CMMC Registered Provider Organization — What is an RPO and Why You Should Care? | Pivot Point Security

Last Updated on September 1, 2020

After a soft launch in June, the CMMC-AB (the independent accreditation body that is managing the CMMC roll-out on behalf of the US Department of Defense (DoD)) has now formally announced the requirements and opened applications for six roles: Certified Third-Party Assessor Organizations (C3PAOs), Certified Professionals (CPs), Certified Assessors (CAs), Registered Provider Organizations (RPOs), Registered Practitioners (RPs) and Licensed Partner Publishers (LPPs).

This post focuses on the Registered Provider Organization (RPO) role.

Unlike C3PAOs, which will be authorized both to conduct CMMC assessments and to provide CMMC advice and consulting (just not to firms they are assessing), RPOs will not be authorized to conduct assessments. The role of an RPO is exclusively to provide CMMC consulting and support to Organizations Seeking Certification (OSCs) in the Defense Industrial Base (DIB).

The RPO designation is aimed at companies that want to advise DoD suppliers on how to prepare for a successful CMMC assessment. The CMMC-AB’s goal in creating the RPO certification is to give OSCs confidence that the consultants they hire will get the job done.

Many less-than-ethical entities are already falsely claiming that they can “CMMC certify” your organization, before the final guidelines are even available. One need only do a quick online search to find a number of them. (No consultant can certify you under CMMC; only an authorized assessor organization will be able to conduct the assessment.)

When you hire an RPO, you know they’ve at least gone through “basic training” to understand what it means to be CMMC compliant and how to help companies get there. The requirements to become an RPO are as follows:

  • Only entities owned by “US Persons” need apply
  • Registration with the CMMC-AB in order to receive authorization and use the CMMC-AB logo
  • Signing the RPO agreement, which includes a commitment to comply with the CMMC-AB Code of Professional Conduct
  • Passing an organizational background check
  • At least one Registered Practitioner (RP), someone trained and authorized by the CMMC-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard,” must be “associated” (as an employee or contractor) with the RPO at all times
  • Ponying up the $5,000 annual fee

In short, with a few good people and some table stakes, a business can be listed as an RPO on the CMMC-AB Marketplace and quickly start operating in the rapidly expanding CMMC ecosystem, while potentially working towards becoming a C3PAO at the same time.

Similarly, DoD suppliers will very soon be able to engage these vetted consultants to help them chart a course toward CMMC certification, which for many will likely include firming up their NIST SP 800-171 compliance as a preliminary step.

Are you an OSC that is concerned about CMMC compliance? Looking to get a head start on identifying where you stand today and how to prioritize next steps? Pivot Point Security offers a full range of CMMC compliance services today and plans to be among the first RPOs. Contact us today to find out how we can help.

Originally published at https://www.pivotpointsecurity.com on September 1, 2020.