CMMC Roles Explained

What Is a CMMC Certified Assessor (CCA)? Role, Requirements, and the Ethics of Separation

A CMMC Certified Assessor (CCA) is an individual authorized by the Cyber AB to conduct formal CMMC certification assessments on behalf of a CMMC Third-Party Assessment Organization (C3PAO). Understanding the CCA role, how it differs from consultants like Registered Practitioners (RPs), and why the CMMC ecosystem intentionally separates consulting from assessment is essential for any defense contractor pursuing CMMC Level 2 certification. This guide explains the CCA credential requirements, assessment methodology, ethical boundaries, and how Petronella Technology Group works alongside CCAs to help clients achieve certification.


Key Takeaways: CMMC Certified Assessor (CCA)

  • A CCA conducts formal CMMC assessments. They are credentialed individuals who work for accredited C3PAOs and are the only people authorized to perform official CMMC certification assessments on behalf of the DoD.
  • CCA is different from RP (Registered Practitioner). An RP like Craig Petronella is a consultant who helps organizations prepare for CMMC. A CCA is an assessor who evaluates readiness. These roles must be separate.
  • The consulting-assessment separation is intentional and ethical. The DoD and Cyber AB designed the CMMC ecosystem so that the firm helping you prepare cannot also be the firm that certifies you, preventing conflicts of interest.
  • PTG prepares, C3PAOs assess. Petronella Technology Group is a Registered Provider Organization (RPO) that provides consulting and remediation. We refer clients to accredited C3PAOs for formal assessment.
  • CCAs evaluate all 110 NIST 800-171 controls during a Level 2 assessment using the CMMC Assessment Process (CAP), reviewing evidence, conducting interviews, and scoring each requirement as MET, NOT MET, or NOT APPLICABLE.
  • Verify CCA credentials through the Cyber AB Marketplace before engaging with any C3PAO. Legitimate CCAs and C3PAOs are publicly listed and verifiable.
Role Definition

What Is a CMMC Certified Assessor (CCA)?

A CMMC Certified Assessor (CCA) is an individual who has been trained, examined, vetted, and authorized by the Cyber AB (formerly known as the CMMC Accreditation Body, or CMMC-AB) to lead and conduct formal CMMC certification assessments. The CCA credential represents the highest assessment qualification within the CMMC ecosystem. CCAs are the professionals who actually evaluate whether a defense contractor has implemented the required cybersecurity controls to the standard demanded by the Department of Defense.

CCAs do not work independently. They are employed by or contracted to a CMMC Third-Party Assessment Organization (C3PAO), which is an organization that has itself been accredited by the Cyber AB and authorized by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to conduct assessments. The C3PAO provides the organizational framework, quality management systems, and liability insurance required for assessments, while the CCA provides the technical expertise and professional judgment necessary to evaluate an organization's cybersecurity posture against NIST SP 800-171 requirements.

During a formal CMMC assessment, the CCA leads the assessment team through a structured, multi-day evaluation of the Organization Seeking Assessment (OSA). This evaluation involves reviewing documentation such as the System Security Plan (SSP) and Plan of Action and Milestones (POA&M), examining technical evidence of control implementation, interviewing key personnel, observing processes in action, and testing security configurations. The CCA must apply consistent, objective judgment to determine whether each of the applicable security requirements has been met. For CMMC Level 2, this means evaluating all 110 security requirements derived from NIST SP 800-171 Revision 2.

The CCA role is fundamentally different from the role of a consultant or advisor. A consultant, such as a CMMC Registered Practitioner (RP), helps organizations understand the requirements, identify gaps, develop remediation plans, build documentation, and prepare for the assessment. The CCA, by contrast, arrives after preparation is complete and renders an independent, objective judgment on whether the organization meets the standard. This distinction is not merely procedural. It is an ethical requirement built into the CMMC ecosystem by design, as we will explore in detail later in this guide.

  • 110 NIST 800-171 controls evaluated
  • 3-year certification validity
  • 80K+ contractors need Level 2
  • 14 control families assessed
Certification Path

CCA Certification Requirements

Becoming a CMMC Certified Assessor requires significant professional experience, specialized training, rigorous examination, and ongoing authorization from the Cyber AB.

Professional Experience Prerequisites

Before an individual can even begin the CCA certification path, they must demonstrate substantial professional experience in information security, cybersecurity, or IT audit. The Cyber AB requires candidates to have a minimum number of years of relevant professional experience, typically three or more years, with direct involvement in cybersecurity assessment, audit, or implementation activities. Many CCA candidates come from backgrounds in federal cybersecurity compliance, IT audit, or information assurance, and they frequently hold related certifications such as CISSP, CISA, CEH, or Security+ that demonstrate foundational competency.

CCP Prerequisite: CMMC Certified Professional

The path to becoming a CCA typically begins with obtaining the CMMC Certified Professional (CCP) credential. The CCP is the entry-level assessment credential within the CMMC ecosystem. CCP holders have completed foundational training on the CMMC framework, NIST SP 800-171 requirements, and basic assessment methodology. While CCPs can participate in assessment teams, they do so under the supervision and leadership of a CCA. The CCP credential serves as a prerequisite that ensures CCA candidates have demonstrated baseline knowledge before advancing to the lead assessor role.

CCA Training and Examination

Candidates who meet the experience and CCP prerequisites must complete the official CCA training course, which is delivered by Cyber AB-authorized Licensed Training Providers (LTPs). This intensive training program covers the CMMC Assessment Process (CAP) in comprehensive detail, including assessment planning, evidence evaluation techniques, interview methodologies, objective assessment scoring, report writing, and the ethical obligations of assessors. The training includes practical exercises and scenario-based evaluations that simulate real assessment situations.

After completing the training, candidates must pass a rigorous proctored examination that tests their knowledge of the CMMC framework, NIST SP 800-171 requirements, assessment methodology, evidence evaluation standards, and professional ethics. The examination is designed to ensure that only individuals with the competency to render reliable, consistent assessment judgments receive the CCA credential.

Background Check and Vetting

All CCA candidates undergo a thorough background investigation. Because CCAs will have access to sensitive information about defense contractors' cybersecurity postures, including detailed knowledge of their security controls, vulnerabilities, and defensive architectures, the Cyber AB requires candidates to pass background checks that verify their identity, professional history, and suitability for handling sensitive information. This vetting process helps ensure the integrity and trustworthiness of the assessment workforce.

Cyber AB Authorization and Affiliation

Upon successful completion of all requirements, the Cyber AB grants the CCA credential and the individual is listed in the Cyber AB Marketplace as an authorized assessor. However, a CCA credential alone does not authorize an individual to conduct assessments independently. The CCA must be affiliated with an accredited C3PAO to perform official CMMC assessments. This organizational affiliation requirement ensures that assessments are conducted within a quality management framework with appropriate oversight, insurance, and accountability structures.

Continuing Education and Renewal

CCA certification is not permanent. Credential holders must complete continuing professional education requirements and maintain their good standing with the Cyber AB through periodic renewal. This ensures that CCAs stay current with evolving CMMC requirements, updated assessment methodologies, and emerging cybersecurity threats that affect how controls should be evaluated. Failure to meet continuing education requirements or any violation of the CCA code of professional conduct can result in suspension or revocation of the credential.

Role Comparison

CCA vs. Other CMMC Roles

The CMMC ecosystem includes multiple distinct roles. Understanding the differences is critical for choosing the right partners for your compliance journey.

| Role | Full Title | Function | Works For | Key Distinction |
|------|------------|----------|-----------|-----------------|
| CCA | Certified Assessor | Leads and conducts formal CMMC certification assessments; renders MET/NOT MET determinations | C3PAO | Only role authorized to conduct official assessments |
| CCP | Certified Professional | Entry-level assessor; assists CCAs during formal assessments under supervision | C3PAO | Cannot lead assessments; supports the CCA |
| RP | Registered Practitioner | Consultant who advises organizations on CMMC preparation, gap analysis, remediation, and documentation | RPO | Consulting role only; does NOT assess or certify (Craig Petronella holds this credential) |
| RPO | Registered Provider Organization | Consulting firm that employs RPs and provides CMMC preparation services | Independent | Consulting firm; does NOT conduct formal assessments (PTG is an RPO) |
| C3PAO | CMMC Third-Party Assessment Organization | Accredited organization that employs CCAs and conducts official CMMC certification assessments | Accredited by Cyber AB / DIBCAC | Assessment organization; must NOT also provide consulting to the same client |

Ethics & Integrity

Why Consulting and Assessment Must Be Separate

The intentional separation of CMMC consulting and assessment roles is not a bureaucratic inconvenience. It is the foundation of the program's integrity and exists to protect you as a defense contractor.

Consulting (RPO / RP Role)

  • Helps you understand CMMC requirements and identify compliance gaps
  • Develops your System Security Plan (SSP) and supporting documentation
  • Implements and remediates security controls to address gaps
  • Conducts mock assessments and readiness reviews to prepare you
  • Advocates for your organization's best interests throughout the process

Assessment (C3PAO / CCA Role)

  • Independently evaluates your cybersecurity controls against NIST 800-171
  • Renders objective MET or NOT MET determinations for each control
  • Submits assessment results to the CMMC Enterprise Mission Assurance Support Service (eMASS) system
  • Must remain impartial and cannot have a prior consulting relationship with the client
  • Owes duty to the DoD and the integrity of the program, not to the assessed organization

The Conflict of Interest Problem

Consider what would happen if the same firm that helped you build your cybersecurity program was also the firm that assessed whether that program met CMMC standards. That firm would have a powerful financial incentive to pass you. After all, if they failed you, it would be an admission that their own consulting work was inadequate. This creates a direct conflict of interest where the assessor's objectivity is compromised by their prior commercial relationship with the client.

This is not a hypothetical concern. It is exactly the type of conflict that has undermined trust in compliance programs across industries. The DoD and the Cyber AB recognized this risk from the outset and deliberately designed the CMMC ecosystem to prevent it. The structural separation between Registered Provider Organizations (RPOs) that consult and C3PAOs that assess is the primary mechanism for ensuring assessment integrity.

The Sarbanes-Oxley Parallel

The CMMC consulting-assessment separation mirrors a well-established precedent in financial regulation. After the Enron and WorldCom scandals of the early 2000s, Congress enacted the Sarbanes-Oxley Act (SOX), which among its many provisions prohibited accounting firms from providing certain consulting services to the same companies they audited. The reasoning was identical: when the auditor has a consulting relationship with the client, the auditor's independence is compromised and the audit loses its value as an independent verification. The same principle applies to CMMC. If the same organization both prepares you for and conducts your assessment, the assessment is no longer truly independent, and its value as a verification mechanism is diminished.

Why PTG Intentionally Does Not Hold CCA Credentials

Petronella Technology Group, Inc., led by Craig Petronella, CMMC-RP, has made a deliberate ethical decision to operate exclusively as a consulting and remediation firm. PTG is a Registered Provider Organization (RPO), and Craig holds the Registered Practitioner (RP) credential. PTG does not hold CCA credentials and is not a C3PAO. This is not a limitation. It is an intentional choice that protects our clients.

As your consultant and advocate, PTG's interests are aligned with yours. Our job is to get you ready to pass your assessment. We have no conflicting obligation to the assessment process itself. When you work with PTG for gap assessment, remediation, and preparation, and then engage a separate C3PAO for your formal assessment, you get two independent professional perspectives. PTG ensures you are thoroughly prepared, and the C3PAO provides the objective verification that the DoD requires.

Red Flags to Watch For

Defense contractors should be cautious of any firm that claims to offer both CMMC consulting services and formal CMMC assessment services. While it is possible for a parent company to have separate subsidiaries operating as an RPO and a C3PAO, the ethical boundaries between those operations must be strictly maintained. Any firm that suggests it can both prepare you for and conduct your CMMC assessment for the same engagement is either misrepresenting its capabilities or operating in a way that undermines the integrity of the program. If you encounter such claims, verify the organization's credentials through the Cyber AB Marketplace and consider whether the arrangement truly provides the independent assessment that the DoD requires and that your organization deserves.

The Ethical Bottom Line

  • PTG is your advocate, not your judge. We prepare you for success and then step aside for an independent C3PAO assessment. This protects you and ensures your certification has real value.
  • The separation exists to protect YOU. An independent assessment means your certification carries credibility with the DoD and with prime contractors evaluating your security posture.
  • Beware firms that offer both. If someone promises to consult and certify you, ask hard questions about how they maintain independence. The most ethical approach is complete organizational separation.
Assessment Scope

What CCAs Evaluate During a CMMC Assessment

A CMMC Level 2 assessment covers all 110 security requirements from NIST SP 800-171 Rev 2, organized across 14 control families.

When a CCA-led assessment team arrives at your organization, they are evaluating the implementation status of every applicable security requirement defined in NIST SP 800-171 Revision 2. These 110 requirements are organized across 14 control families that collectively address the full spectrum of cybersecurity practices necessary to protect Controlled Unclassified Information (CUI). The CCA must determine whether each requirement has been implemented, whether it is operating effectively, and whether the organization has documented its approach.

The 14 NIST 800-171 Control Families

The control families evaluated during a CMMC Level 2 assessment, with the number of requirements in each, are:

  • Access Control (22 requirements)
  • Awareness and Training (3 requirements)
  • Audit and Accountability (9 requirements)
  • Configuration Management (9 requirements)
  • Identification and Authentication (11 requirements)
  • Incident Response (3 requirements)
  • Maintenance (6 requirements)
  • Media Protection (9 requirements)
  • Personnel Security (2 requirements)
  • Physical Protection (6 requirements)
  • Risk Assessment (3 requirements)
  • Security Assessment (4 requirements)
  • System and Communications Protection (16 requirements)
  • System and Information Integrity (7 requirements)

Each of these families addresses a distinct aspect of cybersecurity, and the CCA must evaluate all of them.

Evidence Categories

CCAs evaluate three primary categories of evidence during an assessment. First, they review documentation evidence, which includes the System Security Plan (SSP), policies, procedures, network diagrams, data flow diagrams, hardware and software inventories, and incident response plans. These documents demonstrate that the organization has defined how it implements each security requirement. Second, CCAs examine technical evidence by inspecting system configurations, access control lists, encryption settings, audit log configurations, patch management records, and vulnerability scan results. This evidence demonstrates that controls are actually implemented in the technical environment, not just documented on paper. Third, CCAs conduct interviews with key personnel, including system administrators, security officers, IT managers, and end users, to verify that security processes are understood and consistently followed. Interviews reveal whether the organization's security culture matches its documentation.

Scoring Methodology: MET, NOT MET, and NOT APPLICABLE

For each of the 110 security requirements, the CCA renders one of three determinations. A finding of MET means the organization has fully implemented the requirement as defined in NIST SP 800-171 and can demonstrate that implementation through documentary, technical, and testimonial evidence. A finding of NOT MET means the organization has not fully implemented the requirement, because the control is missing entirely, is only partially implemented, or cannot be adequately demonstrated through evidence. A finding of NOT APPLICABLE means the requirement does not apply to the organization's specific environment; this is relatively rare and must be thoroughly justified. To achieve CMMC Level 2 certification, the organization must receive a MET determination for all applicable requirements, though limited use of Plans of Action and Milestones (POA&Ms) may be permitted for certain requirements under specific conditions defined in the CMMC rule.

Methodology

The CMMC Assessment Process (CAP)

CCAs follow the structured CMMC Assessment Process, which ensures consistency, thoroughness, and fairness across all assessments conducted by any C3PAO.

  1. Pre-Assessment Planning

    The C3PAO and the Organization Seeking Assessment (OSA) agree on scope, schedule, and logistics. The CCA reviews the organization's System Security Plan, network architecture documentation, and CUI data flow diagrams to understand the assessment boundary. The assessment team composition is determined based on the complexity and size of the environment being assessed. This planning phase typically occurs several weeks before the on-site assessment begins.

  2. Assessment Kickoff and Scope Validation

    The CCA leads an opening meeting with the OSA's leadership and key technical personnel to confirm the assessment scope, validate the assessment boundary, review the assessment schedule, and establish communication protocols. The CCA confirms which systems, networks, and facilities are within scope and verifies that the organization's description of its CUI environment matches reality. Any discrepancies between the documented scope and the actual environment must be resolved before assessment activities proceed.

  3. Evidence Collection and Review

    The assessment team systematically reviews documentation, examines technical artifacts, conducts personnel interviews, and observes operational processes for each of the 110 security requirements. The CCA uses assessment objectives defined in the CMMC Assessment Guide to structure this evaluation. Each requirement may have multiple assessment objectives, and the CCA must gather sufficient evidence across all objectives to render a determination. Evidence is collected through document review, configuration inspection, log analysis, and direct observation.

  4. Preliminary Findings and Clarification

    As the assessment progresses, the CCA may identify areas where additional evidence or clarification is needed. The assessment team communicates preliminary findings to the OSA, giving the organization an opportunity to provide additional evidence or correct misunderstandings about their environment. This is not a remediation period. The OSA cannot implement new controls during the assessment. Rather, it is an opportunity to ensure the CCA has a complete and accurate understanding of controls that are already in place.

  5. Final Determination and Reporting

    The CCA compiles the assessment findings into a formal assessment report that documents the MET, NOT MET, or NOT APPLICABLE determination for each requirement. The report includes the evidence basis for each determination and identifies any deficiencies. The CCA presents the findings to the OSA in a closing meeting and submits the assessment results to the CMMC Enterprise Mission Assurance Support Service (eMASS) system. If the organization meets all applicable requirements, the assessment results are forwarded for final quality review, after which the CMMC certification is granted with a three-year validity period.

  6. Post-Assessment and Certification Issuance

    After the C3PAO submits the assessment report, the results undergo a quality assurance review. If the organization has achieved all required MET determinations, the CMMC certification is issued and recorded in the Supplier Performance Risk System (SPRS). The certification is valid for three years, during which the organization must maintain its security posture through ongoing monitoring, annual affirmations, and continuous compliance management. At the end of the three-year period, a reassessment is required to maintain certification.

Our Approach

How PTG Works Alongside CCAs

Petronella Technology Group prepares you for the assessment. The C3PAO's CCAs conduct it. This two-party model ensures both thorough preparation and independent verification.

Petronella Technology Group's role in your CMMC journey is comprehensive, covering everything from initial assessment through ongoing compliance management, but it intentionally stops short of the formal certification assessment itself. As a Registered Provider Organization (RPO) led by Craig Petronella, CMMC-RP, PTG serves as your trusted advisor, technical implementer, and compliance partner throughout the preparation phase.

Phase 1: Gap Assessment and Roadmap

PTG begins every engagement with a thorough CMMC gap assessment that evaluates your current cybersecurity posture against all 110 NIST SP 800-171 requirements. This assessment mirrors what a CCA would evaluate during the formal assessment, giving you a clear picture of where you stand and what needs to change. PTG produces a detailed gap analysis report with prioritized remediation recommendations, estimated timelines, and budget projections. This roadmap becomes the blueprint for your path to certification.

Phase 2: Remediation and Implementation

Based on the gap assessment findings, PTG provides hands-on remediation services to close identified gaps. This includes implementing technical controls such as multi-factor authentication, encryption, access control mechanisms, and audit logging; developing and refining your System Security Plan (SSP), policies, and procedures; deploying CUI enclave architectures that minimize the assessment boundary; configuring security tools and monitoring solutions; and training your staff on cybersecurity best practices and their specific compliance responsibilities.

Phase 3: Mock Assessment and Readiness Verification

Before engaging a C3PAO, PTG conducts a comprehensive mock assessment that simulates the formal CCA-led evaluation. This mock assessment uses the same CMMC Assessment Guide methodology that CCAs follow, evaluating each requirement against the same assessment objectives. The purpose is to identify any remaining gaps, test your team's readiness to present evidence and respond to assessor questions, and ensure your documentation is complete and accurate. PTG provides a detailed readiness report that indicates your likelihood of passing the formal assessment.

Phase 4: C3PAO Referral and Assessment Support

When PTG determines that you are ready for formal assessment, we refer you to accredited C3PAOs from the Cyber AB Marketplace. PTG does not select the C3PAO for you, but we can provide guidance on factors to consider when choosing an assessment organization, including scheduling availability, industry experience, geographic proximity, and assessment team composition. During the formal assessment conducted by the C3PAO's CCAs, PTG can be available in a limited support capacity to help your team locate evidence or clarify documentation, but we do not interfere with or attempt to influence the assessment process.

Phase 5: Ongoing Compliance and Annual Affirmations

After certification, PTG provides ongoing compliance management services to help you maintain your security posture throughout the three-year certification period. This includes continuous monitoring, annual affirmation support, policy updates, staff training refreshers, and preparation for the triennial reassessment. CMMC certification is not a point-in-time achievement. It is an ongoing commitment, and PTG helps you sustain compliance without the burden of managing every aspect internally.

Verification

How to Verify CCA and C3PAO Credentials

Before engaging with any C3PAO for your formal CMMC assessment, you should independently verify the credentials of both the organization and the individual assessors who will be evaluating your systems. The Cyber AB maintains a public Marketplace directory at cyberab.org/marketplace where you can search for authorized C3PAOs and credentialed individuals including CCAs, CCPs, RPs, and RPOs.

When verifying a C3PAO, confirm that the organization's accreditation status is active and that it has been authorized by both the Cyber AB and the DCMA DIBCAC to conduct assessments at the level you require. For individual CCAs, verify that their credential is active, that they are affiliated with the C3PAO that will be conducting your assessment, and that they have no disclosed conflicts of interest that would compromise their objectivity.

You should also verify the credentials of any consulting firm you engage for CMMC preparation. Petronella Technology Group is listed in the Cyber AB Marketplace as a Registered Provider Organization, and Craig Petronella is listed as a Registered Practitioner. These credentials can be independently confirmed through the Marketplace. Any firm or individual claiming CMMC credentials should be verifiable through this same public directory. If they are not listed, their claims should be treated with significant skepticism.

Additionally, ask prospective C3PAOs about their assessment team composition, quality management processes, and experience with organizations of similar size and industry. A reputable C3PAO will be transparent about these factors and will not make promises about guaranteed certification outcomes, as that would compromise the independence that defines their role.

Be Prepared

Common CCA Findings and How to Avoid Them

Understanding the most frequent areas where organizations receive NOT MET determinations helps you focus your preparation efforts and avoid costly reassessment delays.

Access Control (AC)

Inadequate CUI Access Restrictions

Organizations frequently fail to demonstrate that access to CUI is limited to authorized users based on a documented need-to-know. Common gaps include overly broad access permissions, missing access control lists, and failure to regularly review and update access rights. PTG addresses this through CUI enclave design and access control policy development.

Audit & Accountability (AU)

Incomplete Audit Logging

CCAs frequently find that organizations are not capturing all required audit events, not retaining logs for the required duration, or not reviewing logs regularly. Effective audit logging requires capturing user authentication events, access to CUI, configuration changes, and security-relevant actions across all in-scope systems.

System Security Plan

Inaccurate or Incomplete SSP

The System Security Plan is the foundational document CCAs use to understand your environment. If the SSP does not accurately describe your system boundary, network architecture, data flows, or control implementation details, assessors cannot validate that controls are properly implemented. PTG develops detailed, accurate SSPs as a core service.

Configuration Management (CM)

Missing Baseline Configurations

CCAs look for documented security configuration baselines for all in-scope systems, evidence that baselines are enforced, and a change management process that evaluates security impacts before changes are implemented. Organizations without formal baseline configurations or change management processes consistently receive NOT MET findings in this family.

Identification & Authentication (IA)

Weak Multi-Factor Authentication

NIST 800-171 requires multi-factor authentication for network access to privileged and non-privileged accounts. Organizations that rely on single-factor authentication, have incomplete MFA deployment, or use MFA methods that do not meet NIST standards will receive NOT MET determinations. PTG implements compliant MFA solutions across your environment.

System & Communications Protection (SC)

Unencrypted CUI in Transit and at Rest

CUI must be encrypted using FIPS-validated cryptographic mechanisms both during transmission and while stored. CCAs frequently identify gaps where CUI is transmitted over unencrypted channels, stored on unencrypted volumes, or protected by cryptographic modules that have not been FIPS 140-2 or 140-3 validated.

The best way to avoid NOT MET findings is to engage experienced CMMC consultants who understand exactly what CCAs look for and can prepare your organization accordingly. PTG's gap assessment and remediation services are designed specifically to address these common findings before a CCA ever evaluates your environment. Our mock assessments use the same assessment methodology that CCAs follow, so you know exactly where you stand before the formal assessment begins.

Craig Petronella

CMMC Registered Practitioner (RP) & CEO, Petronella Technology Group

Craig Petronella is a CMMC Registered Practitioner and the founder and CEO of Petronella Technology Group, Inc., a Registered Provider Organization (RPO) with over 25 years of experience in cybersecurity and compliance consulting. Craig intentionally operates as a consultant and advisor, not an assessor, because he believes the ethical separation between consulting and assessment is essential to serving clients with integrity. He is the author of the CMMC Certification Guide and host of the Encrypted Ambition podcast, where he regularly discusses CMMC compliance strategies, cybersecurity best practices, and the importance of ethical compliance partnerships.

When you work with PTG, you get a team that is fully invested in your success, with no conflicting obligations to the assessment process. Craig and the PTG team will prepare you thoroughly and then connect you with an accredited C3PAO for your independent formal assessment.

FAQ

Frequently Asked Questions About CMMC Certified Assessors

What is the difference between a CCA and an RP?

A CCA (Certified Assessor) is authorized to conduct formal CMMC certification assessments and works for an accredited C3PAO. An RP (Registered Practitioner) is a consultant who helps organizations prepare for CMMC certification and works for an RPO (Registered Provider Organization). The CCA evaluates and certifies; the RP advises and prepares. These roles are intentionally separated to prevent conflicts of interest. Craig Petronella holds the RP credential and PTG is an RPO, meaning we consult and prepare clients but do not conduct formal assessments. Learn more about our CMMC consulting services.

Can the same firm provide CMMC consulting and conduct my formal assessment?

No, and this is by design. The CMMC ecosystem intentionally separates consulting (performed by RPOs and RPs) from formal assessment (performed by C3PAOs and CCAs). A firm that both consults and assesses the same client has a conflict of interest because it is essentially grading its own work. This is similar to why accounting firms cannot audit companies they also consult for under Sarbanes-Oxley regulations. PTG operates exclusively as a consulting firm and refers clients to independent C3PAOs for their formal assessment. This approach protects you and ensures your certification carries credibility.

How long does a CMMC assessment by a CCA typically take?

The duration of a formal CMMC Level 2 assessment varies based on the size and complexity of the organization's environment, but most assessments take between three and five days of on-site evaluation. However, the total assessment process, including pre-assessment planning, document review, on-site evaluation, preliminary findings clarification, and final report submission, typically spans four to eight weeks from start to finish. Organizations that are well-prepared through thorough gap assessment and remediation tend to experience shorter, smoother assessments.

What happens if a CCA finds my organization is NOT MET on some controls?

If a CCA determines that your organization does not meet one or more security requirements, the specific outcome depends on the nature and number of the deficiencies. Under certain conditions defined in the CMMC final rule, organizations may be allowed to create a Plan of Action and Milestones (POA&M) for a limited number of NOT MET findings and receive a conditional certification while they remediate those specific gaps within a defined timeframe (typically 180 days). However, if the deficiencies are too numerous or affect critical security requirements, the organization will not receive certification and will need to remediate and undergo reassessment. This is exactly why thorough preparation with an experienced RPO like PTG is so important.

How do I verify that a CCA is legitimate?

All authorized CCAs are listed in the Cyber AB Marketplace at cyberab.org/marketplace. You can search by name, credential type, or affiliated C3PAO. If an individual claims to be a CCA but is not listed in the Marketplace with an active credential status, their claim should be treated with skepticism. Similarly, verify that the C3PAO they represent is accredited and authorized to conduct assessments at your required CMMC level. PTG can assist you in identifying and vetting reputable C3PAOs as part of our CMMC consulting engagement.

Is Craig Petronella a CCA? Can PTG certify my organization?

No. Craig Petronella is a CMMC Registered Practitioner (RP), and Petronella Technology Group is a Registered Provider Organization (RPO). Craig is not a CCA, and PTG is not a C3PAO. This is an intentional ethical choice. PTG provides consulting, gap assessment, remediation, documentation development, and assessment preparation services. For your formal CMMC certification assessment, PTG will refer you to an accredited C3PAO with qualified CCAs on staff. This separation ensures that the firm helping you prepare is your advocate, not your judge, and that your assessment is conducted by a truly independent party.

What qualifications do CCAs need beyond cybersecurity experience?

In addition to meeting minimum professional experience requirements, CCA candidates must first obtain the CCP (Certified Professional) credential, complete the official CCA training course from a Cyber AB Licensed Training Provider (LTP), pass a rigorous proctored examination, and clear a comprehensive background investigation. CCAs must also maintain their credential through continuing professional education and periodic renewal. The combination of experience, training, examination, and vetting ensures that CCAs possess both the technical competency and professional integrity required to render reliable assessment judgments.

How many CCAs and C3PAOs are currently authorized?

The number of authorized CCAs and accredited C3PAOs is growing as the CMMC program matures, but the current supply is limited relative to the demand from approximately 80,000 defense contractors expected to need Level 2 certification. As of 2026, the Cyber AB has accredited a growing number of C3PAOs and credentialed CCAs, but assessment scheduling is competitive. This limited supply is one reason why early preparation is critical. Organizations that complete their readiness work with an RPO like PTG well in advance of their assessment deadline will have more flexibility in scheduling their C3PAO assessment.

What is the CMMC Assessment Process (CAP)?

The CAP is the standardized methodology that all CCAs must follow when conducting CMMC assessments. It defines the assessment phases (planning, execution, reporting), evidence evaluation standards, scoring criteria, quality assurance procedures, and reporting requirements. The CAP ensures that regardless of which C3PAO or CCA conducts your assessment, the evaluation is performed consistently and in accordance with the same standards. This standardization is essential for the credibility of the CMMC program and ensures fair, comparable outcomes across all assessments. PTG's mock assessments follow the CAP methodology so you experience the same process before your formal assessment.

How long is CMMC certification valid, and what happens when it expires?

CMMC Level 2 certification is valid for three years from the date of issuance. During that three-year period, the organization must maintain its security posture, conduct annual self-affirmations confirming continued compliance, and address any material changes to its environment that could affect its security controls. When the certification approaches expiration, the organization must undergo a full reassessment by a C3PAO to renew its certification. PTG provides ongoing compliance management services to help organizations maintain their posture between assessments and prepare for triennial reassessment.

Can a CCA provide guidance or recommendations during the assessment?

No. A CCA's role during the formal assessment is strictly evaluative, not advisory. The CCA observes, collects evidence, interviews personnel, and renders MET or NOT MET determinations. They are prohibited from providing consulting advice, suggesting specific remediation approaches, or otherwise guiding the organization toward a passing result during the assessment. This restriction preserves the independence and objectivity of the assessment. If you need guidance on how to implement or improve your security controls, that is the role of your RP and RPO consultant, such as Petronella Technology Group, and that guidance must be provided before the formal assessment begins.

What should I look for when choosing a C3PAO for my assessment?

When selecting a C3PAO:

  • Verify their accreditation status in the Cyber AB Marketplace.
  • Ask about the qualifications and experience of the CCAs who will lead your assessment.
  • Inquire about their experience with organizations of your size and industry.
  • Understand their assessment scheduling timeline (availability can be limited).
  • Review their assessment process and communication approach.
  • Ensure they have no conflicts of interest with any consulting firms you have engaged.

PTG can provide guidance on C3PAO selection as part of our CMMC consulting services, though the final selection is always the client's decision.

Ready to Prepare for Your CMMC Assessment?

Petronella Technology Group helps defense contractors achieve CMMC certification through expert consulting, thorough remediation, and independent C3PAO referral. Let us prepare you for the CCA-led assessment with confidence.