How to Become a CMMC Assessor (CCA): 2026 Requirements and Step-by-Step Path
By The Defense Compliance Report Editorial Team · Last verified: July 17, 2026· Educational research — not legal, contractual, employment, or compliance advice.
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with, endorsed by, or acting on behalf of the Cyber AB, ISACA/CAICO, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
To become a CMMC assessor (CCA), you first complete the Certified CMMC Professional (CCP) pathway, then satisfy the Certified CMMC Assessor (CCA) requirements in 32 CFR §170.11: at least three years of cybersecurity experience, at least one year of assessment or audit experience, a DoD 8140 Work Role 612 (Security Control Assessor) qualification at least at the Intermediate proficiency level, mandatory CAICO-approved training, the CCA exam, a US$50 application fee, and a favorably adjudicated Tier 3 background investigation (or Department-approved equivalent). The CCA exam costs US$575 (ISACA member) / US$760 (non-member).
Now the catch — the one missing from most guides. On July 13, 2026, the Department of War suspended the mandatory Phase 2 third-party assessment requirement — the milestone that was set to make CCA assessment work broadly required across defense contracts. The credential path is still open. The demand picture is not what it was two months ago.
Quick audience check
This guide is for people who want to becomea CMMC assessor — the individual career and credential. If you’re a defense contractor trying to get your company certified, you’re on the wrong page. Jump to The Defense Compliance Report’s Find My CMMC Path tool instead and skip the assessor mechanics below.
The one hard truth up front
The CCA is not an entry-level cyber certificate, passing the exam does not make you a Certified CMMC Assessor, and the credential does not let you assess companies on your own. All three are common assumptions. All three are wrong. The exam is one gate of several. Certification also requires documented experience, a background investigation, and a foundational DoD qualification you must already hold. And even once you’re certified, official Level 2 assessment work happens inside a C3PAO assessment team — not solo.
If you were hoping the CCA is a fast lane into government cybersecurity, or a way to freelance certifications after a short course, we just saved you thousands of dollars. But if you already evaluate security controls for a living, this is exactly the kind of credential that’s worth being hard to get.
What does a CMMC assessor (CCA) actually do?
A CMMC Certified Assessor (CCA) conducts CMMC Level 2 certification assessments of defense contractors — formally, Organizations Seeking Certification (OSCs) — in support of a C3PAO, evaluating them against the 110 security requirements in NIST SP 800-171 Revision 2 using the assessment procedures in NIST SP 800-171A. Under 32 CFR §170.11, a CCA works only as part of a C3PAO assessment team and cannot conduct or sign off on an assessment independently.
A CCA is an individual credential. A C3PAO is an organization— the entity the Cyber AB authorizes and accredits to deliver assessments. You can be a fully certified CCA and still not be able to certify anyone on your own, because the authorization to run an assessment and issue a Certificate of CMMC Status belongs to the C3PAO, not to you (32 CFR §170.8).
What a CCA is authorized to do (§170.11(a)):
- Conduct Level 2 certification assessment activities on a C3PAO team
- Evaluate objective evidence against assessment objectives
- Apply the NIST SP 800-171A assessment methods (examine, interview, test)
- Work within the assessment processes in §170.17 and the scoping requirements in §170.19(c)
What a CCA is not automatically authorized to do:
- Issue independent CMMC certifications outside a C3PAO
- Remediate a client and then serve as its assessor within the conflict window
- Store assessment evidence on personal systems (prohibited — see the independence section below)
- Guarantee an assessment outcome
Here is how the individual credentials and the organization relate — because “assessor,” “auditor,” and “C3PAO” get used interchangeably in job posts and they are not the same thing:
| Term | Person or organization? | Formal Level 2 role |
|---|---|---|
| CCP (Certified CMMC Professional) | Individual | Supports assessments as a team member under CCA oversight; the CCA makes all final determinations |
| CCA (Certified CMMC Assessor) | Individual | Conducts Level 2 certification assessments in support of a C3PAO |
| LCCA (Lead CMMC Certified Assessor) | Individual | Leads the assessment team and final determinations |
| CCI (CMMC Certified Instructor) | Individual | Teaches CCP/CCA/CCI candidates (ISACA currently markets this as "CMMC Credentialed Instructor") |
| RP / RPO (Registered Practitioner / Organization) | Individual / organization | Readiness and advisory role; RP/RPO status alone does not authorize formal certification-assessment work |
| C3PAO (CMMC Third-Party Assessment Organization) | Organization | The authorized assessment organization; issues Certificates of CMMC Status |
Source: 32 CFR §§170.8–170.13 (ecfr.gov Subpart C).
The practical takeaway: you don’t “become a CCA” directly. You become a CCP first, then upgrade. That order is set by the regulation, not by a training vendor selling a bundle.
For context: CMMC Level 2 currently maps to the 110 requirements across 14 families in NIST SP 800-171 Revision 2. NIST has since published Revision 3, but 32 CFR Part 170 currently incorporates Revision 2 for CMMC Level 2 unless the rule is amended.
Who controls each gate? (The map most guides skip)
The CMMC assessor path is run by four different bodies. The Department of War (through 32 CFR Part 170) sets the legal requirements; ISACA, as the CAICO, runs training approval, exams, applications, certification, and continuing education; the Cyber AB authorizes C3PAOs and runs the Marketplace; and a C3PAO is who actually engages you for assessment work.
| Authority | What it controls |
|---|---|
| Department of War / 32 CFR Part 170 | The legal program role, the CCA/CCP requirements, Tier 3, experience and Work Role 612 gates, and the assessment process (§170.11) |
| ISACA (as the CAICO) | Approved training, the CCP and CCA exams, applications and fees, certification issuance, and continuing professional education (isaca.org/credentialing/cca) |
| Cyber AB (Accreditation Body) | Authorizing and accrediting C3PAOs, and the CyberAB Marketplace directory (§170.8) |
| DCSA / Washington Headquarters Services | Processing the Tier 3 background investigation (initiated with SF-86) on the Department side |
| A C3PAO | Engaging the assessor, providing the authorized assessment environment, and issuing Certificates of CMMC Status |
Does the July 2026 Phase 2 suspension kill the CCA path?
No — but it changes the calculus. The July 13, 2026 suspension pauses the mandatory Phase 2 Level 2 (C3PAO) requirement; as of this verification date it has not removed the CCA requirements in 32 CFR §170.11 or caused ISACA to withdraw the credential. What it removes is near-term certainty about how soon a new CCA would bill assessment hours, because the mandate driving that demand is paused pending a 60-day review.
What was suspended:
The Phase 2 milestone that would have put mandatory C3PAO assessment requirements into Department contracts starting November 10, 2026. Phases 3 and 4 were suspended too, until further notice. A CMMC Reform Task Force has roughly 60 days to review the program and deliver recommendations to the Department CIO, putting that around mid-September 2026.
What remains firmly in place:
- Phase 1 self-assessments (Level 1 and Level 2 Self) — still required in applicable contracts
- 32 CFR §170.11 CCA requirements — unchanged as of this writing
- ISACA’s CCA training, exam, application, and certification process — operational
- DFARS 252.204-7012 — the long-standing clause requiring contractors to safeguard covered defense information — untouched
There’s precedent worth knowing. This isn’t CMMC’s first pause. CMMC 1.0 took effect November 30, 2020; the Department began an internal review in March 2021 and announced the revised program — CMMC 2.0 — in November 2021. So a review is not an obituary. But it is a genuine fork in the road, and a serious professional plans around it, not through it. See what the Final Rule actually says →
Our editorial read by situation:
| If you’re… | Our read on the suspension |
|---|---|
| An experienced assessor whose employer is paying, with a role already tied to C3PAO work | The path may still be rational — verify your employer's plan and timeline in writing |
| An experienced auditor adding CMMC capability to an existing career | Lower-risk than a full pivot; the skills transfer regardless of program timing |
| A beginner self-funding because of "huge imminent demand" | The demand catalyst was just paused. Build transferable skills first and reassess after the review |
| Already deep in the process | Base the finish decision on the credential's standalone value and a written work plan, not a promised date |
Do you even qualify? The four states of CCA eligibility
You are not CCA-eligible just because you can buy a course. The controlling requirements — an active CCP, three years of cybersecurity experience, one year of assessment or audit experience, a Work Role 612 qualification, mandatory training, the exam, and a Tier 3 determination or Department-approved equivalent — come from 32 CFR §170.11(b). The distinction most guides skip is that these aren't one "eligible" line; they're four milestones that happen at different times.
- Eligible to begin the pathway.You understand the role and you’re building toward it. No purchase required.
- Eligible to register for the exam.You hold an active CCP, you’ve completed the mandatory CAICO-approved CCA course, and you hold a qualifying 8140 (Work Role 612) certification.
- Eligible to receive the CCA credential.You’ve also passed the exam, documented your experience, paid the application fee, met the ethics and CPE commitments, and cleared Tier 3 (or the Department-approved equivalent).
- Positioned to perform official assessment work. You’re certified andengaged with a C3PAO that can put you on a team. The credential alone doesn’t create the assignment.
The financial trap is buying for stage 3 or 4 when you’re actually stuck at stage 1 or 2. Here’s the full gate-by-gate map we built from the regulation and ISACA’s current pages:
The CCA Eligibility & Friction Map
| Gate | Current requirement | Authority | Type | Common failure |
|---|---|---|---|---|
| 1. Understand the role | A CCA conducts Level 2 certification assessments in support of a C3PAO (§170.11(a)) | DoW / 32 CFR | Regulation-stated | Believing the individual credential lets you freelance official certifications |
| 2. CCP foundation | Hold an active CCP. Note: CCP training, exam, and application can happen before Tier 3, but an active CCP itself requires Tier 3 or an approved equivalent (§170.13) | DoW + ISACA | Both | Buying CCA training before locking in the CCP step and its Tier 3 |
| 3. Cybersecurity experience | At least 3 years (§170.11(b)(6)) | DoW / 32 CFR | Regulation-stated | Listing general IT tenure without security responsibilities |
| 4. Assessment/audit experience | At least 1 year (§170.11(b)(6)) | DoW / 32 CFR | Regulation-stated | Treating implementation work as if it were assessment work |
| 5. Work Role 612 qualification | A foundational qualification aligned to at least the Intermediate proficiency level of DoD 8140.03 Security Control Assessor (Work Role 612) (§170.11(b)(6)) | DoW + ISACA | Both | Relying on an old blog's 8570 certification list instead of the current DoD source |
| 6. Approved CCA training | Mandatory CAICO-approved course through an ATP on the CyberAB Marketplace | ISACA / Cyber AB | Operational | Buying general CMMC training that doesn't unlock the official exam |
| 7. CCA exam | Active CCP + approved training + a qualifying 8140 certification to register; six-month eligibility window after registration | ISACA | Operational | Assuming a passing score alone equals certification |
| 8. Application | Current application, experience proof, ethics commitment, and a US$50 application processing fee | ISACA | Operational | Relying on a third-party article's application-window number (ISACA's own pages conflict — see below) |
| 9. Tier 3 (or equivalent) | Favorably adjudicated Tier 3 national-security eligibility, or a Department-determined equivalent (§170.11(b)(3)–(4)) | DoW / DCSA | Regulation-stated | Calling Tier 3 a security clearance |
| 10. Credential issuance | All requirements complete; certification valid 3 years (§170.11(b)(1)) | ISACA | Both | Confusing "exam passed" with "CCA certified" |
| 11. Official assessment work | Performed in support of a C3PAO, using the C3PAO's authorized systems (which must have passed a DCMA DIBCAC Level 2 assessment or higher) (§170.11(b)(7)) | C3PAO | Regulation-stated | Planning to store assessment data on personal devices |
| 12. Maintenance | Continuing education and renewal under ISACA's CPE policy; a CyberAB Marketplace listing also requires Delta Training | ISACA / Cyber AB | Operational | Budgeting only for training and exams, ignoring upkeep |
Sources: 32 CFR §§170.11 and 170.13 (ecfr.gov); ISACA CCA pages (isaca.org/credentialing/cca), verified July 17, 2026.
Does ISACA require an active CCP before the CCA exam?
This is a genuine gray area worth confirming before you pay. ISACA's CCA registration page states you need an active CCP to register for the CCA exam. A separate ISACA statement says candidates who pass the CCP exam and complete CCA training may sit the CCA exam before finishing Tier 3. Those can't both operate literally, because an active CCP certification under 32 CFR §170.13 itself requires Tier 3. Confirm the live registration gate in MyISACA before scheduling or paying.
We’re flagging this rather than papering over it, because it directly affects the order in which you spend money. The regulation is clear that both the CCP (§170.13) and the CCA (§170.11) require Tier 3. ISACA’s operational language about sitting the exam before Tier 3 is a candidate convenience — but “active CCP” and “before Tier 3” are in tension. One quick check in your MyISACA account resolves it for your specific situation.
How to become a CMMC assessor (CCA), step by step
The safe sequence: confirm your target, map your experience and Work Role 612 qualification, complete the CCP pathway (training, exam, application, and Tier 3 to reach active CCP), complete approved CCA training, pass the CCA exam, submit the certification application, clear Tier 3 for the CCA, receive the credential, and then perform assessment work through a C3PAO. Some steps overlap — but paying for them in the wrong order is where candidates lose money.
- Confirm CCA is actually your target. Not CCP, not RP consulting, not starting a C3PAO. If you want to advisecompanies on getting ready, that’s a readiness lane and the CCP may serve you better.
- Map your experience before you pay. The three-year cybersecurity and one-year assessment/audit requirements are the gates that stop otherwise-qualified people. Write down every qualifying role: employer or client, dates, the securitywork you did (not just “IT”), and someone who can verify it.
- Verify your Work Role 612 qualification, and how ISACA operationalizes it. The regulation requires a foundational qualification aligned to at least the Intermediate proficiency level of DoD 8140.03 Security Control Assessor (Work Role 612). Confirm which specific certification ISACA’s current registration process accepts. If you don’t hold a qualifying credential, this is often the longest lead-time item after experience.
- Complete the CCP pathway.CCP training, the CCP exam, the CCP application, and Tier 3 (or the approved equivalent) to reach an active CCP certification. The CCA is an advanced credential layered on top of the CCP — you can’t skip it.
- Run Tier 3 in parallel where you can.You do not need Tier 3 complete before CCA training or the CCA exam — ISACA is explicit about this, and it’s a gift to your timeline, because adjudication is outside your control. Just remember Tier 3 is required to reach an active credential.
- Complete the mandatory CCA training.It has to be a CAICO-approved course through an ATP listed on the CyberAB Marketplace. Before you pay, confirm the provider’s ATP status on the Marketplace and save a timestamped screenshot. General CMMC training will not unlock the official exam.
- Register for and pass the CCA exam. Registration is continuous, and once you register you have a six-month eligibility windowto sit the exam. Don’t register until you’re prepared to use that window. Exams run at PSI test centers or via remote proctoring.
- Pay the application fee and submit your evidence. The current CCA application processing fee is US$50. This is where your Step 2 experience documentation earns its keep.
- Complete Tier 3 (or the approved equivalent) for the CCA.Passing the exam is not the finish line. You need a favorably adjudicated Tier 3 determination — or, if you’re not eligible for Tier 3, the Department-determined equivalent (§170.11(b)(4)).
- Receive the credential and maintain it. CCA certification is valid for three years. Keep up with CPE and renewal, and complete Delta Training if you want a CyberAB Marketplace listing.
- Join or contract with a C3PAO.The credential qualifies you; it doesn’t assign you. Official assessment work happens through a C3PAO as an employee, subcontractor, or authorized team member. In the current suspended-Phase-2 environment, this step is exactly where the timing uncertainty bites.
Do I need a CCP before the CCA?
Yes. 32 CFR §170.11(b)(6) requires a CCA to be a CCP, and ISACA requires an active CCP to earn the CCA. Treat the CCA as an advanced assessor credential layered on top of the CCP — not an alternative to it. And note that the CCP itself requires a Tier 3 investigation under §170.13(b)(3), so Tier 3 sits underneath both credentials.
Should you buy a combined CCP-and-CCA bundle? Depends on your gate:
| Your situation | Bundle verdict |
|---|---|
| Experience and Work Role 612 already verified | Reasonable to consider — after checking ATP status and refund terms |
| Assessment/audit experience uncertain | Don't prepay for the CCA portion until you can document the year |
| Complete beginner | A bundle is not a shortcut past the experience gates |
| Employer is paying with a documented development plan | Potentially reasonable |
| Buying purely on assumed demand | Wait for the outcome of the review |
When you’re ready to compare actual courses and prices, that’s a separate decision from this one. Compare current CCP and CCA training options →
Which DoD 8140 Work Role 612 qualification counts?
32 CFR §170.11(b)(6) requires at least one foundational qualification aligned to the Intermediate proficiency level for the DoD Cyberspace Workforce Framework's Security Control Assessor (Work Role 612), from DoD Manual 8140.03. Separately, ISACA's current CCA exam-registration process asks candidates for a certification from its 8140 list. Because recognized qualifications can change, verify yours against the current official DoD source rather than an undated list on a training site.
- 8140, not 8570.The current rule points to DoD Manual 8140.03 and the DoD Cyberspace Workforce Framework. Older pages still reference retired 8570 baseline lists. If a guide is citing 8570, it’s out of date on this point.
- Intermediate for CCA, Advanced for Lead CCA. The CCA requires alignment to at least the Intermediate proficiency level of Work Role 612. The Lead CCA requires the Advanced level (§170.11(b)(10)).
- “Work role” is not a job title. Work Role 612 is the Security Control Assessor role in the DoD framework. Your title is irrelevant; the qualifying credential and proficiency level are what count.
- ISACA points candidates toward certifications from its 8140 list and, as of our July 2026 review, cites credentials like CISA and CISM as examples. Treat those as examples ISACA gives, not an exhaustive or regulation-defined list. Verify against the current DoD Work Role 612 pathway and DoD Manual 8140.03, and save a dated copy.
What counts as 3 years of cybersecurity and 1 year of audit experience?
32 CFR §170.11(b)(6) sets the durations — three years of cybersecurity experience and one year of assessment or audit experience — but it does not turn every IT task into qualifying work. Reduce your risk by documenting duties, dates, standards used, and verifiable responsibilities rather than relying on job titles.
Strong cybersecurity experience (potential evidence categories, not automatic approval):
Security architecture and engineering, risk and controls work, incident response, vulnerability management, identity and access management, security operations, information system security roles, and federal-controls implementation.
Strong assessment or audit experience:
Evaluating controls against defined criteria, collecting and validating objective evidence, testing whether controls actually operate, documenting findings, performing scoping, writing assessment reports, and conducting interviews and observations under a recognized methodology (NIST, ISO, SOC, FedRAMP, or internal audit against a real control set).
Weak or ambiguous (don’t assume these carry the day):
Generic help-desk work, unspecified “IT management,” selling security products, implementing a control without ever assessing one, or informal peer review with no criteria and no documented conclusions.
The distinction that matters most: implementing a control is not the same as assessingit. Plenty of strong engineers have three years of cyber and zero defensible years of assessment. If that’s you, the honest move is to build and document real assessment work — or start with the CCP — rather than assume a course closes the gap.
Before you spend anything, build your case on paper. A simple worksheet with these columns is enough: employer/client · role · start and end dates · cybersecurity duties · assessment/audit duties · framework or standard used · deliverables · supervisor or verifier · supporting documentation.
Is the Tier 3 background investigation a security clearance?
No. 32 CFR §170.11(b)(3) states plainly that the Tier 3 background investigation "will not result in a security clearance and is not being executed for the purpose of government employment." It is a determination of national-security eligibility for the CMMC role, initiated with the Standard Form 86 (SF-86), for positions designated non-critical sensitive at a "Moderate Risk" level.
What Tier 3 is:
A background investigation, started with the SF-86, that results in an eligibility determination for the assessor role. Under §170.8, these investigations are submitted through Washington Headquarters Services for processing by the Defense Counterintelligence and Security Agency (DCSA). It is not the same as holding a clearance for access to classified information.
Can training and the exam happen before Tier 3?
Yes. ISACA states directly that CCA candidates do not need to complete Tier 3 before taking CCA training and the exam. Because adjudication timelines are outside your control, running Tier 3 in parallel is usually the smart sequencing — just remember it’s required to reach an active credential.
Can a non-U.S. citizen become a CCA?
The rule does not impose a blanket citizenship bar. Section 170.11(b)(4) provides that a candidate who is not eligible for a Tier 3 investigation must meet “the equivalent of a favorably adjudicated Tier 3 background investigation,” with the Department determining that equivalence. Don’t accept a flat “you must be a U.S. citizen” claim — but also don’t assume any particular foreign investigation will be accepted.
How much does it cost to become a CMMC assessor?
There is no single official all-in CCA price, because training costs vary and most candidates must first hold a CCP and a qualifying 8140 credential. The CCA-specific fees verified directly on ISACA's site are a US$575 (member) / US$760 (non-member) exam fee and a US$50 application processing fee, before training and ongoing maintenance.
| Cost | Current amount | Fixed or variable? |
|---|---|---|
| CCA exam — ISACA member | US$575 | Fixed |
| CCA exam — non-member | US$760 | Fixed |
| CCA application processing | US$50 | Fixed |
| CCA training (mandatory, via ATP) | Varies by provider | Variable |
| CCP pathway (training + exam + application) | Additional; separate fees | Partly fixed, partly variable |
| Work Role 612 qualification | Candidate-specific | Variable |
| Membership (affects exam price) | Optional | Your choice |
| Annual maintenance (CPE + fee) | Recurring | Recurring |
Source: ISACA CCA credential page, verified July 17, 2026. ISACA notes that exam prices rose while annual renewal fees were lowered.
The current CCA exam plus application fee totals US$625 for an ISACA member or US$810 for a non-member— and that’s it for the fixed, knowable CCA-specific fees. It excludes CCA training, the CCP pathway, Work Role 612 qualification costs, membership, prep, and maintenance. Training price is a major swing factor in your total.
A few money-protection rules: verify eligibility before any non-refundable purchase; confirm ATP status on the day you pay; don’t buy a bundle just because it’s discounted; confirm exactly what a course price includes; and don’t confuse the individual CCA cost with the (much larger) cost of standing up a C3PAO.
How long does it take to become a CMMC assessor?
There is no defensible universal timeline, because candidates start from very different positions on experience, CCP status, Work Role 612 qualification, and background investigation. The exam carries a six-month eligibility window after registration, but experience acquisition, Tier 3 adjudication, application review, and finding C3PAO work can make the full path substantially longer.
Your timeline is set by your slowest gate, not the course calendar:
| Starting point | Main bottleneck |
|---|---|
| Active CCP, experience and Work Role 612 satisfied | Training, exam, application, and Tier 3 adjudication |
| Cyber professional without the audit year | Building and documenting legitimate assessment experience |
| Auditor without qualifying cyber background | The three-year cybersecurity requirement |
| Beginner | Years of experience — not course scheduling |
| Credentialed but no C3PAO relationship | Finding assessment-team work (harder in the current suspension) |
What’s on the CCA exam?
ISACA's current CCA exam content outline states the exam contains 150 questions across four domains: Evaluating Organizations Seeking Certification against Level 2 (15%), Level 2 assessment scoping (20%), the CMMC Assessment Process or CAP (25%), and Assessing Level 2 practices (40%). Assessing Level 2 practices is the largest single domain by a wide margin, so hands-on assessment judgment — not terminology recall — carries the exam.
| Domain | Weight |
|---|---|
| Evaluating the OSC against CMMC Level 2 | 15% |
| CMMC Level 2 assessment scoping | 20% |
| CMMC Assessment Process (CAP) | 25% |
| Assessing CMMC Level 2 practices | 40% |
Nearly two-thirds of the exam sits in the CAP and actual practice-assessment domains. Memorizing the names of NIST requirements won’t get you there. Scoping judgment and evidence evaluation deserve dedicated preparation — you’re being tested on how you’d assess against the objectives, not whether you can recite them.
Logistics:You must hold an active CCP and complete mandatory approved training before registering; the exam is delivered at PSI centers or via remote proctoring; the exam has 150 questions. Confirm the current time limit and passing score in ISACA’s CCA exam candidate guide — those operational details can change. As of our July 2026 review, ISACA’s own CCA prep products were still marked “coming soon,” so plan your preparation accordingly.
Can a CCA work independently, or do I need a C3PAO?
A CCA is an individual credential, but official Level 2 certification-assessment work is performed in support of a C3PAO. 32 CFR §170.11(b)(7) goes further: assessors must use the engaged C3PAO's authorized IT, cloud, cybersecurity services, and endpoint devices — which must have passed a DCMA DIBCAC Level 2 assessment or higher — and are prohibited from using personally owned IT to process, store, or transmit assessment reports or related information.
| Capability | CCA | C3PAO |
|---|---|---|
| Individual professional credential | Yes | No |
| Authorized assessment organization | No | Yes |
| Participate on an assessment team | Yes | Employs/contracts the team |
| Independently market official certification as a solo credential holder | No | Only through authorized organizational status |
| Provides the authorized assessment environment | Uses the C3PAO's | Provides it (systems must have passed a DIBCAC Level 2 assessment or higher) |
Can you consult and assess the same client? Here the regulation is specific. 32 CFR §170.8(b)(17)(ii)(G) prohibits a CMMC Ecosystem member from participating in a Level 2 certification assessment for an organization when that member served as a consultant to prepare the organization for any CMMC assessment within the prior three years. Never assume that holding a CCA lets you remediate a client and then assess your own work.
The device rule is not optional. Individual assessors are prohibitedfrom using any other IT — including personally owned devices, internal or external cloud services, and endpoints — to process, store, or transmit CMMC assessment reports or any other assessment-related information. Plan for the C3PAO’s authorized environment from day one.
CCP vs. CCA vs. Lead CCA — which should you pursue?
CCP is the foundational professional credential, CCA is the assessor credential for Level 2 work through a C3PAO, and Lead CCA (LCCA) is the senior designation for leading assessment activity and final determinations. Each step adds experience, qualification, and responsibility — they are not three interchangeable course levels.
| Credential | Best suited to | Key prerequisite | Work Role 612 level | Formal assessment role |
|---|---|---|---|---|
| CCP | Foundational ecosystem and assessment-support work | Training, exam, application, Tier 3 | Not specified for CCP | Supports assessments under CCA oversight |
| CCA | Experienced cyber and audit professionals | Active CCP + the §170.11(b) gates | Intermediate | Conducts Level 2 assessments in support of a C3PAO |
| Lead CCA | Senior assessors and team leaders | Active CCP/CCA + advanced experience | Advanced | Leads official Level 2 assessments and final determinations |
Per 32 CFR §170.11(b)(10), the Lead CCA requires at least 5 years of cybersecurity experience, 5 years of management experience, 3 years of assessment or audit experience, and a foundational qualification aligned to the Advanced proficiency level of Work Role 612.
Is becoming a CCA worth it in 2026?
The CCA can still be a rational investment for an experienced assessor with a verified qualification path, employer support, or a documented C3PAO opportunity — but it's a poor speculative purchase for a beginner expecting automatic employment. With the mandatory Phase 2 requirement suspended, base the decision on the credential's standalone professional value and a realistic work plan, not on a promise of imminent assessor scarcity.
Strong-fit candidate:
You already perform control assessments; you meet or nearly meet the experience gates; you hold a qualifying Work Role 612 credential; you have employer reimbursement or a credible C3PAO role; and you want CMMC-specific assessment capability.
Weak-fit candidate:
You have no real cybersecurity or assessment background; you can’t identify a qualifying 8140 pathway; you’re financing the whole thing on the strength of salary or demand claims; or you believe the course itself guarantees the credential.
The decision factors — five questions to sit with:
- Would this credential improve my career even if Phase 2’s timing keeps shifting?
- Is an employer or C3PAO actually asking me to get it?
- Do I already satisfy the difficult experience gates?
- Can I absorb the full cost without relying on immediate assessment income?
- Do I have a credible route to assessment-team experience?
There is currently no reliable, primary-source dataset supporting a specific CCA salary, placement rate, or time-to-first-assessment figure — and the July 2026 suspension makes any pre-suspension “assessor shortage” headline even less reliable as a basis for spending your money. Anyone quoting you a guaranteed salary or a guaranteed shortage is selling, not sourcing.
Common mistakes that delay or block CCA certification
Most avoidable problems come from treating the CCA like a course-and-exam purchase rather than a regulated professional qualification. Cut your risk by verifying experience, Work Role 612 status, ATP authorization, application evidence, and Tier 3 status before assuming any single completed step means you're certified.
- Buying CCA before locking in the CCP (and its Tier 3). The order is fixed by rule.
- Assuming IT experience equals cybersecurity experience. It doesn’t, automatically.
- Assuming implementation equals assessment experience. Different skill, separately required.
- Using an obsolete DoD 8570 (or outdated 8140) certification list. Verify against the current DoD Work Role 612 source.
- “Three supervised assessments.” You may see this in older pathway graphics. It is not a listed requirement in the current 32 CFR §170.11 or in ISACA’s current CCA requirements — we read both. Confirm any experiential requirements with the CAICO.
- Registering for the exam too early and burning the six-month eligibility window.
- Calling Tier 3 a security clearance — it isn’t, per §170.11(b)(3).
- Treating an interview or investigation step as a favorable adjudication. It isn’t.
- Passing the exam but never completing the application. The exam is one gate of many.
- Relying on a third-party article for the application deadline. ISACA’s own CCA pages currently conflict — confirm the window in MyISACA.
- Assuming the credential guarantees a Marketplace listing or paid work. It doesn’t — a CyberAB Marketplace listing also requires Delta Training.
- Planning to use personal devices for assessment evidence — prohibited under §170.11(b)(7).
- Confusing becoming an individual CCA with starting a C3PAO. Two very different undertakings.
What we verified for this guide
Verified July 17, 2026:
- 32 CFR §§170.8, 170.11, and 170.13 — read in full on the eCFR (current eCFR text; source rule published at 89 FR 83214)
- ISACA’s current CCA exam fees (US$575 member / US$760 non-member), the US$50 application fee, the six-month exam eligibility window, and the “Tier 3 not required before training or exam” sequencing — read on ISACA’s CCA pages
- The CCA exam domain weights and 150-question count — ISACA’s CCA exam content outline
- The July 13, 2026 Phase 2 suspension scope — the Department of War’s official release and implementation guidance
Official-source conflicts we found (and did not paper over):
- CCA application window: ISACA’s own “Get CCA Certified” page states candidates have five years from passing the exam to apply in its step-by-step, and two years in its certification-requirements section. Confirm the deadline in MyISACA.
- Active CCP before the CCA exam:ISACA’s registration page requires an active CCP, while another ISACA statement allows sitting the exam before Tier 3 — which can’t both be literal, since an active CCP requires Tier 3 under §170.13. Confirm the live gate in MyISACA.
- Work Role 612:the regulation states a “foundational qualification” aligned to Intermediate proficiency; ISACA operationally asks for a certification from its 8140 list. Verify both.
Not independently established:
A universal completion time; a current CCA employment or placement rate; a specific salary; a guaranteed near-term demand or shortage; an average Tier 3 adjudication time; and a complete, current hardcoded list of every qualifying Work Role 612 credential (verify yours against the live DoD source).
More on how we work: Editorial Standards · Methodology · Corrections Policy. This is educational research, not legal, contractual, employment, or compliance advice. Confirm credential and application requirements with ISACA/CAICO; confirm Marketplace and Tier 3 workflow with the Cyber AB; and confirm any contract question with your Contracting Officer or qualified federal-contracts counsel.
Frequently asked questions about becoming a CMMC assessor
- What certification do I need to become a CMMC assessor?
- You need the Certified CMMC Assessor (CCA) credential, and the Certified CMMC Professional (CCP) is a prerequisite. Per 32 CFR §170.11(b)(6), you must be a CCP with at least three years of cybersecurity experience, one year of assessment or audit experience, and a qualifying DoD 8140 Work Role 612 credential, plus mandatory training, the exam, and a Tier 3 determination.
- Can I become a CCA without being a CCP?
- No. Both 32 CFR §170.11 and ISACA require an active CCP before you can earn the CCA. The CCA is an advanced credential layered on top of the CCP.
- Does the CCP also require a Tier 3 background investigation?
- Yes. 32 CFR §170.13(b)(3) requires the CCP to complete a Tier 3 background investigation (or a Department-determined equivalent), using the same non-clearance, SF-86 process that applies to the CCA. Tier 3 sits underneath both credentials.
- Can I take CCA training before Tier 3 is complete?
- Yes. ISACA states that CCA candidates do not need to complete their Tier 3 background investigation before taking CCA training or the exam. Tier 3 is still required to reach an active credential, so run it in parallel.
- Does the Tier 3 background investigation give me a security clearance?
- No. 32 CFR §170.11(b)(3) states the Tier 3 investigation "will not result in a security clearance and is not being executed for the purpose of government employment." It's an eligibility determination for the assessor role, initiated with the SF-86.
- Can a non-U.S. citizen become a CCA?
- Possibly. The rule imposes no blanket citizenship bar; §170.11(b)(4) provides that candidates not eligible for Tier 3 must meet a Department-determined equivalent. There's no flat citizenship rule, but no guarantee any particular foreign investigation will be accepted — the Department determines equivalence.
- Do I need three supervised CMMC assessments to become a CCA?
- Not according to the current rule. 32 CFR §170.11 and ISACA's current CCA certification requirements do not list three supervised assessments as a prerequisite. That step appears in some older pathway graphics; confirm any experiential requirements with the CAICO before relying on outdated diagrams.
- How much is the CCA exam?
- US$575 for ISACA members and US$760 for non-members, plus a one-time US$50 application processing fee, verified on ISACA's CCA pages as of July 17, 2026. Training is separate and varies by provider.
- How many questions are on the CCA exam?
- ISACA's CCA exam content outline states the exam contains 150 questions across four domains, weighted toward Assessing Level 2 Practices (40%). Confirm the current time limit and passing score in ISACA's CCA exam candidate guide, as these operational details can change.
- Can I perform CMMC assessments by myself after becoming a CCA?
- No. Official Level 2 certification assessments are performed in support of a C3PAO, by a team led by a Lead CCA. A CCA is an individual credential; the authorization to deliver assessments and issue Certificates of CMMC Status belongs to the C3PAO, and §170.11(b)(7) requires assessors to use the C3PAO's authorized systems.
- Does the CCA credential certify my company?
- No. The CCA is an individual professional credential. Certifying a company is a separate process — a Level 2 assessment of an Organization Seeking Certification — and requires a C3PAO. If your goal is getting your own company certified, use the Find My CMMC Path tool instead.
- How long do I have to apply after passing the exam?
- ISACA's current CCA materials conflict: the "Get CCA Certified" steps state five years from passing the exam to apply, while the certification-requirements section on the same page states two years. Confirm the current deadline in your MyISACA account rather than relying on a third-party article.
- Is becoming a CCA still worthwhile after the July 2026 Phase 2 suspension?
- It depends on your situation. The suspension paused the mandatory third-party (C3PAO) assessment requirement pending a 60-day review, so near-term demand is uncertain. It's more defensible for an experienced assessor with employer support or a documented C3PAO opportunity than for a beginner betting on a shortage. The credential path and requirements remain in place as of this writing.
Your next step depends on your first unmet gate
- No active CCP yet→ start with the CCP pathway (training, exam, application, Tier 3)
- Experience uncertain → build your evidence packet before you pay for anything
- 8140 / Work Role 612 uncertain→ verify your credential against the current DoD source
- Eligible and ready to train → compare current CCA training options
- Certified but seeking work→ research current C3PAOs and assessor roles (and factor in the suspension)
- Not sure where you stand → run the CCA Eligibility & Friction Check
Disclosure
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Independence
The Defense Compliance Report is not affiliated with the Cyber AB, ISACA/CAICO, the Department of War, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page provides educational research, not legal, contractual, employment, or compliance advice.
Primary sources and further reading
- 32 CFR §170.11 — CMMC Certified Assessor (CCA) (source rule 89 FR 83214, Oct. 15, 2024)
- 32 CFR §170.13 — CMMC Certified Professional (CCP)
- 32 CFR §170.8 — Accreditation Body (C3PAO authorization, conflict-of-interest rules)
- CMMC Program Final Rule (Federal Register, 89 FR 83214)
- ISACA — CCA credential (fees, requirements, sequencing)
- ISACA — CCA exam content outline (domains and weights)
- DoD Cyberspace Workforce Framework — Security Control Assessor (Work Role 612)
- DoD Manual 8140.03 — Cyberspace Workforce Qualification and Management Program
- NIST SP 800-171 Rev. 2 (110 Level 2 requirements) · NIST SP 800-171A (assessment procedures)
- CyberAB Marketplace
Regulatory facts on this page were verified against the sources above on July 17, 2026. Program phases and rules change — we re-verify on a recurring basis and update the “Last verified” date when we do.