What Does a CMMC RPO Do?

CMMC stands for Cybersecurity Maturity Model Certification. Version 1.0 was released at the start of 2020 after much anticipation. For those who are unfamiliar with it, CMMC is a unified standard for implementing cybersecurity across the DIB, the Defense Industrial Base. The standard is expected to affect more than 300,000 companies within the DoD supply chain.

Big changes caused by the introduction of CMMC

The introduction of CMMC has had a significant impact on the DIB, as contractors and suppliers have been working quickly to comply with the new standard, which consolidates a number of existing cybersecurity requirements into a single framework. Defense and aerospace businesses of all sizes have drawn on both internal and external resources to improve their cybersecurity posture in preparation for CMMC compliance.

Nevertheless, not all advisors or third-party consultancies are equal. To help DoD contractors find qualified assistance, the CMMC Accreditation Body (CMMC-AB) opened applications for five different advisory and assessment roles. One of these is the RPO, or Registered Provider Organization.

What does an RPO do?

A CMMC RPO supplies pre-assessment consulting services to government contractors and any other organizations seeking CMMC certification. The RPO role differs from that of a C3PAO, which stands for Certified Third-Party Assessor Organization. Unlike C3PAOs, RPOs are not authorized to carry out certification assessments.

Instead, the RPO role exists for the sole purpose of providing CMMC support and guidance to organizations in the DIB that are working toward certification. A C3PAO cannot provide these advisory services unless it is also registered as an RPO; where an organization operates as both a CMMC RPO and a C3PAO, the CMMC-AB's guidelines require that it not advise and assess the same client, so that every assessment remains impartial.

Steps to take for your business to become an RPO

Should you wish to become an RPO, there are a number of steps you will need to follow. First, your company must be an entity owned by a U.S. person. You will also need to register with the CMMC-AB to receive authorization, and you must use the official RPO logo that the CMMC-AB distributes.

You will also need to sign the RPO agreement and pass an organizational background check. In addition, you must employ or contract at least one Registered Practitioner (RP). Finally, there is an annual registration fee that must be paid.

With this information, you should have a basic understanding of CMMC certification and the responsibilities of a CMMC RPO. For more information, consult the CMMC-AB's resources on RPOs.