Cyber AB

The Cyber AB manages accreditation for the Department of Defense CMMC program. Its CCP certification covers cybersecurity assessment processes, scoping logic, and regulatory compliance requirements for the defense industrial base.

1Exams

Available Exams

CCP

Certified CMMC Professional

The Cyber AB and the Defense Industrial Base

The United States Department of Defense published the initial Cybersecurity Maturity Model Certification (CMMC) framework in January 2020. That same month, a non-profit organization formed to manage the ecosystem of assessors, instructors, and training providers required to enforce the new standard. Originally known as the CMMC-AB, the group rebranded as The Cyber AB in 2022.

The Cyber AB operates under a mandate from the DoD. It serves as the sole official accreditation body for the CMMC program. Its primary function is to authorize Certified Third-Party Assessment Organizations (C3PAOs) and manage the credentialing pipeline for the individuals who perform the actual audits.

Continue Reading

For defense contractors, CMMC represents a shift from self-attestation to external verification. Companies seeking to bid on DoD contracts must prove they meet specific cybersecurity standards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The Cyber AB regulates the professionals who conduct these verifications.

In September 2025, the DoD published the final CMMC rule in the Federal Register, integrating the requirements into the Defense Federal Acquisition Regulation Supplement (DFARS). The rule took effect on November 10, 2025, initiating a three-year phased rollout. By the end of 2028, defense contractors must hold the appropriate CMMC certification to win or maintain DoD contracts. This timeline places intense pressure on the Defense Industrial Base, creating immediate demand for authorized assessors and compliance consultants.

The CCP Credential

The CCP (Certified CMMC Professional) is the foundational certification within this ecosystem. It validates a candidate's understanding of the CMMC framework, the assessment process, and the legal requirements surrounding DoD supply chain security.

You cannot simply register and take this exam. The Cyber AB enforces strict eligibility prerequisites. Candidates must complete a required instructional program authorized by the body and pass the DoD CUI Awareness Training. They must also pass a background check and sign a code of professional conduct. The Cyber AB recommends that candidates hold at least two years of experience in information technology, cybersecurity, or compliance auditing, though they do not strictly enforce this experience requirement.

The CCP exam runs 210 minutes and contains 170 multiple-choice questions. It operates as a closed-book test. Meazure Learning delivers the exam via online proctoring or at physical testing centers. The grading system uses a scaled score of 200 to 800, and candidates need at least 500 points to pass.

Examining the CCP Blueprint

The CCP is not a technical configuration exam. It does not ask candidates to configure firewalls or write incident response scripts. Instead, it tests regulatory interpretation, scoping logic, and audit methodology.

The largest portion of the exam blueprint, accounting for 35% of the questions, covers Model Construct and Implementation Evaluation. Candidates must understand the three levels of the CMMC 2.0 framework. They must trace CMMC practices directly back to their source controls in NIST SP 800-171. The exam tests how to evaluate evidence—whether a specific policy document, system log, or interview response satisfies the requirements of a given control.

The CMMC Assessment Process (CAP) makes up another 25% of the exam. This domain requires candidates to know the exact phases of an official assessment: planning, execution, analysis, reporting, and closeout. Candidates must understand the decision logic used to mark a practice as "Met," "Not Met," or "Not Applicable." They must also know how to document findings so that the DoD and The Cyber AB can defend the results if a contractor disputes them.

Scoping accounts for 15% of the test. Scoping dictates which servers, networks, and personnel fall under the assessment boundary and which do not. A minor error in scoping can invalidate an entire assessment or force a defense contractor to spend millions of dollars securing out-of-scope assets. The exam expects candidates to differentiate between assets that process CUI, assets that provide security protection, and assets that are logically separated from the secure enclave.

The remainder of the exam covers the structure of the CMMC ecosystem, governance documents, and ethics. The Cyber AB enforces a strict Code of Professional Conduct (CoPC). Assessors operate in high-stakes environments where defense contracts worth billions of dollars depend on their findings. The exam tests candidates on conflict of interest rules, objectivity requirements, and proper handling of sensitive contractor data.

Career Value in Defense Contracting

The CCP carries specific, targeted value. It is irrelevant for IT professionals working outside the defense sector. For those inside the Defense Industrial Base, it serves as a strict gatekeeper credential.

Consulting firms, managed service providers (MSPs), and C3PAOs use the CCP to qualify staff for client-facing compliance work. Organizations seeking certification often hire CCP holders internally to build their System Security Plans (SSPs), organize evidence, and conduct mock assessments before paying for an official audit.

Furthermore, the CCP is a mandatory prerequisite for career advancement within The Cyber AB ecosystem. You cannot advance to lead assessor roles without first holding the CCP. Lead assessors hold the authority to conduct Level 2 assessments, but their path begins with the professional-level exam.

The testing rules reflect the strict nature of the credential. Candidates who fail their first attempt must wait 30 days before retaking the exam. If a candidate fails the CCP twice, The Cyber AB revokes their testing eligibility. At that point, the individual must repeat the mandatory prerequisite instruction from scratch before they can register for a third attempt.