The full compliance process for CMMC, the Cybersecurity Maturity Model Certification, culminates in an assessment that validates an organization's cybersecurity posture and its implementation of the security controls that apply to it.
Throughout this process, there is a gatekeeper who performs that assessment. You may have heard them referred to as a CMMC Auditor or a CMMC Assessor. With both terms in circulation, you may be wondering what the difference is between them.
A CMMC Auditor is an unofficial name for the individual or company that performs the audit on your organization once you believe you have achieved a security posture that meets your desired level of CMMC.
They run through the checks, audit your systems, and provide a final report on whether you pass or fail, with commentary on what fell short and what needs to be fixed.
A CMMC Assessor is an official name for the individual who performs the audit on your organization once you believe you have achieved a security posture that meets your desired level of CMMC. They run through the checks, audit your systems, and provide a final report on whether you pass or fail, with commentary on what fell short and what needs to be fixed.
If you glossed over that paragraph, you might have a bit of déjà vu. Did we just say the same thing twice? Well… almost.
There are a couple of key differences between the two.
First, the word official. The technical term for the person conducting an assessment, as accredited by the Cyber-AB, is the Certified CMMC Assessor. They are an auditor in every practical sense, but "auditor" is not the term the Cyber-AB uses to describe the role.
In fact, the term “auditor” is not used on the Cyber-AB site at all, outside of the descriptions of member organizations in the marketplace, which are descriptions submitted by those organizations, not by the Cyber-AB themselves.
Second, the omission of the word company. A Certified CMMC Assessor, or CCA, is an individual with the training and authorization to conduct CMMC assessments of organizations. The key here is that a CCA is an individual. Companies can provide assessment services, but those companies are not known as auditors or assessors; they're C3PAOs (CMMC Third-Party Assessment Organizations).
Assessors are auditors, and auditors are assessors, but only one is the actual term the Cyber-AB uses for the official role it certifies.
A Certified CMMC Professional, or CCP, is essentially the intermediary step between a layperson and a CCA. All CCAs need to have been CCPs at some point.
The technical term is actually Level 1 CMMC Assessor, but in order to differentiate it from the Level 2 role (the CCA), the name CCP was designated.
Anyone interested in becoming one of the professionals tasked with helping to uphold the security of the defense industrial base and its supply chain should consider becoming a Level 2 CMMC assessor. Though the process is lengthy and requires keen attention to detail, it's a valuable role to take on, and it helps to secure the defense supply chain as a whole.
In order to become a Certified CMMC Assessor, the Level 2 assessor role, you must first become a CCP, or Certified CMMC Professional, the Level 1 assessor role.
Many people actually work on achieving their CCP certification simply as a way to validate their experience and knowledge surrounding CUI and CMMC, treating it like any other workplace certification, so it’s relatively common to achieve this level of certification.
This certification has some specific requirements. The first is education or experience: you must have a college degree in a field such as cybersecurity, information technology, or an equivalent field, or, alternatively, at least two years of directly related experience in the field, including military experience.
Secondly, you should have a CompTIA A+ certification or an equivalent level of knowledge and experience. The Cyber-AB does not govern CompTIA, but the CompTIA A+ certification has been around long enough and is trusted enough that it meets the Cyber-AB's needs. Rather than reinvent the wheel, they accept it as a baseline.
The Cyber-AB also recommends taking the DoD CUI Awareness Training, specifically the Mandatory Controlled Unclassified Information Training module. Most people operating in a business that handles CUI securely will already have been exposed to this training, but it can't hurt to get a refresher.
Once you meet these baseline requirements, you can pursue the CCP certification itself.
Once you have satisfied all of these requirements, you can become a licensed CCP. CCPs are able to participate in full CMMC assessments and can assess the Level 1 requirements, but they cannot lead assessments or issue final determinations. Level 2 requirements, as well as the final determination, must be assessed by the lead CCA performing the assessment.
Many people stop here. However, there need to be CCAs in order to staff C3PAOs and to manage audits on their own, so some portion of CCPs need to progress into full CCAs. So, how do you continue and become a CCA? The requirements are essentially the same but with higher stringency and a couple of additional line items.
Once you meet all of these requirements, you can be issued a CCA license and lead CMMC assessments on behalf of a C3PAO.
One additional potential hurdle is conflict of interest: if you work for an organization seeking CMMC compliance, you cannot become a CCA and then run your own organization's assessment. You can obtain the certification and assess other organizations, and you can contribute to your own organization's security program, but you cannot assess an organization you have a conflict of interest with.
One thing worth mentioning here is that the current CMMC ecosystem is relatively small and will likely need to expand rapidly over the coming year. The CMMC 2.0 Final Rule has finally taken effect, which means the next couple of years will be a flurry of activity on the DoD and Cyber-AB side as well as across the defense industrial base. As hundreds or thousands of companies and organizations now have new rules to adjust to, new assessments to pass, and new standards to maintain, it falls to the CMMC Assessors to evaluate them.
At the same time, the standards changed, which means the assessor pool changed. Assessors formerly accredited under CMMC 1.0 may no longer hold the license necessary to conduct current assessments. There was a lot of turnover in the list, and there's plenty of room for more assessors and C3PAOs to spring up in the coming months. It's a great opportunity, in other words. With under 300 CCAs licensed at the time of writing, there's plenty of room for more.
There's a lot of conflicting information going around about the requirement that a CMMC Professional complete at least three assessments in order to become a CMMC Assessor. Until very recently, the final rule wasn't in force, so it wasn't actually possible to perform official assessments, and taken literally the requirement would have been impossible to meet.
This has been worked around in several ways.
One way is by participating in JSVAs, or Joint Surveillance Voluntary Assessments. These count as assessments for the purposes of the CCA certification requirements.
A second workaround is to join one of the existing C3PAOs. Strictly speaking, C3PAOs couldn't exist under the same requirements either, but several were seeded through direct DoD approval, and those have been able to assess others and get them authorized as well. By operating as a CCP and performing assessments as part of a C3PAO's team, you could meet the requirement.
A third option is to simply disregard it and still pursue the certification. Several town hall meetings raised this question, and Cyber-AB representatives stated that the "requirement" for three assessments wasn't actually a requirement. CCAs who have performed at least three assessments get an additional badge in the marketplace, but not having performed them doesn't stop you from becoming a CCA.
The CMMC Assessor is, as mentioned, the individual in charge of leading the team that conducts the assessment of an organization's security posture. Any organization seeking certification will need to undergo this assessment, and it has to be performed by someone licensed to perform it.
There's a lot of detail to this, of course. A full CMMC assessment is a deep dive into a thousand little details, from individual settings and configurations in specific systems to organization-wide employee training and much more. It's too much to sum up in a few sentences here, which is why we have other resources on it throughout our blog.
Whether or not you need a CCA depends on your specific needs.
If you're looking to improve your overall security posture but don't necessarily want to pursue CMMC, you don't need a CCA. You could engage someone with a CCP, since they will have at least a solid baseline knowledge of the relevant standards, or you can work with other cybersecurity experts outside of the CMMC framework.
If you're looking to achieve CMMC certification but are not yet at the point where you need an assessment, a CCP can help you with internal evaluations and consulting. CCAs can also do that, though you need to be careful: hiring a CCA as a consultant can be costly, and you'll then need a different CCA for your assessment, because a CCA who helped you implement your compliance program cannot also be the one who issues the determination on your certification.
If you've done as much implementation as you can and believe you're ready to pass an assessment, you will generally want to find a C3PAO. Your C3PAO will bring a team led by a CCA, so you don't need to find one individually, and that team will go through the assessment with you. Since the assessment is such a large and intensive process, it doesn't usually make sense for a CCA to operate alone, though some specialize in very small businesses and work with correspondingly small teams under a C3PAO.
Overall, CMMC Assessors play a critical role in the CMMC ecosystem, so hopefully this has cleared up some confusion around terminology and requirements. If you have further questions, feel free to reach out and ask!
*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/cmmc/cmmc-auditor-assessor-cca/