CMMC RPOs, otherwise known as Cyber-AB RPOs, provide pre-assessment consulting services to government contractors and other Organizations Seeking Certification (OSC) and/or assist during assessments in the event a finding is uncovered. They differ from C3PAOs in that they are not authorized to conduct actual CMMC assessments. The RPO role exists exclusively to provide CMMC guidance and support to OSCs in the DIB. Unless they are also certified as an RPO, the C3PAO cannot offer these services and cannot extend both services (assessment and advisement) to the same company.
Since its release by the US Department of Defense (DoD) in January, the Cybersecurity Maturity Model Certification (CMMC) has had a significant impact on the defense industrial base (DIB) as suppliers and contractors moved to comply with the new standardized consolidation of several cybersecurity requirements. Many Aerospace and Defense companies of all sizes have tactically used a combination of internal and external resources to enhance their cybersecurity posture for CMMC compliance.
However, not all third-party consultancies or advisors are created equally. To help DoD contractors find the assistance they need, the CMMC Accreditation Body (Cyber-AB) opened up applications for five certifications: Certified Third-Party Assessor Organizations (C3PAOs), Cyber-AB Certified Professionals (CCPs), Cyber-AB Certified Assessors (CCAs), Registered Provider Organizations (RPOs), Registered Practitioners (RPs) and Licensed Partner Publishers (LPPs). This article will focus on the RPO certification, both what it is and how it’s attained.
How to Become an RPO
To obtain the RPO designation, a company must:
- Be an entity owned by a “US person”
- Be registered with the Cyber-AB in order to receive authorization and use the official logo distributed by the Cyber-AB.
- The company has signed the RPO agreement, which includes a commitment to comply with the Cyber-AB Code of Professional Conduct.
- Pass an organizational background check.
- Employ or contract at least one Registered Practitioner (RP). An RP is trained and authorized by the Cyber-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard” at all times.
- Pay the annual registration fee.
By imposing these requirements, the Cyber-AB ensures suppliers who contract the services of these accredited companies can be confident in their abilities and alignment with the Cyber-AB. For RPOs who gain this certification, they can quickly begin operating in the rapidly expanding CMMC ecosystem.
How to Select the Right RPO
When deciding which RPO to partner with, DoD suppliers will want to find certified RPOs who also have experience in security and maintaining compliance in highly regulated industries. While the CMMC was released in January 2020, it has been federally mandated by the most recent DFARS Interim Rule change with the addition of the new DFARS 70 series clauses: 7019, 7020, 7021. CMMC is a consolidation of various existing cybersecurity requirements and best practices. Specific practices within each of the CMMC domains align to and in some cases, expound upon existing frameworks, such as the CERT RMM v1.2, NIST SP 800-171, NIST SP 800-53, NIST SP 800-172. ISO 27002, and CIS CSC 7.1, which means RPOs with a background in cybersecurity compliance with these frameworks can bring valuable experience to a supplier’s assessment preparations. For example, CMMC Level 2 most closely aligns with NIST 800-171 and DFARS 7012 requirements, and any organization handling Controlled Unclassified Information (CUI) will have to become CMMC Level 2 compliant; this also applies to that organization's subcontractors as well. RPOs must be practicing these requirements in their own business in order to set OSCs up for successful compliance audits. The below conversation includes Regan Edens of the Cyber-AB and discusses the criteria companies should look for in an RPO, such as MSPs and MSSPs.
Note: If you are considering partnering with MSPs / MSSPs for CMMC compliance and your organization passes CUI to the MSPs / MSSP, then your RPO must become CMMC certified at the same level. The webinar below from one of the latest Cloud Security and Compliance Series (CS2) events covers this in detail.
At their core, RPOs are consultancies and many of the same principles and factors that establish industry leaders apply adequate resourcing, ability to scale up or down as necessary, and expertise in specific areas. After a self-evaluation of their needs, an OSC may find that they are particularly lacking in certain domains. Finding an RPO with a strong background in any domains or technologies where weaknesses have been identified can help shore up deficiencies. An RPO that is more a “jack of all trades” or has some proficiency in each domain and/or technology may provide some flexibility, but that flexibility hinges upon the RPO’s resource alignment and ability to scale. Also, choosing an RPO with past performance aligned to an organization's IT strategy and infrastructure can be key.
Ultimately, this new credentialing program benefits suppliers, as it allows them to begin engaging with RPOs confidently. This standardized accreditation helps to verify the RPO’s alignment to the Cyber-AB, and the annual fee ensures that the RPO has “skin in the game”. For more about the requirements and benefits of the RPO role, please visit the Cyber-AB site here.
Summit 7 Selected To Be an RPO
Summit 7 Systems was selected as a CMMC accredited Registered Provider Organization (RPO) to provide CMMC services to contractors in the Department of Defense. You can read more here.