CCA CMMC assessor exam - is it worth pursuing before the regulation fully stabilizes?
I've been doing IT security consulting for about 8 years and my firm is starting to see a lot more DoD supply chain clients asking about CMMC. I'm looking at the CCA certification and trying to figure out if the time investment makes sense right now or if I should wait until the regulation settles a bit more.
From what I've gathered, the CCA exam covers cybersecurity fundamentals, CMMC-specific assessment methodology, and the 110 practices across the 17 domains. The exam is 75 questions and you need a 70% to pass. I've been working through the CMMC Assessment Process document and the NIST 800-171 controls and there's a lot of overlap with my existing CISSP knowledge but framed differently.
My concern is the authorized C3PAO pathway requirement. Even after passing the CCA exam, you need to complete a certain number of assessment days with a C3PAO to get fully credentialed. Finding a C3PAO willing to bring on a new assessor for that experience time is apparently harder than the exam itself.
Is the exam format mostly multiple choice or are there scenario-based questions? And for people who've already passed, how much did prior NIST 800-171 or FedRAMP experience actually help?
NIST 800-171 fluency is the foundation. If you can walk through all 110 practices and explain the assessment objectives for each, you're probably ready for the exam portion. The CAP document is dense but it's essentially the exam syllabus.
The C3PAO access problem is real. I passed the exam in Q3 and still haven't finished the required assessment days because finding a C3PAO that isn't already maxed out is tough. Budget 6-12 months after the exam for the experience requirement.
Passed the CCA exam back in January. If you have CISSP and hands-on NIST 800-171 experience, the exam content won't surprise you much. The scenarios are framed around assessment activities - what you document, how you score practices, what qualifies as MET vs NOT MET. I scored 84% and the CMMC Accreditation Body study materials were sufficient.
Coming back to this thread — just passed my CCA yesterday. Everything about the CCA practice test section is accurate. For anyone still studying, the free CCA cybersecurity practices controls was the closest thing to the real exam I found.
Quick update: just cleared 84% on my most recent CCA practice set using free CCA cybersecurity practices controls. Sitting for the real thing in 4 weeks. Feeling cautiously optimistic.