CMMC Training: Everything You Need to Know

Navigating your current CCP training options 

There are 54 Licensed Training Providers (LTPs) listed on the CMMC-AB Marketplace.

We’ve combed through each to build a complete list of those providers, their contact information, the price of their Certified CMMC Professional (CCP) course (if provided), and the availability of CCP training courses.

If you’re interested in CCP training but don’t want to comb through each website to find these details.

Of the 54 LTPs researched, fewer than half actually offer CCP training today. Prices ranged from $1,995 to $4,935. Most courses are delivered as Virtual Instructor-Led Training (VILT), and a few are offered in person.

This list of 54 LTPs was created based on the CMMC-AB LTP Marketplace, and course information was collected from each individual website on November 17, 2021. Pricing referenced in the spreadsheet reflects each LTP's published pricing and does not reflect any discounts or promotions.

CMMC 2.0 Training Information

The Cybersecurity Maturity Model Certification (CMMC) ecosystem consists of people known as individuals performing services (IPS).

IPS have different levels of certification and affiliations with service provider organizations. This blog post will identify the differences between these individuals and organizations. We'll also discuss the accreditation process for each and the roles they play in the CMMC ecosystem.

Individuals Performing Services (IPS) Training

Individuals performing services fall into three categories: registered, certified, and provisional.

  • Registered: you passed a basic background check and completed basic training.

  • Certified: you passed a commercial background check and more rigorous training.

  • Provisional: you passed a Tier 3 background check and rigorous training.

Let's take a closer look at one of the types of individuals performing services.

Registered Practitioner (RP) Training

Registered practitioners (RPs) are consultants who help organizations seeking certification (OSCs) prepare.

To become an RP, you must first apply with the CMMC Accreditation Body (AB). The application fee was $500 and you must pay for your background check ($35).

Upon passing the background check, you’ll have access to training on the CMMC ecosystem.

The training is web-based and consists of 12 modules. You must pass a quiz at the end of each module with a score of 80% or better to progress to the next module. Questions are drawn from a pool, so you may not see the same questions if you retake a quiz. You can take two attempts on the same day. The maximum number of attempts per quiz is six.

All participants in the CMMC ecosystem sign the code of professional conduct (CoPC).

Registration concludes after completing the basic background check, RP training, and CoPC.

The CMMC-AB lists all RPs. As of December 2021, there were over 2,000 registered practitioners listed in the marketplace.

RPs can provide non-certified consulting services to OSCs.

This includes creating practices and process documentation that meet or exceed CMMC requirements. RPs aren’t authorized to conduct or take part in certified assessments.

The training that RPs complete is more focused on the goals of CMMC and the participants in the process.

RP training covers scoping and pre-assessment preparedness at a high level. It doesn’t go into detail at the practice or assessment objective level.

On an organizational level, ensure that your RP has the domain experience that’s relevant to what you need help with.

Registered Provider Organizations (RPOs) Training

Registered Provider Organizations (RPOs) are the organizational equivalent of RPs.

RPs can affiliate with or work for RPOs as well as other service provider organizations. RPOs have gone through a business background check and paid an application fee to the CMMC-AB. Much like RPs, all RPOs are listed in the CMMC-AB marketplace.

RPOs aren’t authorized to conduct CMMC assessments.

Certified Third-Party Assessor Organization (C3PAO) Training

Another type of provider organization is a certified third-party assessor organization (C3PAO).

The purpose of C3PAOs in the ecosystem is to provide certified assessments to OSCs.

Organizations may apply to become C3PAOs and pay a one-time application fee of $1,000. There is also a one-time activation fee of $2,000, paid upon acceptance. Annual maintenance fees are currently assessed at $2,000 per year. Upon review of the application, the AB will schedule an interview with the executive team.

The C3PAOs must then sign a license agreement with CMMC-AB as well as the Code of Professional Conduct (CoPC). They must provide proof of insurance for liability, errors and omissions, and cybersecurity.

They must also…

  • Have a DUNS number

  • Have a complete organizational background check

  • Have a U.S. Citizen owner or complete a Foreign Ownership, Control or Influence (FOCI) investigation

  • Pass their own CMMC Level 3 assessment

  • Hold an ISO 17020 accreditation

As of December 2021, there are five authorized C3PAOs in the marketplace. Meanwhile, 181 candidates are waiting for their CMMC 2.0 Level 2 assessments.

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is conducting C3PAO assessments. It may take up to 6 to 9 months for C3PAOs to have their DIBCAC assessment scheduled.

C3PAOs can provide consulting services to OSCs but there are limits. RPs can work or affiliate with C3PAOs to provide these consulting services. A C3PAO cannot consult for a company it’s also assessing. There is no time restriction on this rule. Once a C3PAO provides consulting services, it cannot provide assessment services to that OSC.

CMMC Professionals (CCPs) and CMMC Assessors (CCAs)

Other IPS employed by C3PAOs include certified CMMC professionals (CCPs) and certified CMMC assessors (CCAs).

The biggest difference between the certified and registered designations is the training and accreditation involved. Remember that certification implies more rigorous training and evaluation.

Before we discuss the CCPs and CCAs, let's first discuss the CMMC body of knowledge (BOK).

The BOK is available to any registered or certified member of the CMMC ecosystem. It will contain the following...

  • The CMMC Model and Appendixes

  • Assessment Criteria

  • Assessment Methodologies

  • Learning objectives for each course

  • Blog posts and articles from the CMMC-AB

  • Discussion boards for IPS to share information

The BOK is the embodiment of CMMC. 

Licensed Publishing Partners (LPPs) develop courses and curricula based on the BOK.

Licensed Training Partners (LTPs) then license the certified content from the LPPs.

LTPs provide the mechanisms to deliver the corresponding training. Examples of LTPs include universities, professional education programs, training centers and corporations. There are currently 19 publishing partners and 54 training partners listed in the CMMC-AB marketplace.

Certified Instructors lead the training offered by LTPs. These instructors need to know not only how to teach but also how to conduct assessments. They must pass certification as an assessor before they certify as an instructor. Certified instructors must certify at or above the maturity level they teach.

That is, an instructor must certify as a level 3 assessor before they certify as a level 3 instructor.

As we mentioned earlier, there are no certified professionals or assessors at the time of writing.

LTP training started in October 2021 for CCP but certification exams were not expected to be available for this first class of CCPs until February 2021. The release of CMMC 2.0 delayed the schedule for CCP exams and the CMMC-AB has yet to issue a revised schedule.

Certified Training is available now but curricula adjustments will be forthcoming.

If you're interested in taking training to become a CCA or CCP, check the marketplace for LTPs.  When browsing the available training from these LTPs, look for certified training. Browsing a few different LTPs will show a range of prices for certified training from $2,000 to $4,000.

The difference between a CCA and a CCP is the ability to lead assessment teams. Both CCAs and CCPs can take part in assessment teams, but only a CCA can lead one. CCP will be a prerequisite for CCA.

CCP certification requires…

  • A college degree or two years of experience in information technology.

  • Education or experience approved by the CMMC-AB.

    • Suggested CompTIA A+ or equivalent knowledge/experience

  • Completion of the Department of Defense (DoD) Controlled Unclassified Information (CUI) training no earlier than three months prior to exam.

CCA-1 requirements build on the CCP requirements. To be a CCA-1 you must…

  • Be certified as a CCP

  • Have 4+ years of cyber or other information technology experience

  • Be a U.S. Person (a Green card is acceptable).

  • Have or gain a Tier 3 security clearance or have other DoD accepted clearances.

  • Complete the training and exam for Level 1 assessor.

A CCP Beta Certification Exam for provisional assessors was initially scheduled to take place in early December but this has been delayed with the release of CMMC 2.0. 

Only provisional assessors can take the exams without completing the training.

CMMC Provisional Assessor Training

So who are the provisional assessors?

The CMMC-AB authorized provisional assessors to conduct provisional assessments before the release of CMMC 2.0. The CMMC-AB is not accepting any new applications for provisional assessors and the release of CMMC 2.0 paused new provisional assessments until DoD rulemaking occurs.  The provisional assessor designations already granted will remain valid until 6 months after formal CCA training is available.

To be a provisional assessor, you must…

  • Pass a Tier 3 background check.

  • Have 10 years of experience conducting evidence-based assessments. Assessment experience should be in cyber or other technology fields.

  • As an alternative, an applicant could have 20 years of cybersecurity consulting experience. In this case, they must also qualify for a DoD 8570 IAM Level III certification.

There are currently 104 provisional assessors listed in the CMMC-AB marketplace. These individuals represent the most experienced assessors.

The CMMC-AB trained them and they are currently conducting provisional assessments. They will take the upcoming certification Beta and Final exams.

Passing the certification exam will result in certification as an assessor.  If they fail the final exam, they will have to take a certified training course and retake the exam.

Conclusion

The DoD wanted to start placing CMMC requirements within all of its contracts by 2026. That meant that the Accreditation Body had no choice but to begin training before everything’s set in stone. 

If you're interested in learning more about CMMC, I would suggest starting with the CCP. For organizations seeking certification that are thinking about hiring a consultant, you should know the difference between registered and certified.  Organizations seeking certification can also send their own information security professionals through the certification courses - CCP or CCA, as we’ve discussed in another blog post.