How to become a CMMC Certified Assessor (CCA): Requirements & Assessment Process
A CMMC Certified Assessor (CCA) is a qualified assessor who performs official Level 2 certification assessment work as part of a C3PAO team. Lead CMMC Certified Assessors (LCCAs) are the senior assessors authorized to lead Level 2 assessment teams and deliver final compliance determinations.
When the U.S. Department of Defense (DoD) instituted the Cybersecurity Maturity Model Certification (CMMC) program, it introduced a dramatic shift towards a more systemized approach to security. But it also created a dire need for qualified security professionals. Among these cyber experts, the CCA is a high-level individual CMMC credential. In this role, they are a crucial element of the CMMC assessment process.
Note: As of April 2026, all certification activities have moved to ISACA, which now serves as the CMMC Assessor & Instructor Certification Organization (CAICO). Learn how this affects CCA certification in our webinar with ISACA.
What does a CMMC Certified Assessor (CCA) do?
A CCA plays a formal assessment role during a Level 2 assessment conducted by Certified Third-Party Assessment Organizations (C3PAOs). The Defense Industrial Base (DIB) is broad, encompassing any organization that contributes products or services to the supply chain used by the U.S. military. To ensure these companies have adequate security systems in place, a CCA works as part of a C3PAO assessment team, checking whether each company has implemented the security controls outlined in NIST SP 800-171.
They may work with CCPs on assessment teams. CCAs also contribute to assessment findings and make determinations within the role authorized by the CMMC assessment process. LCCAs lead assessment teams and hold final determination authority for Level 2 certifications.
The CCA role in assessments includes tasks such as:
- Planning assessments. They collaborate with clients to determine what will be assessed, ensuring the scope aligns with the organization’s required CMMC level, assessment scope and the types of Controlled Unclassified Information (CUI) the company handles.
- Collecting evidence. There are 14 NIST cybersecurity protection families, or categories, and a CCA must ensure the team reviews and evaluates evidence of how the company implements the necessary tools and systems.
- Interviewing personnel. A CCA may have to personally interview help desk staff, executives and others on an organization’s cyber defense team to see if the company’s practices align with its policies.
At a high level, CCAs provide quality assurance. Responsibility ultimately rests with the assessment leadership team, which ensures the assessment is accurate and thorough and gives a real view of the organization’s cyber defense posture.
Prepare for the new era of CMMC
Join Infosec Institute and Todd Gagnon, ISACA CAICO Director, to learn how the CMMC is changing.
CMMC Certified Assessor (CCA) requirements
As an advanced individual in the CMMC assessment process, a certified assessor must fulfill several requirements.
Prerequisites
A CMMC Certified Assessor needs to have an active CMMC Certified Professional (CCP) certification. When considering CCA vs. CCP, this is a key distinction: every CCA holds a CCP because it is a prerequisite for the CCA credential. Those interested in becoming a CCA may start by earning their CCP certification; a Registered Practitioner (RP) credential is optional and not a prerequisite for CCA.
They also need 3+ years of cybersecurity experience and 1+ year of assessment or audit experience, and they need to have demonstrated competence as assessors in prior roles. In this way, they show they do more than simply meet the general CMMC assessor requirements that RPs and CCPs also have to meet, and they can be considered among the more qualified people on the assessment team.
Additional CCA certification requirements
A CCA needs to pass a CCA exam. This, along with demonstrating competence, requires CCA training.
Part of this training may involve practical assessment preparation, but current ISACA public requirements do not list supervised assessments as a required CCA certification step.
In addition, a CCA must achieve a favorable Tier 3 investigation determination (or equivalent) conducted by DoD, or hold a NAC (National Agency Check) or other DoD-accepted clearance where current ISACA/CMMC requirements recognize it; this reduces risk across the CMMC ecosystem. CCA candidates must also hold at least one baseline certification aligned to the Intermediate and/or Advanced Proficiency Level of the Certified Assessor (612) career pathway in DoD Manual 8140.3, Cyberspace Workforce Qualification & Management Program.
Step-by-step path to CMMC Certified Assessor
Understanding how to become a CMMC assessor means knowing what steps to expect. Even though earning CCA credentials can be challenging, by approaching it step by step, you can reach your goals once you meet the required CCP, experience, training, exam, Tier 3 and DoD 8140.3 pathway requirements.
Step 1: Obtain and maintain a CMMC Certified Professional (CCP)
You have to get CCP first, which qualifies you as a foundational professional on a CMMC assessment team. You also must maintain your CCP credential until you get your CCA. To get your CCP, you must:
- Have either:
  - A college degree in a cyber or information technical field
  - Two or more years of related education experience
  - OR two or more years of related experience, including military experience, in a cyber, information technology or assessment field
- Complete training from an approved provider
- Pass the CCP exam
- Submit an application to ISACA
- Achieve a favorable Tier 3 investigation determination or equivalent conducted by DoD
Step 2: Gain CCP experience
Once you have your CCP, you should participate in multiple assessments or related audit, compliance or cybersecurity activities to gain experience. Some skills you’ll hone during this time may include:
- Assessing an organization’s readiness for CMMC certification
- Supporting the assessment team as they gather evidence and evaluate the tools and controls the organization uses, in the context of the NIST requirements
- Helping organizations maintain their compliance through consultations, internal reviews or training
Your goal is to demonstrate competence, showing you have the ability to work well with a team and thoroughly evaluate an organization’s CMMC qualifications and documentation.
Step 3: CCA training with an ATP
Before getting your CMMC CCA certification, you have to undergo mandatory CCA training through an Approved Training Provider (ATP), like Infosec Institute, around advanced assessment methodologies, such as risk-based and threat-informed assessments.
Since a CCA plays a formal role on assessment teams, you also have to develop a range of skills around leading and working with a team. A CMMC assessment professional needs important soft skills, such as:
- Organizing and motivating teams of assessors
- Communicating with representatives and executives of the companies being assessed
- Communicating expectations and timeline requirements
- Mentoring or supporting other assessment professionals, where appropriate
As a CMMC evaluation specialist, a CCA must also excel at writing reports. These have to clearly outline the areas where an organization meets or falls short of the NIST SP 800-171 standards. This may require significant effort and attention to detail, especially given the 110 standards an organization may need to meet.
Quality assurance is another key element of being a third-party CMMC assessor, especially while taking the lead as a CCA. “Quality” involves a combination of detail and accuracy during the assessment and reporting process. This is especially important when an organization fails to qualify for CMMC certification. In that case, you must make sure they know exactly why they have fallen short and what it would take to earn their credential.
Step 4: Pass the CCA exam
Whether your goal is to work for an independent CMMC evaluator or as a consultant, you must pass the CCA exam. The exam is more rigorous than the CCP test, and it consists of:
- 150 multiple-choice questions
- A scaled scoring system that requires a passing score of 450 or higher on a 200-to-800-point scale
- Four-hour time limit
The exam focuses on technical scenarios. You have to demonstrate you know how to navigate a range of situations that require leadership and prudent decision-making.
To illustrate, you may see a question like this:
Which system is most likely in scope for a CMMC Level 2 assessment?
- A. A public-facing marketing website
- B. A system that stores, processes or transmits FCI only
- C. A system that stores, processes or transmits CUI
- D. A system owned by a third-party MSP
In this case, the correct answer would be C, a system that stores, processes or transmits CUI, because CMMC Level 2 specifically applies to systems that handle CUI.
Step 5: Complete remaining CCA requirements
After passing the exam, complete the ISACA certification application process. Current ISACA public requirements include paying the application processing fee, demonstrating the required experience, holding a Tier 3 determination by the DoD, meeting the applicable DoD 8140.3 Certified Assessor 612 pathway requirement and adhering to ISACA’s Code of Professional Ethics and CPE policy.
If your employer or C3PAO uses supervised practice assessments as part of internal development, treat those as professional preparation rather than a current public ISACA certification requirement unless the current candidate guide says otherwise.
Step 6: CCA credential awarded
Once you’ve gone through training, passed the exam and completed ISACA’s certification application and eligibility requirements, you qualify for your CCA credential. This affords you:
- Full CCA status, enabling you to include this as a credential in your professional profile
- The ability to perform formal Level 2 assessment work as part of a C3PAO team
- The ability to include “CCA” as a credential in your CMMC marketplace listing
CMMC Certified Assessor levels
While there is only one CCA credential, it’s important to understand the individual assessor hierarchy. The CMMC assessor credentials, from foundational to most advanced, are:
- CMMC Certified Professional (CCP): A foundational credential for professionals who provide advice, consulting, and recommendations to organizations preparing for CMMC compliance; cannot make final certification determinations.
- CMMC Certified Assessor (CCA): A fully qualified assessor who can conduct Level 2 CMMC assessment work and make determinations within role authority as part of a C3PAO team.
- Lead CMMC Certified Assessor (Lead CCA / LCCA): The most senior individual credential in the CMMC ecosystem. The LCCA is earned by meeting advanced DoD experience requirements and is authorized to lead official Level 2 assessment teams and issue final determinations on behalf of accredited C3PAOs.
Career as a CMMC Certified Assessor
As you compare careers associated with the CMMC ecosystem, you’ll want to explore employment opportunities and what you can expect for your CMMC assessor salary.
Employment opportunities
The most common employment track for a CCA is working on Level 2 assessment teams for a C3PAO. CCAs who later earn LCCA may move into lead assessor roles. You could also serve in a managerial capacity or as an executive overseeing an assessment organization’s teams.
It’s also common for someone with CCA certification to be an independent contractor. In this role, you advise organizations on how to qualify for CMMC certification. You may also be helpful to assessment teams that need consultation or leadership while evaluating organizations.
The great news is that there’s a high demand for CCA assessors and a limited supply of professionals. This means that once you earn your certification, you may not have to compete against a deep stack of other applicants as you apply for jobs.
Maintaining CCA credential
To maintain your CCA status, you need to:
- Pay an annual fee of $45 for ISACA members or $85 for non-members.
- Remain eligible under the required background check, including holding a favorable Tier 3 investigation determination or equivalent.
- Abide by the CMMC assessor code of conduct.
In addition, it’s important to conduct quality assessments. This ensures the assessments you oversee adhere to the quality standards expected by The Cyber AB and ISACA. Failure to do so could endanger the cybersecurity of the organizations you assess and the U.S. military.
Next steps
To start pursuing your CCA certification, you have to first earn your CCP cert. You then need to meet CCA eligibility requirements, including 3+ years of cybersecurity experience and 1+ year of assessment or audit experience.
On the other hand, suppose you already hold your CCP, and you’ve been working in cybersecurity and assessment or audit roles long enough to meet ISACA’s CCA requirements. If this is the case, you can start your CCA training right now. Infosec’s CMMC Certified Assessor (CCA) Boot Camp uses the latest version of CMMC materials to ensure participants have the knowledge and skills needed to pass the CCA exam.
FAQs
How long does it take to become a CCA?
You can become a CCA in about two years, depending on your current certifications and experience. For those who already have their CCP cert and a year or so of experience, earning a CCA may take less time.
Can I skip CCP and go straight to CCA?
No, you cannot skip CCP and go straight to CCA because having a CCP is a prerequisite for earning your CCA.
Do I need to work for a C3PAO?
No, as a CCA, you don’t need to work for a C3PAO. Even though working on a C3PAO team is a common role for a CCA, you can also be an independent consultant, working on your own.
How much do CCAs make?
Your CCA salary will vary based on where you work, years of experience and qualifications, such as other tech certifications. However, you can expect to make between $100k and $150k in many related roles, though this should be treated as a market estimate rather than guaranteed CCA compensation.
What if I fail the CCA exam?
If you fail the CCA exam, follow ISACA’s current retake rules before scheduling another attempt. If you pass the exam but do not yet meet the experience or other certification requirements, continue building qualifying experience and apply once you meet ISACA’s requirements within the allowed application window.