
100+ Free CMMC CCI Practice Questions

CMMC Certified Instructor (CCI) practice questions are available now; exam metadata is being verified.

2026 Statistics

Key Facts: CMMC CCI Exam

Credential Validity: 3 years (source: ISACA CAICO)
ISACA became CAICO: December 2025 (source: ISACA Press Release)
CMMC Level 2 Baseline (NIST SP 800-171): 110 requirements (source: 32 CFR Part 170)
Assessment Objectives at Level 2: 320 objectives (source: CMMC Assessment Guide)
CMMC Level 1 (FAR 52.204-21): 15 practices (source: 32 CFR Part 170)
NIST 800-172 practices added at Level 3: 24 enhancements (source: 32 CFR Part 170)
POA&M closure window for Conditional status: 180 days (source: 32 CFR Part 170)
Cyber incident reporting window to DC3: 72 hours (source: DFARS 252.204-7012)

The CCI is the CMMC ecosystem's instructor credential, managed by ISACA as CAICO since December 2025. It requires an active CCP or CCA credential, 2+ years of instructional experience, a background check, and completion of CAICO-approved training. CCIs with only a CCP may teach CCP candidates; those with a CCA may teach CCP, CCA, and CCI candidates. Credentials are valid for 3 years.

Sample CMMC CCI Practice Questions

Try these sample questions to test your CMMC CCI exam readiness. Each question includes a detailed explanation.

1. Which organization was authorized as the CMMC Assessor and Instructor Certification Organization (CAICO) effective December 2025, replacing Cyber AB in that role?
A. ISACA
B. CompTIA
C. ISC2
D. PECB
Explanation: ISACA was authorized as the CAICO for the US Department of War's CMMC program in December 2025, taking over training and credentialing oversight from Cyber AB. The full transition of services was completed by April 1, 2026. ISACA now manages the CCP, CCA, LCCA, and CCI credentials.

2. What is the primary role of an Organization Seeking Certification (OSC) within the CMMC ecosystem?
A. To conduct third-party assessments of other defense contractors
B. To accredit C3PAOs and manage the assessor marketplace
C. To achieve and maintain a CMMC certification level required by DoD contracts
D. To deliver authorized CMMC training to candidates
Explanation: An OSC is a defense contractor or subcontractor that processes, stores, or transmits FCI or CUI and must achieve a CMMC certification level as required by its DoD contracts. The OSC undergoes self-assessment or third-party assessment depending on the required level and contract type.

3. A Certified CMMC Instructor (CCI) who holds only a valid CCP credential is authorized to instruct which candidates?
A. CCP candidates only
B. CCP and CCA candidates
C. CCP, CCA, and CCI candidates
D. CCA and CCI candidates only
Explanation: Under CMMC rules, a CCI with a valid CCP certification may instruct CCP candidates only. A CCI who also holds a valid CCA certification may instruct CCP, CCA, and CCI candidates. The instructor's own credential level gates the courses they are authorized to teach.

4. Which CMMC ecosystem actor is authorized to conduct Level 2 third-party certification assessments of OSCs?
A. CMMC Third-Party Assessment Organization (C3PAO)
B. Registered Practitioner Organization (RPO)
C. Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
D. Registered Practitioner (RP)
Explanation: C3PAOs are organizations accredited by Cyber AB to conduct CMMC Level 2 certification assessments of OSCs. They employ Certified CMMC Professionals (CCPs) and Certified CMMC Assessors (CCAs) to perform the assessments. DIBCAC conducts Level 3 assessments, while RPOs and RPs provide advisory services, not certification assessments.

5. How many levels does the CMMC 2.0 model contain, and what is each level's primary focus?
A. Three levels: foundational FCI protection, advanced CUI protection, and expert APT defense
B. Two levels: foundational cyber hygiene and advanced CUI protection
C. Four levels: basic, intermediate, advanced, and expert
D. Five levels: matching the original CMMC 1.0 structure
Explanation: CMMC 2.0 has three levels. Level 1 (Foundational) focuses on basic cyber hygiene to protect Federal Contract Information (FCI). Level 2 (Advanced) aligns with all 110 NIST SP 800-171 Rev. 2 requirements for CUI protection. Level 3 (Expert) adds 24 enhanced requirements from NIST SP 800-172 to defend against Advanced Persistent Threats (APTs).

6. How many security practices does CMMC Level 1 require, and which federal regulation specifies them?
A. 15 practices specified in FAR 52.204-21
B. 17 practices derived from DFARS 252.204-7012
C. 110 practices aligned to NIST SP 800-171 Rev. 2
D. 24 enhanced practices from NIST SP 800-172
Explanation: CMMC Level 1 requires 15 basic cyber hygiene practices specified in FAR Clause 52.204-21(b)(1) to protect Federal Contract Information (FCI). Earlier CMMC documentation referenced 17 requirements, but the final 32 CFR rule consolidated them to 15. These practices cover foundational safeguarding such as limiting system access and protecting information from unauthorized disclosure.

7. CMMC Level 2 is built upon which NIST publication and how many security requirements does it encompass?
A. NIST SP 800-171 Rev. 2 with 110 requirements
B. NIST SP 800-53 Rev. 5 with 1,000+ controls
C. NIST SP 800-172 with 39 enhanced requirements
D. NIST CSF 2.0 with 106 subcategory outcomes
Explanation: CMMC Level 2 maps directly to all 110 security requirements in NIST SP 800-171 Rev. 2, which is the standard for protecting Controlled Unclassified Information (CUI) on nonfederal systems. These 110 requirements are organized into 14 control families and collectively have 320 assessment objectives that must be satisfied.

8. Which of the following is the correct list of the 14 NIST SP 800-171 control families (domains) that form the basis of CMMC Level 2?
A. Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Incident Response; Maintenance; Media Protection; Personnel Security; Physical Protection; Risk Assessment; Security Assessment; System and Communications Protection; System and Information Integrity
B. Access Control; Business Continuity; Change Management; Configuration Management; Data Loss Prevention; Encryption; Incident Response; Logging; Network Security; Patch Management; Physical Security; Risk Assessment; Vendor Management; Vulnerability Management
C. Asset Management; Business Continuity; Change Management; Encryption; Governance; Human Resources; Incident Response; Legal Compliance; Network Access; Physical Security; Risk; Supply Chain; Third-Party Risk; Vulnerability
D. Identity Management; Intrusion Prevention; Key Management; Log Analysis; Malware Defense; Network Monitoring; Penetration Testing; Physical Access; Policy Management; Secure Architecture; Security Testing; Threat Intelligence; Vendor Risk; Zero Trust
Explanation: The 14 NIST SP 800-171 control families are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Configuration Management (CM), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical Protection (PE), Risk Assessment (RA), Security Assessment (CA), System and Communications Protection (SC), and System and Information Integrity (SI). A CCI must know these domains precisely.

9. What is the purpose of NIST SP 800-172, and how many of its enhanced requirements are incorporated into CMMC Level 3?
A. It provides enhanced requirements to defend CUI against APTs; 24 selected requirements are added at Level 3
B. It replaces NIST SP 800-171 entirely; all 39 requirements apply at Level 3
C. It defines FCI protection baselines; 15 requirements are mandated at Level 3
D. It establishes audit and logging standards; 50 requirements apply at Level 3
Explanation: NIST SP 800-172 provides enhanced security requirements to protect CUI associated with critical programs against Advanced Persistent Threats (APTs). CMMC Level 3 adds 24 selected requirements from the February 2021 version of NIST SP 800-172 on top of the 110 Level 2 requirements. Level 3 organizations also undergo DIBCAC assessment every three years.

10. Under 32 CFR Part 170, which entity conducts CMMC Level 3 certification assessments of OSCs?
A. Any accredited C3PAO
B. The CMMC Program Management Office (PMO)
C. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
D. The CAICO (ISACA)
Explanation: CMMC Level 3 certification assessments are conducted exclusively by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Before a Level 3 assessment can begin, the OSC must have already achieved a Final Level 2 status through a C3PAO assessment, with all POA&M items closed.

About the CMMC CCI Practice Questions

Verified exam format metadata for CMMC Certified Instructor (CCI) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.