Ecosystem Reference

CMMC Ecosystem Roles

The six designations contractors encounter when selecting practitioners and assessors, and how each role relates to the others.

David W. Koran, RPA  ·  April 2026  ·  David Koran & Associates

The Cybersecurity Maturity Model Certification ecosystem is governed by The Cyber AB, the official accreditation body that authorizes practitioners and assessment organizations to operate within the framework. Six designations matter to contractors selecting an advisor or preparing for assessment. Three are individual practitioner credentials. One is an organizational credential for consulting firms. Two are individual assessor credentials, one preparatory and one operational. One is an organizational accreditation for the entities authorized to perform formal CMMC assessments.

The designations are abbreviated frequently in the practitioner community, and the abbreviations are themselves a source of contractor confusion. RP and RPA sound similar but identify different credential tiers. RPO is a separate organizational designation that can include both RPs and RPAs. CCP and CCA sit on the assessor track, distinct from the consulting track entirely. C3PAO is the organizational accreditation that authorizes formal certification assessments. The boundary between consulting and assessment runs through the middle of the ecosystem and is not optional. The same individual cannot do both, and the same organization cannot offer both consulting and certification assessment to the same contractor without violating the ecosystem rules.

The Six Designations at a Glance

| Designation | Type | Track | Authority |
| --- | --- | --- | --- |
| Registered Practitioner (RP) | Individual | Consulting | Provide CMMC consulting services to OSCs |
| Registered Practitioner Advanced (RPA) | Individual | Consulting | Provide CMMC consulting services with verified experience |
| Registered Practitioner Organization (RPO) | Organization | Consulting | Employ RPs and RPAs and offer consulting as a firm |
| Certified CMMC Professional (CCP) | Individual | Assessment | Hold the assessor-track credential preparatory to CCA |
| Certified CMMC Assessor (CCA) | Individual | Assessment | Conduct CMMC assessments as part of a C3PAO team |
| CMMC Third Party Assessment Organization (C3PAO) | Organization | Assessment | Conduct formal CMMC assessments and issue certifications |

OSC in the table refers to an Organization Seeking Certification, which is the formal designation for any contractor preparing for or maintaining CMMC compliance. The acronym appears throughout CyberAB documentation and ecosystem rules.

The Consulting Track

Registered Practitioner (RP)

The RP credential is the entry-level individual credential on the consulting track. An RP has completed the CyberAB application process, agreed to the Code of Professional Conduct, and is authorized to provide CMMC consulting services to contractors. The credential signals baseline ecosystem standing and ethical commitment, and it is the credential most consultants hold when entering the practice.

The RP scope of work covers readiness consulting: gap analysis, system security plan development support, plan of action and milestones development support, policy and procedure drafting, and advisory engagement throughout the contractor's preparation for assessment. The credential does not authorize assessment work and does not authorize the holder to issue findings about a contractor's compliance posture in a form that substitutes for a formal CMMC assessment.

Registered Practitioner Advanced (RPA)

The RPA credential reflects additional verification of the practitioner's experience and standing beyond the base RP credential. The Cyber AB introduced the advanced tier to give contractors a clearer signal when selecting a consulting advisor. An RPA has documented experience applying CMMC and NIST 800-171 concepts in operational engagements with contractors, and the credential is verified at a higher diligence threshold than the base RP.

For contractors selecting a consultant, the practical distinction between RP and RPA is one of demonstrated experience. Both credentials authorize the same scope of work. The RPA designation indicates the practitioner has been through enough operational engagements to develop the judgment that distinguishes a strong consulting deliverable from a weak one. The full reference on the credential is at CMMC Registered Practitioner Advanced.

Registered Practitioner Organization (RPO)

The RPO is an organizational credential rather than an individual one. A consulting firm that employs at least one credentialed individual practitioner and that meets the CyberAB organizational requirements may register as an RPO. The RPO designation confirms the firm operates under the ecosystem rules, employs credentialed individuals, and is subject to the organizational dimension of the Code of Professional Conduct.

An RPO is the firm wrapper around RP and RPA practitioners. A contractor engaging an RPO is engaging the firm. The actual consulting work is performed by RP or RPA individuals employed by or affiliated with the RPO. A contractor evaluating an RPO should examine the credentialed individuals associated with the firm rather than treating the RPO designation as a substitute for individual credential verification.

The Assessment Track

Certified CMMC Professional (CCP)

The CCP is the entry-level individual credential on the assessment track. It is preparatory to the CCA credential and reflects training in the CMMC Assessment Process and the methodology assessors apply during a formal assessment. A CCP has completed the required training, passed the certification examination, and is authorized to support assessment work under the supervision of credentialed assessors. The CCP credential alone does not authorize the holder to lead an assessment.

A CCP is on the path toward becoming a CCA. The progression requires additional experience and the higher-tier examination. Some practitioners hold the CCP credential as a way to deepen their understanding of the assessment methodology while continuing to work in consulting roles, and that combination is permitted by the ecosystem rules. The boundary that matters is between consulting and assessment, not between the credentials themselves.

Certified CMMC Assessor (CCA)

The CCA is the operational individual credential on the assessment track. A CCA is authorized to conduct CMMC assessments as part of a C3PAO assessment team, applying the CMMC Assessment Process to evaluate a contractor's compliance posture against the requirements applicable to the contract. The CCA is the practitioner whose judgment determines, within the structure of the assessment team, whether each control is implemented to the standard the framework requires.

CCAs operate under the C3PAO that engages them. The credential is individual but the assessment work is organizational. A contractor undergoing assessment is assessed by a C3PAO, and the C3PAO is the entity that issues the certification. The CCAs on the assessment team are the individuals who conduct the work, but the C3PAO is the entity that bears the accreditation and the certification authority.

CMMC Third Party Assessment Organization (C3PAO)

The C3PAO is the organizational accreditation that authorizes the entity to perform formal CMMC assessments. C3PAOs are accredited by The Cyber AB through a process that includes ISO/IEC 17020 conformance, organizational background checks, and ongoing oversight. The accreditation is the most rigorous in the ecosystem because the C3PAO holds the authority to issue certifications that affect contract eligibility under DFARS 252.204-7021.

For contractors, the C3PAO is the organization that conducts the formal assessment that produces the certification. The contractor selects a C3PAO, contracts with it for the assessment, and undergoes the assessment process the C3PAO conducts. The certification, when issued, is recorded in the CyberAB Marketplace and confirms the contractor's compliance posture for the certification period. The contractor's relationship with the C3PAO is independent of the contractor's relationship with any consulting practitioner. The same firm cannot serve as both the C3PAO and the consulting practitioner for the same contractor, and the ecosystem rules prevent that conflict.

The Boundary That Matters

The single most important structural rule in the CMMC ecosystem is the separation between consulting and certification assessment. The rule exists because the integrity of the certification depends on the assessment being conducted by an entity that is not also the entity that prepared the contractor for the assessment. A practitioner who helped a contractor implement controls cannot also evaluate whether those controls satisfy the framework requirements. The conflict of interest would undermine the verification function the framework is designed to provide.

The rule applies at both the individual and the organizational level. An individual RP or RPA cannot also serve as a CCA on an assessment of the contractor they advised. An organization cannot serve as both the RPO and the C3PAO for the same contractor. Even within larger firms that hold both designations, the personnel and organizational structures must be separated such that the contractor's consulting engagement and assessment engagement are conducted by independent units with no information flow between them. The Cyber AB enforces this separation through ongoing oversight and the Code of Professional Conduct.

For contractors, the practical implication is that the consulting practitioner and the C3PAO are two different selections, conducted independently, with no expectation that the consulting practitioner will recommend a specific C3PAO or vice versa. A contractor engaging a credentialed practitioner for readiness work and then selecting a C3PAO for assessment is following the model the ecosystem was designed to produce.

Selecting Among the Designations

A contractor preparing for CMMC certification typically engages two parties in sequence: a consulting practitioner for readiness, then a C3PAO for assessment. The selection of each follows different criteria.

For the consulting practitioner, the contractor evaluates individual credential standing, demonstrated experience in environments similar to the contractor's, and the working relationship the contractor expects to have throughout the readiness engagement. An RPA brings verified experience above the base RP threshold, which is meaningful for contractors with complex environments such as defense aerospace manufacturers with operational technology in scope. Whether the practitioner is independent or affiliated with an RPO is a structural question rather than a quality signal. Both arrangements work, and the choice depends on the contractor's preference for engagement structure.

For the C3PAO, the contractor evaluates accreditation status, current capacity, geographic reach for any required on-site assessment activity, and scheduling availability against the contractor's target timeline. The C3PAO market has capacity constraints that have intensified as the November 2026 transition approaches, and contractors that wait until close to the deadline frequently find that the available C3PAOs are scheduling assessments out further than the contract timeline allows. The capacity dynamics of the C3PAO market are addressed in the firm's white paper at CMMC Assessment Capacity.

Verifying a Designation

The CyberAB Marketplace at cyberab.org is the authoritative public registry for all six designations. Any individual practitioner holding an RP, RPA, CCP, or CCA credential is listed. Any organization holding an RPO or C3PAO accreditation is listed. The lookup returns three possible answers: a current credential or accreditation, a lapsed credential or accreditation, or no listing at all.

The verification step is a small operational discipline that protects the contractor from engagement with practitioners or organizations whose credential claims do not match their actual standing. The CMMC ecosystem has experienced occasional cases where individuals or firms have represented themselves as credentialed without verification, and registry verification eliminates that risk before any contractual relationship begins. Verification before engagement is the appropriate due diligence for any party representing themselves as operating within the CMMC framework.

About the Author

David W. Koran

David Koran is a CyberAB Registered Practitioner Advanced and the founder of a CMMC advisory practice serving Defense Industrial Base contractors and the legal counsel who support them. The firm focuses on readiness, enablement, and implementation work, and does not perform CMMC certification assessments under any circumstances.

He is the author of The CMMC Decision, now in its second edition, and an Associate Member of the American Bar Association Section of Public Contract Law.

dkoran@davidkoran.com  |  802-335-2662
