by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
CMMC Registered Practitioners (RPs) and Registered Practitioner Organizations (RPOs) are extremely valuable pre-audit resources that can help you get ready for CMMC certification. While using this type of CMMC consultant will be an up-front expense, their expertise can ultimately save you time and money in your quest for certification.
If you are a contractor or subcontractor that 1) works with the Department of Defense and 2) handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you need to become CMMC-compliant.
Although CMMC compliance is not yet a requirement in defense contracts, it will be in the near future. The Department of Defense submitted the CMMC 2.0 rule to the Office of Management and Budget's Office of Information and Regulatory Affairs in Q3 2023. We expect that defense contracts will likely have CMMC requirements in Q1 2025. Since it can take a year or more to reach compliance, it is important to start as soon as possible to avoid being disqualified from contract opportunities.
CMMC Registered Practitioners are individuals recognized by the Cyber AB, the DoD’s exclusive CMMC implementation partner, as being qualified to help organizations prepare for CMMC certification. If you rely on DoD contracts and plan to become CMMC certified, it is highly recommended to work with one because preparing for and passing the audit is complex and costly.
The CMMC ecosystem
The Cyber AB (formerly the CMMC Accreditation Body) is the independent, exclusive implementation partner of the Department of Defense. It oversees the training and certification of assessors and of organizations seeking certification. Its website provides an overview of roles in the CMMC ecosystem. Here are a few key roles.
CMMC Registered Practitioners are individuals with in-depth knowledge and experience in cybersecurity. A Registered Practitioner can assist your organization to prepare for and achieve CMMC certification according to its needs, capabilities, and budget. There are two levels of Registered Practitioner — regular and advanced. As the Cyber AB states, “Individuals holding any level of an RP designation can provide CMMC implementation consulting services”.
There are several steps to become a Registered Practitioner:
- Pay a $600 application fee
- Pass a commercial background check and be a citizen of the USA, Australia, South Korea, or NATO countries
- Complete basic online training and online course exams
- Sign a Cyber AB Code of Professional Conduct and RP Agreement
- Pay a $500 annual renewal fee
After achieving the RP designation, an individual can complete additional steps to gain the Registered Practitioner Advanced (RPA) designation:
- Pay a $1000 application fee
- Implement, at minimum, 50 cybersecurity controls from NIST SP 800-171, which forms the basis of CMMC 2.0 Level 2
- Complete a more thorough online training
- Take and pass the Cyber AB RPA exam
- Sign an updated Code of Professional Conduct
- Pay a $750 annual renewal fee
Registered Practitioners can work independently or for a Registered Practitioner Organization. At E-N Computers, we have one Registered Practitioner listed in the Cyber AB Marketplace, Ian MacRae. He is working toward his Registered Practitioner Advanced (RPA) designation. And in the near future, we expect that ENC will be listed as a Registered Practitioner Organization.
Registered Practitioner Organization
A Registered Practitioner Organization is a business that has one or more Registered Practitioners on staff. These organizations are well-versed in cybersecurity standards and can offer full-scale support to companies seeking to comply with CMMC requirements. Working with a Registered Practitioner Organization ensures a streamlined and professional approach to reaching the desired certification level.
Certified Third-Party Assessor Organizations (C3PAOs)
C3PAOs are authorized to conduct official CMMC assessments. There are requirements and guidelines that these organizations must meet, and their assessors (Certified Assessors) have different levels of certification based on the CMMC levels they are authorized to assess. They employ Certified CMMC Assessors (CCA) and Certified CMMC Professionals (CCP).
Working with a Registered Practitioner
How much does it cost to work with a Registered Practitioner?
At E-N Computers, CMMC consulting with a Registered Practitioner costs about $1000/month. It also costs you some time: we expect you to set aside at least one hour every one to two weeks to work through all the details. True CMMC compliance will affect your business workflows, and this collaborative approach produces much better results and less disruption than having us make all the decisions for you.
While the investment in a Registered Practitioner might seem substantial, the value it provides often outweighs the expense. Not only can it speed up your certification process, it can help you improve how you run your business.
Why use a Registered Practitioner
The value that Registered Practitioners provide to organizations seeking certification is enormous, including:
- Expert Guidance: Tailored support to navigate the complexities of the CMMC framework.
- Cost-Efficiency: Utilizing proven methods to achieve compliance without unnecessary expenses.
- Trust and Credibility: Enhancing reputation with governmental bodies, partners, and clients.
- Risk Mitigation: Implementing security measures to protect vital information and business continuity.
Can a Registered Practitioner or organization help maintain compliance?
Yes, we are happy to help you maintain compliance. CMMC compliance efforts are ongoing due to factors like:
- adjustments to cybersecurity best practices like NIST 800-171,
- changes in contract requirements, and
- changes in your business.
Am I required to work with a Registered Practitioner?
No, you are not required to work with a Registered Practitioner. However, there is immense value in working with a consultant who is validated by the Cyber AB to have the knowledge, skills, and experience necessary to guide you to compliance. The CMMC framework is complex; implementing the necessary controls is a significant time investment. The last thing you want is to fail your third-party audit because something was missed. A Registered Practitioner is a sound investment in your certification.
Can an individual be my Registered Practitioner and my assessor?
No. An individual can hold multiple designations, but they cannot assess your company if they previously assisted you with an implementation consultation.
How to prepare for a CMMC audit
To prepare for a CMMC audit, you need to set realistic expectations about:
- what CMMC level you need,
- how long it takes,
- your role in the process, and
- how expensive it is.
Which CMMC level do I need to reach?
The CMMC framework is aligned with NIST 800-171 and consists of three certification levels.
- Level 1 (17 controls): Sufficient for businesses handling Federal Contract Information (FCI). The audit for this level is not expected to be as documentation-heavy.
- Level 2 (110 controls): Required for handling Controlled Unclassified Information (CUI). Because each control can have multiple objectives, there are over 300 objectives to meet. A third-party audit is likely to be required for all organizations seeking Level 2 certification.
- Level 3: Suitable for organizations at high risk. This level is usually reserved for prime contractors.
A Registered Practitioner can help you determine which level you realistically need. Together, we’ll examine 1) what kind of information you handle and 2) what systems process and store sensitive information. We’ll also look at what systems you have in place to simplify administrative tasks like user account control (e.g. single sign-on).
How long does it take to become CMMC compliant?
Becoming CMMC compliant can easily take 12 to 18 months, depending on your starting point and the level you need to reach. During this period, you need to:
- assess your current security posture,
- perform a gap analysis to determine what you are missing to reach your desired CMMC level,
- implement all necessary controls and processes,
- complete an audit by a C3PAO, and
- receive certification by successfully passing an audit.
How involved will I be?
We mentioned this in the section on cost, but it bears repeating: you will be regularly and actively involved throughout the process of working toward CMMC compliance. Full collaboration is absolutely critical to a successful implementation and audit. Consider a few reasons.
CMMC implementation will affect the way you do business. A Registered Practitioner knows cybersecurity and CMMC, but you know your business and team. The combination of your areas of expertise will produce the best result — one that you understand, support, and that works for you day-to-day.
There will be a LOT of documentation. As you can expect when working with the government, especially the Department of Defense, paperwork is the name of the game. There will be a lot of documentation to produce and review in preparation for the audit. You have information that will be integrated into that documentation. But you will also be expected to understand how all the pieces fit together.
This is an opportunity to streamline your technology and strengthen your competitive advantage. Too often, poorly designed and implemented tech inhibits business functions. The deep dive that you will do while preparing for certification will reveal inefficiencies and weaknesses in your tools and processes. You can ignore them and do the bare minimum to reach compliance, or you can take advantage of the situation and optimize with the guidance of an expert consultant.
The CMMC audit
How much will a CMMC audit cost?
A rough estimate is that the audit will cost $20,000 to $40,000 for organizations seeking Level 2 certification.
In general, what should I expect during the audit?
The assessor will examine and validate your documentation. They may interview your staff to verify the technical and procedural safeguards you have in place.
What happens if we do not pass the audit the first time?
You will receive a list of deficiencies and be given 180 days to correct them. Once you correct the deficiencies, the assessor will return to re-assess. As long as the re-assessment happens in the allotted time, it should not cost extra.
What happens if we do not maintain CMMC compliance?
Failure to comply with CMMC requirements can lead to serious consequences, including losing existing DoD contracts, becoming ineligible for future contracts, legal penalties, and reputational damage. Non-compliance can also be considered a breach of contract.
Frequently Asked Questions
The costs in the table below are geared to CMMC 2.0 Level 2 and are ballpark figures only. Your costs will depend on the maturity of your IT environment.
Consultation: This is the preparatory work you do, ideally with a Registered Practitioner. This is a relatively long-term engagement.
Implementation: This includes implementing controls, tools and software, and training. Implementation costs are the least predictable because they are heavily dependent on what you’ve already done. Many contractors use Google Workspace or Microsoft 365 but will need to move to the government cloud version of these products to become compliant. This migration alone can cost tens of thousands of dollars.
Audit: As mentioned above, recent estimates place an audit by a C3PAO in the $20,000 to $40,000 range.
Ongoing costs such as software subscriptions, monitoring, and training are not included here. Our Pricing Calculator can give you an idea of the monthly costs we charge for an organization with CMMC compliance requirements. Set the slider to the number of users you have and select the box “I need help with security and compliance”.
Where can I find a list of Registered Practitioners?
Visit the Cyber AB Marketplace for an updated list of Registered Practitioners (RP/RPA), Registered Practitioner Organizations (RPO), Certified Third Party Assessor Organizations (C3PAO), and more.
We also encourage you to ask for references, case studies, and detailed explanations of the RP’s approach to ensure their experience aligns with your specific needs and expectations.
Learn more about CMMC
The Cybersecurity Maturity Model Certification is a unifying standard for cybersecurity implementation across the Defense Industrial Base (DIB). It encompasses three maturity levels that range from basic to advanced cybersecurity practices. By adhering to the CMMC, organizations can assure that they are implementing the cybersecurity best practices that meet federal requirements, protecting sensitive data, and mitigating risks. You can learn more about CMMC in the following articles:
Working toward CMMC compliance now, in collaboration with a Registered Practitioner, can do more than prepare you to fulfill a legal mandate. It can be a catalyst to reach IT maturity by aligning your technology partnerships, strategy, systems, and settings to meet the needs of your business. Find out where you stand today with our free IT Maturity Self-Assessment.
Is your business ready to weather changes, including employee turnover? Find out by taking our IT maturity assessment.
You’ll get personalized action items that you can use to make improvements right away. Plus, you’ll have the opportunity to book a FREE IT strategy session to get even more insights into your IT needs.