This is a historical post from September 2020. Information on Registered Practitioners may have changed since then. You have been warned.
I just finished the CMMC-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience.
Thanks to James Newman (a colleague of mine, fellow CISSP, and security evangelist) who was pre-registered and helped me get up to speed.
How is the CMMC RP Training set up?
The Registered Practitioner training is included with your $500 annual fee to the CMMC-AB. It went live last week (around September 20th) for those who had prepaid. I applied after the program became available and it took about 3 days to get access (kudos to CMMC-AB on the timeliness).
It is 100% web-based training provided directly through the CMMC-AB’s learning management system. The training took me 12 hours to get through, though your pace may vary dramatically. I had no technical glitches using Chrome as my main browser.
This training is meant for people who want to help other organizations (clients) get ready for the CMMC. I’d say it is meant for internal employees of OSCs (organizations seeking certification) too, but since the RPs must be associated with an RPO or C3PAO, it appears this is geared more for consultants. Note: The AB website says that you need to associate with an RPO, but you should see the option to associate with C3PAOs as well during actual registration.
Code of Professional Conduct
I recommend everyone read the Code of Professional Conduct (CoPC) thoroughly before they sign up. You will be expected to abide by this if you represent yourself as a Registered Practitioner. Some RPs paid their fee before they read the CoPC, and regretted it.
What is covered in the CMMC Registered Practitioner training?
The training spends a lot of time discussing the CMMC-AB and each role in the “CMMC ecosystem”. At the end of it you will definitely know which organization and role is responsible for what. It gives a brief introduction to reading the CMMC model document and a full description of the assessment and appeal process.
The training did not try to address technical questions about practices; it basically pointed at the CMMC model document. From the student perspective, this was frustrating, but I understand the logic. Every answer should be sourced from the CMMC model, or else there could be unexpected surprises or simply out-of-bounds assessment criteria.
There also seemed to be very little on the subject of building a system security plan, which I’d have figured is easily half of the workload for a registered practitioner. I don’t remember SSP being mentioned at all, but gathering evidence was. This is probably because a System Security Plan is only required at CMMC level 2+, but I’d make an exception to the focus on level 1 topics and discuss this. If a company hires a registered practitioner today, they are probably dealing with CUI.
For me, the most valuable information was the discussion about scoping assessments around FCI and CUI, preparing evidence, and discussion of process maturity.
The quiz questions were not great. They were about 50% a test of knowledge, 40% ability to read difficult wording, and 10% guessing about whether a term needed to be an exact match or partial match. If you take the training, I encourage you to give feedback to the CMMC-AB so they can improve it. At least the quizzes are forgiving – you can retry them but may be forced to wait a day between attempts.
So what is the value of CMMC Registered Practitioner?
The training is helpful to get you oriented to the concept of the CMMC. It introduces key terms, players, and roles in the CMMC ecosystem. It is not a replacement in any way for systems administrator or cybersecurity experience.
*Update May 31, 2021: The RP training is becoming increasingly obsolete over time. In particular, the training that describes how assessment quality reviews and appeals are structured, and which states that RPs are eligible to participate in CMMC assessments, no longer appears to be correct. Other topics are still accurate.
The CMMC-AB is organizing background checks via GoodHire.com. You will be expected to register an account and perform a background check on yourself, then send the results to the CMMC-AB. This costs about $35.00.
Once you get approved as an RP, the CMMC-AB says they will list you on their marketplace (advertising, connections). They also perform QA on registered practitioners: the CMMC-AB will revoke the badge if they find the person is acting against their code of conduct.
In my opinion, the endorsement and connections provided by the CMMC-AB are the primary benefit of Registered Practitioner.
Apparently RPs are allowed to be team members for provisional assessors. I don’t know why the people who applied for Certified Assessor are being ignored… (so they either want assessors with 20+ years cyber experience or … potentially none??). Anyways. Neat bonus. Anyone need an in-progress registered practitioner for their provisional assessment team? <grin>
Do you need an RP for your org?
To my understanding, Registered Practitioner is NOT required for an individual to provide CMMC preparation services to organizations. An organization is allowed to utilize internal employees or use outside consultants with no CMMC-AB accreditations to get ready for the CMMC.
It is only when the organization is ready for their CMMC assessment that they are required to contract with a CMMC-AB Certified Third-Party Assessment Organization (C3PAO).
However, selecting a Registered Practitioner is beneficial because it provides assurance of a basic level of training, background check, and ethics. I think that having the CMMC Registered Practitioner badge will be a minimum requirement for most consultants in this space. Just make sure that your RP also has real-world cybersecurity experience to meet the needs of your organization.
The Registered Practitioner training and badge are worth the cost in my opinion, especially if you are trying to provide CMMC services today.
Having RP doesn’t fulfill the need for self-study and spending hours considering the CMMC model in detail. For tips on that, I recommend reading through our assessor training resources page.
Thanks for reading!
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and in designing secure and resilient enterprise systems for the private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.