This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
CCA
The ISACA CMMC Certified Assessor (CCA) course teaches experienced cybersecurity professionals how to evaluate organizations seeking certification, scope CMMC Level 2 assessments, conduct the assessment process, and verify Level 2 practices, ensuring compliance and readiness.
Who Should Take This
It is intended for Certified Cybersecurity Professionals (CCP) who serve as assessment team members and need formal authorization to perform CMMC Level 2 assessments. These learners typically have several years of information-security experience, familiarity with NIST 800-171, and seek to deepen their expertise in CMMC scoping, process execution, and practice validation.
What's Covered
All domains and objectives in the CMMC Certified Assessor (CCA) exam: Domain 1 Evaluating Organizations Seeking Certification against CMMC Level 2, Domain 2 CMMC Level 2 Assessment Scoping, Domain 3 CMMC Assessment Process, and Domain 4 Assessing CMMC Level 2 Practices.
What's Included in AccelaStudy® AI
Course Outline
29 learning goals
Domain 1: Evaluating Organizations Seeking Certification
2 topics
Organizational readiness evaluation
- Evaluate organizational readiness for CMMC Level 2 assessment by reviewing system security plans, network diagrams, and CUI data flow documentation.
- Analyze organizational security posture to identify potential gaps between current control implementations and CMMC Level 2 requirements.
- Apply pre-assessment evaluation techniques to verify that the organization has adequate documentation, personnel availability, and system access for assessment execution.
System security plan assessment
- Evaluate system security plan completeness by verifying that all 110 security requirements are addressed with specific implementation descriptions.
- Apply assessment techniques to verify that SSP descriptions accurately reflect actual system configurations, policies, and operational procedures.
- Analyze POA&M entries to evaluate remediation timelines, resource allocations, and milestones for conditional certification eligibility determination.
Domain 2: CMMC Level 2 Assessment Scoping
1 topic
Advanced scoping techniques
- Apply advanced scoping techniques for complex CUI environments including multi-enclave architectures, cloud-hosted enclaves, and geographically distributed systems.
- Evaluate asset categorization decisions to verify correct classification of CUI Assets, Security Protection Assets, and Contractor Risk Managed Assets.
- Analyze external service provider relationships to determine assessment boundary inclusions and inheritance of security requirements.
- Design assessment scope validation procedures to confirm that all CUI data flows, processing locations, and storage repositories are captured within assessment boundaries.
Domain 3: CMMC Assessment Process
2 topics
Assessment planning and execution
- Apply assessment planning procedures to develop detailed assessment schedules, evidence request lists, and interview plans for CMMC Level 2 assessments.
- Apply assessment interview techniques to elicit relevant information from organizational personnel about security control implementation and operational procedures.
- Evaluate evidence sufficiency by determining whether collected documentation, interview responses, and technical observations adequately support scoring decisions.
Scoring and reporting
- Apply CMMC scoring methodology consistently across all practices to determine Met, Not Met, and Not Applicable results with documented justification.
- Analyze scoring results to determine overall assessment outcome including certification recommendation, conditional certification, or certification denial.
- Design comprehensive assessment reports that clearly document findings, scoring rationale, deficiency descriptions, and recommendations for remediation.
Domain 4: Assessing CMMC Level 2 Practices
4 topics
Access control and identification assessment
- Evaluate access control practice implementations including account management, access enforcement, remote access, and wireless access controls against CMMC Level 2 requirements.
- Apply assessment techniques for identification and authentication practices including MFA implementation, authenticator management, and replay-resistant authentication.
- Analyze personnel security and awareness training implementations to assess hiring practices, access agreements, and role-based security training adequacy.
System protection and communications assessment
- Evaluate system and communications protection practices including boundary protection, CUI encryption in transit and at rest, and session management controls.
- Apply assessment techniques for system and information integrity practices including flaw remediation, malicious code protection, and security alert monitoring.
- Evaluate configuration management and maintenance practices including baseline configurations, change control, system maintenance controls, and maintenance personnel oversight.
Audit, incident response, and risk assessment
- Evaluate audit and accountability practice implementations including audit event generation, analysis, storage protection, and correlation across system components.
- Apply assessment techniques for incident response practices including incident handling, reporting, response testing, and incident monitoring capabilities.
- Evaluate risk assessment and security assessment practices including vulnerability scanning, risk management, and security assessment planning and execution.
- Design integrated practice assessment strategies that efficiently evaluate interdependent security requirements across multiple NIST SP 800-171 families.
Media and physical protection assessment
- Evaluate media protection practices including CUI media marking, storage, transport, sanitization, and disposal controls for physical and digital media.
- Apply assessment techniques for physical protection practices including physical access controls, visitor management, and environmental protection measures.
- Evaluate recovery and contingency planning practices including system backup, information system recovery, and alternate processing capabilities for CUI environments.
Scope
Included Topics
- All domains and objectives in the CMMC Certified Assessor (CCA) exam: Domain 1 Evaluating Organizations Seeking Certification against CMMC Level 2 (15%), Domain 2 CMMC Level 2 Assessment Scoping (20%), Domain 3 CMMC Assessment Process (25%), and Domain 4 Assessing CMMC Level 2 Practices (40%).
- Professional-level CMMC assessment knowledge including assessment team operations, advanced evidence evaluation, interview techniques, practice-by-practice assessment, and certification determination.
- Advanced assessment scoping: complex CUI environments, multi-enclave architectures, cloud and hybrid scoping, external service provider assessment boundaries, and interconnection scoping.
- Assessment process mastery: assessment planning, assessment team coordination, evidence sufficiency determination, scoring consistency, deficiency documentation, and assessment report compilation.
- Practice-level assessment: deep evaluation of all 110 NIST SP 800-171 security requirements including evidence sufficiency, implementation effectiveness, and documentation completeness.
- Organizational evaluation: system security plan analysis, POA&M review, risk assessment evaluation, and continuous monitoring capability assessment for CMMC Level 2 certification.
Not Covered
- CMMC assessment team leadership and oversight responsibilities (covered by LCCA).
- CMMC training development and curriculum delivery (covered by CCI).
- Basic CMMC ecosystem knowledge and foundational model understanding (covered by CCP).
- General cybersecurity operations beyond CMMC assessment context.
- Vendor-specific compliance automation platform administration.
Official Exam Page
Learn more at ISACA