I just finished the CMMC-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience.
Thanks to James Newman (a colleague of mine, fellow CISSP, and security evangelist) who was pre-registered and helped me get up to speed.
How is the CMMC RP Training set up?
The Registered Practitioner training is included with your $500 fee to the CMMC-AB. It went live last week (around September 20th) for those who had prepaid. I applied after the program became available and it took about 3 days to get access (kudos to CMMC-AB on the timeliness).
It is 100% web-based training provided directly through the CMMC-AB’s learning management system. The training took me 12 hours to get through, though your pace may vary dramatically. I had no technical glitches using Chrome as my main browser.
This training is meant for people who want to help other organizations (clients) get ready for the CMMC. I’d say it is meant for internal employees of OSCs too, but since the RPs must be associated with an RPO or C3PAO, it appears this is geared more for consultants.
What is covered in the CMMC Registered Practitioner training?
The training spends a lot of time discussing the CMMC-AB and each role in the “CMMC ecosystem”. At the end of it you will definitely know which organization and role is responsible for what. It gives a brief introduction to reading the CMMC model document and a full description of the assessment and appeal process.
The training did not try to address technical questions about practices; it basically pointed at the CMMC model document. From the student perspective, this was frustrating, but I understand the logic. Every answer should be sourced from the CMMC model, or else there could be unexpected surprises or simply out-of-bounds assessment criteria.
There also seemed to be very little on the subject of building a system security plan, which I’d have figured is easily half of the workload for a registered practitioner. I don’t remember SSP being mentioned at all, but gathering evidence was. This is probably because a System Security Plan is only required at CMMC level 2+, but I’d make an exception to the focus on level 1 topics and discuss this. If a company hires a registered practitioner today, they are probably dealing with CUI.
For me, the most valuable information was the discussion about scoping assessments around FCI and CUI, preparing evidence, and discussion of process maturity.
The quiz questions were not great. They were about 50% a test of knowledge, 40% ability to read difficult wording, and 10% guessing about whether a term needed to be an exact match or a partial match. If you take the training, I encourage you to give feedback to the CMMC-AB so they can improve it. At least the quizzes are forgiving – you can retry them but may be forced to wait a day between attempts.
So what is the value of CMMC Registered Practitioner?
The training is helpful to get you oriented to the concept of the CMMC. It introduces key terms, players, and roles in the CMMC ecosystem. It is not a replacement in any way for systems administrator or cybersecurity experience.
The background check process is confusing. The CMMCAB.org website says that the RPO is responsible for background checking the RP. But the training next-steps seem to indicate that the CMMC-AB will perform the background checks. If the CMMC-AB does background checks, this is a great value because the amount of background checking required is extensive and would cost more than $200 by my calculations. If performed by the CMMC-AB, I expect the background check to be a major bottleneck in the process to get our first RPs out the door.
Once you get approved as an RP, the CMMC-AB says they will list you on their marketplace (advertising, connections). They also perform QA on registered practitioners: the CMMC-AB will revoke the badge if they find the person is acting against their code of conduct.
In my opinion, the endorsement and connections provided by the CMMC-AB are the primary benefit of Registered Practitioner.
Apparently RPs are allowed to be team members for provisional assessors. I don’t know why the people who applied for Certified Assessor are being ignored… (so they either want assessors with 20+ years cyber experience or … potentially none??). Anyways. Neat bonus. Anyone need an in-progress registered practitioner for their provisional assessment team? <grin>
Do you need an RP for your org?
To my understanding, Registered Practitioner is NOT required for an individual to provide CMMC preparation services to organizations. An organization is allowed to utilize internal employees or use outside consultants with no CMMC-AB accreditations to get ready for the CMMC.
It is only when the organization is ready for their CMMC assessment that they are required to contract with a CMMC-AB Certified Third-Party Assessment Organization (C3PAO).
However, selecting a Registered Practitioner is beneficial because it provides assurance of a basic level of training, background check, and ethics. I think that having the CMMC Registered Practitioner badge will be a minimum requirement for most consultants in this space. Just make sure that your RP also has real-world cybersecurity experience to meet the needs of your organization.
The Registered Practitioner training and badge are worth the cost in my opinion, especially if you are trying to provide CMMC services today. If background checks by the CMMC-AB are included in the cost, then RP is an excellent value which I’d highly recommend.
Having RP doesn’t fulfill the need for self-study and spending hours considering the CMMC model in detail. For tips on that, I recommend reading through our assessor training resources page.
Thanks for reading!
V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and in designing secure and resilient enterprise systems for the private sector and the DoD. Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.