The CMMC Roles: CCP (Certified CMMC Professional)

The previous blog discussed the major role - the RP. The RP is primarily a consultant. The RP is not allowed to be involved in the assessment.

The next major role is the Certified CMMC Professional (CCP). There is some information published on this role. In last month's CMMC Townhall, the Board announced that the CCP training curriculum is estimated to be published in October. Training is estimated to begin in November.

Unlike the RP, the CCP is allowed to engage in assessments and to become a Certified CMMC Assessor (CCA). The Board describes the CCP as a stepping stone to the CCA, and also as an internal or external consultant.

  • Creates the organization's CMMC program
  • Ensures the organization maintains compliance
  • Assessment preparation

Completing the CCP training and testing is stressed for this role.

On the CMMC AB website (https://cmmcab.org/registered-vs-certified/), there is a comparison of RP to CP (i.e. CCP). One might consider a CP as having more expertise than an RP. This RP considers that to not be very relevant, since the only role provisioned so far is the RP (therefore RPs MUST be experts). The comparison also shows that the CP may be employed at a C3PAO on a track to become an Assessor. The CP can also be employed by an OSC to provide consulting (i.e. internal support) to prepare for Assessment.

In this latter case, it is not likely that most OSCs would need to employ Assessors, since that service is provided by a C3PAO. However, large OSCs and OSCs that have compartmented their various DoD programs may wish to have assessors that do internal assessments (e.g. perform an assessment of program #1, then program #2 and so on).


Neither the curriculum nor the training for the assessors has been published yet. Based on the timing of the CCP curriculum and training, the early estimate is that Level 1 Assessor will be published in early 2022.

Assessors will be qualified in several steps. The first step is the CCP detailed above. From that point, CCPs may upgrade to assessor credentials. Assessors are qualified according to the CMMC Level of the assessment. That is, a CCP must acquire an Assessor Level 1 (CCA1) credential to do an assessment of an OSC desiring CMMC Level 1 Certification. The next level of assessment is at CMMC Level 3. In order to do an assessment for an OSC desiring CMMC Level 3 Certification, the assessor (CCA1) must upgrade their personal credential to CCA3.

Refer to https://cmmcab.org/assessors-lp/

One significant difference between CCA1 and CCA3 is US Citizenship. There are some strong restrictions on what CCAs (and CCPs) can do, especially if employed by a C3PAO. The AB provides strong guidelines on separation of the organizations and roles, so as to maintain objectivity, confidentiality and ethics.

The last quarter of 2021 should provide many more details. At the time of writing, there are approximately three C3PAOs, and one can expect them to publicly present their experiences with the credentials and assessments in the near future.