CMMC career paths: RP vs CCP vs CCA: Which certification is right for you?

The CMMC professional landscape is packed with opportunities. The Defense Industrial Base (DIB) continues to grow, making the Cybersecurity Maturity Model Certification (CMMC) increasingly necessary for more organizations.

This is great news for both individuals and organizations. Individuals can earn credentials that qualify them to perform or support assessments. Organizations can build teams of CMMC-certified people to found consulting practices or set up an assessment company.

Your career can progress quickly once you get started. You can go from having an entry-level designation to a lead assessor credential in a few years, depending on how quickly you learn the necessary skills.

Editor's note: ISACA took over CMMC professional credentialing in April 2026. Watch our webinar with ISACA to learn more.

CMMC individual certifications overview

This article compares three common individual pathways within the CMMC ecosystem.

Registered Practitioner (RP)

This is an entry-level designation for people who are new to the CMMC ecosystem. It’s also a good fit for those transitioning into cybersecurity compliance from another career. An RP typically supports organizations preparing for assessment, but they don’t perform official assessments. They also don’t take a leadership role, guiding assessment teams as they work. You can think of an RP as someone just getting started in the CMMC space.

CMMC Certified Professional (CCP)

A CMMC Certified Professional (CCP) actively participates in performing CMMC assessments. However, they do so under the supervision of a CMMC Certified Assessor (CCA), described in the next section.

A CCP may work as a member of an assessment team. They help perform hands-on evaluations of an organization’s compliance.

CMMC Certified Assessor (CCA)

CCA is an advanced assessor certification. CCAs are qualified to perform formal Level 2 assessment work as part of a C3PAO team. Lead CMMC Certified Assessors (LCCAs) are the senior assessors authorized to lead official Level 2 assessment teams and deliver final compliance determinations. A C3PAO that performs assessments needs to have at least one LCCA, one CCA and one quality assurance individual who is also a CCA associated with the organization.

Natural progression

The typical path for a CMMC professional is straightforward, going from RP to CCP to CCA.

However, you can skip becoming an RP if you already qualify to be a CCP.

It’s important to understand, though, that there’s no way of skipping your CCP certification. A CCP cert is a prerequisite for becoming a CCA.

Registered Practitioner career details

For those who are relatively new to cybersecurity assessments, the Registered Practitioner (RP) role is the launching point. It is relatively accessible, and The Cyber AB’s public RP requirements do not list prior experience as a prerequisite.

At the same time, your potential is limited as an RP. You can only support organizations preparing for CMMC assessment; you can’t conduct them on your own.

Who should get RP certification?

An RP opportunity is best for those who are:

• Switching from another career to security compliance
• Newcomers to cybersecurity, without a lot of background knowledge or experience in the field
• Trying to get a CMMC career off the ground and need RP designation to get going
• Recent graduates with an interest in CMMC compliance work

Pros of RP designation

Since an RP designation is an entry-level credential, it comes with some distinct benefits, such as:

• Has a low barrier to entry. It’s easy and quick to obtain because there are no experiential and limited background knowledge requirements.
• Makes it easy to get your foot in the door. Once you have your RP designation, you already have what many Registered Practitioner Organizations (RPOs) are looking for in applicants.
• Provides a foundation for advancement. If you’re working in an administrative role in a CMMC company, earning your RP can help you send your career in a different direction.

Cons of RP designation

At the same time, there are some drawbacks that come with only having your RP designation:

• You can only serve in a consulting or preparation-support capacity
• You can't participate in official assessment determinations like a CCP or CCA, or lead assessment teams like an LCCA.
• Most likely, you’ll have a lower salary, at least until you progress to becoming a CCP.

You can learn more about what it takes to be an RP and the responsibilities you can expect in our complete RP guide.

CMMC Certified Professional career details

The CCP credential is a professional-level certification. It requires a qualifying technical degree or at least two years of related education or experience working in IT, cybersecurity or the CMMC ecosystem.

The biggest difference between those with a CCP certification and an RP designation is that CCPs can participate in official assessment activities within the limits of the CCP role. Even though they must do so under supervision, they can play an active role on an assessment team.

The other significant difference is salary, which you can expect to fall between $70K and $120K per year, based on market estimates.

Who should get CCP certification?

CCP certification is a good option for those serious about progressing in the CMMC compliance space, as well as anyone interested in general cybersecurity compliance, such as:

• IT and security professionals who want to work in the defense space
• Those who already have experience with cybersecurity compliance work or who already have their RP designation
• Professionals interested in being CMMC consultants

Pros of CCP certification

A CCP certification can lead to a fruitful career because:

• You can perform a meaningful, rewarding role on an assessment team.
• It comes with a stronger salary potential than being an RP.
• Having your CCP cert can pave the way for consulting and other CMMC career opportunities.
• It’s a stepping stone to earning your CCA.

Cons of CCP certification

While there are many upsides, you should keep in mind that:

• You need to meet ISACA’s education or experience eligibility requirements to become a CCP.
• It may cost more to prepare for the exam.
• The exam is more rigorous than what’s required to get your RP designation.
• You still need to be supervised while performing assessments.
• You can’t help an aspiring C3PAO meet its assessor staffing requirements unless you advance to the appropriate assessor credentials.

There’s a lot more to being a CCP, and you can explore further using our complete CCP guide.

Certified CMMC Assessor career details

A CCA holds a high-level credential in the CMMC ecosystem. They provide formal Level 2 assessment expertise as part of a C3PAO team. A CCA can also help a C3PAO meet its required assessor associations.

To become a CCA, you need your CCP cert first. When comparing CMMC certification requirements, this can be a sticking point for some. Once you have the position, you are qualified to perform Level 2 assessment work as part of a C3PAO team. Lead CCA (LCCA) is the credential associated with leading official assessment teams and final determinations.

Along with greater responsibility comes higher pay. You may make between $100K and $200K per year as a CCA or LCCA, based on market estimates.

Who should get their CCA certification?

A CCA cert is one of the most compelling CMMC certification options because it’s a powerful credential that’s good for:

• Experienced professionals who hold CCP and meet the CCA experience requirements
• Those who currently work for a certified third-party assessment organization (C3PAO) or are seeking a C3PAO opportunity
• Senior consultants, such as those who lead teams of other consultants
• Assessment professionals who want to perform formal Level 2 assessment work and potentially advance toward LCCA

Pros of CCA certification

There are several advantages to pushing your career to the CCA level, including:

• Having one of the highest credentials, which qualifies you for many positions in the CMMC ecosystem
• Being able to perform formal Level 2 assessment work as part of a C3PAO team
• Earning some of the highest salaries in the CMMC space
• Being in high demand since there are so many organizations that need assessments or guidance toward earning their CMMC certification

Cons of CCA certification

Despite all the benefits, you should also remember that:

• The CCA certification has the longest path to qualification (of RP, CCP and CCA), particularly because it has the most requirements to meet.
• You need your CCP certification before earning your CCA.
• Like CCP holders, CCA holders must meet ISACA’s continuing professional education (CPE) obligations and renewal requirements to maintain certification status.

In our complete CCA guide, you can dig deeper into what it takes to be a CCA. 

Comprehensive comparison table: RP vs. CCP vs. CCA

Are you thinking, “Which CMMC certification should I get?” Here’s a CMMC certifications comparison table:

Aspect	RP	CCP	CCA
Education & experience	None listed by The Cyber AB	A college degree in a cyber or information technology field, OR 2+ years of related education experience, OR 2+ years of related experience	CCP, 3+ years of cybersecurity experience, 1+ year of assessment or audit experience, 1 baseline certification aligned to the intermediate or advanced proficiency level for the Career Pathway Certified Assessor 612 from the DoD Manual 8140.3 Cyberspace Workforce Qualification and Management Program
Training	Complete RP class from The Cyber AB	Complete CCP class from an Approved Training Provider (ATP)	Complete CCA class from an Approved Training Provider (ATP)
Exam	Pass quizzes from each RP course	170 questions	150 questions
Cost	$600 (application, training and testing)	$3,000–$5,000 (application, ATP training, exam)	$3,000–$5,000 (application, ATP training, exam)
Timeline	6–8 weeks	3–4 months	12–24+ months
Assessment role	Support only	Under CCA supervision	Level 2 assessment, led by Lead CCA
Renewal	$500 annual	$45–$85 annually, plus 120 CPE hours over 3 years)	$45–$85 annually, plus 120 CPE hours over 3 years)
Best for	Entry-level	Mid-career	Senior/expert

Career paths & progression

There are a number of CMMC career paths if you want to climb the CMMC certification ladder. Here are some CMMC professional pathways:

Path 1: Entry to expert

1. Start as an RP
2. Gain experience supporting CMMC readiness and implementation work
3. Advance to becoming a CCP
4. After meeting CCA eligibility requirements, become a CCA

This would give you a timeline of between three and five years, starting from the bottom and moving up to CCA.

Path 2: Skip RP

1. Start by earning your CCP using your current experience and passing the exam
2. Gain experience as a CCP
3. Advance to becoming a CCA

In this scenario, you’re looking at a timeline of between two and four years.

Path 3: Non-assessment

1. Become either an RP or a CCP
2. Work in consulting or supporting compliance teams

With this path, you don’t need to earn your CCA, but you can still have a rewarding CMMC certification career. You also focus on providing advisory services instead of performing actual assessments. The consultancy path can position you for higher income, since you can charge whatever rates you want as long as they fit your clients’ budgets.

CMMC job roles by certification

The CMMC jobs you qualify for depend on which certification you have:

RP roles

• Junior consultant, which is someone who supports other consultants
• Compliance coordinator, which involves organizing and scheduling compliance readiness activities
• Assessment support, which can include anything that assessors need, from administrative tasks to help render the reports they prepare — as long as the RP does not perform official assessment determinations
• Documentation specialist, who is someone who prepares documentation based on the insights assessors or consultants provide

CCP roles

• CMMC consultant, which involves helping an organization get ready for CMMC assessment
• Compliance manager, who takes care of coordinating compliance activities
• Assessment team member, who participates in assessment activities within CCP role limits
• Security analyst, which involves evaluating an organization’s security as it relates to the standards in NIST SP 800-171

CCA roles

• CMMC assessor, who performs Level 2 assessment work as part of a C3PAO team
• Senior consultant, who may oversee other CMMC consultants as they advise companies on how to qualify for certification
• C3PAO principal, which involves being a VP or other executive in a C3PAO and overseeing CCPs or other CCAs
• Practice lead, which positions you to run your own CMMC consulting or assessment-related practice, with official assessments requiring the appropriate C3PAO structure and assessor credentials

Decision framework

You can use the following as a quick reference if you’re not sure which CMMC professional pathway to take:

Choose RP if you’re:

• New to the CMMC field
• A career changer
• Need a quick start
• Budget conscious
• Want a foundation for advancing in the CMMC space

Choose CCP if you:

• Already have IT/security experience or a qualifying technical education background
• Want an assessment role
• Have consulting aspirations
• Are ready for commitment
• Need a path to CCA

Choose CCA if you:

• Are an experienced professional
• Want to perform formal Level 2 assessment work and potentially advance toward leading assessments as an LCCA
• Want a top-tier salary
• Are ready for a long-term commitment
• Need to advance your C3PAO career

Industry demand & outlook

CMMC is expected to affect hundreds of thousands of organizations across the defense industrial base, creating demand for qualified professionals. There’s also a need for consultants because companies often seek guidance while navigating their CMMC certification journey.

Training is another gap that needs to be filled because organizations need staff who understand how assessments work and how to implement tools and strategies to qualify for CMMC certification.

A supply and demand imbalance

Supply is currently lagging behind demand due to limited CCAs. Even though the CCP pool is growing and many RPs are entering the industry, there is still room for more because so many organizations want to do business in the DIB.

This results in opportunities at all levels in the CMMC space, from entry to managerial and oversight.

Geographic considerations

When looking for CMMC-related jobs, you’ll want to focus on areas that are hubs for the defense industry. At the same time, there may be remote work opportunities as well, depending on the positions available.

If you go the consultant route, there may be some travel requirements you’ll need to take into consideration, as well.

Your pay may vary depending on the region you choose to work in. For instance, in areas where the cost of living is significantly less, salaries may be lower, as well.

Salary comparisons

Salary can vary quite a bit depending on different factors. Treat the figures below as market estimates only.

Certification level:

• RP: $50k–$90K
• CCP: $70K–$150K
• CCA: $100K–$200K

Role

As an assessor, you can expect a relatively steady, consistent income. As a consultant or independent freelancer, however, your pay may fluctuate according to what clients can afford and what you choose to charge.

The size of the organization may be another factor because larger companies may be able to pay you more than smaller or startup companies.

Industry

C3PAOs may offer strong compensation for qualified assessors, while defense and the government may pay a little less. Your pay while working for a consulting firm can vary. For entry-level and support positions, you may not make a lot, at least not at first. But as you move up the ranks, for example by becoming a senior consultant with a CCA cert, you may earn even more than you would with a typical C3PAO.

Making your decision

Here are some questions you can ask as you decide which CMMC route to take:

• What’s your current experience? You may be able to qualify for your CCP right now.
• What’s your timeline? As discussed above, getting your CCP or CCA may take longer.
• What’s your budget? The expense tends to go up with the certification level, with CCA costing the most.
• What role appeals to you? Roles that involve actively assessing organizations require a CCP or CCA cert, for instance.
• Are you in IT long-term? If IT is something you want to do for years to come, the CMMC path can be a rewarding option.

Next steps

If you’re ready to start your CMMC journey, you should:

• Review detailed guides about what’s required for each type of certification.
• Assess your qualifications to see where you currently stand and the certifications you may qualify for.
• Consider your career goals and pinpoint which cert best supports them.
• Choose your path by mapping out which certification you’ll get first, second, etc.
• Begin training so you’ll be ready to pass whichever exam you need to take.

FAQs

Which CMMC certification should I get?

You should get your RP designation if you’re brand new, your CCP if you already have qualifying cybersecurity, IT, assessment or technical education experience, and your CCA if you already hold CCP and meet ISACA’s CCA requirements.

Can I skip RP and go straight to CCP?

Yes, if you meet CCP eligibility requirements.

Do I need all three certifications?

No, you can earn one or more. As a CCA, you need to have already earned your CCP, however.

Which certification pays the most?

The CCA tends to pay the most among the three credentials compared here, though salaries vary by role, employer, location and additional qualifications.

Can I work independently?

Yes, for consulting or advisory work if you follow conflict-of-interest rules. Official CMMC assessment work must be performed within the authorized C3PAO assessment ecosystem.

Which is hardest to obtain?

The CCA is the hardest to get because it requires experience, an exam, active CCP status, Tier 3 determination and the applicable DoD 8140.3 pathway requirement.

Can I change paths later?

Yes, you can change paths whenever you want, but to earn your CCA, you need your CCP first.