How to become a Certified CMMC Professional (CCP)
As cyberattacks and threats become more brazen, public and sophisticated, the U.S. Department of Defense (DoD) has worked to increase their security controls throughout their procurement processes.
One of the most prominent recent changes was the introduction of the Cybersecurity Maturity Model Certification (CMMC), which requires the more than 300,000 companies that provide goods and services within the defense industrial base supply chain to integrate new methods and standards to protect sensitive defense information on their information systems. The CMMC was first introduced in January 2020 and included input from the private sector, university-affiliated research centers and federally funded research and development organizations.
So how does a Defense Department contractor or supplier certify that their information systems and security protocols meet the new CMMC? That’s where a Certified CMMC Professional (CCP) and Certified CMMC Assessors come in.
The role of a CMMC CCP
Before the launch of the CMMC, DoD contractors and suppliers were responsible for putting the necessary security controls, practices and capabilities in place to protect their sensitive data and remaining current on the latest best practices and threats.
However, the CMMC now requires these organizations to have an independent, third-party assessment conducted by professionals who are trained and certified to understand the CMMC. While there are multiple roles and responsibilities on the CMMC third-party assessor teams, also known as CMMC third-party assessor organizations (C3PAOs), that perform these CMMC assessments, the first step in one’s journey begins with CCPs.
Together with the more experienced CMMC assessors, the CCPs and the CMMC third-party assessor organizations evaluate an organization’s security protocols, policies and practices using a standard assessment protocol, to identify their level of maturity, reliability and strength. The result of this assessment is a determination of the organization’s security maturity level. There are five levels and each builds upon the others’ technical, security competencies, and cybersecurity best practices.
How to become a Certified CMMC Professional
There are several steps outlined by the CMMC Accreditation Body to become a CCP. However, once completed, these security professionals are valuable members of the C3PAOs that assess the DoD suppliers.
According to the official CCP guidance, an individual is required to possess one of the two:
- A college degree in a technical field or other equivalent experience (including military).
- Two or more years in cyber or other information technology fields.
- Meet the respective citizenship requirements
- Have their application approved by the CMMC-AB, confirming their education and experience requirements
- Pay the application and necessary observation fees
- Complete the DoD mandatory CUI training
- Complete Certified CMMC Professional class (CMMC model training) from a Licensed Training Provider
- Pass the CCP exam
- Activate their certification post-application acceptance and exam completion
- Maintain their CCP status, including annual maintenance fees
Once all of these steps are completed, according to the CMMC Accreditation Body, then the security professional is:
- Authorized to participate on a CMMC assessment team member under the supervision of a Certified CMMC Assessor
- Eligible to continue their training and growth to become a Certified CMMC Assessor
- Able to present their credential as an employee with the training to understand the requirements of CMMC for a DoD supplier
- Authorized to use the Certified CMMC Professional logo
- Listed in the CMMC-AB marketplace of certified professionals
Moving from a CMMC CCP to the CCA role
The CMMC Accreditation Body has also outlined the path that a CMMC CCP holder can follow to become a CCA. CCAs can lead third-party assessments, with the support of CCPs, on their own.
However, to achieve the CCA designation, one needs to satisfy several requirements, as identified by the CMMC Accreditation Body:
- Possessing the Certified CMMC Professional credential
- Meeting the respective citizenship requirements
- Completing the CMMC Assessor level one training delivered by an LTP and CMMC Accreditation Body
- Passing the official CCA-1 Assessor exam for the Certified CMMC Assessor level one credential
- Completing a background check
- Activating their CCA-1 certification with the CMMC Accreditation Body and pass suitability determination
After all of these steps are completed, the final step involves the CCA-designate’s first CMMC assessment supervised by an independent senior assessor. After a successful determination, the CCA designation is awarded.
It should be noted that there are multiple CMMC assessor levels, including the CCA-1, for level one, CCA-3 for level three, and CCA-5 for level five. These additional levels are based on:
- The completion of their respective exams
- Favorable suitability determinations or an active clearance
- Additional years of experience in cybersecurity or information technology
- Completing a requisite number of CMMC assessments
It should be noted that, based on the time of writing, the application process and training courses for the CCA level certifications are not yet available and active.
The future of the CCP profession
In addition to the CMMC now being a requirement to do business with the DoD, which companies must achieve by 2025, the increasing scope, scale and occurrence of cyberattacks, data breaches and security and privacy concerns will only benefit those with the CCP credential.
With an estimated 300,000-plus organizations currently doing business with the DoD, third-party assessors will be looking for trained, experienced and certified CCP professionals to fulfill their important assessment role. And, with DoD locations, bases and stations located across the country and around the world, there is an opportunity for more diversity in work locations.
In addition to the more traditional assessment role, CCP professionals can also be employed by the DoD suppliers themselves, helping them to improve their security controls and procedures ahead of an assessment or even remediating deficiencies identified during the assessment process.
Finally, after gaining experience as a CCP, these professionals can choose to continue their growth by achieving the CCA-1 credential, which allows them to demonstrate their experience and training.
Begin your CCP journey
The implementation of the CMMC standard is an important step in securing the DoD’s supply chain by bolstering the security standards of those organizations that support their mission. However, the process to have each supplier meet the CMMC standard is going to take a lot of work, time and trained professionals with the necessary experience.
Given the nascent stage of implementation of the CMMC standard and certification process, those interested and able to achieve the CCP designation are likely to have a strong job outlook and plenty of opportunities for career growth.
If you are ready to achieve the CCP certification or are looking for a trusted information security training provider able to deliver the CCP material, click here to learn more.
Certified CMMC Professionals and Certified CMMC Assessors, CMMC Accreditation Body
The CMMC Standard, CMMC Accreditation Body
The Cybersecurity Maturity Model Certification explained: What defense contractors need to know, CSO Online