — but it does not turn every IT task into qualifying work. Reduce your risk by documenting duties, dates, standards used, and verifiable responsibilities rather than relying on job titles.

Strong cybersecurity experience (potential evidence categories, not automatic approval):

Security architecture and engineering, risk and controls work, incident response, vulnerability management, identity and access management, security operations, information system security roles, and federal-controls implementation.

Strong assessment or audit experience:

Evaluating controls against defined criteria, collecting and validating objective evidence, testing whether controls actually operate, documenting findings, performing scoping, writing assessment reports, and conducting interviews and observations under a recognized methodology (NIST, ISO, SOC, FedRAMP, or internal audit against a real control set).

Weak or ambiguous (don’t assume these carry the day):

Generic help-desk work, unspecified “IT management,” selling security products, implementing a control without ever assessing one, or informal peer review with no criteria and no documented conclusions.

The distinction that matters most: implementing a control is not the same as assessingit. Plenty of strong engineers have three years of cyber and zero defensible years of assessment. If that’s you, the honest move is to build and document real assessment work — or start with the CCP — rather than assume a course closes the gap.

Before you spend anything, build your case on paper. A simple worksheet with these columns is enough: employer/client · role · start and end dates · cybersecurity duties · assessment/audit duties · framework or standard used · deliverables · supervisor or verifier · supporting documentation.


Is the Tier 3 background investigation a security clearance?

No. 32 CFR §170.11(b)(3) states plainly that the Tier 3 background investigation "will not result in a security clearance and is not being executed for the purpose of government employment." It is a determination of national-security eligibility for the CMMC role, initiated with the Standard Form 86 (SF-86), for positions designated non-critical sensitive at a "Moderate Risk" level.

What Tier 3 is:

A background investigation, started with the SF-86, that results in an eligibility determination for the assessor role. Under §170.8, these investigations are submitted through Washington Headquarters Services for processing by the Defense Counterintelligence and Security Agency (DCSA). It is not the same as holding a clearance for access to classified information.

Can training and the exam happen before Tier 3?

Yes. ISACA states directly that CCA candidates do not need to complete Tier 3 before taking CCA training and the exam. Because adjudication timelines are outside your control, running Tier 3 in parallel is usually the smart sequencing — just remember it’s required to reach an active credential.

Can a non-U.S. citizen become a CCA?

The rule does not impose a blanket citizenship bar. Section 170.11(b)(4) provides that a candidate who is not eligible for a Tier 3 investigation must meet “the equivalent of a favorably adjudicated Tier 3 background investigation,” with the Department determining that equivalence. Don’t accept a flat “you must be a U.S. citizen” claim — but also don’t assume any particular foreign investigation will be accepted.


How much does it cost to become a CMMC assessor?

There is no single official all-in CCA price, because training costs vary and most candidates must first hold a CCP and a qualifying 8140 credential. The CCA-specific fees verified directly on ISACA's site are a US$575 (member) / US$760 (non-member) exam fee and a US$50 application processing fee, before training and ongoing maintenance.
CostCurrent amountFixed or variable?
CCA exam — ISACA memberUS$575Fixed
CCA exam — non-memberUS$760Fixed
CCA application processingUS$50Fixed
CCA training (mandatory, via ATP)Varies by providerVariable
CCP pathway (training + exam + application)Additional; separate feesPartly fixed, partly variable
Work Role 612 qualificationCandidate-specificVariable
Membership (affects exam price)OptionalYour choice
Annual maintenance (CPE + fee)RecurringRecurring

Source: ISACA CCA credential page, verified July 17, 2026. ISACA notes that exam prices rose while annual renewal fees were lowered.

The current CCA exam plus application fee totals US$625 for an ISACA member or US$810 for a non-member— and that’s it for the fixed, knowable CCA-specific fees. It excludes CCA training, the CCP pathway, Work Role 612 qualification costs, membership, prep, and maintenance. Training price is a major swing factor in your total.

A few money-protection rules: verify eligibility before any non-refundable purchase; confirm ATP status on the day you pay; don’t buy a bundle just because it’s discounted; confirm exactly what a course price includes; and don’t confuse the individual CCA cost with the (much larger) cost of standing up a C3PAO.


How long does it take to become a CMMC assessor?

There is no defensible universal timeline, because candidates start from very different positions on experience, CCP status, Work Role 612 qualification, and background investigation. The exam carries a six-month eligibility window after registration, but experience acquisition, Tier 3 adjudication, application review, and finding C3PAO work can make the full path substantially longer.

Your timeline is set by your slowest gate, not the course calendar:

Starting pointMain bottleneck
Active CCP, experience and Work Role 612 satisfiedTraining, exam, application, and Tier 3 adjudication
Cyber professional without the audit yearBuilding and documenting legitimate assessment experience
Auditor without qualifying cyber backgroundThe three-year cybersecurity requirement
BeginnerYears of experience — not course scheduling
Credentialed but no C3PAO relationshipFinding assessment-team work (harder in the current suspension)

What’s on the CCA exam?

ISACA's current CCA exam content outline states the exam contains 150 questions across four domains: Evaluating Organizations Seeking Certification against Level 2 (15%), Level 2 assessment scoping (20%), the CMMC Assessment Process or CAP (25%), and Assessing Level 2 practices (40%). Assessing Level 2 practices is the largest single domain by a wide margin, so hands-on assessment judgment — not terminology recall — carries the exam.
DomainWeight
Evaluating the OSC against CMMC Level 215%
CMMC Level 2 assessment scoping20%
CMMC Assessment Process (CAP)25%
Assessing CMMC Level 2 practices40%

Nearly two-thirds of the exam sits in the CAP and actual practice-assessment domains. Memorizing the names of NIST requirements won’t get you there. Scoping judgment and evidence evaluation deserve dedicated preparation — you’re being tested on how you’d assess against the objectives, not whether you can recite them.

Logistics:You must hold an active CCP and complete mandatory approved training before registering; the exam is delivered at PSI centers or via remote proctoring; the exam has 150 questions. Confirm the current time limit and passing score in ISACA’s CCA exam candidate guide — those operational details can change. As of our July 2026 review, ISACA’s own CCA prep products were still marked “coming soon,” so plan your preparation accordingly.


Can a CCA work independently, or do I need a C3PAO?

A CCA is an individual credential, but official Level 2 certification-assessment work is performed in support of a C3PAO. 32 CFR §170.11(b)(7) goes further: assessors must use the engaged C3PAO's authorized IT, cloud, cybersecurity services, and endpoint devices — which must have passed a DCMA DIBCAC Level 2 assessment or higher — and are prohibited from using personally owned IT to process, store, or transmit assessment reports or related information.
CapabilityCCAC3PAO
Individual professional credentialYesNo
Authorized assessment organizationNoYes
Participate on an assessment teamYesEmploys/contracts the team
Independently market official certification as a solo credential holderNoOnly through authorized organizational status
Provides the authorized assessment environmentUses the C3PAO'sProvides it (systems must have passed a DIBCAC Level 2 assessment or higher)

Can you consult and assess the same client? Here the regulation is specific. 32 CFR §170.8(b)(17)(ii)(G) prohibits a CMMC Ecosystem member from participating in a Level 2 certification assessment for an organization when that member served as a consultant to prepare the organization for any CMMC assessment within the prior three years. Never assume that holding a CCA lets you remediate a client and then assess your own work.

The device rule is not optional. Individual assessors are prohibitedfrom using any other IT — including personally owned devices, internal or external cloud services, and endpoints — to process, store, or transmit CMMC assessment reports or any other assessment-related information. Plan for the C3PAO’s authorized environment from day one.


CCP vs. CCA vs. Lead CCA — which should you pursue?

CCP is the foundational professional credential, CCA is the assessor credential for Level 2 work through a C3PAO, and Lead CCA (LCCA) is the senior designation for leading assessment activity and final determinations. Each step adds experience, qualification, and responsibility — they are not three interchangeable course levels.
CredentialBest suited toKey prerequisiteWork Role 612 levelFormal assessment role
CCPFoundational ecosystem and assessment-support workTraining, exam, application, Tier 3Not specified for CCPSupports assessments under CCA oversight
CCAExperienced cyber and audit professionalsActive CCP + the §170.11(b) gatesIntermediateConducts Level 2 assessments in support of a C3PAO
Lead CCASenior assessors and team leadersActive CCP/CCA + advanced experienceAdvancedLeads official Level 2 assessments and final determinations

Per 32 CFR §170.11(b)(10), the Lead CCA requires at least 5 years of cybersecurity experience, 5 years of management experience, 3 years of assessment or audit experience, and a foundational qualification aligned to the Advanced proficiency level of Work Role 612.


Is becoming a CCA worth it in 2026?

The CCA can still be a rational investment for an experienced assessor with a verified qualification path, employer support, or a documented C3PAO opportunity — but it's a poor speculative purchase for a beginner expecting automatic employment. With the mandatory Phase 2 requirement suspended, base the decision on the credential's standalone professional value and a realistic work plan, not on a promise of imminent assessor scarcity.

Strong-fit candidate:

You already perform control assessments; you meet or nearly meet the experience gates; you hold a qualifying Work Role 612 credential; you have employer reimbursement or a credible C3PAO role; and you want CMMC-specific assessment capability.

Weak-fit candidate:

You have no real cybersecurity or assessment background; you can’t identify a qualifying 8140 pathway; you’re financing the whole thing on the strength of salary or demand claims; or you believe the course itself guarantees the credential.

The decision factors — five questions to sit with:

  1. Would this credential improve my career even if Phase 2’s timing keeps shifting?
  2. Is an employer or C3PAO actually asking me to get it?
  3. Do I already satisfy the difficult experience gates?
  4. Can I absorb the full cost without relying on immediate assessment income?
  5. Do I have a credible route to assessment-team experience?

There is currently no reliable, primary-source dataset supporting a specific CCA salary, placement rate, or time-to-first-assessment figure — and the July 2026 suspension makes any pre-suspension “assessor shortage” headline even less reliable as a basis for spending your money. Anyone quoting you a guaranteed salary or a guaranteed shortage is selling, not sourcing.


Common mistakes that delay or block CCA certification

Most avoidable problems come from treating the CCA like a course-and-exam purchase rather than a regulated professional qualification. Cut your risk by verifying experience, Work Role 612 status, ATP authorization, application evidence, and Tier 3 status before assuming any single completed step means you're certified.

What we verified for this guide

Verified July 17, 2026:

Official-source conflicts we found (and did not paper over):

Not independently established:

A universal completion time; a current CCA employment or placement rate; a specific salary; a guaranteed near-term demand or shortage; an average Tier 3 adjudication time; and a complete, current hardcoded list of every qualifying Work Role 612 credential (verify yours against the live DoD source).

More on how we work: Editorial Standards · Methodology · Corrections Policy. This is educational research, not legal, contractual, employment, or compliance advice. Confirm credential and application requirements with ISACA/CAICO; confirm Marketplace and Tier 3 workflow with the Cyber AB; and confirm any contract question with your Contracting Officer or qualified federal-contracts counsel.


Frequently asked questions about becoming a CMMC assessor

What certification do I need to become a CMMC assessor?
You need the Certified CMMC Assessor (CCA) credential, and the Certified CMMC Professional (CCP) is a prerequisite. Per 32 CFR §170.11(b)(6), you must be a CCP with at least three years of cybersecurity experience, one year of assessment or audit experience, and a qualifying DoD 8140 Work Role 612 credential, plus mandatory training, the exam, and a Tier 3 determination.
Can I become a CCA without being a CCP?
No. Both 32 CFR §170.11 and ISACA require an active CCP before you can earn the CCA. The CCA is an advanced credential layered on top of the CCP.
Does the CCP also require a Tier 3 background investigation?
Yes. 32 CFR §170.13(b)(3) requires the CCP to complete a Tier 3 background investigation (or a Department-determined equivalent), using the same non-clearance, SF-86 process that applies to the CCA. Tier 3 sits underneath both credentials.
Can I take CCA training before Tier 3 is complete?
Yes. ISACA states that CCA candidates do not need to complete their Tier 3 background investigation before taking CCA training or the exam. Tier 3 is still required to reach an active credential, so run it in parallel.
Does the Tier 3 background investigation give me a security clearance?
No. 32 CFR §170.11(b)(3) states the Tier 3 investigation "will not result in a security clearance and is not being executed for the purpose of government employment." It's an eligibility determination for the assessor role, initiated with the SF-86.
Can a non-U.S. citizen become a CCA?
Possibly. The rule imposes no blanket citizenship bar; §170.11(b)(4) provides that candidates not eligible for Tier 3 must meet a Department-determined equivalent. There's no flat citizenship rule, but no guarantee any particular foreign investigation will be accepted — the Department determines equivalence.
Do I need three supervised CMMC assessments to become a CCA?
Not according to the current rule. 32 CFR §170.11 and ISACA's current CCA certification requirements do not list three supervised assessments as a prerequisite. That step appears in some older pathway graphics; confirm any experiential requirements with the CAICO before relying on outdated diagrams.
How much is the CCA exam?
US$575 for ISACA members and US$760 for non-members, plus a one-time US$50 application processing fee, verified on ISACA's CCA pages as of July 17, 2026. Training is separate and varies by provider.
How many questions are on the CCA exam?
ISACA's CCA exam content outline states the exam contains 150 questions across four domains, weighted toward Assessing Level 2 Practices (40%). Confirm the current time limit and passing score in ISACA's CCA exam candidate guide, as these operational details can change.
Can I perform CMMC assessments by myself after becoming a CCA?
No. Official Level 2 certification assessments are performed in support of a C3PAO, by a team led by a Lead CCA. A CCA is an individual credential; the authorization to deliver assessments and issue Certificates of CMMC Status belongs to the C3PAO, and §170.11(b)(7) requires assessors to use the C3PAO's authorized systems.
Does the CCA credential certify my company?
No. The CCA is an individual professional credential. Certifying a company is a separate process — a Level 2 assessment of an Organization Seeking Certification — and requires a C3PAO. If your goal is getting your own company certified, use the Find My CMMC Path tool instead.
How long do I have to apply after passing the exam?
ISACA's current CCA materials conflict: the "Get CCA Certified" steps state five years from passing the exam to apply, while the certification-requirements section on the same page states two years. Confirm the current deadline in your MyISACA account rather than relying on a third-party article.
Is becoming a CCA still worthwhile after the July 2026 Phase 2 suspension?
It depends on your situation. The suspension paused the mandatory third-party (C3PAO) assessment requirement pending a 60-day review, so near-term demand is uncertain. It's more defensible for an experienced assessor with employer support or a documented C3PAO opportunity than for a beginner betting on a shortage. The credential path and requirements remain in place as of this writing.

Your next step depends on your first unmet gate


Disclosure

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Independence

The Defense Compliance Report is not affiliated with the Cyber AB, ISACA/CAICO, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page provides educational research, not legal, contractual, employment, or compliance advice.

Primary sources and further reading

Regulatory facts on this page were verified against the sources above on July 17, 2026. Program phases and rules change — we re-verify on a recurring basis and update the “Last verified” date when we do.