What is a CMMC or Cyber-AB RPO?
CMMC RPOs provide consulting services to DoD contractors and Organizations Seeking Certification (OSC).
CMMC RPOs, otherwise known as Cyber-AB RPOs, are Registered Provider Organizations. The Cyber-AB authorizes RPOs like Summit 7 to provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC) and/or assist during assessments in the event a finding is uncovered.
What is the difference between a C3PAO and a CMMC RPO?
CMMC RPOs differ from C3PAOs in that they are not authorized to conduct actual CMMC assessments. The CMMC RPO role exists exclusively to provide CMMC guidance and support to OSCs in the defense industrial base (DIB). Unless they are also certified as an RPO, C3PAOs cannot offer these preparation services.
Of course, the code of professional conduct (and common sense) dictate that C3PAOs are not allowed to assess environments that they have helped construct, configure, or otherwise consult on.
However, most organizations need external help when it comes to implementing NIST SP 800-171 requirements and other assessment prep. That's where hiring an RPO before your C3PAO assessment comes in.
Why use a CMMC/Cyber-AB RPO?
Since its release, the Cybersecurity Maturity Model Certification (CMMC) has had a monumental impact on the DIB as suppliers and contractors moved to comply with the new standardized consolidation of several cybersecurity requirements. Many defense contractors of all sizes have tactically used a combination of internal and external resources to enhance their cybersecurity posture for CMMC compliance.
Unfortunately, not all third-party consultants and advisors are created equal. To help DoW contractors find the assistance they need, the CMMC Accreditation Body (Cyber-AB) opened applications for five certifications, including Certified Third-Party Assessor Organizations (C3PAOs) and Registered Provider Organizations (RPOs).
How to Select the Right CMMC/Cyber-AB RPO
Even within the realm of certified RPOs, there’s a broad difference in quality among them. While a certification is required to offer RPO services, it doesn’t guarantee a vendor is compliant or accomplished in leading clients through successful assessments.
CMMC Level 2 aligns directly with NIST 800-171 and DFARS 7012 requirements. Any organization handling Controlled Unclassified Information (CUI) will be required to achieve CMMC Level 2 compliance, and the same applies to that organization's subcontractors. RPOs must practice these requirements in their own businesses in order to set OSCs up for successful compliance audits.
The biggest, greenest flag in a potential RPO is demonstrated success with their clients in real CMMC assessments. Has the RPO achieved CMMC L2 status itself? Have their clients? That's the true measure of understanding how to implement the requirements assessed by CMMC.
Summit 7, for example, has a 100% CMMC Level 2 pass rate with 65+ certified clients. Summit 7 itself also has two CMMC Level 2 certified environments.
Summit 7 decided to join the RPO program in order to participate in the broader ecosystem of partners. Growing into this ecosystem is important as it binds us to a code of professional conduct, showing that we prioritize the standards expected within the CMMC space.
If you have known gaps going into your RPO relationship, it’s also a good idea to find an RPO with a strong background in remediating those areas of weakness. Relying on external help often takes the form of partnering with an MSP for a long period of time rather than just an RPO for a brief engagement.
Note: If you are considering partnering with MSPs/MSSPs for CMMC compliance and your organization passes CUI to the MSP/MSSP, then your RPO must become CMMC certified at the same level.
How to Become an RPO
To obtain the RPO designation, a company must:
- Be an entity owned by a “US person”
- Be registered with the Cyber-AB in order to receive authorization and use the official logo distributed by the Cyber-AB.
- Sign the RPO agreement, which includes a commitment to comply with the Cyber-AB Code of Professional Conduct.
- Pass an organizational background check.
- Employ or contract at least one Registered Practitioner (RP). An RP is trained and authorized by the Cyber-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard” at all times.
- Pay the annual registration fee.
By imposing these requirements, the Cyber-AB ensures that suppliers who contract the services of these accredited companies can be confident in their abilities and alignment with the Cyber-AB. RPOs that gain this designation can quickly begin operating in the rapidly expanding CMMC ecosystem.
So What?
At their core, RPOs are consultancies, and many of the same principles and factors that establish industry leaders apply: adequate resourcing, ability to scale up or down as necessary, and expertise in specific areas. After a self-evaluation of their needs, an OSC may find that they are particularly lacking in certain domains. Finding an RPO with a strong background in any areas or technologies where weaknesses have been identified can help shore up deficiencies. An RPO that is more a “jack of all trades” or has some proficiency in each domain and/or technology may provide some flexibility, but that flexibility hinges upon the RPO’s resource alignment and ability to scale. Choosing an RPO with past performance aligned to your organization's IT strategy and infrastructure can be key.
Ultimately, this new credentialing program benefits suppliers, as it enables them to confidently engage with RPOs. This standardized accreditation helps to verify the RPO’s alignment to the Cyber-AB, and the annual fee ensures that the RPO has “skin in the game”. For more about the requirements and benefits of the RPO role, please visit the Cyber-AB site.
Get started with your best foot forward using Summit 7 as your RPO or MSP.
Looking for your next steps to compliance? We're Here to Help