Understanding the Differences Between Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA)

By: Christopher Buford

I wanted to update you on the latest developments in the Cybersecurity Maturity Model Certification (CMMC). This program is designed to improve how organizations protect sensitive information within the Defense Industrial Base (DIB). On October 11, 2024, the Department of Defense (DoD) published the final rule for the CMMC Program, reaffirming its commitment to strengthening cybersecurity across its contractor network. This rule begins a phased rollout 60 days after publication, with full implementation expected over the next three years (DoD Final Rule).

I feel that having a proper understanding of the roles of a Certified CMMC Professional (CCP) and a Certified CMMC Assessor (CCA) is essential for anyone aiming to work in the CMMC ecosystem. Each certification has different responsibilities, requirements, and eligibility criteria, which I have detailed below to help you navigate this critical framework.

Certified CMMC Professional (CCP)

  • Role and Responsibilities: The CCP is an entry-level certification for individuals seeking foundational knowledge of the CMMC framework. CCPs assist organizations in implementing CMMC requirements and can support assessment teams but are not authorized to lead assessments or make final determinations.
  • Prerequisites:
      • Completion of CCP training through an Approved Licensed Training Provider (LTP).
      • Passing the CCP examination.
      • Background Investigation: Based on the guidance from Cyber AB, a favorable Tier 3 investigation or an equivalent is required for CCP certification, even though this is not explicitly mentioned in the CCP Blueprint. A Tier 3 investigation typically includes a National Agency Check with Law and Credit (NACLC).

Tier Eligibility: Tier 3 Investigation: This includes a review of criminal records, financial history, and personal conduct. It ensures that candidates demonstrate trustworthiness and reliability. Candidates should expect to provide disclosures about financial or legal issues and employment history.

Certified CMMC Assessor (CCA)

  • Role and Responsibilities: CCAs are authorized to lead formal CMMC assessments for organizations seeking certification. They evaluate and validate an organization’s compliance with CMMC practices and processes.
  • Prerequisites:
      • Active CCP certification.
      • Completion of CCA training through an LTP.
      • Passing the CCA examination.
      • Experience Requirements: At least three years of cybersecurity experience. One year of assessment or audit experience. Holding a baseline cybersecurity certification, such as those aligned with the DoD’s Cyberspace Workforce Qualification & Management Program (CCA Blueprint).
      • Background Investigation: A favorable Tier 3 determination (e.g., National Agency Check with Law and Credit) is required for CCAs due to their access to sensitive information and decision-making authority.

Tier Eligibility: Tier 3 Investigation: This investigation includes a comprehensive review of criminal, financial, and legal history. References, previous residences, and employment history may also be checked. Candidates must demonstrate the highest level of trustworthiness and reliability.

Key Differences

CMMC Final Rule: A Path Forward

The publication of the CMMC Final Rule marks a pivotal moment in the DoD’s effort to secure the defense supply chain. Organizations and professionals must prepare for a phased implementation, with CMMC requirements becoming fully operational by 2027. For professionals pursuing CCP or CCA certification, understanding the differences in roles and requirements is crucial to aligning their career aspirations with the evolving needs of the CMMC ecosystem.

By distinguishing the responsibilities, prerequisites, and Tier eligibility for CCPs and CCAs, this article aims to guide professionals in making informed decisions about their certification paths. As the DIB adapts to these enhanced cybersecurity measures, certified individuals will play a vital role in ensuring compliance and protecting national security.
