September 20, 2024

Last Updated on September 20, 2024

For contractors that want to do business with the US Department of Defense (DoD), compliance with the Cybersecurity Maturity Model Certification (CMMC) framework at the contractually specified level will soon be a near universal prerequisite. Many defense suppliers still need to evaluate their current cybersecurity controls and begin taking steps to close their CMMC compliance gaps.

Among the accredited professionals available to help organizations seeking certification (OSCs) get ready for their CMMC compliance assessments, two of the most important in this regard are Registered Practitioners (RPs) and Certified CMMC Professionals (CCPs). This article explains the roles these professionals play in the CMMC ecosystem, the important ways they differ, and when to use them on the path to CMMC certification.

 

What is CMMC and when is compliance required?

The DoD announced version 2 of the CMMC framework and audit program back in November 2021. Based on the NIST SP 800-171 standard, CMMC 2.0 is intended to improve cybersecurity within the US defense industrial base (DIB) by ensuring that defense contractors and their subcontractors can adequately protect controlled unclassified information (CUI) and federal contract information (FCI).

Most DIB orgs whose contracts mandate compliance with CMMC Level 2 (Advanced) will need to undergo a third-party assessment to achieve their initial CMMC certification, with reassessments required every three years. Firms participating in “non-prioritized acquisitions” at CMMC Level 2 plus all organizations at CMMC Level 1 (Foundational) can demonstrate compliance through an annual self-assessment backed by an affirmation from a senior executive. Certification at CMMC Level 3 (Expert) will start with a third-party assessment to confirm Level 2 compliance, followed by a DoD assessment to validate the additional Level 3 controls.

CMMC is nearing the end of the rulemaking process, with important updates proposed on August 15, 2024. The DoD expects to finalize the CMMC 2.0 rule by early 2025. CMMC implementation in contracts is likely to begin 30 to 60 days after the finalization date, with a 3-year phased rollout planned.

 

Who can help OSCs achieve CMMC compliance?

Within the CMMC ecosystem there are multiple organizational and individual roles intended to support OSCs. These include:

  • CMMC Third-Party Assessment Organizations (C3PAOs), which are authorized to conduct certification assessments.
  • Registered Practitioner Organizations (RPOs), which can deliver non-certified consultative/advisory services to OSCs but do not conduct CMMC certification assessments.
  • Licensed Training Providers (LTPs)—training organizations that have been vetted and approved to participate in the CMMC ecosystem.
  • Registered Practitioners (RPs), who are trained and tested providers of CMMC implementation/preparation services to OSCs. RPs may work as independent contractors or as members of an RPO.
  • Certified CMMC Professionals (CCPs) have received rigorous training from an LTP and passed associated certification exams that enable them to participate in CMMC certification assessments. CCPs may work as independent contractors or as members of an RPO or C3PAO.
  • Certified CMMC Assessors (CCAs) are similar to CCPs but have received additional training that authorizes them to conduct CMMC Level 2 assessments under the auspices of a C3PAO.

If your business is looking for help to prepare for CMMC compliance and certification, should you hire an RP or a CCP? What are the specific qualifications and capabilities involved? I’ll address these questions below.

 

What are CMMC Registered Practitioners (RPs)?

The primary role of RPs within the CMMC ecosystem is to help OSCs implement the required CMMC controls and prepare for CMMC Level 1 or Level 2 assessments. Whether as an internal or external resource, the RP’s focus is on providing general guidance, offering consulting services, and helping OSCs understand and interpret the CMMC requirements.

While the RP training requirements are basic, many RPs are experienced cybersecurity professionals with strong consulting backgrounds who have helped organizations improve their cybersecurity postures and/or pass assessments to comply with voluntary certification standards like ISO 27001 or SOC 2.

RPs are not authorized to conduct or participate in official CMMC certification assessments. But they can play a key role in an OSC’s gap analysis and/or internal audit activities. Other services that an RP can potentially perform include helping to implement or validate CMMC controls, offering remediation advice, supporting remediation activities, and preparing CMMC policies and documentation.

 

What are Certified CMMC Professionals (CCPs)?

Unlike the RP, a CCP can engage in assessments as part of a C3PAO team, typically under the guidance of a CCA. In that context, the CCP role is a prerequisite and effectively a stepping-stone to becoming a CCA.

However, CCPs can also serve as internal or external consultants to OSCs, similar to RPs. Consulting and advisory services that CCPs can potentially perform include:

  • Driving the creation of an organization’s CMMC program
  • Ensuring a CMMC certified company maintains continuous compliance while a contract is active
  • Helping an OSC prepare for a C3PAO assessment
  • Helping an OSC perform a CMMC Level 1 self-assessment

The official training and testing to qualify for the CCP role are significantly more extensive than for RPs, along with tighter US citizenship requirements. A consultant’s overall cybersecurity background and expertise will also be highly relevant to performing either the RP or CCP role.

 

RPs versus CCPs: What are the key differences?

The major differences between RPs and CCPs are in three areas:

  1. Training and testing.
    The CCP role requires significantly more training and financial investment than the RP role. The RP’s scope of training is foundational and there is no exam, while the CCP requirements are much more detailed and comprehensive and includes a stringent exam.
  2. Participation in certification assessments.
    As noted above, RPs are not authorized to participate in CMMC assessments. The RP role is better suited to helping an OSC prepare for an assessment. The CCP role, in contrast, is designed to support a CCA or the OSC team during the assessment.
  3. Because more training time and cost is involved, CCPs could justify charging more for their services in some circumstances than RPs.

As consultants to OSCs preparing for CMMC Level 1 or Level 2 certification, RPs and CCPs can perform similar services, with the only practical difference being the level of CMMC mandated training and testing their official titles require.

 

When should you engage an RP versus a CCP?

The top scenarios for engaging an RP are:

  • For overall guidance when your business is beginning or partway through its CMMC journey.
  • In any situation where you need pre-assessment preparation or remediation advice and/or hands-on expertise.

The top scenarios for engaging a CCP are:

  • When your company is ready or almost ready to undergo a formal CMMC Level 2 assessment.
  • Anytime you need CMMC-related consulting services.

Some typical RP versus CCP use cases include:

  • An SMB contractor looking to build a basic cybersecurity framework for CMMC Level 1 certification or to meet a client’s “flowdown” requirements might find hiring an RP to be more cost-effective while offering the needed expertise.
  • Larger contractors with complex CMMC compliance requirements might consider a strategic investment in CCP training for one or more employees to help ensure successful certification.

For most OSCs, choosing to engage an RP or a CCP will come down to factors like your company size, CMMC environment complexity, budget, in-house cybersecurity expertise, and specific compliance concerns.

Or why choose one when you can benefit from both? Working together as part of a RPO or other consulting team, RPs and CCPs can collaboratively support an OSC throughout the CMMC process, from preparation to compliance to certification.

 

What’s next?

CMMC will soon be the most widely applied cybersecurity standard ever, impacting an estimated 200,000-plus organizations.

With the CMMC 2.0 rollout just months away, now is the time to assess your current CMMC readiness and consider whether your business would benefit from the services of an RP and/or CCP as a next step.

CBIZ Pivot Point Security offers a full complement of CMMC readiness services to help OSCs achieve and maintain CMMC compliance. Contact us to discuss your goals and questions with a CMMC expert.