Review of CMMC Registered Practitioner Training

CMMC Registered practitioners help secure networks

This is a historical post from September 2020. Information on Registered Practitioners may have changed since then. You have been warned.

I just finished the CMMC-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience.

Thanks to James Newman (a colleague of mine, fellow CISSP, and security evangelist) who was pre-registered and helped me get up to speed.

How is the CMMC RP Training set up?

The Registered Practitioner training is included with your $500 annual fee to the CMMC-AB. It went live last week (around September 20th) for those who had prepaid. I applied after the program became available and it took about 3 days to get access (kudos to CMMC-AB on the timeliness).

It is 100% web-based training provided directly through the CMMC-AB’s learning management system. The training took me 12 hours to get through, though your pace may vary dramatically. I had no technical glitches using Chrome as my main browser.

This training is meant for people who want to help other organizations (clients) get ready for the CMMC. I’d say it is meant for internal employees of OSCs too, but since the RPs must be associated with an RPO or C3PAO, it appears this is geared more for consultants. Note: The AB website says that you need to associate with an RPO, but you should see the option to associate with C3PAOs as well during actual registration.

Code of Professional Conduct

I recommend everyone read the Code of Professional Conduct (CoPC) thoroughly before they sign up. You will be expected to abide by this if you represent yourself as a Registered Practitioner. Some RPs paid their fee before they read the CoPC, and regretted it.

What is covered in the CMMC Registered Practitioner training?

The training spends a lot of time discussing the CMMC-AB and each role in the “CMMC ecosystem”. At the end of it you will definitely know which organization and role is responsible for what. It gives a brief introduction to reading the CMMC model document and a full description of the assessment and appeal process.

The training did not try to address technical questions about practices, it basically pointed at the CMMC model document. From the student perspective, this was frustrating, but I understand the logic. Every answer should be sourced from the CMMC model or else there could be unexpected surprises or simply out-of-bounds assessment criteria.

There also seemed to be very little on the subject of building a system security plan, which I’d have figured is easily half of the workload for a registered practitioner. I don’t remember SSP being mentioned at all, but gathering evidence was. This is probably because a System Security Plan is only required at CMMC level 2+, but I’d make an exception to the focus on level 1 topics and discuss this. If a company hires a registered practitioner today, they are probably dealing with CUI.

For me, the most valuable information was the discussion about scoping assessments around FCI and CUI, preparing evidence, and discussion of process maturity.

The quiz questions were not great. They were about 50% a test of knowledge, 40% ability to read difficult wording, and 10% guessing about whether a term needed to be an exact match or partial match. If you take the training, I encourage you to give feedback to the CMMCAB so they can improve it. At least the quizzes are forgiving – you can retry them but may be forced to wait a day between attempts.

So what is the value of CMMC Registered Practitioner?

Training?

The training is helpful to get you oriented to the concept of the CMMC. It introduces key terms, players, and roles in the CMMC ecosystem. It is not a replacement in any way for systems administrator or cybersecurity experience.

*Update May 31, 2021: The RP training is becoming increasingly obsolete over time. In particular, the training that describes how assessment quality reviews and appeals are structured and which states that RPs are eligible to participate in CMMC assessments no longer appears to be correct. Other topics are still accurate.*

Background Check

The CMMC-AB is organizing background checks via GoodHire.com. You will be expected to register an account and perform a background check on yourself, then send the results to the CMMC-AB. This costs about $35.00.

Advertising

Once you get approved as an RP, the CMMC-AB says they will list you on their marketplace (advertising, connections). They also perform QA on registered practitioners: the CMMC-AB will revoke the badge if they find the person is acting against their code of conduct.

In my opinion, the endorsement and connections provided by the CMMC-AB is the primary benefit of Registered Practitioner.

Perform Assessments??

Apparently RPs are allowed to be team members for provisional assessors. I don’t know why the people who applied for Certified Assessor are being ignored… (so they either want assessors with 20+ years cyber experience or … potentially none??). Anyways. Neat bonus. Anyone need an in-progress registered practitioner for their provisional assessment team? <grin>

Do you need an RP for your org?

To my understanding, Registered Practitioner is NOT required for an individual to provide CMMC preparation services to organizations. An organization is allowed to utilize internal employees or use outside consultants with no CMMC-AB accreditations to get ready for the CMMC.

It is only when the organization is ready for their CMMC assessment that they are required to contract with a CMMC-AB Certified Third-Party Assessment Organization (C3PAO).

However, selecting a Registered Practitioner is beneficial because it provides assurance of a basic level of training, background check, and ethics. I think that having the CMMC Registered Practitioner badge will be a minimum requirement for most consultants in this space. Just make sure that your RP also has real-world cybersecurity experience to meet the needs of your organization.

Wrap-up

The Registered Practitioner training and badge are worth the cost in my opinion, especially if you are trying to provide CMMC services today.

Having RP doesn’t fulfill the need for self-study and spending hours considering the CMMC model in detail. For tips on that, I recommend reading through our assessor training resources page.

Thanks for reading!

I’d love to hear your thoughts and reviews on the Registered Practitioner training! Please send me a connection on LinkedIn or sign up for our newsletter for CMMC updates as they are published.

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.

Reference:

CMMC-AB Registered Provider Organization page

CMMC-AB Registered Practitioner Page

7 thoughts on “Review of CMMC Registered Practitioner Training”

  1. Abdullah Secca says:

    I pre-registered and completed the CMMC-AB Registered Practitioner training course last weekend. The material is proprietary so I can’t give details, and I didn’t encounter any technical issues.

    Before the training I was under the impression that it would be technical, given its “Practitioner” name. Nonetheless, it introduces a perspective on the CMMC landscape, ecosystem, and the roles and responsibilities of the respective players within the CMMC. Even though the training’s target market is consultants, OSC employees will benefit equally.

    Kudos to those supporting the training program, as they have been prompt and responsive.

    The training is valuable for the role and well worth the fee.

    There are typos in the training material that need correction, such as CMMCAB.Com instead of CMMCAB.Org, among others.

    The required background check is BASIC and nothing else and the link from CMMCAB was provided earlier.

    I know CMMCAB is still being put together as a work-in-progress, but it would be helpful to all if information were disseminated to everyone, because I learned about the start of the CMMCAB Registered Practitioner training program on this website.

  2. Abdullah Secca says:

    Follow up to my previous question.
    Yes we are supposed to do the basic background check and this applies to:

    • Registered Practitioners
    • Certified Professionals
    • ML-1 Assessors

    “One step in the application process is to complete and pass a basic background check. In order to complete your background check please go to”:

    https://www.goodhire.com/personal-background-checks/

  3. Abdullah Secca says:

    Thanks for your valuable feedback.

    I signed up and prepaid before the changes but I did not receive any notification about the start of training apart from your feedback.

    I have user access and am waiting to gain access to the training material.

    Are we supposed to do the Basic background check?

  4. Tom Sharp says:

    Amira – thank you for this info – where would you recommend I look on my own for this kind of timely information? I like the newsletter and will surely continue to read it. However, I’d like to be a little more self-sufficient and the CMMC-AB isn’t sending updates even though I signed up (twice).

    thanks again!
    Tom

  5. Dawn Lee says:

    I have seen one gap in this entire process. We have several different professionals who are becoming certified, but I have yet to really identify a certification for internal professionals working to get their company compliant and to be a resource. We have this for many other compliance areas, why not for CMMC? Even from the beginning, it would be a huge help.
