The CMMC ecosystem has a varied participation. Per the CMMC AB, the potential stakeholders include:
- Third Party Assessor organizations (C3PAO)
- Organizations Seeking Certification (OSC)
- Registered Practitioners (RP)-advisors/consultants to prepare OSC
- ASSESSORS (certified at various levels)
- LTP TRAINERS (provide instruction)
- LPP PUBLISHERS (provide curriculum and materials)
- AB ADVISORS
- RP Organization (RPO)-consultancies employing RPs to service OSCs
- VENDORS ("provide goods/services within CMMC market")
Currently, the only provisioned role is the RP. The CMMC AB has materials and tests to train and qualify persons for the RP role. The CMMC AB intends to field CCP in the fall of 2021: curriculum is anticipated in October and training around November.
Let's explore the RP. The RP homepage is: https://cmmcab.org/registered-practitioners/
However, there are not a lot of details, other than having basic CMMC understanding, passing the test and background check.
This author, has decades of experience in federal and DoD systems as both ISSO and Assessor, and is currently a RP. This author will provide some general statements to assist persons desiring to become a RP. This author estimates that there will be little difference between RP and CCP. The RP will more likely be a consultant. The CCP will be employed by C3PAOs, but may also be within OSCs. The OSC will likely have a CISO or Compliance Manager acquire the CCP credential since that credential is required to participate in an assessment (CMMC materials state this for C3PAOs, but doesn't seem to be explicit for OSCs at the current time). Expect this to be clarified this fall.
The following knowledge is expected for RPs:
- Familiar with CUI and other types of information, and handling requirements.
- Be able to expertly advise OSC on issues (such as internal organization of OSC and information storage, as well as MSP, MSSP, etc.) which could affect scoping.
- Familiarity with the NIST SP 800-171 - be warned that CMMC makes changes to what is known in NIST as "Families". CMMC refers to them as Domains, makes some additions, removals, and relocations. CMMC also refers to "controls" as Practices, and stratifies them in to five (5) levels. Different domains are addressed at different Levels.
- Familiarity with CMMC Processes for documentation, resource management, effectiveness and optimization. These are introduced progressively at different Levels.
- General attributes of RP, CCP, CCAs, Certified Instructors, Licensed Training Providers (LTP) and Licensed Partner Publishers (LPP). Note that at the present time, these are generic. More details for these roles can be expected fall 2021.
- Know and adhere to the Code of Professional Conduct
- Familiarity with the Assessment process, C3PAO and CCP-CCA roles
- Know how to determine what evidence is needed for compliance
- Know how to maintain appropriate separation of duties, communications and personnel to prevent conflict of interest, etc. RPs are not permitted to participate in assessments.
The above is a summary of a list of topics.
There are few details on the CCP, but expect to be similar to RP, but with a viewpoint to the assessment.