How to become a CMMC registered practitioner (RP)

Patrick Mallory
June 22, 2021 by
Patrick Mallory

In April 2021, months after the public revelation of the SolarWinds-based cyberattack, the U.S. Department of Defense (DoD) announced “they’ve found no evidence that adversaries managed to use the security flaws to steal data or do anything malicious.”

Unfortunately, 37 companies that support the DoD were not so lucky; their systems were exploited and had sensitive internal data stolen and other systems manipulated.

This is exactly the scenario that the DoD envisioned when it began work on what is now known as the Cybersecurity Maturity Model Certification (CMMC) program

So what is the CMMC and how do CMMC registered practitioners (RP) support its implementation?

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

CMMC standard overview

The CMMC standard was officially published in January 2020, designed to help the more than 300,000 businesses that make up the DoD’s defense industrial base be better prepared to protect the sensitive data they hold from cyberthreats. Although the data may be controlled unclassified information (CUI), its theft by malicious actors can still pose a risk to DoD networks, systems, research and services. 

Before the CMMC framework, companies that supported the DoD self-reported that the necessary security controls, tools and policies were in place within their organization to secure CUI. However, with the implementation of the CMMC standard, these companies are now required to have an independent, third-party assessment determine the maturity of their network and operational security to meet at least one of the five maturity levels defined in the CMMC standard, which increase in sophistication as the levels increase until the fifth level.

The CMMC standard includes input from the federally funded research and development organizations, the private security and university-affiliated research centers, including 171 CMMC practices that would be familiar best practices to those within the cybersecurity industry. Of those, 110 of them are part of the NIST SP 800-171 rev1 security framework and there is input from the following:

  • Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”
  • Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2
  • DFARS 252.204-7012

Members of the DoD’s supply chain will be required to meet — and be assessed for confirmation — the CMMC standard by 2025 in order to bid on DoD contracts. 

How to become a CMMC registered practitioner professional

Unlike the rest of the other CMMC standard’s roles, which perform quality audits and conduct CMMC assessments, CMMC RPs will provide “advice, consulting and recommendations to their clients,” looking to achieve and maintain their maturity level designation. Their role is still, however, overseen by the CMMC accreditation board (CMMC-AB).

To become a CMMC RP, security professionals  have to meet the following requirements:

  • Pay a $500 application fee
  • Complete basic online training on the CMMC standard
  • Pass a commercial background check
  • Sign a CMMC code of professional conduct

CMMC RP’s certification is valid for one year and they must work with a CMMC registered provider organization (RPO), also known as a CMMC RPO, in order to perform their CMMC-related consultative services. 

The future of the CMMC registered practitioner profession

The CMMC standard and its associated training course, application processes, role certifications and company assessments are still being established, but those serving as a CMMC RP will be very important in the years to come.

As of today, organizations can work with CMMC RPs and other cybersecurity professionals to become prepared for their CMMC assessments. But once they are ready, they are required to contract with a CMMC-AB certified third-party assessment organization (C3PAO), the CMMC CCPs and CMMC CCAs to achieve their official designation.

Therefore, given their role, their requirements and their relationship with other CMMC roles, it would benefit companies to ensure that those CMMC RP that they choose to work with have at least a couple of years of related cybersecurity experience.

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

Begin your CMMC registered practitioner journey

The implementation of the CMMC standard is a major change for the businesses that make up the DoD’s supply chain, but as seen with the SolarWinds and Microsoft Exchange vulnerabilities that threatened these businesses in the last year, it is a vital step toward improving the security to meet the cyberthreats of tomorrow. 

Of course, with so many businesses and the introduction of new standards, there will be plenty of opportunities for those cybersecurity professionals to begin a new career, deepen their cybersecurity knowledge and assist the DoD and its associated supplier to be more secure. 

CMMC RPs are a key part of the processes, providing advice, consulting and recommendations to their clients, serving as an indirect partner to the certified CMMC professionals and certified CMMC assessors that perform the independent attestations.

Given the recent rollout of the CMMC standard, the related training and certification process, those interested in earning the CMMC RP designation will have a strong job outlook and plenty of opportunities for career growth.

If you are ready to learn more about any of the CMMC certifications or even begin your journey toward achieving one of them from a trusted information security training provider, click here to get started.



Patrick Mallory
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.