Become a Certified CMMC Assessor

The CCA is the credential required to perform formal CMMC Level 2 assessments inside the Department of Defense’s Cybersecurity Maturity Model Certification program. ISACA became the credentialing authority for the CMMC program in April 2026 through the Cybersecurity Assessor and Instructor Certification Organization (CAICO), with the Cyber AB continuing to run the Tier 3 background investigation. Holding a CCA qualifies you to evaluate evidence, validate security controls, conduct stakeholder interviews, and determine whether a contractor handling Controlled Unclassified Information meets the 110 NIST SP 800-171 controls that define Level 2. Only Certified Assessors working with a CMMC Third-Party Assessment Organization (C3PAO) can sign off on those assessments, which is why the credential carries weight in a defense industrial base now operating under a live CMMC rule.

The CCP, Certified CMMC Professional, is the foundational credential. It lets you support readiness work and serve on an assessment team under a Certified Assessor’s supervision. The CCA, Certified CMMC Assessor, is the advanced credential that lets you conduct the assessment and sign findings. You must hold an active CCP before you can sit the CCA exam, so the CCA is the next step up, not a parallel option. The CCP exam covers six domains weighted toward the assessment process and scoping. The CCA exam covers four domains weighted heavily toward assessing Level 2 practices, which makes up 40 percent of the exam, because that’s the work an assessor actually performs in the field. Exam length, scoring difficulty, and prerequisites all step up from CCP to CCA, reflecting the difference between supporting an assessment and running one.

You need an active Certified CMMC Professional (CCP) credential before you can register for the CCA exam. That’s the hard prerequisite. Beyond CCP, ISACA expects experienced cybersecurity and assessment background, completion of official CCA training through an Approved Training Provider, and a favorable Tier 3 background investigation determination conducted by the Department of Defense or an equivalent ISACA accepts. Full certification also requires adherence to ISACA’s Code of Professional Conduct and a certification application fee paid after you pass the exam. Specific experience thresholds and any policy updates are published on ISACA’s CCA page, and we recommend confirming those directly before scheduling. This boot camp is built for candidates who already hold CCP and are stepping into the assessor role.

Harder than the CCP. The CCA is 150 multiple-choice questions over four hours, with multi-select and case-based scenario items mixed in. Scoring runs on a scaled range of 200 to 800, and you need 500 to pass, which works out to roughly 70 percent of items answered correctly. What makes the CCA harder isn’t volume; it’s judgment. Forty percent of the exam tests assessing Level 2 practices against the 110 controls in NIST SP 800-171, meaning you’re evaluating realistic evidence against control objectives rather than reciting framework structure. Twenty-five percent is the CMMC Assessment Process, twenty percent is scoping, and fifteen percent is evaluating organizations seeking certification. Candidates who’ve spent real time on a C3PAO assessment team usually find the exam approachable. Candidates who only studied the framework academically usually don’t.

The CCA exam is currently $450 USD, paid directly to ISACA when you register. The exam is delivered through Meazure Learning, ISACA’s testing partner, at an in-person testing center or via remote proctored session. After you pass, you’ll also pay an ISACA certification application fee to activate the credential. None of these fees are included in our boot camp tuition. We keep the training and the exam separate so the totals on your invoice match what ISACA actually delivers, and so we don’t run afoul of ISACA’s rules around bundling or guarantees. ISACA periodically updates exam pricing, member pricing, and the application fee, so confirm the current figures on the ISACA CCA page before you schedule.

The CCA exam has 150 scored multiple-choice questions across four domains, with unscored field-test items mixed in that don’t count toward your score. You have 240 minutes, four hours, to complete it. Domain weights are: Evaluating Organizations Seeking Certification at 15 percent, CMMC Level 2 Assessment Scoping at 20 percent, the CMMC Assessment Process (CAP) at 25 percent, and Assessing CMMC Level 2 Practices at 40 percent. Question types are a mix of standard multiple-choice, multi-select, and case-based scenarios that drop you inside an assessment situation and ask what an assessor would do next. The exam is linear, not computer-adaptive, and delivered in English only. You receive your overall scaled score on completion, and unsuccessful candidates also receive domain-level percentages so a retake can target the right material.

No. The boot camp gets you exam-ready, and the exam itself is purchased and scheduled separately through ISACA and delivered by Meazure Learning. This is an explicit design choice. ISACA’s program rules don’t allow training partners to bundle, discount, or guarantee outcomes on the CCA exam, so we deliver the training and let ISACA handle the credential. Your tuition covers four days of instructor-led course time, the ecfirst Approved Training Provider courseware and Academy Portal, practice questions and a mock assessment, and instructor support through the exam-scheduling window. You register for the exam directly on ISACA’s site when you’re ready.

ecfirst is one of the most credentialed organizations in the CMMC ecosystem. They hold simultaneous status as a CMMC Approved Training Provider (ATP), an Approved Partner Publisher (APP), a Registered Provider Organization (RPO), and a CMMC Third-Party Assessment Organization (C3PAO). The same auditors who teach the course also run real CMMC assessments in the field, which is the practical advantage no third-party study guide can match. Under the current program rules, the CCA training authorization sits with the ATP, not with the reseller, so we partner with ecfirst to deliver authorized courseware that tracks the live ISACA exam outline. Training Camp handles enrollment, scheduling, payment options, military and government funding, and student support. ecfirst delivers the authorized CCA curriculum.

Training Camp is an award-winning ISACA partner, including recognition as ISACA Partner of the Year. We’ve trained tens of thousands of professionals across ISACA’s credential portfolio, including CISA, CISM, CRISC, CGEIT, CCISO, CDPSE, CCOA, and the newer AI Audit credentials. That partnership matters for CMMC because ISACA became the credentialing authority for the entire CMMC program in April 2026, taking over the assessor and instructor certifications through the CAICO. Working inside the ISACA training ecosystem means our content stays aligned with the live CCA exam outline, our delivery models match how ISACA wants their credentials taught, and our instructors maintain credentials under the same continuing-education requirements students are working toward.

The CCA aligns to DoD Cyber Workforce Framework (DCWF) work role 612, Security Control Assessor, on the assessor qualification pathway under DoDM 8140.03. If you’re filling that role for the Department of Defense as a civilian, service member, or contractor, the CCA is the credential the assessor track points to for Level 2 cyberspace work. Both DoD 8140 qualification deadlines have passed: the cybersecurity workforce element in February 2025 and the remaining elements in February 2026. That means cyber-coded positions are operating under active qualification requirements right now, not approaching ones. You can see the full Work Role 612 certification mapping and the cert paths for Basic, Intermediate, and Advanced proficiency on our DoD 8140 page.

Yes. CMMC is live in DoD contracts. Phase 1 of the rollout began November 10, 2025 under 32 CFR Part 170, and the DFARS clause requiring CMMC certification is now appearing in DoD solicitations. Contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) need a CMMC assessment at the level specified in their contract, typically Level 2 for CUI handlers, before award or by the milestones written into the solicitation. Only Certified CMMC Assessors working with a C3PAO can conduct formal Level 2 assessments, which is the supply-and-demand pressure driving demand for CCAs. The assessor talent pool is still small relative to the volume of Defense Industrial Base contractors who now need certification.

Continued access to the ecfirst Academy Portal, which includes course materials, study guides, practice questions, and exam-prep reinforcement, plus instructor availability through the exam-scheduling window. The boot camp is the structured four days. The support is the runway you need afterward, when you’re scheduling the CCA exam through ISACA, reviewing the domains you scored lowest on in your mock assessment, and finishing your prep around your work calendar. Most candidates schedule the exam two to six weeks after the boot camp, depending on how recent their CCP work is and how much heads-down review time their schedule allows. We stay in the loop through that window instead of disappearing on Friday at five.

Training Camp accepts corporate and team training budgets, all major procurement vehicles including GSA Schedule, GPC, and SF-182, and the major DoD and military funding pathways. That includes the GI Bill, VET TEC, VRRAP, ArmyIgnitED, Air Force COOL, Navy COOL, Marine Corps COOL, and unit-level training budgets. Defense contractors typically expense the boot camp against project training lines or bid-and-proposal budgets when CCA-qualified staff are required for an upcoming Level 2 assessment engagement. Our enrollment team handles eligibility questions, paperwork, and quote requests, usually within one business day. If you’re routing funding through a specific authority and aren’t sure how to structure the purchase, ask before you enroll and we’ll work it out with you.