Skip to main content

ISACA CMMC Certified Assessor

AdvancedGRC / CompliancePaid

ISACA's assessor-level CMMC credential, administered through ISACA's CAICO role, for professionals who conduct formal Cybersecurity Maturity Model Certification Level 2 assessments. It builds on the CCP through a 150-question exam concentrated on assessing Level 2 practices, scoping, and evaluating organizations seeking certification. Note: the Department of War suspended CMMC Phase II third-party assessment requirements on 2026-07-13, which most directly affects near-term demand for the assessor roles this credential fills; training and exams continue to operate.

What you'll prove

  • Assess an organization's implementation of CMMC Level 2 practices
  • Scope and conduct a formal CMMC Level 2 assessment
  • Evaluate organizations seeking certification against CMMC Level 2 requirements

Frequently asked

What does the CMMC Phase II suspension mean for the CCA?

On 2026-07-13 the Department of War suspended CMMC Phase II third-party assessment requirements, originally scheduled for 2026-11-10. Because the CCA is the credential that staffs those third-party assessments, it is the one most exposed to the change in near-term demand. Phase I self-assessments remain in force, a reform task force is due to report within about 60 days (around mid-September 2026), and CCA training and exams continue to operate, so the credential remains earnable while the program's future is reviewed.

How much does the CCA cost?

The exam is $575 for ISACA members and $760 for non-members, plus a $50 application processing fee. Mandatory CCA training is also required through an approved provider, and ISACA does not publish a set price for that training.

What are the prerequisites for the CCA?

An active CCP certification, a certification from the DoD 8140 list at intermediate or advanced proficiency for the certified assessor 612 pathway, mandatory CCA training, and a positively adjudicated Tier 3 background investigation by the Department of War. ISACA also lists 3 or more years of cybersecurity experience and 1 or more years of assessment or audit experience.