Review of CMMC Registered Practitioner Training

CMMC Registered practitioners help secure networks

This post was originally written in September 2020. It was updated in July 2024.

In September 2020, I took the Cyber-AB’s Registered Practitioner training course. We aren’t allowed to reproduce the content, so you won’t learn any secrets from me, but I can tell you about my experience.

How is the CMMC RP Training set up?

The Registered Practitioner training is included with your $500 annual fee to the Cyber-AB. It went live in September 2020 for those who had prepaid. I applied after the program became available and it took about 3 days to get access.

It is 100% web-based training provided directly through the Cyber-AB’s learning management system. I had no technical glitches using Chrome as my main browser.

This training is meant for people who want to help other organizations (clients) get ready for the CMMC. I’d say it is meant for internal employees of OSCs too, but since the RPs must be associated with an RPO or C3PAO, it appears this is geared more for consultants. Note: The AB website says that you need to associate with an RPO, but you should see the option to associate with C3PAOs as well during actual registration.

Code of Professional Conduct

You will be expected to abide by the Code of Professional Conduct if you sign up as a Registered Practitioner. The CoPC isn’t visible until you are partway through the registration process.

What is covered in the CMMC Registered Practitioner training?

The training spends a lot of time discussing the Cyber-AB and each role in the “CMMC ecosystem”. At the end of it you will definitely know which organization and role is responsible for what. It gives a brief introduction to reading the CMMC model document and a full description of the assessment and appeal process.

The training did not try to address technical questions about practices, it basically pointed at the CMMC model document. From the student perspective, this was frustrating.

There also seemed to be very little on the subject of building a system security plan, which I’d have figured is easily half of the workload for a registered practitioner. I don’t remember SSP being mentioned at all, but gathering evidence was. This is probably because a System Security Plan is only required at CMMC level 2+, but I’d make an exception to the focus on level 1 topics and discuss this. If a company hires a registered practitioner today, they are probably dealing with CUI.

The quiz questions were not great. They were about 50% a test of knowledge, 40% ability to read difficult wording, and 10% guessing about whether a term needed to be an exact match or partial match. If you take the training, I encourage you to give feedback to the Cyber-AB so they can improve it. At least the quizzes are forgiving – you can retry them but may be forced to wait a day between attempts.

So what is the value of CMMC Registered Practitioner?

Training?

The training is helpful to get you oriented to the concept of the CMMC. It introduces key terms, players, and roles in the CMMC ecosystem. It is not a replacement in any way for systems administrator, CMMC, or cybersecurity experience.

*Update May 31, 2021: The RP training is becoming increasingly obsolete over time. In particular, the training that describes how assessment quality reviews and appeals are structured and which states that RPs are eligible to participate in CMMC assessments no longer appears to be correct. Other topics are still accurate. “

Background Check

The Cyber-AB is organizing basic background checks (looking for felonies). You will be expected to register an account and perform a background check on yourself, then send the results to the CMMC-AB. This costs about $35.00.

Advertising

Once you get approved as an RP, the Cyber-AB says they will list you on their marketplace (advertising, connections). They also perform QA on registered practitioners: the Cyber-AB will revoke the badge if they find the person is acting against their code of conduct. *To my knowledge, no RP has had their badge stripped for bad conduct*

In my opinion, the endorsement provided by the Cyber-AB is the primary benefit of Registered Practitioner.

Do you need an RP for your org?

Registered Practitioner is NOT required for an individual to provide CMMC preparation services to organizations. An organization is allowed to utilize internal employees or use outside consultants with no Cyber-AB accreditations to get ready for the CMMC.

It is only when the organization is ready for their CMMC assessment that they are required to contract with a Cyber-AB Certified Third-Party Assessment Organization (C3PAO).

Now that Certified CMMC Professionals and Certified CMMC Assessors are available on the market, there is no reason to search for an RP. Serious professionals will take the formal training and pass the certification exam for Certified CMMC Professional to show their competency.

Wrap-up

Having RP doesn’t fulfill the need for self-study and spending hours considering the CMMC model in detail. For tips on that, I recommend reading through our assessor training resources page.

Thanks for reading!

I’d love to hear your thoughts and reviews on the Registered Practitioner training! Please send me a connection on LinkedIn or sign up for our newsletter for CMMC updates as they are published.

V. Amira Armond (CISSP, CISA, PMP, MBA) is a computer systems architect, cyber-security consultant, and owner of Kieri Solutions LLC. Kieri Solutions specializes in CMMC preparation and DFARS 252.204-7012 compliance, and designing secure and resilient enterprise systems for private sector and the DoD.  Amira is the chief editor for cmmcaudit.org, a non-sales website that provides news and informational articles about the Cybersecurity Maturity Model Certification.

Reference:

CMMC-AB Registered Provider Organization page

CMMC-AB Registered Practitioner Page

7 thoughts on “Review of CMMC Registered Practitioner Training

  1. Abdullah Secca says:

    I pre-registered and completed the CMMC-AB Registered Practitioner training course last weekend. The material is proprietary so I can’t give details and didn’t encounter any technical issue.

    Before the training I was with the notion that it would be technical given its “Practitioner” name. Nonetheless it introduces prospective to the CMMC landscape, ecosystem, roles and responsibilities of the respective players within the CMMC. Even though the training’s target market is for consultants, OSC employees will benefit equally.

    Kudos to these supporting the training program as they have been
    prompt and responsive.

    The training is valuable for the role and well worth the fee.

    There are typos in the training material that needs correction such CMMCAB.Com instead of CMMCAB.Org among others.

    The required background check is BASIC and nothing else and the link from CMMCAB was provided earlier.

    I know CMMCAB is still being put together as work-in-progress, it would be helpful to all if information is disseminated to all because I learned about the start of the CMMCAB Registered Practitioner training program on this website.

  2. Abdullah Secca says:

    Follow up to my previous question.
    Yes we are supposed to do the basic background check and this applies to:

    • Registered Practitioners
    • Certified Professionals
    • ML-1 Assessors

    “One step in the application process is to complete and pass a basic background check. In order to complete your background check please go to”:

    https://www.goodhire.com/personal-background-checks/

  3. Abdullah Secca says:

    Thanks for your valuable feedback.

    I signed up and prepaid before the changes but I did not receive any notification about the start of training apart from your feedback.

    I have User access and waiting to gain access to the training material.

    Are we supposed to do the Basic background check?

  4. Tom Sharp says:

    Amira – thank you for this info – where would you recommend I look on my own for this kind of timely information? I like the newsletter and will surely continue to read it. However, I’d like to be a little more self-sufficient and the CMMC-AB isn’t sending updates even though I signed up (twice).

    thanks again!
    Tom

  5. Dawn Lee says:

    I have seen one gap in this entire process. We have several different professionals who are becoming certified, but I have yet to really identify a certification for internal professionals working to get their company compliant and to be a resource. We have this for many other compliance areas, why not for CMMC? Even from the beginning, it would be a huge help.

Leave a Reply

Your email address will not be published. Required fields are marked *