As organizations seek to obtain CMMC compliance, there can be quite a bit of confusion around who they need to approach for help. It’s important to understand where you are in the journey of CMMC compliance and how you need to get there before you select the appropriate provider.
Under the CMMC framework, which is designed to assess and enhance the cybersecurity practices of defense contractors in the United States, there are a few key roles involved:
Registered Practitioner Organization (RPO) – RPOs are instrumental in facilitating the realization of CMMC control objectives. They execute the scoping and preliminary assessments necessary to uncover discrepancies and offer advice and services to equip your organization for the real evaluation. This encompasses precise scoring for the Supplier Performance Risk System (SPRS) and the creation of Plans of Actions and Mitigation (POAMs). As an RPO, Tego has conducted preliminary CMMC assessments for numerous organizations.
Registered Practitioner Advanced (RPA) – RPAs require more in-depth training with a specific focus on NIST 800-171 control implementations. RPAs must meet additional experience requirements by having implemented, at minimum, 50+ cybersecurity framework controls that directly correlate to the 110 CMMC Level 2 Practices.
Registered Practitioner (RP) – RPs are trained and tested against the levels based on the CMMC framework to obtain their designation. RPs provide consultative services to Organization Seeking Compliance (OSC) and can work as independent contractors or members of an RPO. Tego has RPs on staff to assist with CMMC compliance.
Licensed Training Provider (LTP) – A LTP provides rigorous instruction to staff seeking CMMC Certified Profession (CCP) or CMMC Certified Assessor (CCA) compliance. LTPs conduct certified classes and are taught or facilitated by CAICO Approved Training Material (CATM). Through our teaming partners, Tego provides access to LTPs and CATM.
Certified CMMC Assessors (CCP/CCA) – It is recommended that a CMMC Certified Professional (CCP) or CMMC Certified Assessor (CCA) receive their training from an LPT. In addition, they are required to pass upcoming certification exams to become certified professionals or assessors.
Certified CMMC Instructor (CCI) – Any instructor who has passed the upcoming CCI exam and meets the requirements associated with being an assessor for the level they plan to instruct. CCIs work with Licensed Publishing Partners (LPPs) to develop the curriculum for these courses and with LPTs to deliver the courses.
CMMC Third Party Assessment Organization (C3PAO) – A C3PAO conducts assessments of OSCs though CCPs and CCAs. These are organizations that have been authorized and accredited by the CMMC-AB to conduct CMMC assessments. C3PAOs are responsible for evaluating the cybersecurity maturity level of defense contractors and issuing CMMC certifications.
Each of the above roles plays an important part of the CMMC ecosystem depending on the level of compliance you are seeking and where you are at in the process. For more information on help with your CMMC compliance journey, contact us today.