The Certified CMMC Professional (CCP) Certification Guide (2024)
What is CCP certification?
The Certified Cybersecurity Maturity Model Certification (CMMC) Professional (CCP) is the first step in the journey to becoming a Certified CMMC Assessor (CCA). For those working closely with the Department of Defense (DoD) across the defense supply chain, the CMMC framework is the latest cybersecurity model to identify, assess and mitigate cyber risk.
-
- Learn the specific set of compliance requirements to comply with CMMC
- Understand the different CMMC maturity levels and how they apply to organizations
- Ideal for IT auditors, security engineers, compliance officers, risk managers and more
Key facts
- Average information risk analyst salary: $112,398
- Experience needed: College degree, equivalent experience or 2+ years in IT or cybersecurity
- Full CMMC implementation: Expected by Fall 2025
Start your journey to earning your Certified CMMC Professional certification with Infosec.
CMMC CCP exam overview
The CCP exam tests your knowledge of the CMMC framework and the CMMC ecosystem. Passing the exam, which covers six domains, is part of your journey to becoming a Certified CMMC Professional.
Domain 1: CMMC Ecosystem (5%)
In this domain, you'll need to identify and compare roles, responsibilities and requirements of different authorities across the CMMC ecosystem. These organizational bodies include the Office of the Undersecretary Of Defense, the Cyber Security Maturity Model Certification Accreditation Body, CMMC assessors, Licensed Training Providers and more. You'll need to recognize the responsibilities of these individuals while also understanding how they function together.
Domain 2: CMMC-AB Code of Professional Conduct (Ethics) (5%)
This domain covers the guiding principles and practices of the CMMC-AB Code of Professional Conduct (CoPC)/ISO/IEC/DOD requirements. You'll be required to understand general ethics topics around professionalism, objectivity, confidentiality and proper use of materials, as these are critical skills in maintaining high-quality defense standards.
Domain 3: CMMC Governance and Sources Documents (15%)
As you receive and transmit FCI and CUI, you'll need to understand the rules and regulations around each type of controlled information. The CMMC v.20 program requirements focus on streamlined models, reliable assessments and flexible information. You'll also need to identify Foundational/Level 1 and Level 2 CMMC assessments and requirements, as well as the consequences of non-compliance.
Domain 4: CMMC Model Construct and Implementation Evaluation (35%)
This domain evaluates your ability to apply the appropriate CMMC Source Documents as an aid to evaluate the implementation and review of CMMC practices. This includes the model architecture, model levels, practices and domains. You'll also need to display adequate knowledge of using evidence in different scenarios.
Domain 5: CMMC Assessment Process (CAP) (25%)
This domain covers choosing the appropriate roles of the CCP in the CMMC Assessment Process and applying those process requirements that pertain to the role of a CCP team member on the assessment team. You'll also need to demonstrate comprehension of the CCP role in the preparation of the assessment report and the evaluation of outstanding assessment issues. You'll also need to determine the appropriate phases/steps to assist in the preparation/conducting/reporting on a CMMC Level 2 Assessment.
Domain 6: Scoping (15%)
For the final domain, you'll need to understand organizational scope at a high level and analyze the organization environment to generate an appropriate scope for FCI assets.
CMMC CCP exam details
Two common questions are "Is CCP certification worth it?" and "How long does it take to get CCP certification?" Passing the CCP exam is required if you want to work as a CMMC Assessor, but the time it takes to officially become a CCP varies. Once enrolled in training from a Licensed Training Provider (LTP), the training is only five days followed by the exam. However, the full CCP application process can take 2-6 months. For more information, see the timeline from the Cyber AB.
| Launch date: | 2022 | Last update | 2022 |
| Number of questions: |
170 |
Type of questions: | Multiple-choice |
| Length of test: | 3.5 hours | Passing score: | 500 points |
| Recommended experience: | College degree or 2+ years of related experience; CCP training from an LPT; pass DoD CUI Awareness training (see full details) | Languages: | English |
| Duration (how long it's valid): | 1 year (annual renewal fee required) | CPE requirements: | To be determined |
Speak to an Infosec rep for the most up-to-date information on CCP certification costs.
Additional CCP resources
Taking a training course is required to earn your CCP, which is the only and best certified CMMC Professional certification available. As part of the CMMC ecosystem, Infosec is both an LPP and an LTP, so you can rest assured the training meets the requirements and high standards set by the Cyber AB.
CMMC Licensed Publishing Partners
The Cybersecurity Assessor and Instructor Certification Organization (CAICO) approves Licensed Publishing Partners (LPP) like Infosec to develop a curriculum that aligns with the certification exam objectives blueprint. The DOD limits LPPs to a maximum of 20.
CMMC Licensed Training Provider
LTP is an established training organization that CAICO has approved. Like Infosec, those in the CMMC marketplace have been vetted and are responsible for delivering CMMC training using LPP materials.
Other free CMMC training resources
There are a number of free resources available to help understand the CMMC framework and ecosystem:
- The Cyber AB is the official accreditation body of the Cybersecurity Maturity Model Certification (CMMC) ecosystem and a great resource for additional information.
- The DoD CIO website contains official CMMC documents, including the model overview, scoping guidance, assessment guides and more.
- Infosec's CMMC ebook (coming soon) is designed to get you up to speed quickly on the CCP and CCA certification process and includes answers to students' most common CMMC questions.
CCP jobs and careers
Certified CMMC Professionals have valuable skills that can apply to careers in CMMC compliance and beyond. Your CCP certification salary will likely vary depending on your job title, location and experience.
Common CCP job titles
-
IT auditor
-
Security engineer
-
CMMC compliance manager/officer
-
Compliance analyst
-
Risk and compliance manager
-
Consultant
CCP training and exam prep
You have two primary options when exploring CCP exam prep and other CMMC-related training: live, instructor-led boot camps and self-paced training courses.
Live CCP Boot Camps
Infosec offers a 5-day, live Certified CMMC Professional Boot Camp that includes everything you need to prepare for and pass your CCP exam.
-
Live instruction: Build your CMMC skills with expert, live instruction. Infosec CMMC instructors have 10+ years of real-world experience and are among the best in the industry.
-
Authorized CMMC materials: As both an LPP and an LPT, Infosec is uniquely positioned as both a fully vetted creator of CMMC training materials and an authorized deliverer of CMMC training.
-
Improved pass rates: Infosec stands by its CMMC training with Exam Insurance. That means if you fail your CCP exam on your first attempt, you get a second attempt to pass — for free.
Learn more about the CCP Training Boot Camp.
Self-paced training
Although an official CCP Boot Camp is required to earn your CCP, there are a number of self-paced training options that can support your CMMC journey.
-
Certified CMMC Professional Learning Path: Get an introduction to the six CCP domains in this 13-hour training.
-
NIST 800-171 Learning Path: Learn the 110 controls in the 800-171 framework and how they help protect Controlled Unclassified Information (CUI).
-
Browse the Infosec Skills course library: Explore hundreds of other IT, risk and cybersecurity courses.
Learn more about self-paced training with Infosec Skills.
CCP certification comparisons and alternatives
CCP is an excellent certification, but there are other options you should be aware of — both inside and outside the CMMC ecosystem.
CMMC CCP vs. CMMC Registered Practitioner
A Registered Practitioner can provide CMMC implementation consulting services and guidance to organizations as they prepare before an assessment. This is a critical role in identifying gaps and mitigation strategies before a CCP evaluates. On the other side of the assessment, CCPs provide specialized expertise in maintaining a robust security posture as part of the CMMC assessment process.
CCP vs. CCA
The Certified CMMC Assessor (CCA) is the next step on your journey to become a DOD Certified CMMC Assessor — after you earn your CCP. CCAs can take on additional responsibility, such as the ability to work as an assessor on Level 2 assessments if they work for a Certified Third-Party Assessor Organization (C3PAO).
CCP vs. CISA
CCP is specific to CMMC controls, while the Certified Information Systems Audit (CISA) is a aimed at broader IT auditing and controls. The CCP designation helps navigate the intricacies of the CMMC framework. CISA is a globally recognized certification focused on auditing, controlling, monitoring and assessing information systems across the entire infrastructure.
Explore Infosec certifications to find the best fit for your career goals.
