You Don't Have to Be a US Citizen to Become a CMMC Level 2 Assessor: Understanding Tier 3 Equivalence
Expert Insights | June 15, 2026

CMMC assessor training and certification are not open only to US citizens.

Non-US citizens can register for the exams, earn CMMC Certified Professional (CCP) and CMMC Certified Assessor (CCA) certification, and serve on CMMC assessment teams today. They just have to clear a Tier 3 background investigation or equivalent.

This “equivalent” pathway is written into the CMMC program, and it is already producing certified professionals who aren’t US citizens.

That matters more than it might first appear. DoD has projected that roughly 80,000 organizations will need a Level 2 (C3PAO) assessment every three years. The current assessor ecosystem has capacity, but it will have to scale as demand increases moving into Phase 2.

What the 32 CFR CMMC regulation actually says

32 CFR 170.13 is the section of the CMMC program rule that defines the CCP requirements. 32 CFR 170.11 contains the parallel CCA requirements, which include first becoming a certified CCP.

According to this rule, candidates must complete a Tier 3 background investigation resulting in a determination of national security eligibility.

Two things about that investigation are worth clarifying up front.

  1. It does not grant or authorize a security clearance, and it isn't tied to government employment. It's initiated using Standard Form (SF) 86 and the position is designated as non-critical sensitive with a risk designation of “Moderate Risk.”
  2. The same section requires candidates who are not eligible for a Tier 3 to meet a DoD-determined equivalent for use with the CMMC program only. That is, the rule itself anticipates that some candidates won't qualify for a standard Tier 3 and builds in an alternative.

In other words: Non-US persons were contemplated from the start of CMMC rulemaking.

That isn't only an inference from the text. Since the 32 CFR program rule took effect in December 2024, the DoD has reinforced the point directly in a DoD CMMC FAQ revision clarifying that individuals can apply to join the CMMC ecosystem “regardless of nationality or country of origin.”

Furthermore, in the September 2025 Town Hall, the CyberAB explained that international candidates were already applying as CCP and CCA candidates, with some already certified from Canada, Sweden, South Korea, and the UK.

Two CMMC assessor pathways, both open to non-US citizens

Let’s dive into the two pathways to establish national security eligibility to participate in CMMC assessment activities and program requirements after completing CCP training and certification (which has to be completed before pursuing CCA training and certification). 

1. The standard Tier 3

CyberAB continues to run point on Tier 3 investigations for CCPs and CCAs. All candidates must fill out the Tier 3 application and submit an up-to-date copy of their resume. There is no cost to submit this application. 

2. The DoD-determined equivalent

If a candidate is found ineligible for a Tier 3 after submitting the application and resume to the DoD, then the DoD reaches out to the individual directly to begin the equivalent process and specifies anything additional it needs from them. 

There is no cost for this equivalent process either. The only investment is time.

There are two points to keep in mind that help set expectations:

  • First, the DoD has not published the list of background checks it will accept as equivalent. That list is held by the DoD and applied case by case after a candidate is found ineligible for a Tier 3. So there's no public checklist to pre-qualify against.
  • Second, all documentation and records have to be provided in English.

How the CCP certification process works, step by step

The sequence is the same regardless of citizenship. The background-check step is where the two pathways diverge.

  1. Complete CCP training with an Approved Training Provider (ATP). Only ATPs listed in the CyberAB Marketplace can deliver official training and unlock exam access.
  2. Register for and pass the CCP exam. Like the training, there is no citizenship restriction on the exam itself. ISACA, which was authorized as the CMMC Assessor and Instructor Certification Organization (CAICO), administers it.
  3. Apply for certification through ISACA. ISACA validates your experience, then sends your information to CyberAB so the background-check step can begin.
  4. Wait for the official email from CyberAB before starting Tier 3. Don't submit a Tier 3 application until you receive the email from CyberAB with next steps. Applications submitted earlier are rejected and have to be redone after you pass the exam.
  5. Complete the Tier 3, or the equivalent. Eligible candidates complete the standard Tier 3 (SF-86). Candidates found ineligible are contacted directly by DoD to begin the equivalent process.

Why this matters for the Defense Industrial Base

CMMC reaches well beyond US borders. Allied and multinational contractors are part of the defense supply chain, and many of them employ exactly the cybersecurity and audit professionals the assessor ecosystem needs.

Treating CCP and CCA as US-only credentials would shrink an already small talent pool and discourage qualified people from pursuing a role the program depends on.

That’s why, in reality, a non-US candidate with the right experience can train, sit the exam, and pursue CCP or CCA certification through the same ecosystem as their US counterparts. As CyberAB's periodic updates on international participation in the CMMC assessment ecosystem show, the background-check step is achievable in practice, not just on paper.

The bottom line: If you've been holding off on CCP or CCA certification because you assumed your citizenship disqualified you, it very likely doesn't. Confirm the current specifics with ISACA (as the CAICO) and with CyberAB before you begin since the process is still maturing, but the door is open.