How to become a CMMC Registered Practitioner (RP) in 2026

The Cybersecurity Maturity Model Certification (CMMC) Registered Practitioner (RP) is an entry-level designation within the CMMC 2.0 ecosystem. It’s designed to address the growing demand for highly qualified cybersecurity compliance experts, specifically those who work in the Defense Industrial Base (DIB). RPs fill a critical gap by providing consulting and readiness support to organizations preparing for CMMC certification — helping them interpret requirements, identify gaps and get ready for the scrutiny of a formal assessment by Certified Third-Party Assessment Organizations (C3PAOs).

They can play a key role in helping organizations prepare for certification. CMMC certification has three levels, and Level 2 typically requires an assessment by a C3PAO while Level 3 requires one by the government. An RP plays a big part in helping organizations attain Levels 2 or 3 certification by guiding them through the preparation for the scrutiny of an outside assessor. At the same time, an RP can benefit an organization aiming for Level 1 certification as well, thanks to their expertise in CMMC requirements.

Editor's note: ISACA took over CMMC professional credentialing in April 2026. If you're planning to advance beyond RP toward CCP or CCA, this change affects you. Watch our webinar with ISACA to learn more.

The role of an RP is an attractive position for many early-career professionals. Becoming an RP is relatively accessible, especially because you don’t need any prior IT or security experience to qualify. This means that recent graduates and career changers can transition into the profession without having to earn years of experience in the IT field.

If you’re interested in becoming an RP, you may also want to compare CMMC certifications to explore your other options.

What does a CMMC RP do?

As you explore how to become a CMMC RP, it helps to understand what the CMMC 2.0 practitioner role involves. This is an entry-level designation designed for those who want to support C3PAOs as they assess an organization’s cybersecurity posture, specifically according to the standards evaluated by The Cyber AB accreditation body. Their responsibilities break down into two basic categories:

Support organizations preparing for C3PAO assessments

To help organizations prepare for a C3PAO assessment, a CMMC Registered Practitioner may be called on to:

• Collect evidence, which may involve gathering system security plans (SSPs) and lists of policies that support the controls outlined by NIST SP 800-171.
• Coordinate interviews, often involving conversations with many stakeholders, including admins and executives.
• Review documents, such as logs, configurations, screenshots and reports, that verify the organization is implementing the measures required to meet certification requirements.
• Prepare reports that summarize a company’s security posture in relation to the required standards and present evidence to support each claim

Provide consulting services

After passing the CMMC RP exam, an RP is also eligible to serve in a consulting capacity. In this role, you:

• Perform gap assessments to figure out how organizations measure up to the list of controls in NIST SP 800-171, according to the CMMC Level they’re trying to attain. By identifying gaps, you can create a roadmap to guide the organization towards certification.
• Document an organization’s policies and control mechanisms. Sometimes a company has systems in place, but they’re informal or passed down by word of mouth. Your CMMC RP training equips you to document these in a way that supports the company’s compliance.
• Perform mock assessments. A simulated assessment is often a precursor to a real C3PAO audit and an effective way to identify cybersecurity weaknesses.
• Develop a plan of action and milestones (POA&M), which identifies cybersecurity vulnerabilities and delivers a plan for mitigating them.

At the same time, a CMMC RP cannot conduct official assessments on its own. Even though you can provide an assessment of a client’s readiness for a CMMC assessment by a C3PAO, you can’t officially certify a client or issue an official CMMC status.

CMMC RP requirements

As you explore how to become a CMMC RP, you may notice the requirements aren’t as stringent as some other tech certifications. This creates a low barrier to entry, accelerating workforce development in this crucial area. Here’s what you need to qualify for the CMMC RP credential:

Education requirements

The Cyber AB’s public RP requirements do not list a college degree or technical certification as a prerequisite. Candidates should verify any current education or documentation requirements in the Cyber AB enrollment process before applying.

Experience requirements

• None required; this is an entry-level certification.
• Recommended: Basic knowledge of compliance, IT and cybersecurity
• A military background may also be helpful on the job.
• Technical writing and documentation skills are also a plus to create detailed reports.

Citizenship requirements

• Citizen of the U.S., Australia, South Korea or NATO countries

International background checks cost $125 USD and are billed separately. You can also expect a commercial background check as part of the RP process.

Step-by-step: How to become an RP

Step 1: Complete prerequisites: Few hours

You can use the following immediate eligibility checklist to complete the prerequisites for CMMC practitioner certification:

1. Gather citizenship documents requested by The Cyber AB enrollment process.
2. Locate any education, experience or identity documents requested in the portal.
3. Self-assess basic computer skills to check proficiency with basic tasks, such as file navigation and using Excel or Word.

Step 2: Complete required training: Between 1 and 2 days

To start preparing to become a registered practitioner CMMC 2.0, you have a few different options:

• Explore the CMMC 2.0 Domains and Practices.
• Study NIST SP 800-171 because it outlines the 110 controls that are mapped to CMMC.
• Learn the assessment process, such as what goes into a POA&M, scoring and reporting.
• Study the CMMC ecosystem and its associated roles, such as C3PAO, Registered Provider Organizations (RPOs) and Authorized Training Providers (ATPs).
• Study best practices in connection with evidence collection.

Approved Training Providers, like Infosec Institute, have training like the CMMC CCP Boot Camp that covers the fundamentals you need to advance beyond RP toward CCP or CCA.

Step 3: Pass the RP exam: Schedule your test when ready

To become an RP, candidates must:

• Register with and receive authorization from The Cyber AB
• Be able to pass a commercial background check
• Complete the online The Cyber AB provided training and pass the respective course exams
• Sign and acknowledge the (1) The Cyber AB Code of Professional Conduct and (2) an RP Agreement

Per The Cyber AB website, the exam requirements are as follows:

• Registration duration: Approximately 3 weeks, including background check
• International background check: $125
• Fee: $600 application, training and testing
• Renewal terms: $500 annual renewal fee

Keep in mind that you can retake the exam if you fail, but if you fail twice, you need to reapply after a 30-day cool-down period.

For more information on the exam, such as the current length, passing scores, cost and more, reach out to The Cyber AB or an ATP like Infosec.

Step 4: Submit The Cyber AB application: 1 to 2 weeks for application review

Your Cyber AB application requires the materials requested in the RP enrollment process. Publicly listed requirements include registration and authorization through The Cyber AB, completion of Cyber AB-provided online training and course exams and signing the Cyber AB Code of Professional Conduct and RP Agreement.

Step 5: Background check: 2 to 4 weeks

The Cyber AB initiates a basic commercial background check. They also verify the credentials presented in your application.

It’s important to note that international background checks get billed separately.

Step 6: Receive RP credential: 2 to 4 weeks

Your RP credential comes once The Cyber AB has approved your application and you’ve paid the necessary fees. You then get listed in the RP marketplace and are authorized to use the RP designation, such as after your name in your professional profile or in your email signature.

The Cyber AB also gives you a digital credential you can use to let others know about your qualification.

Costs and fees

CMMC RP certification cost is another consideration, and the amount you end up paying will depend on how you prepare and whether you need an international criminal background check, which costs an extra $125 USD.

Here are some expenses you can expect:

Training and application costs:

• Application, training and testing fee: $600
• International background check, if applicable: $125
• Optional study materials or additional training varies

Annual maintenance:

• Annual renewal fee: $500

This brings the required initial Cyber AB cost to $600 for most candidates, or $725 if an international background check is required. Optional study materials or additional training would be separate.

Keep in mind that the cost of training, application fees and annual renewal may change, so it's always best to confirm with The Cyber AB or an ATP like Infosec.

CMMC RP vs CCP: What’s the difference?

Below is a brief comparison chart to show you the differences between the RP and CCP certifications. It may also help to learn more about CCP certification and compare all CMMC career paths.

Aspect	RP	CCP
Experience Required	None	2+ years in cyber, IT or an assessment-related field, or a college degree in a relevant technical field
Training Hours	8 hours	40 hours
Exam Difficulty	Entry-level	Intermediate
Assessment Role	Support only	Can perform assessments with CCA May participate on assessment teams within role limits
Cost	$600–$725	$3,000–$5,000
Career Level	Entry	Professional

Career opportunities for RPs

There are several ways to navigate your CMMC assessor career path. RPs work in a variety of different settings, both as consultants and regular employees:

• CMMC Registered Provider Organizations (RPOs)
• C3PAOs, specifically in support roles
• Defense contractors, helping to meet internal compliance standards
• Consulting firms
• MSPs/MSSPs that serve the defense sector

The job functions certified RPs fulfill are similarly diverse:

• Gap assessment support
• Documentation review
• Pre-assessment preparation
• CMMC readiness consulting
• Delivering training
• Internal compliance monitoring

While your CMMC RP salary will vary based on where you live, your experience and your exact job title, here are the ranges and the average salaries, based on data from ZipRecruiter:

Official assessor roles require additional credentials beyond RP.

• CMMC Consultant: $61,000–$103,000
  • Average: $86,430
• CMMC Assessor: $46,000–$97,000
  • Average: $75,259

It’s also important to note that additional certifications can bolster your salary and CMMC career paths and opportunities.

Advancing your career beyond RP

Getting your RP certification is just the first step. You can pursue related certifications, such as the Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA).

The Cyber AB also offers an Advanced Registered Practitioner (ARP) credential for those who want to expand their advisory capabilities — particularly around Level 2 compliance — before pursuing the full CCP path.

Path to CCP:

• Meet ISACA’s CCP eligibility requirements
• Complete mandatory CCP training through an Approved Training Provider
• Pass the CCP exam

Path to CCA:

• First, obtain your CCP cert
• Gain additional experience
• Take CCA training and pass the exam
• Undergo supervised assessments

As of April 2026, ISACA now manages the CCP and CCA credentials. Watch our ISACA CMMC webinar to learn more about any potential changes.

There are other certifications that complement your RP cert because they encompass similar cybersecurity topics and prepare you for roles defending digital assets:

• CompTIA Security+
• ISC2 CISSP
• ISACA CISA
• NIST 800-171 training

Maintaining your RP credential

CMMC RP renewal is relatively simple. The Cyber AB currently lists a $500 annual renewal fee for RP. RPs should also maintain good standing and keep their Cyber AB profile information current. Verify any current continuing-education or renewal requirements directly with The Cyber AB.

Code of professional conduct

The code of conduct helps ensure CMMC RP designation holders uphold the reputation of CMMC and the professionals that work within the ecosystem.

The code of conduct requires you to:

• Maintain confidentiality
• Act with integrity
• Avoid conflicts of interest
• Provide accurate information
• Continue professional development
• Report violations

Failure to abide by the code of conduct may result in:

• Suspension or revocation of your credential
• Having your name removed from the RP marketplace

Finding work as an RP

As a member of the RP ecosystem, you have several ways of finding work.

The Cyber AB marketplace:

• You can be listed in the public directory of RPs
• You’re visible to organizations in need of RPs

It’s important to keep your profile updated, so it represents where you are in your current career path.

Job Boards:

• ClearanceJobs.com
• Indeed, specifically defense contractor positions
• LinkedIn

Networking:

• Go to CMMC community events
• Attend The Cyber AB webinars
• Sign up with local defense industry associations
• Frequent online forums and groups

Tools and resources for RPs

Here’s a boiled-down list of the resources that all RPs need to succeed in their CMMC ecosystem roles:

• NIST SP 800-171 documentation
• CMMC Model documentation
• CMMC assessment guides
• DCISE/DC3 cyber incident reporting resources

Recommended tools

You don’t have to navigate the RP profession on your own. The following tools can streamline crucial day-to-day activities of a CMMC assessment team member:

• Compliance management platforms, such as Exostar and FutureFeed
• Gap assessment templates, such as the NIST SP 800-171 Control Assessment Worksheets and POA&M Identification Worksheets
• Documentation tools, including Microsoft Word, Excel, SharePoint and Confluence

Continuing education

Continuing your education does more than help with CMMC RP renewal. It also ensures you understand the latest priorities of cyber defenders across the defense industry. Some effective options include:

• The Cyber AB webinars
• NIST training
• Earn a more advanced CMMC certification

Infosec is an Approved Training Provider for CMMC certifications. If you're planning to advance toward CCP or CCA, explore our CCP Training Boot Camp to get started.

Next steps

Ready to earn your RP cert? Here are your next steps:

• Register for RP training
• Study the CMMC 2.0 model
• Schedule your exam
• Prepare application materials

To start your prep, get caught up with the latest updates from ISACA or attend a CCP boot camp training.

FAQs

Do I need prior experience to become an RP?

No, you can become an RP without any experience, but a background in cybersecurity, assessing security and IT may help.

How long does it take to become an RP?

You can become an RP in around six to eight weeks.

Can I work independently as an RP?

Yes, you can work independently as an RP in a consultancy role.

What’s the difference between RP and CCP?

CCP is a more advanced certification than RP and has more demanding prerequisites, including 2+ years of experience in IT, security or compliance (or a qualifying technical degree) and a longer, more rigorous exam.

How much can I earn as an RP?

While your earnings will vary based on experience and location, you can expect to earn between $50,000 and $100,000 per year for related roles like CMMC Consultant or CMMC Assessor.

Can I conduct assessments as an RP?

No, as an RP, you cannot conduct official assessments that certify companies as being CMMC compliant. This requires a C3PAO or a government assessor.

Do I need security clearance to be an RP?

The security clearance needed will depend on the company you’re working for, but to earn your RP certification, you don’t need a special security clearance.

How do I maintain my RP credential?

To maintain your RP designation, The Cyber AB currently lists a $500 annual renewal fee. Verify any current continuing-education or additional renewal requirements directly with The Cyber AB.