CMMC - The Journey to RP/RPO Status
I previously wrote a brief overview of what CMMC is; today I wanted to start talking about what the different types of CMMC associations/certifications are, as potential customers need to be able to differentiate between providers, especially when it comes to new compliance standards that are designed to protect the US Department of Defense.
The CMMC Accreditation Body designed several types of associations/certifications when designing the CMMC model; each serves a unique purpose but can sometimes be confusing.
Currently, you cannot become a certified assessor (unless you were in the initial test group); those certifications will become available later this year, so I'll start with the Registered Practitioners and Registered Provider Organizations.
Registered Practitioners (RP)
Registered Practitioners are individuals that have signed up with the CMMC-AB, met a few basic requirements, and paid a fee. To become an RP, you need to do the following:
- Sign up and pay the application fee + annual fee (Fees are used to fund the CMMC-AB)
- Complete a commercial background check (not a DOD security clearance, etc.)
- Complete a procedural training (~4 hours of videos + quizzes) on the CMMC Model.
The intent of the RP classification is to designate people who are familiar with the model as a whole. It is NOT a technical certification, and having one does not give you the expertise or authorization to perform CMMC assessments. The RP training touches on fundamental portions of NIST and FARs, but only in the context of how they apply to CMMC levels, not the actual technical/non-technical requirements of meeting the guidelines. It primarily focuses on the big-picture process, the structure of CMMC and the CMMC-AB, and the role of other stakeholders in the "CMMC Ecosystem".
Registered Provider Organization
Registered Provider Organizations (RPOs) are the "organization" equivalents of the RP classification. It means the organization has done the following:
- Applied for RPO status and paid the application fee + annual fee
- Passed a commercial business background check by Dun & Bradstreet
- Affiliated with at least one Registered Practitioner. This is an important note: the RPO does not even need to EMPLOY an RP; it can simply affiliate with one as a contractor.
RPOs CANNOT complete CMMC assessments, even if they hire an assessor. They must first become a C3PAO (the requirements for this are significantly higher than RPO status).
RPOs CAN provide guidance and consulting services to help prepare for an assessment IF they also have the knowledge to do so. But the RPO status in itself does not indicate that level of knowledge.
What this means for you:
The RP/RPO status's primary value is that it shows knowledge of the process as a whole, which is a very important step. It shows that the organization is taking action to participate in the CMMC ecosystem, has some knowledge of the CMMC requirements, knows who is responsible for which aspects of compliance, and understands the process to get certified. These are necessary pieces of knowledge. The training provided is useful and necessary for a smooth certification process and proper expectation setting.
However, until additional certifications are available, you need to ask further questions to determine whether the provider is capable of helping you prepare for CMMC certification when the time comes. RP/RPO status does not mean the individual or organization has the expertise to effectively assess or implement the FARs/NIST standards that CMMC is built on; it simply means they signed up and now understand the CMMC process. This is the root of the confusion, and it is where things get dangerous: their feedback and consulting advice may not get you to where you need to be, and may not hold up when it comes time for the actual assessor to review your network. C3PAOs are responsible for the actual assessment process, not RPOs.
Right now, there aren't many C3PAOs because the process to become one is intensive and has a lot of requirements, which is a good thing. The number is growing, and over time there will be many of them. Until then, be sure to ask about your potential provider's background and experience. Who are their consultants? Are they employees, or do they contract in an expert as needed? What security certifications do they have? What experience do they have providing these services? How do they handle their own security? When was the last time they had a third-party audit completed?
This early in the process, not being a C3PAO doesn't mean a provider isn't qualified to help, but being an RPO doesn't mean it IS qualified either. So take the time to understand what the designations are and what they mean, and ask questions to validate the legitimacy of the organization you want to work with.