September 1, 2020

Last Updated on January 12, 2024

After a soft launch in June, the CMMC-AB—the independent accreditation body that is managing the CMMC roll-out on behalf of the US Department of Defense (DoD)—has now formally announced the requirements and opened up applications for five certifications: Certified Third-Party Assessor Organizations (C3PAOs), Certified Professionals (CPs), Certified Assessors (CAs), Registered Provider Organizations (RPOs), Registered Practitioners (RPs) and Licensed Partner Publishers (LPPs).

It’s important for both DoD suppliers and the organizations serving them to understand these newly defined roles, because suppliers will be hiring some of them and service providers may opt to perform one or more.

This post focuses on the Registered Provider Organization (RPO) role.
Unlike C3PAOs, which will be authorized to both conduct CMMC assessments and provide CMMC advice and consulting (just not to firms they’re assessing) RPOs will not be authorized to conduct assessments. The role of RPOs is exclusively to provide CMMC consulting and support to Organizations Seeking Certification (OSC) in the Defense Industrial Base (DIB).
The RPO designation is aimed at companies that want to advise DoD suppliers on how to prepare for a successful CMMC assessment. The CMMC-AB’s goal in creating the RPO certification is to give OSCs confidence that the consultants they hire will get the job done.
Many less-than-ethical entities are already falsely claiming that they can “CMMC certify” your organization —before the final guidelines are even available. One need only do a quick online search to find a number of them.

According to Jeff Dalton, chair of the CMMC-AB’s credentialing committee, “The RPOs and the registered practitioners are an opportunity for those who want to be consultants or coaches in the field to not only get training and get some qualifications in CMMC, but also be associated with the CMMC ecosystem, through a listing in our marketplace and our logo. It also gives the AB an opportunity to understand who’s doing what out in the field. You obviously don’t have to have that designation to do work in this space, but we’re trying to build an ecosystem of people that all work together.”

When you hire an RPO, you know they’ve at least gone through “basic training” to understand what it means to be CMMC compliant and how to help companies get there. The requirements to become an RPO are as follows:

  • Only entities owned by “US Persons” need apply
  • Registration with the CMMC-AB in order to receive authorization and use the CMMC-AB logo
  • Signing the RPO agreement, which includes a commitment to comply with the CMMC-AB Code of Professional Conduct
  • Passing an organizational background check
  • At least one Registered Practitioner (RP)—someone trained and authorized by the CMMC-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard”—must be “associated” (as an employee or contractor) with the RPO at all times
  • Ponying up the $5,000 annual fee

In short, with a few good people and some table stakes, a business can be listed as an RPO on the CMMC-AB Marketplace and quickly start operating in the rapidly expanding CMMC ecosystem, while potentially working towards becoming a C3PAO at the same time.
Similarly, DoD suppliers will very soon be able to engage these vetted consultants to help them chart a course toward CMMC certification, which for many will likely include firming up their NIST 800-171 compliance as a preliminary step.
Are you and OSC that is concerned about CMMC compliance? Looking to get a head start on identifying where you stand today and how to prioritize next steps? Pivot Point Security offers a full range of CMMC compliance services today and plans to be among the first RPOs. Contact us today to find out how we can help.