Breaking Down the Roles in CMMC Certifications
Climbing Mount CMMC, June 05, 2025
Episode 24
00:30:05, 20.71 MB

In this episode, Bobby and Kaleigh explore the CyberAB ecosystem, focusing on the various roles and certifications within the CMMC framework. They discuss the importance of understanding the distinctions between Registered Practitioners (RP), Registered Practitioner Organizations (RPO), CMMC Certified Professionals (CCP), and CMMC Certified Assessors (CCA). The conversation also highlights the role of C3PAOs in conducting assessments and the significance of external service providers in the certification process. The hosts emphasize the need for organizations to navigate these certifications effectively to ensure compliance and security in the cybersecurity landscape.

Axiom's LinkedIn: https://www.linkedin.com/company/axiomtech/


Link to Cyber AB certification requirements: https://cyberab.org/CMMC-Ecosystem/Ecosystem-Roles

Website: https://www.axiom.tech/
YouTube: https://www.youtube.com/channel/UCaJagoDasNG3MqLqw2Af_ZQ

Bobby's LinkedIn: https://www.linkedin.com/in/bobbyguerra/

Kaleigh's LinkedIn: https://www.linkedin.com/in/kaleigh-floyd-079a52190/

[00:00:01] Hello Climbers and welcome to Season 3 of Climbing Mount CMMC. Welcome back Climbers to another episode of Climbing Mount CMMC. I'm Bobby Guerra, your host, and I'm also joined by my lovely co-host, Kaleigh Floyd. Hello.

[00:00:21] Alright, so today we're going to be talking about something that's a little bit more basic from the perspective of just going through the ecosystem of the Cyber AB, the different components of it, like RPs, RPOs, CCPs, CCAs, C3PAOs. Basically, just a lot of acronyms that if you're not quite familiar or you're just newer to the ecosystem, this will be a good one for you to really dial into and start to have a good understanding of the ecosystem and how it's going to impact you if you're an MSP or using an MSP. We're going to talk about MSPs to some extent as well.

[00:00:51] Yeah, so I have a lot of conversations with customers or potential customers stepping into the CMMC space that don't really know a lot about even the Cyber AB itself or the different certifications underneath it and the different types of people that they can work with.

[00:01:10] And I feel like, you know, if you are stepping into this journey, if you're a contractor, you know, subcontractor, and you're just trying to figure out who you need to work with and what they do, this is the video for you. Okay? And let's just go from the very top, which, I mean, technically would be the Department of Defense, right? But the Department of Defense did give the Cyber AB, which is a nonprofit, the accreditation to handle CMMC.

[00:01:40] What's the term that Matt Travis says is zero cost or zero dollar contract, I think, or something like that? That the Cyber AB is an independent nonprofit 501c3 organization that supports the Department of Defense through an exclusive no-cost contract. So nothing we say tonight should be construed as representing official DOD policy or U.S. government positions.

[00:02:05] What I did is, again, all of this information that I'm going to speak about today, you actually could access most of this on the Cyber AB's website underneath the ecosystem professions. So what we're going to talk about is the different types of professionals and people in the system of CMMC that you could work with and what potentially they are for. Okay? We're also going to be talking about their requirements.

[00:02:34] So when you see that somebody is an RP or when you see that somebody is a C3PAO, like, okay, what does that mean for me? Like, what did they go through? What kind of credit, you know, credit does that give to somebody? I want to just go ahead and jump in. Again, the Cyber AB website is going to have really most of this for you to view. And I'll link that below so you can check that out as well.

[00:03:01] But let's start with the RP and RPO category. Okay? Something that actually I learned more recently is there are such thing as RPAs and there are RPs. So there's registered practitioners in the CMMC space and there's also a registered practitioner advanced, which has a little bit more requirements to it and a little bit more training.

[00:03:26] The one thing I will say is it includes a background check, but it is not as extensive, much less extensive than the CCP. And we'll talk about that later. It also requires a fee, like an application fee and training and testing. The training and testing is going to take about, they say on the Cyber AB, approximately three weeks, which includes a background check.

[00:03:52] Now, I think you could speed run this, you know, in less than a week, in my personal opinion. But then you'd have to include the background check, which takes a little bit to get back. And then you have to renew annually. This does not require any type of retesting, any type of renewal testing. It's just a fee to the Cyber AB. So you're giving the Cyber AB some nice $500 a year for you to have that RP.

[00:04:22] But you get a nice badge. Next year name, yeah. They do go through, again, they go through training. And I'm going to have it here on the screen too for people that are listening, the different types. Here's the one thing that I will say, and I found very fascinating when researching about this, is that it talks a lot about FCI in RP training. Okay? A lot about FCI.

[00:04:47] Now, you know, if you're not aware of what FCI is, for those of you who have been following us for a long time, we talk about CUI a lot, the controlled unclassified information. We do not talk about FCI a lot because that mostly has to do with CMMC Level 1. And we focus on CMMC Level 2. Okay?

[00:05:08] So I found that very fascinating that they talk about a lot of CMMC Level 1 stuff in RP training, a little bit about scoping, and mostly about FCI scoping and contracts and agreements, fulfillments. Well, if you kind of go back in time, if I remember correctly, I could be wrong about this. People could correct me. But the CCP and CCA courses hadn't come out yet.

[00:05:31] So they're much more of extensive, longer training that require, you know, a much more aggressive test to take. So it took all this curriculum for them to do. So it was a long time for them to spin up those classes and get training centers to do the tests and all that fun stuff. So the RP and RPOs was kind of like the first shot of getting it out into the ecosystem. And I've heard discussions about them refreshing and trying to get that more up to snuff.

[00:05:59] Because I think if you look at it, the CCA and CCP courses have the most current information with them as far as in how they've gone. But that could change by the time this gets published. Yeah, something that I did find that was really interesting. And I mean, I said this before, but in the RP course module description, it talks a lot about FCI.

[00:06:26] But then the RPA, which is the registered practitioner advanced, that is where you start seeing the CUI show up. And it starts to describe that. And then it also says that there are submodules underneath it that talk about the different domains. Which that means that they're then introducing NIST 800-171 in the controls. So that I found was very fascinating because it seems like the RP training does not really dive into NIST 800-171 very much at all.

[00:06:55] If not, like really any CUI. It's really the RPA that dives mostly into that side of things. So if you're looking to get a start on CUI training, you know, I think the RP would not be enough for you. It would have to be RPA if you decide not to do the CCP, which we'll talk about later. Right. The RP and RPAs I think are individuals, right? And RPOs are for organizations, correct? Yeah.

[00:07:24] So an RPO is a registered practitioner organization. Yeah, that's the organization as a whole rather than just the individual. It does say that all of these take approximately three weeks, including background checks. So I find that very fascinating that all of them take about the same time to do. So I want to emphasize again, this is for the renewal terms. It's just a paid price. Okay.

[00:07:50] So they're not getting reassessed in some way or not getting reconfirmed in some way. It's not the same thing as a CMMC, like, you know, level two assessment, right? It's not the same type of deal where somebody is like auditing you or assessing you in any way. They're just taking a test or a course and then paying, you know, yearly to continue that same thing. Okay.

[00:08:18] So I just wanted to make sure people understood. And in no way when I'm saying that, am I saying that these are not important organizations? Because what an RPO is specifically meant to do in this environment, it's supposed to be able to or an opportunity for organizations to come in and give you consulting or advice. Okay. RPOs are consultants.

[00:08:42] They cannot do assessments, like, for you, like, as far as C3PAOs can do assessments for you where they actually do CMMC level two assessments. But they are authorized under the Cyber AB to do consulting for CMMC. I'll just share my opinion. I think those came out many moons ago, and so they were necessary to get the ecosystem moving.

[00:09:14] But I've never seen anyone that went through and got RP that when they went and did the CCP training that they were sad they did that. Everybody was like, oh, man, it was so much more deeper. I got so much more information. It taught me so much more. I feel like I really understand a lot more about what's going on. I mean, it's a much longer course. It's proctored, although I think they do have some online teaching courses now. Some of you even do it in the evenings, I think.

[00:09:43] I definitely understand what you're saying is the RP and the RPA is a great stepping stone to get into the space, but it's not the end point. If you want to continue to be a wealth of knowledge for CMMC, you definitely should excel to the CCP at least just to continue that education. And I do think I agree that that is what they made the CCP for.

[00:10:05] Now, in the RPO side, if you are a company that just wants to do consulting, there's not really anything else necessarily that you can get besides going to become a C3PAO, which many do. But some people don't really want to do assessments. So the farthest they go is getting their RPO as a company. But what is important to know is what type of people are inside that RPO business.

[00:10:33] Are they all just filled with RPs or did they excel in their training even further than that as CCPs and CCAs under that RPO? We know many RPOs that we work with that we actually really love and enjoy, and many have CCAs on staff, CCPs. You know, it just doesn't end there. So let's talk about – we've been throwing the names out – CCPs and CCAs. CCAs.

[00:10:58] CCPs are CMMC certified professionals, and CCAs are CMMC certified assessors. You cannot be a CCA before being a CCP. Okay? You have to start with your CMMC certified professionals certification. That's a mouthful. And there's requirements, right, on how long you have to be in the industry. They have requirements. So it's really interesting.

[00:11:25] You have to have a college degree in a cyber or informational technology field or two years plus related experience or education. Another thing that is interesting is they do mention CompTIA A plus or equivalent knowledge experience before taking this course or taking the test. And then DoD CUI awareness training, which if anybody knows and you went through that, that is a fun one to do.

[00:11:55] So, yeah, you're going to have a blast with that. But, yeah, they actually have, like, kind of prerequisites, which they do say it's a recommended educational and or experience for the CCP program. So they're not going to be, like, checking your CompTIA A plus at the door immediately when you're doing, like, you know, the courses and whatnot. But they do recommend that.

[00:12:20] The other thing that I'm going to say is with this course material, it's definitely much more extensive to the point where they don't have the modules here on the Cyber AB. You would actually have to reach out to an organization that does that type of education. So there are multiple organizations, which I can link below, that you can check out. There are CCP courses. Bobby has mentioned them. Many of them are five-day courses. Sometimes you can do, like, super long courses for three days.

[00:12:49] I think that's the minimum. But many of them are five-day courses with very, very excellent people. Some examples are Corinne Wise has courses that are awesome. Edwards has courses that are great. Now, here's the thing about this. When you pass your CMMC Certified Professionals exam, you are not done to be listed as a CCP. Bobby knows this all too well. I might be hitting him in the heart with this one.

[00:13:16] But you have to obtain a Tier 3 background check, which is not the same background check that RPs and RPAs have to get. It is much more extensive and it takes much longer of time. So if you do have somebody who is a CCP and has that listed, they did take much longer to go through that background check process in that time.

[00:13:42] And then an RP and an RPA would go through. And then also, if they're a CCA, which is a CMMC Certified Assessor, on top of that, they went through all of this for CCP. Okay. And then they had to go and take the CCA courses. So their Tier 3 is already done. They've already got their CCP certification.

[00:14:05] And then they applied to take the CMMC Certified Assessor classes, which are definitely much more intricate. Talks a lot about the, you know, how you assess somebody, how you assess a control. What do they mean by that? It's, yeah. Scoping conversations. Scoping conversations. Very more in-depth conversations. And they do, I mean, it depends on where you take your course.

[00:14:31] You know, that's one of the things I love because it's instructor-led, the CCP and CCAs. So a lot of times you're getting real people that have perhaps been through assessments before, can give you a lot of real-life insight about it, which is hugely helpful. I mean, if you're trying to step into that space, the CCP and CCAs are a great shot in the arm knowledge-wise. And plus you, I can't tell you how many people that I went through the course I've gotten connections with and gotten to know them and stayed in contact with them.

[00:14:59] So usually the course group that you go through, you kind of build a bit of a bond with and start to learn more about them. I run into them in different conferences and say hello to them and things. It's, yeah, it's really nice. Yeah. And so then if you add on top of that the CCP course, the Tier 3 background check, the classes, and you pass your exam, you actually do have even more things that you have to check off your list. But wait, there's more. Wait, there's more? You have to have that form.

[00:15:27] There's like specific requirements that you have to have, certain certifications. Yeah, 8140. 8140, that's what it is. So it's a… Yeah. It's like CompTIA Cloud Plus, Pentest Plus, Security Plus, you know, one of those kinds of courses. And that's for you to be a CCA, just a standard one. And then a lead CCA requires higher requirements. Yeah, correct. Yeah, do you want to explain, Bobby, what the difference is between a lead CCA versus a CCA? Yeah.

[00:15:57] So in the audit, when you get to get assessed, there has to be at least one lead CCA in every audit to help ensure the quality of the assessment. Mm-hmm. So that's why having that lead CCA could be significant because there's less lead CCAs than there are CCAs. And so C3PAOs are always looking for good leads because they're the ones that are kind

[00:16:25] of, you know, they don't necessarily have to be the people that are doing all the audits, but they are the people that are beating the drum, right? Yeah. So they're like, okay, we're going to do it this way. This is the cadence. We're going to do it. We're going to split it up in this many days. We're going to do these different domains in this certain way. They set the stage and tone of the whole assessment. So picking the right lead is a pretty big deal. Yeah. Yeah. And you're so right about that.

[00:16:51] Any CCA can actually enroll to sign up to become verified as a lead CCA if they've finished their DOD experience and their 8140 requirements. And they can submit a document to the Cyber AB to apply to be a lead CCA. And just like you said, Bobby, they are going to be leading the charge of an assessment rather

[00:17:17] than not necessarily like how you said, doing the full documentation, but beating the drum and taking charge of that. So definitely a different type of person might need to be that type of role. So not every CCA wants to be that. I'd love to be a CCA someday, you know, on some assessments. I'd probably like to do a few a year. Yeah. But I don't think I'd ever want to be a lead. I just, you know, you got to, I think you're going to do lead.

[00:17:43] You probably need to be doing quite a few in a year to really make sure that you, that you're keeping your chops. So shout out to you leads that can do some jobs that not everyone can do. So all of these people that we just talked about, the CCPs, the CCAs and lead CCAs are all going to be working for, in some ways, the C3PAOs, right?

[00:18:13] The CMMC third-party assessment organizations. These are the organizations that are certified to do actual assessments for contractors or even MSPs like us that are wanting CMMC level two certifications. They are the organizations that do that. And it is much more of an extensive process than an RPO to get certified for that. Something that was really interesting, I think it's worth mentioning.

[00:18:43] A lot of people, especially when I was taking my course, like when I went through my CCP, the test hadn't even come out yet. No one even had taken it because it didn't even exist. So, I mean, who goes through a test, who goes through a course for a test that hadn't been created? This guy. You know? It was really weird. It was like this monster you had to fight and you didn't even know what it looked like. You know? No one had ever seen it. It's out there in the ocean somewhere. You know? And you're just going to go hunt this thing down like Moby Dick or something.

[00:19:11] And so we thought that the CCPs would have a much deeper presence in the audit process that they would be able to be kind of like, you know, the CCAs would be running the show and then there would just be a bunch of CCPs that would help with the audit process. But that's not how it ended up playing out eventually at the end. It was more of like the CCPs can only really participate at level one and they were saying, no, maybe you could, maybe you couldn't.

[00:19:38] To be honest with you, I can't even remember now where they have fallen on which side of that coin things are going to happen. I can put up the description. There's a graph in 32 CFR final rule that shows it. But CCPs can participate in assessments, but they're not required in the assessment team itself. It does not show them as a requirement.

[00:20:03] They are allowed to participate because they actually do have to participate to get their CCA. Like you have to have participations in assessments like to get your CCA. So they have to be able to, but they're not required to be on the team. Yeah, it was just, it was really interesting. So we, it was, the hope is that the CCPs would be a lower cost for the audit so that you could have people to come in and participate without driving the costs up so much.

[00:20:31] But now you have to have basically three CCAs. You have to have a quality control person, another CCA, and a lead CCA. So at a minimum, you have three CCAs involved, one of which has to be a lead. And that drives up the price of the cost of the audit. And that's not how people were thinking it was going to go. But, you know, that's how 32 was written. And that's just how it is. Yep.

[00:20:53] And so a C3PAO on the CyberAB website, the registration duration, they say it takes approximately four months. Now, for you to become a C3PAO, we're going to mention another organization that we haven't talked about. But this does include a DIBCAC assessment. So this is what's interesting.

[00:21:18] For C3PAOs to be able to assess other people, they are going to be assessed by DIBCAC before they can then assess other people. Right. Right? Also have to have a certain amount of people, like CCAs, I think. They also have to go through an ISO audit as well, I think, in a certain period of time. And it's also way more expensive.

[00:21:46] The cost for the C3PAO is very pricey. Yeah. So if you're going to do it, it's a pretty big deal. And so to round this out, we're going to talk about ESPs, which we have a heart for because it is who we are.

[00:22:07] But it is, you know, I guess you could say a more open category in the sense of an MSP is an ESP, an external service provider. But also there are multiple organizations that can be classified as an external service provider. For example, many RPOs have come up to me angrily and said, why have you not talked about us as an external service provider? And I said, I'm sorry.

[00:22:36] I don't know. I just talk about MSPs because that's what I know. But I'm sorry, RPOs. You are external and you provide consulting services. So you can be considered an external service provider. But let's talk about that because in the 32 CFR final rule, it does not speak clearly to every organization that is an ESP.

[00:22:59] But it does clearly state that there is a difference between cloud service providers and external service providers. Okay. So a cloud service provider is somebody that provides cloud services where you process, store, and transmit, you know, information into their cloud that you pay for, you know, through them. And it's not like a agreement type of MSP service like what we do.

[00:23:28] The example of that would be Microsoft, you know, cloud services, Google, AWS. Those are cloud service providers. Whereas managed services, MSPs, people that provide services to you externally and come into your organization, those are considered external service providers. Of course. Bobby, did you want to add anything else to that? I think really is the credit card involved. I mean, do you – right.

[00:23:58] I mean, it's like, oh, I want to spin up a Microsoft tenant right now. Let me whip out my credit card. That's a cloud provider because they have this whole cloud platform that's designed to receive your just drive-by configuration. And it can just scale up and do whatever. And that's more of the cloud. But an MSP, like no one doesn't not talk to me and just all of a sudden gets my managed services from me. Even if I do have stuff and we do host stuff in our cloud, but that doesn't mean that I'm a cloud service provider.

[00:24:27] Like you don't get access to it because you just go to our website, put your email address, and then bam, you've got all of this cloud solution that ramps up for you. Right. It's not. So that's really kind of that bifurcation. It was NIST and the DOD's attempt to kind of draw that line without saying these guys. Right. It's like we're going to talk about these people, but we're not exactly going to call their names.

[00:24:48] That's kind of the reason why that definition is written in such a roundabout way because they're trying to include anybody that might fall into that specific category. Exactly. And external service providers, there's no type of certification that is required necessarily right off the bat to be one. That is not a testing process that people go through that say like, oh, yeah, I'm an external service provider for, you know, for CMMC. There's not tests. There's not courses or whatnot.

[00:25:18] Now, there are requirements for ESPs. And what I mean by that is an organization seeking certification that pulls an ESP in to their system. So they have an external service provider that works for them and is handling some of their controls potentially for CMMC. That is where the external service provider is going to 100% get pulled in.

[00:25:46] And you can view this in the CAP, the CMMC assessment process. You can see that assessors are going to want to see that external service providers, customer responsibility matrix, and their agreement. Okay. So that is very, very important for organizations seeking certification to know about external service providers. It's really easy to just kind of think of it this way. Like there's you, your organization. You might make lug nuts, right? Whatever it might be.

[00:26:15] And you have to get level two certified. Why would you have to get certified for lug nuts? The DOD will figure it out. Trust me. They'll figure out some way for you to somehow get looped in. But you're looped in, okay? So you have to get level two. Whoever's going to help you perform these technical controls, there's 110 of them, 320 assessment objectives that break down all of those 110. So there's subcategories. So that organization is going to get assessed.

[00:26:39] If they're turning to other people to help them actually do the controls like patching, log management. If they run your Microsoft cloud, right? They do all of your cloud stuff for you. You don't. If you add someone, they add it for you. Those people would be external service providers. They're outside of your organization and they have a relationship with you and they're helping perform services.

[00:27:07] And because they're doing those things, they're going to get looped into your audit. And they're going to have to be able to attest for the things that they're doing for you. A good one would be adding users, right? So an MSP like us, we add users for our clients all the time. That's a big part of what we do. And so the client authorizes them. So that's their job. Our job is to add them. So in the audit, we have to speak to how we're going to do that.

[00:27:35] And they're going to ask us all those wonderful questions and we have to be able to prove it. And so that's where that external part is. We're external to that company that's being assessed, but we're still going to get pulled in. So it's very critical. And you can see, though, why defining and understanding what type of external service provider that person or that organization is for you is critical because the types of services that an RPO would give would be consulting, you know,

[00:28:03] and discussion-based potentially helping you with documentation. Whereas somebody like an MSSP or an MSP is probably doing the technical controls for you. Very different types of services, you know, and there's even more that we haven't listed. So just be aware of, you know, those different types of organizations and those different types of people. Again, we are going to have links to these below.

[00:28:31] And if you're listening to this, we also have a video version on YouTube where we show things visually on the screen. I hope that this was beneficial to you guys that are listening in for the first time or maybe don't really know much about the CMMC ecosystem at all. And if you were listening to this just to judge us, that's so rude. You know, just comment what you think we did better. Whatever. Just help us. I don't know.

[00:28:59] But honestly, we're just reading a lot of this from the Cyber AB. So if you have something to say about it, you can take it up with Matt. You can take that up with Matt Travis later. I'm just kidding. But also, too, if you guys have any questions about things specifically or also, you know, you're interested in something, please make sure to comment. We will respond to your comments and your questions. So just let us know and we'd be happy to help you out.

[00:29:26] Also, if you want specific content on maybe CCPs or CCAs or something specifically in the future, please let us know so we can cater the content to what you guys are looking for. But we hope you guys enjoyed today's episode and tune in next Thursday for another one. Until then, keep on climbing. See you guys. Make sure to follow us on LinkedIn and YouTube to stay up to date on the latest CMMC news.

[00:29:55] We hope you guys enjoyed today's episode and listen out for the next one. But until then, keep on climbing.