FAQ (2022-02-22)

Is the Certified CMMC Professional (CCP) curriculum for CMMC 2.0? (2022-02-22)

No. The current curriculum is based on CMMC 1.0; however, the changes are minimal. In addition, the CMMC-AB will provide free, computer-based training to all CCP graduates that will address the differences between CMMC 2.0 and 1.0. We anticipate the “Delta” training will be available in March 2022.

When will the CCP exam be available? (2022-02-22)

We anticipate the CCP exam will be available in the latter half of 2022.

If the curriculum is CMMC 1.0 and the exam won’t be available until late 2022, why should I take the class now? (2022-02-22)

There are several reasons why taking the class now could be of benefit to you:

  • Students will gain a detailed understanding of CMMC fundamentals
  • Having already taken the CCP course and subsequent “Delta” training, you will be ready to take the exam as soon as it is released
  • Many people are waiting until CMMC is mandated through rulemaking or until the Voluntary Certification period begins. We anticipate a rush of students beginning mid-2022 that will continue through 2023. Avoid the rush! Get a head start on your goal of becoming a CCP or CCA, or the person primarily responsible for building your organization’s CMMC Program.

With the removal of maturity from CMMC 1.0, do I still have to have documentation, such as policies and procedures? (2022-03-07)

Yes. The removal of the maturity practices only meant that the organization does not have to demonstrate the maturity of their policies and procedures, simply that they have them in place at the time of the assessment. Documentation is still required.

Do you have an update on the documentation for audit guidance? (2022-03-07)

Documentation is still required. If you need assistance with documentation, you can contact an RPO or C3PAO to assist.

Are the CMMC Professional and CMMC Registered Practitioner still applicable? (2022-03-07)

Yes. The CCP is meant to assist Certified Third-Party Assessment Organizations (C3PAOs) with assessments. The Registered Practitioner (RP) is meant to assist Registered Provider Organizations (RPOs) with consulting to prepare Organizations Seeking Certification (OSCs) for their assessments.

How many C3PAOs are now formally accredited? (2022-03-07)

The correct term is authorized. There are currently 6 authorized C3PAOs. Redspin was the first authorized C3PAO.

Can you please validate if the Department of Defense (DoD) is moving in a direction that would require all Level 2 assessments (as per CMMC V2.0) to be external now, i.e., no self-assessments for Level 2 would be permitted any more? (2022-03-07)

The bifurcation of Level 2 certifications has been removed, although there will be some special cases that can still self-attest. The DoD and the contracting office will determine which contracts that would apply to.

What is the latest verdict on CMMC Level 1 whether it will require audit by C3PAO? Any expectations when the rule making is going to happen? (2022-03-07)

CMMC Level 1 will be a self-attestation for those OSCs dealing with Federal Contract Information (FCI). There are some OSCs that would like to have a C3PAO conduct their certification assessment, but the DoD has not decided if that will be allowed.

Is final rule making 24 months away? (2022-03-07)

The DoD has set the timeline of the FAR regulation updates for 24 months. They plan on instituting an interim rule that should be in effect by the end of the calendar year 2022.

In one of the DoD sessions, they mentioned that companies should look to get Level 1 certification sooner rather than later. Is there a current path for that or is there a specific form that would be needed for the self-assessment? (2022-03-07)

OSCs seeking a Level 1 certification should prepare now. When ready, the OSC simply needs to upload their SPRS score. There will be a form that an executive from the OSC must sign, but that is still being designed. OSCs seeking Level 2 certification should also seek certification now. C3PAO calendars are filling up as OSCs look to secure their assessment window.

Can ISO Registrars become assessors? (2022-03-07)

Yes, but the CMMC training is still required via an LTP.

Will C3PAOs be able to “fail” an OSC based on the documentation (or lack of documentation) of assets in scope per the OSC’s SSP or is this expected to be addressed as part of the CAP? (2022-03-07)

Yes. A C3PAO can fail an OSC if documentation is not accurate or does not reflect CMMC 2.0 Language. However, the DoD is still drafting the Plan of Actions and Milestones (POA&M) policy, which may allow the OSC to include the failed practice. The OSC would then have up to 180 days to remediate the POA&M. The Certification Assessment Process (CAP) will cover this area for assessors. It is currently in draft form and should be released by the end of March 2022.

Will assessors be able to award certifications prior to the AB ISO certification? (2022-03-07)

Assessors do not award the certificates, nor does the CMMC-AB. The C3PAO is the one who issues the certificate. Assessors complete the assessment, send the reports to the C3PAO, who then uploads them to the CMMC-AB with the result. This must be done by an Authorized C3PAO and can be executed prior to the ISO certification being in place.

Please explain how the CMMC AB will manage DIB organizations’ expectations on being assessed and receiving a Provisional CMMC assessment prior to the CMMC AB being authorized to issue certifications. Or will there be no CMMC certifications issued before the AB is authorized to certify? (2022-03-07)

The provisional portion of CMMC was killed with CMMC 1.0. Organizations that continue with the process do so in the “Voluntary Phase” of the CMMC program. This assessment is the CMMC Level 2 Certification Assessment. Organizations that are certified now by a C3PAO will be good from the time of the certificate award until 3 years after the interim rule is in place. Then they must re-certify.

I am concerned that you are hiring Assessors at an entry-level position. (2022-03-07)

There is no need to be concerned with the hiring of entry-level assessors, as they will have experience and mentors to assist; they will not conduct assessments on their own. The training, outlined by the CMMC-AB, is built on a step methodology. All candidates seeking to be assessors must attend the CCP training. Once complete, they enroll in the CCA training and take part in three CMMC Level 2 Certification Assessments before they are awarded their title as an assessor. All entry-level assessors are then partnered with lead assessors, with the C3PAOs, to mold and mentor them throughout their career. All PAs at Redspin are experienced with numerous assessments/audits and hold multiple industry certifications.

Any word on when DOD PMO will release authorized C3PAOs to start assessing? (2022-03-07)

The DoD and CMMC-AB set a goal for C3PAOs to start certifications by the end of first quarter. In order to do so, several documents are required, which include the CAP, POA&M policy, and the Incentives policy.

Is the CAP going to be based on one of the industry-standard IT audit frameworks – i.e., AICPA’s COSO framework, or alternatively, ISACA’s COBIT framework? (2022-03-07)

The Certification Assessment Process (CAP) is one of the main documents assessors will use to conduct the assessments. The CAP is based on NIST 800-171a and includes appendix E.

There has been a lot of discussion regarding a new release of NIST 800-171. Will the CMMC model remain consistent with NIST 800-171 revisions in real time? (2022-03-07)

The DoD is partnering with NIST to ensure practices are in line with industry best practices and are optimal for protecting CUI data. Any changes to NIST 800-171 will automatically be incorporated into CMMC.

Where do I start with the process of learning what I need to know to pass an audit? (2022-03-07)

Contact us at Redspin. We are already assisting organizations in preparing for certifications.

Can you clarify if OSCs need to create policies and procedures for each domain and control for Level 2? There is confusion with how CMMC 2.0 got rid of maturity processes. (2022-03-07)

Most of “what the organization is doing” should be captured in the System Security Plan (SSP) and reference out to various policies and procedures. If you are unsure of how to construct your documentation, contact us at Redspin to assist.

What are the non-POAM controls? (2022-03-07)

We are waiting on the POAM policy from the DoD. Until it is released, anything heard is rumor.

Any update on when CMMC 2.0 Level 3 guidance will be available? (2022-03-07)

The DoD has not released that guidance yet. However, we do know that it will contain practices from NIST 800-172. We recommend starting there.

Why was DHG’s DIBCAC audit done under 1.0? It is the first company that was fully approved after DOD announced the CMMC 2.0 model. (2022-03-07)

DHG became the 6th C3PAO approved by the DoD and CMMC-AB and the first to be approved after the change to CMMC 2.0. However, they began the process under CMMC 1.0 and thus finished under that model.

Scoping guide/control applicability: If an OSC uses an MSP and the MSP receives CUI from the OSC, does this give an assessor grounds to require attestation that the MSP has a CMMC certification or 800-171 compliance in order to “pass” the OSC on their assessment, or would this be restricted to a government function as a contractual matter? (2022-03-07)

Any MSPs receiving, processing, or storing CUI data must have a CMMC Level 2 Certification. There are still decisions the DoD is making regarding this subject, so in the meantime it is recommended that you obtain the MSP’s documentation and link it to yours.

2.0 guidance now highlights SPAs (security protection assets) as part of the CMMC scope. How do services that leverage clouds tie in such as Arctic Wolf, IT Glue, Blackpoint etc.? These systems add to the protection but do not store, process, or transmit CUI. (2022-03-07)

Although the systems do not process or store CUI data, they are still in scope because they are providing protections to the network that does process or store CUI data. Therefore, their configurations must be reviewed to ensure they are functioning as expected.

Can a CCP candidate receive CCP study materials/guides from an LTP in order to self-study for the CCP certification exam as opposed to enrolling in an online/onsite CCP training course offered by an LTP? (2022-03-07)

No. There are no pure self-study options for CMMC-AB certification programs. The training must be completed with an approved Licensed Training Provider (LTP). However, there are some LTPs that offer a self-paced course.

Can I still take the CMMC Certified Professional (CCP) Course? When will the exam be available? (2022-03-07)

Yes. The CCP course is available and going on now. Those who complete the CCP training course will be automatically enrolled in a 3-hour delta course. Exams should be available by summer 2022.

When will Delta training be available and do Provisional Instructors have an opportunity to review the Delta training? (2022-03-07)

Delta training is currently available for CCPs and PAs. Once CCP candidates complete the main CCP course, they will be enrolled in a delta course. Provisional Assessors (PAs) are automatically enrolled in the delta training. It is optional for PAs to attend the CCP training course. The only requirement for the PAs is to complete the CCP exam within 6 months of its release. If the PA fails the exam, they have to enroll in the CCP training course and retake the exam.

With the release of the v2.0 framework delta training, is there any expectation around timeline for a formalized CCP exam to be available for those who have attended CCP training via an LTP? (2022-03-07)

Exams should be available by summer 2022.

Is the RP training only for existing RPs, or can new people certify at this time? (2022-03-07)

The RP training is available for all.

If a person is in the middle of RP training … will there be a replacement of the current training with updated content? Or is the required RP training still two-fold: 1. Initial RP training plus 2. Delta Training. (2022-03-07)

Currently, all courses will include the main course and a delta until all courses can be updated.

Will there be lead assessor training and lead assessor exam? (2022-03-07)

Yes, eventually, but it is not the priority right now. Priority is getting all of the delta courses in place, updating current curriculum, then a lead assessor course will be created. Currently, C3PAOs will determine who will be the lead assessors within their teams.

Can people in vendor orgs get RP certification? (2022-03-07)

Yes. In fact, it is recommended that OSCs train either an RP or CCP to maintain their posture until the next certification. Contact us at Redspin to help you get started.

I am responsible to prepare my company for CMMC Certification and to manage the program after certification, should I take this course? (2022-02-22)

Yes! The vision of the CMMC program is that each organization will maintain experts to prepare their organization for CMMC Certification and then manage CMMC compliance for the duration of the certification period.

If I am responsible for my company’s CMMC program, am I required to be a CCP? (2022-02-22)

No. It is not a requirement to be a CCP; however, the vision of the CMMC program is that each organization will maintain experts to prepare their organization for CMMC Certification and then manage CMMC compliance for the duration of the certification period.

There are several Licensed Training Providers for the CCP Course, why should I take the course with Redspin? (2022-02-22)

  • Redspin was the first organization to become a C3PAO
  • Redspin’s primary CCP instructor is Dr. Thomas Graham. Dr. Graham is Redspin’s CISO and was primarily responsible for Redspin’s C3PAO certification. He will provide first-hand knowledge of his experience to students in the course.
  • As one of only a few organizations that are both a C3PAO and LTP, Redspin brings this unique perspective as an added value to the CCP curriculum

Do you have a flexible payment plan? (2022-02-22)

Yes, there are two payment options.

  • Pay the full tuition upfront, or
  • 50% when registering for the course and 50% when the course starts.

I’m a Provisional Assessor, do I need to take the CCP Course? (2022-02-22)

No. Provisional Assessors need to take the CCP exam within 6 months of the exam becoming available, but not the CCP course.  Only PAs that fail the CCP exam will be required to take the CCP course.

I am a CMMC Registered Practitioner who wants to become a Certified CMMC Assessor (CCA), do I need to complete the CCP training and exam before becoming a CCA? (2022-02-22)

Yes. The CMMC-AB’s January 2022 Town Hall contains great information concerning the pathway to becoming a CCA.

When will the CCA curriculum and exam be available? (2022-02-22)

Currently unknown.
