CMMC career paths: Which CMMC certification is right for you?

June 21, 2021 by Patrick Mallory

In April 2020, the FBI, National Security Agency, and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) made a stunning announcement: “hackers working for Russia’s Foreign Intelligence Service (SVR) were actively exploiting five known vulnerabilities to target U.S. companies and the defense industrial base.”

In the wake of the attack, 37 defense-related companies were affected by the sweeping SolarWinds supply chain attack. Fortunately, the Department of Defense (DoD) itself was not breached.

While the specifics of the DoD’s security mitigations and incident response actions are not publicly known, the broad and brazen cyberattack on the U.S. defense industrial base underscores just how timely — and important — the introduction of the Cybersecurity Maturity Model Certification (CMMC) program was.

CMMC standard overview

The CMMC standard was first officially introduced in January 2020 to help the DoD supply chain and the 300,000 businesses that make up the defense industrial base be better prepared to protect the sensitive data they hold in the face of cyberthreats. Although the data is known as controlled unclassified information (CUI), its theft by malicious actors can pose a risk to DoD networks, systems, research and services.

Before the CMMC framework, companies that supported the DoD operated under a “self-attestation” model, where they certified that the necessary security controls, tools and policies were in place to secure CUI. However, with the implementation of the CMMC standard, these companies are now required to have a third-party assessment of their networks and operations to ensure that they meet one of the five maturity levels of cybersecurity, with each level more advanced than the one before it.

Although the model was released in early 2020, it incorporates input from the private sector, federally funded research and development organizations and university-affiliated research centers, and it comprises 171 practices that are well-known best practices across the cybersecurity industry. Of those, 110 are part of the NIST SP 800-171 rev1 security framework. There is also input from many other sources:

  • Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
  • Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2
  • DFARS 252.204-7012

The CMMC standard will require all suppliers to hold a CMMC certification by 2025 to bid on contracts. However, businesses can choose to just certify the segment of their network that is working on DoD-related projects or their entire enterprise network, depending on where CUI is handled and stored. The CMMC-AB estimates that an organization can complete the certification process in about six months.

Overview of Cybersecurity Maturity Model Certification program professional certificate levels 

Following the launch of the CMMC program, the CMMC accreditation board (CMMC-AB) began work on developing the curricula, exams, professional standards and training required to implement the standard and perform the necessary independent assessments. 

After working with CMMC-AB Licensed Training Partners (LTPs) to complete the necessary training, CMMC-certified security professionals will form the CMMC third-party assessor teams, also known as CMMC third-party assessor organizations (C3PAOs), that perform CMMC assessments. These C3PAOs will use a standard assessment protocol to identify a DoD supplier’s level of security maturity, reliability and strength. The result of this assessment is a determination of the organization’s maturity level.

The roles that will make up the C3PAOs include: 

  • Certified CMMC professional (CCP)
  • Certified CMMC assessor (CCA)

In addition to these professional roles, which can be employed by C3PAOs or by organizations directly to assist with achieving and maintaining compliance, the CMMC-AB will also rely on several professional development roles:

  • Certified CMMC instructor (CCI)
  • Certified CMMC master instructor (CCMI)
  • CMMC Quality auditor (QA)

In addition to these roles, some professionals, known as CMMC registered practitioners, can assist in the implementation or understanding of CMMC standards.

Below, we explore the scope of each role as well as the experience and training required to perform at that level.

CMMC registered practitioner (RP)

Unlike the CMMC standard’s other roles, RPs will provide “advice, consulting and recommendations to their clients,” but they are not able to conduct CMMC assessments.

RPs will have basic online training on the CMMC and be required to sign a code of professional conduct, but their roles will be limited to advisory, consultative services to DoD suppliers.

Certified CMMC professional (CCP)

Working with the CMMC assessors, the CCPs and the CMMC third-party assessor organizations evaluate an organization’s security protocols, policies and practices. 

These professionals must:

  • Possess either a college degree in a technical field or other equivalent experience (including military) or two or more years in a cyber or other information technology field
  • Meet the respective citizenship requirements
  • Have their application approved by the CMMC-AB, confirming their education and experience requirements
  • Complete the certified CMMC professional class
  • Pass the CMMC CCP exam
  • Have or gain a favorably adjudicated tier-three background check or possess an NAC (National Agency Check), DHS Suitability credential or other DoD accepted clearance (required to participate on ML-2 or higher assessment teams)

Once all these steps are completed, the security professional can participate as a CMMC assessment team member under the supervision of a Certified CMMC assessor. They are also eligible to continue their training and growth to become a Certified CMMC assessor.

Certified CMMC assessor (CCA)

There are multiple levels of CCAs, each qualified to evaluate and identify an organization’s security maturity level up to the standard to which they are certified. For each role, however, the professional must have:

  • Met all of the requirements and be confirmed as a CCP
  • Completed the necessary CCA level-specific training
  • Passed the associated exam
  • Had their first attestation supervised by a CMMC quality auditor (QA)

Certified CMMC assessor level one (CCA-1)

CCA-1s can conduct CMMC maturity level one (ML-1) assessments and supervise CCPs as they conduct these assessments. Their first attestation at this level must be supervised by a CMMC quality auditor (QA) before the designation will be granted.

Certified CMMC assessor level three (CCA-3)

CCA-3s can conduct CMMC maturity level assessments up to ML-3 and supervise CCPs as they conduct these assessments. Their first attestation at this level must be supervised by a CMMC quality auditor (QA) before the designation will be granted.

Additionally, CCA-3s must have more than four years of cybersecurity or IT experience and have completed the CCA-3 level exam.

Certified CMMC assessor level five (CCA-5)

CCA-5s can conduct CMMC maturity level assessments up to ML-5 and supervise CCPs as they conduct these assessments. Their first attestation at this level must be supervised by a CMMC quality auditor (QA) before the designation will be granted.

Additionally, CCA-5s must have completed 15 CMMC ML-3 assessments and have completed the CCA-5 level exam.

Certified CMMC instructors

Although applications and CMMC-AB-provided information are not yet available for this role, there will be two levels:

Certified CMMC instructor (CCI)

Certified CMMC instructors are security professionals approved by the CMMC-AB to teach CCAs, CCPs and RPs.

Certified CMMC master instructor (CCMI)

Certified CMMC master instructors are security professionals approved by the CMMC-AB to teach CCIs.

CMMC quality auditor (QA)

Although applications and CMMC-AB-provided information are not yet available for this role, CMMC quality auditors will provide the final approval of completed assessments.

Begin your CMMC certification journey

Although it will come with a lot of work for each member of the DoD supply chain, the implementation of the CMMC standard will be a vital step toward bolstering the security of the DoD’s supply chain to meet the cyberthreats of tomorrow. 

With this work comes plenty of opportunity for those looking to begin a new career, expand their cybersecurity knowledge and help the DoD perform its mission more securely. Where you begin that journey depends on your goals, your experience and how you would like to help organizations reach compliance: as a member of an assessment team, as a trainer helping others work their way through CMMC training or as an advisor helping organizations reach compliance.

Given the nascent stage of implementation of the CMMC standard and certification process, those interested and able to achieve the CCP designation — no matter which level they seek to achieve — are likely to have a strong job outlook and plenty of opportunities for career growth.





Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program. Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.