The Defense Compliance Report: CMMC 2.0 & the Defense Industrial Base

The CMMC Provider Directory: How to Verify and Choose the Right C3PAO, RPO, or MSP (2026)

By The Defense Compliance Report Editorial Team

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance.


Educational only; not legal, contractual, or compliance advice. The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, the Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC), NIST, or any U.S. government agency. Do not submit Controlled Unclassified Information (CUI), export-controlled data, drawings, contract numbers, system diagrams, vulnerabilities, or sensitive security information through any form on this site.

The official CMMC provider directory is the Cyber AB Marketplace at cyberab.org/Catalog. That is where you verify whether any Certified Third-Party Assessment Organization (C3PAO — the organization that conducts CMMC Level 2 certification assessments and issues Certificates of CMMC Status), Registered Practitioner Organization (RPO — a CMMC readiness consulting firm), or credentialed individual (RP, RPA, CCP, CCA, Lead CCA) actually holds the role they claim. Treat any third-party "CMMC provider list" — including this one — as a derived view. Re-verify in the live marketplace before you sign.

Bottom line up front: most defense contractors at Level 2 (C3PAO Assessment) need two providers, not one — a readiness firm (often an RPO or Managed Security Service Provider) and a separate authorized or accredited C3PAO for the actual assessment. Under 32 CFR Part 170, a CMMC Ecosystem member who served as a consultant preparing your organization for any CMMC assessment within the prior three years cannot also participate in your Level 2 certification assessment. Level 1 doesn't need a C3PAO at all. Level 3 is assessed by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by a C3PAO.

What this page solves that the marketplace doesn't: it maps your situation to the right provider category, walks you through verifying any listing in about 60 seconds, and surfaces the cost and conflict traps that quietly burn six figures. (Quick disambiguation for anyone who landed here from a healthcare search: “CMMC” on this page means the U.S. Department of Defense's Cybersecurity Maturity Model Certification program, not Central Maine Medical Center.)

Start here: which CMMC provider do you actually need?

Your provider mix is set by three things: your CMMC Level (1, 2, or 3, set by the contract clause), your assessment type (self-assessed, C3PAO-assessed, or DIBCAC-assessed), and your environment (Microsoft 365 GCC High, AWS GovCloud, on-prem, or hybrid). The table below maps the situations we see most often to the right first call, the wrong first call, and what to verify before signing.

| Your current situation | First provider category to call | Don't start with | What to verify and request before signing | Why |
|---|---|---|---|---|
| You handle only Federal Contract Information (FCI), and your contract calls for CMMC Level 1 (Self-Assessment) | Internal owner or basic IT help | C3PAO | Confirm Level 1 path with the contracting officer; annual self-assessment and senior-official affirmation workflow in SPRS | Level 1 maps to the 15 basic safeguards in FAR 52.204-21 and is satisfied by annual self-assessment. No C3PAO is required. |
| You handle CUI and the clause specifies Level 2 (Self-Assessment) | RPO or readiness consultant (and an MSP/MSSP if operations are weak) | C3PAO as the first spend | NIST SP 800-171 Rev. 2 scoping; System Security Plan (SSP); DoD Assessment Methodology score; SPRS posting; annual affirmation cadence | Level 2 (Self-Assessment) uses the same 110 NIST SP 800-171 Rev. 2 requirements as Level 2 (C3PAO Assessment), but is self-scored into SPRS with an annual senior-official affirmation. No C3PAO is involved. |
| Your contract requires Level 2 (C3PAO Assessment) and you are not assessment-ready | RPO first, then a separate authorized or accredited C3PAO when evidence is ready | C3PAO before scope and evidence exist | Cyber AB Marketplace RPO status; written readiness deliverables; written conflict analysis confirming the readiness firm won't also assess you | A C3PAO can't assess an organization it or its team prepared within the three-year prior-consultant window under 32 CFR Part 170. Sequencing matters. |
| Your contract requires Level 2 (C3PAO Assessment) and you are assessment-ready | An authorized or accredited C3PAO from cyberab.org/Catalog | The same firm or team that prepared you | Authorized or Accredited C3PAO status in the marketplace; named CCA / Lead CCA on the assessment team; written conflict analysis | Only an authorized or accredited C3PAO can conduct the Level 2 certification assessment under the Cyber AB CMMC Assessment Process (CAP) v2.0. |
| CUI touches email, endpoints, logs, file shares, or security operations | MSP/MSSP that understands External Service Provider (ESP) scope, plus an RPO | Pure policy consultant alone | ESP service description; Customer Responsibility Matrix (CRM); SSP reference for the ESP relationship; CUI/Security Protection Data handling boundary | An ESP that processes, stores, or transmits CUI or Security Protection Data on your behalf becomes part of your CMMC assessment scope under 32 CFR Part 170. |
| You want to reduce scope with a controlled environment | CUI enclave / secure cloud (Microsoft 365 GCC High, AWS GovCloud, or a FedRAMP Moderate or DoD-recognized Equivalent CSP offering) plus an RPO for scoping | Full-company migration before the boundary is scoped | FedRAMP Moderate authorization (or DoD-recognized FedRAMP Moderate Equivalent) for any Cloud Service Provider handling CUI; CRM; boundary diagram | 32 CFR Part 170 requires CSPs that process, store, or transmit CUI on a Level 2 contractor's behalf to be FedRAMP Moderate (or DoD-recognized equivalent). |
| Your contract signals Level 3 | A readiness firm with Level 3 experience; the assessor of record is DCMA DIBCAC, not a C3PAO | A generic Level 2-only provider treated as a Level 3 plan | Final Level 2 (C3PAO) status as a prerequisite; SSP coverage for the selected NIST SP 800-172 (Feb 2021) enhanced requirements | Level 3 layers the defined subset of NIST SP 800-172 (Feb 2021) enhanced requirements on top of Final Level 2 (C3PAO) status, and is assessed by DCMA DIBCAC. |
| A prime just flowed down CMMC language and you don't know what applies | Clause review and data-scope triage before vendor shopping | Any platform purchase before you know the clause and the data | DFARS 252.204-7021 flow-down language; CUI category; required CMMC Level and assessment type; CMMC Unique Identifier (UID) status in SPRS | The CMMC clause sets your obligations. Read the clause first; the requiring activity, not your headcount, sets the Level and assessment type. |

Decision Resolution Point #1

If your row in the table resolved which category to call first, the next step is verifying the actual firms. The Cyber AB Marketplace is the only source of truth for credentialed status, and it changes monthly.

Check current Cyber AB Marketplace status (external — the official directory)

Get matched with providers in the right category (free, no obligation, non-sensitive scope answers only)

The Defense Compliance Report may receive referral or lead-routing compensation when readers request matched introductions. Provider status must still be verified in the Cyber AB Marketplace. See our Editorial & Advertising Policy.

What is the official CMMC provider directory, and what is it not?

The official CMMC provider directory is the Cyber AB Marketplace at cyberab.org/Catalog. It is the only authoritative status lookup for CMMC ecosystem organizations — C3PAOs, RPOs, Authorized Training Providers (ATPs), Licensed Publishing Partners (LPPs) — and the listed individual credential holders (RP, RPA, CCP, CCA, Lead CCA). A marketplace listing verifies that a firm or individual holds a Cyber AB-recognized role; it is not a recommendation, ranking, fit decision, or quality endorsement.

The Cyber AB is the CMMC Accreditation Body. Under 32 CFR Part 170, the CMMC Program Management Office (PMO) inside the Department of Defense monitors the Accreditation Body and retains oversight prerogatives. The Cyber AB was previously known as the CMMC Accreditation Body (CMMC-AB) and rebranded in 2022. It is a private non-profit, not a U.S. government agency.

The marketplace runs at cyberab.org/Catalog and lists every individual and organization that currently holds a credentialed ecosystem role. As of the March 2026 Cyber AB Town Hall recap, it contained roughly 5,732 active entries representing about 3,607 unique entities. That sounds like a lot until you remember the Defense Industrial Base (DIB) contains 80,000+ organizations expected to need CMMC Level 2 eventually.

The Cyber AB has also been restructuring its certification arm. As of April 2026, ISACA operates the CMMC Assessor and Instructor Certification Organization (CAICO) and administers individual credentials — CCP (Certified CMMC Professional), CCA (Certified CMMC Assessor), Lead CCA, and CCI (Certified CMMC Instructor) — under the Cyber AB ecosystem (ISACA CMMC). The Cyber AB remains the accreditation body for organizations (C3PAOs, RPOs, ATPs); ISACA handles the individual credential lifecycle.

What the marketplace does well:

What the marketplace doesn't do — and where this directory steps in:

That gap is the reason this page exists. Treat the marketplace as a credential lookup, not a hiring engine.

C3PAO vs. RPO vs. MSP/MSSP vs. GRC platform vs. CUI enclave: what each actually does

Five operational provider categories serve the CMMC ecosystem, plus one federal assessor for Level 3. C3PAOs conduct Level 2 certification assessments and issue Certificates of CMMC Status. RPOs (and their Registered Practitioners) provide non-certified readiness consulting. MSPs/MSSPs operate IT and security tooling and may be in your assessment scope as an External Service Provider. GRC platforms track controls and evidence. CUI enclaves and secure clouds isolate CUI to reduce scope. Level 3 is assessed by DCMA DIBCAC, not by any C3PAO.

Most of the confusion in the CMMC market collapses once you internalize that these categories solve different problems, can't substitute for each other, and have very different verification paths.

C3PAO — Certified Third-Party Assessment Organization

The organization responsible for conducting CMMC Level 2 certification assessments and issuing a Certificate of CMMC Status based on the assessment results. C3PAOs employ or contract Certified CMMC Assessors (CCAs) and Lead CCAs, who run the assessment under the Cyber AB's CMMC Assessment Process (CAP) v2.0. Under 32 CFR Part 170, C3PAOs must themselves undergo a Level 2 certification assessment conducted by DCMA DIBCAC as part of authorization or accreditation.

What they cannot do for your engagement: provide readiness consulting and then assess you (or your affiliate) for the same engagement within the three-year prior-consultant window.

Verify at: cyberab.org/Catalog, filtered to Assessor type. Look for Authorized or Accredited status.

RPO — Registered Practitioner Organization (and individual RPs / RPAs)

A consulting firm authorized by the Cyber AB to deliver non-certified advisory services through Registered Practitioners (RPs) and Registered Practitioner Advanced (RPAs). RPOs help with scoping, SSP development, gap assessments, Plan of Action and Milestones (POA&M) planning, evidence preparation, and pre-assessment readiness reviews. RPOs operate under the Cyber AB Code of Professional Conduct.

What they cannot do: conduct a Certified CMMC Assessment or issue a Certificate of CMMC Status. RPOs are not assessors. They are also bound by the three-year prior-consultant rule — if they consulted you, they and their team generally cannot also participate in your Level 2 certification assessment.

Verify at: cyberab.org/Catalog, filtered to Consulting and Implementation → RPO. Individual RP and RPA status is also searchable.

MSP / MSSP / ESP — Managed Service Provider, Managed Security Service Provider, External Service Provider

The operational layer. MSPs and MSSPs run the day-to-day security tooling — identity, endpoint detection and response, multi-factor authentication, centralized logging, vulnerability management, security operations center coverage, backup, and incident response. Many DIB companies cannot pass a Level 2 assessment without one.

Here is the part most contractors miss: under 32 CFR Part 170, any External Service Provider (ESP) that processes, stores, or transmits CUI or Security Protection Data on the contractor's behalf is in the CMMC assessment scope. That means your MSP isn't just a vendor; it's an assessable relationship whose service description, Customer Responsibility Matrix (CRM), and SSP reference become evidence your C3PAO will examine. “Our MSP is CMMC-aware” is not a defense if the documentation doesn't exist.

Cyber AB credential to look for: many MSP/MSSPs are also RPOs (verifiable in the marketplace); some have themselves achieved CMMC Level 2 certification. The MSP Collective ESP Directory tracks self-attested CMMC Level 2 outcomes separately. Useful as a sourcing aid; not a substitute for direct verification.

GRC platform

The system of record for control implementation status, evidence, policies, SSPs, POA&Ms, risk registers, and audit workflows. The leading platforms cover NIST SP 800-171 Rev. 2 control mapping and SPRS scoring support. A GRC platform is software, not a Cyber AB-credentialed entity — you will not find GRC platforms in cyberab.org/Catalog, and that's the way it should be.

What it cannot do: make you compliant. The most common GRC platform mistake we see is purchasing the tool before the boundary, scope, and evidence model are designed. You end up with an empty database and an annual subscription.

CUI enclave / secure cloud / FedRAMP-authorized CSP

A scope-reduction strategy. Instead of placing your entire enterprise inside the CMMC boundary, you isolate CUI workflows in a controlled environment — Microsoft 365 GCC High, AWS GovCloud, a dedicated enclave product, or another FedRAMP Moderate (or DoD-recognized FedRAMP Moderate Equivalent) CSP offering. Done right, this can collapse the assessable surface and the implementation cost.

Done wrong, it produces a multi-year migration that didn't reduce anything because CUI is still leaking into commercial email, personal endpoints, or unmanaged cloud apps. Under 32 CFR Part 170, any CSP that processes, stores, or transmits CUI on a Level 2 contractor's behalf must be FedRAMP Moderate authorized or DoD-recognized FedRAMP Moderate Equivalent. See our GCC High for CMMC guide and managed enclave overview.

DCMA DIBCAC — Defense Industrial Base Cybersecurity Assessment Center

The federal assessor for CMMC Level 3 and the assessor of record for C3PAOs themselves during authorization/accreditation. DIBCAC sits inside the Defense Contract Management Agency (DCMA) and is staffed by DoD personnel. You don't hire DIBCAC; you receive a DIBCAC assessment when your contract or your C3PAO authorization requires one.

Decision Resolution Point #2

If you can now tell a C3PAO from an RPO from an MSP, the next step is checking the actual marketplace status of the firm in front of you. Don't take a sales rep's word for it — credentials get suspended and revoked, and the marketplace is the only authoritative timestamp.

Verify a specific firm on the Cyber AB Marketplace (external — the official directory)

Compare provider categories side-by-side (our category breakdown — what each can and cannot do)

When do you actually need a C3PAO?

You need a C3PAO when your contract or solicitation requires CMMC Level 2 (C3PAO Assessment) status. You do not need a C3PAO for Level 1 (annual self-assessment under FAR 52.204-21) or for Level 2 (Self-Assessment), which is triennially self-scored into the DoD's Supplier Performance Risk System (SPRS). Level 3 is assessed by DCMA DIBCAC, not by a C3PAO. The requiring activity selects the applicable CMMC Status for the solicitation or contract — read the clause; don't infer it.

The CMMC Program Rule, 32 CFR Part 170, defines three Levels and an assessment regime that depends on the information your contract involves and how the requiring activity classifies the sensitivity.

Level 1 — Foundational. Applies to contractors handling FCI but no CUI. Requires implementation of the 15 basic safeguards from FAR 52.204-21, an annual self-assessment, and a senior-official affirmation posted in SPRS. No C3PAO assessment. POA&Ms are not permitted at Level 1.

Level 2 (Self-Assessment) — Advanced, self-scored. Applies when the contract clause specifies self-assessment. Same 110 security requirements as Level 2 (C3PAO Assessment) — the 14 control families of NIST Special Publication 800-171 Revision 2 — but the contractor performs the assessment, computes a score using the DoD Assessment Methodology, posts the score to SPRS, and provides annual affirmation. Reassessment is triennial.

Level 2 (C3PAO Assessment) — Advanced, third-party assessed. Same control set, same 110 requirements, but conducted by an authorized or accredited C3PAO under the Cyber AB CAP. Results flow into CMMC eMASS. Reassessment is triennial; annual affirmation is required between assessments. This is the path contractors need when the solicitation or contract requires Level 2 (C3PAO Assessment).

Level 3 — Expert. Applies to the most sensitive CUI handling identified by the DoD program office. Requires Final Level 2 (C3PAO Assessment) status as a prerequisite, plus the defined subset of enhanced requirements in NIST Special Publication 800-172 (the February 2021 publication) identified in 32 CFR Part 170. The assessor is DCMA DIBCAC, not a C3PAO.

A critical regulatory point we see misrepresented constantly: CMMC Level 2 currently maps to NIST SP 800-171 Revision 2, not Revision 3. NIST published SP 800-171 Rev. 3 in May 2024, and SP 800-172 Revision 3 followed in May 2026 — but 32 CFR Part 170 incorporates SP 800-171 Rev. 2 and SP 800-172 (Feb 2021) by reference. Until DoD amends the rule, the operative baselines for CMMC are Rev. 2 (for Level 2) and the Feb 2021 SP 800-172 subset (for Level 3). Any provider citing Rev. 3 as the current CMMC Level 2 control set is ahead of the rulebook, not on it.

Phase 1 timing

The DFARS final rule implementing CMMC contract requirements became effective November 10, 2025 and added the CMMC contract clause at DFARS 252.204-7021 plus related solicitation/provision mechanics (Federal Register, September 10, 2025). The DoD CIO has published a phased rollout schedule: Phase 1 runs from November 10, 2025 through November 9, 2026 and focuses primarily on Level 1 and Level 2 (Self-Assessment) requirements appearing in new DoD solicitations and contracts (DoD CIO CMMC page). Subsequent phases progressively expand the proportion of contracts requiring Level 2 (C3PAO Assessment) and Level 3.

DFARS 252.204-7025 is the solicitation provision that notifies offerors of the required CMMC level/status, requires current CMMC status and affirmation in SPRS before award, addresses Conditional POA&M closeout, and requires CMMC UIDs in the proposal (DFARS 252.204-7025 at Acquisition.gov). It works in concert with the long-standing safeguarding and assessment clauses: DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021. For a full phase-by-phase breakdown, see our CMMC Implementation Phases guide.

How to actually use the Cyber AB Marketplace (a 60-second decoder)

The Cyber AB Marketplace at cyberab.org/Catalog is JavaScript-rendered and contains thousands of entries across multiple ecosystem roles. To use it effectively: filter by ecosystem role for the category you need, check the status field on every listing, record the listing URL and the date you verified, and re-verify immediately before signing any contract because status can be suspended or revoked between your search and your engagement.

We use the marketplace daily. Here is the workflow that takes about a minute per provider.

Step 1. Go to cyberab.org/Catalog. Wait for the JavaScript catalog to render — the page is not server-rendered, so on slower networks it will appear blank for a moment.

Step 2. Filter by the ecosystem role you need:

Step 3. Open the firm's listing and read the status field. For a C3PAO conducting Level 2 certification assessments, look for Authorized or Accredited status per 32 CFR Part 170. For RPOs and credentialed individuals, record the exact status label shown in the marketplace on the date you verify it — labels can change as the Cyber AB updates its taxonomy.

Step 4. Record five fields before you contact the firm:

  1. Organization name (exact spelling as shown in the marketplace).
  2. The listing URL.
  3. The role(s) the firm holds (e.g., “Authorized C3PAO” and “RPO”).
  4. The status field value and the date you verified.
  5. A conflict-of-interest note: if you've already discussed readiness work with this firm or any of its named personnel, flag it — they generally cannot also assess you for the same engagement within the three-year window.

Step 5. Re-verify within 30 days of contract signature. Credentials can be suspended for ethics violations, organizational restructuring, or failure to maintain the underlying DCMA DIBCAC assessment that supports authorization. Don't rely on a screenshot from last quarter.

What the marketplace doesn't include

MSPs and MSSPs that aren't also RPOs will not appear in cyberab.org/Catalog. GRC platforms won't appear. CUI enclave products won't appear. That's not a defect of the marketplace — those vendor categories exist outside the Cyber AB credential taxonomy. The MSP Collective ESP Directory is a third-party directory of MSP/MSSPs that have publicly attested to CMMC Level 2 outcomes; treat it as a sourcing aid, not an official directory. Verify any claimed CMMC Status, assessment scope, CRM, and evidence package directly before relying on it.

The state of the CMMC provider ecosystem (March 2026 snapshot)

As of the March 2026 Cyber AB Town Hall recap, the ecosystem contains approximately 103 authorized C3PAOs, ~759 Certified CMMC Assessors (CCAs), ~425 Lead CCAs, and ~1,459 Certified CMMC Professionals (CCPs). Roughly 1,000 organizations have achieved CMMC Level 2 certification to date, with approximately 178 new Level 2 certificates issued in March 2026 alone. The DIB universe expected to need Level 2 is 80,000+ organizations.

These counts come from the Cyber AB's monthly Town Hall recaps published on cyberab.org/News-Events/Town-Hall. The total marketplace entry count (~5,732 active across ~3,607 unique entities) is from a third-party March 2026 marketplace export, not from Cyber AB primary data — we label it as such. We re-verify quarterly.

| Ecosystem element | Approximate count | Source | As of |
|---|---|---|---|
| Authorized C3PAOs | ~103 | Cyber AB Town Hall recap | March 2026 |
| Certified CMMC Assessors (CCAs) | ~759 | Cyber AB Town Hall recap | March 2026 |
| Lead CCAs | ~425 | Cyber AB Town Hall recap | January 2026 |
| Certified CMMC Professionals (CCPs) | ~1,459 | Cyber AB Town Hall recap | January 2026 |
| Total marketplace entries (all roles) | ~5,732 active | Third-party marketplace export | March 2026 |
| Unique entities in the marketplace | ~3,607 | Third-party marketplace export | March 2026 |
| Organizations with CMMC Level 2 certification | ~1,000 | Cyber AB Town Hall recap | March 2026 |
| New Level 2 certificates issued in March 2026 | ~178 | Cyber AB Town Hall recap | March 2026 |
| Expected DIB organizations needing Level 2 | 80,000+ | DoD program signals | Ongoing |

What the ratio tells you

Practical read from the snapshot above: with ~1,000 organizations Level-2 certified against a DIB population of 80,000+ that will eventually need it, the binding constraint right now isn't assessor supply. It's contractor readiness — scoping, SSPs, ESP documentation, evidence. About 1% of the DIB has crossed the line so far.

That has a strategic implication for any contractor planning around Phase 2. The value of starting now is not avoiding the assessor queue. It is avoiding the rushed-remediation tax that small DIB contractors pay when a Phase 2 solicitation lands and they have 90 days to get ready. Once Phase 2 broadens, lead times at the most in-demand firms will tighten — but the binding work happens on your side of the fence.

The three-year independence rule (or: why hiring one firm to “do everything” can void your certification)

Under 32 CFR Part 170, a CMMC Ecosystem member is prohibited from participating in a Level 2 certification assessment of an organization if that member served as a consultant to prepare that organization for any CMMC assessment within the prior three years. The rule is engagement-specific and time-bound. A firm holding both RPO and C3PAO roles can serve different clients in different capacities — but for any given organization it must clear that three-year prior-consultant prohibition and any other unmitigated conflicts before participating in the Level 2 certification assessment.

This is the most expensive rule in the CMMC ecosystem, and the one we see misunderstood most often. A few weeks ago we read a sales proposal from a firm offering an “end-to-end CMMC engagement: we'll prepare you and assess you.” Under 32 CFR Part 170, that is structurally incompatible with the three-year prior-consultant prohibition for the same organization. It is also, in practice, how a contractor can spend $200,000 on a readiness program and then discover the firm that prepared them cannot legally return to certify them.

The rule has four operational layers that matter to you:

Layer 1 — Engagement-level, not firm-level. Many of the best CMMC providers in the market hold both RPO and C3PAO credentials. They simply route engagements so each client gets one role from one firm. The prohibition runs against the specific organization being assessed, looking back three years to see who prepared it.

Layer 2 — Personnel matter. The Cyber AB CAP requires the assessment team to disclose prior involvement with the client. If the lead assessor previously worked on your readiness — at the same firm, at an affiliated entity, or in a prior role — that conflict has to be identified.

Layer 3 — Related entities and personnel. Require a written conflict analysis covering the firm, the proposed assessment team, affiliated or related entities, and any personnel involved in your readiness, consulting, implementation, or product/service sales. Don't accept verbal assurances on this. Get it in writing.

Layer 4 — Time window. The three-year prior-consultant prohibition is the operative regulatory standard under 32 CFR Part 170. Confirm the specifics in writing with the C3PAO before signing and require a conflict analysis on the assessment team.

The two-provider model (this is the safe sequence)

| Stage | Provider category | Independence note |
|---|---|---|
| 1. Scope and readiness | RPO (and/or MSP) | Good fit for prep; document deliverables in writing |
| 2. Technical operation | MSP / MSSP / ESP | Document under SSP with CRM |
| 3. Evidence management | GRC platform | Tool only — no credential conflict |
| 4. Formal Level 2 assessment | Separate authorized or accredited C3PAO | Must clear the three-year prior-consultant prohibition; conflict analysis in writing |

Decision Resolution Point #3

If the independence rule just rearranged how you were planning to engage providers, this is the natural moment to route the inquiry into our matching form. We segment by role first — readiness, operations, enclave/cloud, GRC, or assessment — so you don't accidentally contact the wrong category in the wrong order.

Get matched with conflict-aware CMMC provider categories (short routing form, free, no CUI required)

Read our methodology and editorial standards (how we segment and verify before recommending any category)

ESPs, MSPs, and the CUI scope trap most contractors miss

An External Service Provider (ESP) under 32 CFR Part 170 is any external person, organization, technology, or facility used to provide IT or cybersecurity services where the contractor's CUI or Security Protection Data is processed, stored, or transmitted on the ESP's assets. ESP relationships must be documented in your SSP with an ESP service description and a Customer Responsibility Matrix (CRM). “Our MSP handles all that” is not a defense — your contractor obligations don't transfer.

This is the one our editorial team has seen blow up the most assessments. A contractor signs with a competent MSP, assumes the MSP's tooling covers them, and walks into an assessment with no service description, no CRM, no documented allocation of which control implementations are the MSP's responsibility versus the contractor's. The C3PAO writes findings on most of the affected controls because the evidence of implementation lives somewhere unnameable.

The fix is unglamorous and free:

  1. List every ESP in your environment. Email, identity, endpoint, logging, backup, DNS, web filtering, vulnerability management — anything that touches CUI or Security Protection Data.
  2. For each ESP, get a written service description. What the service does, what data flows through it, where the data lives, which controls it implements.
  3. Get a Customer Responsibility Matrix (CRM) from each ESP. For every applicable NIST SP 800-171 Rev. 2 requirement, the CRM should state: this control is implemented by the ESP, by the customer, or shared (and how).
  4. Document the relationship in your SSP. Not as a one-liner — as an actual ESP service description with the CRM referenced.
  5. For Cloud Service Providers (CSPs) handling CUI: verify the CSP is FedRAMP Moderate authorized or DoD-recognized FedRAMP Moderate Equivalent. Microsoft 365 GCC High and AWS GovCloud are the two most common environments for CUI workloads.

If your current MSP cannot produce a CRM, that is not necessarily a reason to fire them — it is a reason to engage an RPO to build the documentation layer before you call any C3PAO. See our CMMC MSP guide for what to look for in an ESP-aware managed service provider.
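A practical way to audit step 3 before any C3PAO sees the package is to run each ESP's CRM against the full Rev. 2 requirement set and list what is unassigned, mis-labelled, or marked "shared" with no description of how. The script below is an added example written for this page, not code from The Defense Compliance Report or any provider; the family sizes are the NIST SP 800-171 Rev. 2 requirement counts (which sum to 110), and the CRM rows are constructed sample data, including deliberate defects, to show what the check catches.

```python
"""Coverage check for an ESP Customer Responsibility Matrix (CRM) against
NIST SP 800-171 Rev. 2. Added example; constructed sample data only."""
import csv
import io
from collections import Counter

# NIST SP 800-171 Rev. 2: requirement count per family (3.1 AC ... 3.14 SI).
# The counts below sum to 110.
FAMILY_SIZES = {
    "3.1": 22, "3.2": 3, "3.3": 9, "3.4": 9, "3.5": 11, "3.6": 3, "3.7": 6,
    "3.8": 9, "3.9": 2, "3.10": 6, "3.11": 3, "3.12": 4, "3.13": 16, "3.14": 7,
}

# The responsibility labels the page describes: implemented by the ESP,
# by the customer, or shared (in which case the "how" column must say how).
VALID_OWNERS = {"ESP", "Customer", "Shared"}

# Constructed CRM excerpt, not a real provider's matrix. It contains a
# duplicate row, a "Shared" row with no explanation, a non-standard owner
# label, and a requirement ID that does not exist in Rev. 2.
SAMPLE_CRM = """requirement,owner,how
3.1.1,ESP,Identity platform enforces authorized access to CUI systems
3.1.2,Shared,
3.3.1,ESP,Central log collection and retention
3.3.1,ESP,Duplicate row left in by the vendor
3.5.3,ESP,MFA enforced on privileged and network access
3.13.11,Contractor,Customer-managed encryption keys
3.15.1,ESP,Not a Rev. 2 requirement
"""


def all_requirements():
    """Return the 110 Rev. 2 requirement IDs in family order (3.1.1 ... 3.14.7)."""
    return [f"{fam}.{i}" for fam, n in FAMILY_SIZES.items() for i in range(1, n + 1)]


def check_crm(crm_text):
    """Parse a CSV CRM and report gaps a C3PAO would otherwise find for you.

    A requirement counts as covered only when its row names a valid owner.
    Shared rows without a "how" description are covered but flagged.
    """
    required = all_requirements()
    known = set(required)
    rows = list(csv.DictReader(io.StringIO(crm_text)))
    seen = Counter(r["requirement"].strip() for r in rows)

    report = {"unknown": [], "invalid_owner": [], "shared_without_how": []}
    covered = set()
    for r in rows:
        rid = r["requirement"].strip()
        owner = r["owner"].strip()
        how = (r.get("how") or "").strip()
        if rid not in known:
            report["unknown"].append(rid)
            continue
        if owner not in VALID_OWNERS:
            report["invalid_owner"].append((rid, owner))
            continue
        if owner == "Shared" and not how:
            report["shared_without_how"].append(rid)
        covered.add(rid)

    report["duplicates"] = sorted(rid for rid, n in seen.items() if n > 1 and rid in known)
    report["missing"] = [rid for rid in required if rid not in covered]
    # Family-level view: "3.1.5" -> "3.1", so gaps can be discussed per control family.
    report["missing_by_family"] = Counter(rid.rsplit(".", 1)[0] for rid in report["missing"])
    report["covered"] = len(covered)
    return report


if __name__ == "__main__":
    rep = check_crm(SAMPLE_CRM)
    print(f"covered {rep['covered']} of {len(all_requirements())} requirements")
    for key in ("unknown", "invalid_owner", "shared_without_how", "duplicates"):
        print(f"{key}: {rep[key]}")
    for fam, n in sorted(rep["missing_by_family"].items(), key=lambda kv: int(kv[0].split('.')[1])):
        print(f"family {fam}: {n} requirement(s) with no assigned responsibility")
```

Run it against each ESP's actual CRM export; a requirement that is "missing" in every matrix is one nobody has claimed, which is exactly the finding the page warns about.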

Cost reality: what the Federal Register actually says you should expect to spend

The DoD published cost estimates in the CMMC Final Rule (Federal Register, October 15, 2024). For a small entity, the rule estimates Level 2 (Self-Assessment) and affirmation at approximately $34,277 initially and $37,196 over three years, and Level 2 (C3PAO Assessment) certification and affirmation at approximately $101,752 initially and $104,670 over three years. These are DoD planning estimates that assume the contractor has already implemented the NIST SP 800-171 Rev. 2 requirements; they do not include the remediation, technology, or staffing costs to get there. Treat them as the floor, not the ceiling.

We read the Federal Register entry directly. The cost estimates appear in the CMMC Program Final Rule's regulatory impact analysis and small-entity analysis. They are the official baseline for what the DoD believes the assessment activity itself costs — not what the CMMC program costs.

What the DoD estimate excludes:

DCR market-cost read (editorial)

The table below is our editorial market read, not a primary-source rate card. We assembled it from publicly disclosed provider quotes, public engagement reports, and engagements our editorial team has reviewed and documented during the past 12 months. We exclude proprietary client data. Ranges are planning guidance, not guarantees. Quote ranges vary by environment, scope, geography, and Cyber AB role demand at the time of contract.

| Provider category | Typical engagement | What drives the cost |
|---|---|---|
| RPO / readiness consulting | $50K–$150K for a small DIB Level 2 program; $150K–$500K+ for mid-size DIB; multi-year for larger primes | Gap size at the start; complexity of CUI workflows; environment (on-prem is harder); evidence support depth |
| C3PAO Level 2 assessment fee | $40K–$150K+ per engagement | Number of in-scope systems, facilities, employees in scope, on-site days required, geographic complexity |
| MSP/MSSP supporting CMMC scope | Monthly retainer scaling from low five figures to mid-five figures monthly for larger environments | Users, endpoints, log volume, SOC coverage hours, evidence collection responsibilities |
| GRC platform | Annual SaaS subscription, typically tens of thousands per year for a mid-size program | Users, frameworks, evidence automation depth, integrations |
| CUI enclave / GCC High / GovCloud | Per-user monthly + setup, plus migration consulting | Number of users in scope, data volume, integration complexity, CSP licensing |

The cost truth most directories hide

The cheapest provider category is usually the wrong one, and the most expensive provider is often unnecessary if your scope is smaller than you think. A $90,000 readiness engagement that produces a clean SSP, a tight CUI boundary, and a defensible CRM is materially cheaper than a $40,000 engagement that produces a templated SSP, an over-scoped boundary, and a $200,000 assessment that gets stalled in findings.

The right sequence — scope, then readiness, then operations, then assessment — is cheaper than the cheapest quote. Get three quotes for the right category, not the cheapest quote for the wrong one.

For a deeper cost breakdown by Level and scenario, our CMMC Level 2 Cost Guide covers what drives each line item.

Decision Resolution Point #4

If you now have a realistic picture of what to expect on price, the next step is getting scoped quotes from firms in the right category. Don't ask a single provider for a quote in a category they don't actually serve — that's how you get sandbagged proposals.

Request scoped quotes from matched CMMC providers (we route to providers in the right category; no CUI in the form)

Read the CMMC Level 2 Cost Guide (deeper cost breakdown by Level and scenario)

How to verify any provider in this directory in eight steps

Verification has two layers: status verification (is the firm credentialed and currently authorized or accredited?) and fit verification (is the firm the right firm for your scope, environment, and timeline?). Status verification happens in the Cyber AB Marketplace in under a minute. Fit verification takes a structured first call and a written scope. Both are non-negotiable.

We use this framework on every named provider we evaluate. It takes about 30 minutes per firm and it has caught misrepresentations more than once.

  1. Verify current status in cyberab.org/Catalog on the day you contact the firm. Record the URL, the status field, and the date.
  2. Match the role to your need. Do not engage a C3PAO before your evidence is ready. Do not hire an RPO for ongoing security operations. Do not buy a GRC platform before your boundary is defined.
  3. Confirm independence in writing. Ask explicitly: “Have you, any related entity, or any individual on your proposed team provided CMMC consulting to our organization within the prior three years?” Require a written conflict analysis if the firm holds both RPO and C3PAO roles.
  4. Verify named individuals. Cross-check the lead assessor (for a C3PAO) or lead practitioner (for an RPO) by name against the individual-credential listings in the marketplace.
  5. Get two recent client references in your sector and call them. Specifically ask: did the firm meet timeline commitments, was scope creep handled fairly, were findings communicated clearly, and would they engage the firm again.
  6. Require a written scope. Environment (GCC High, GovCloud, on-prem, hybrid), employee count in scope, number of in-scope systems, assumed CUI volume, assumed Level and assessment type. The scope document is the basis of every dispute that follows.
  7. Get pricing in writing with the readiness and assessment fees clearly separated. Bundled “readiness plus assessment” pricing in a single engagement is an independence-rule red flag.
  8. Confirm the firm will not promise certification outcomes. The Cyber AB Code of Professional Conduct does not permit certification guarantees or assessment-related incentives.

We publish this framework as part of our CMMC Readiness Checklist package.

Red flags that should slow you down

Common red flags include: claims of guaranteed certification, the same firm offering both readiness and the C3PAO assessment for the same engagement, no current Cyber AB Marketplace listing, vague pricing with no written scope, lead assessors who cannot be matched by name in the marketplace, providers citing NIST SP 800-171 Rev. 3 as the current CMMC Level 2 baseline (it isn't, under current 32 CFR Part 170), and providers asking you to upload CUI through a generic web form.

We've seen every one of these in the market in the past six months. If any of the following appears in a sales pitch, slow down — and in most cases, walk away.

| Red flag | Why it matters | What to do |
| --- | --- | --- |
| “Guaranteed CMMC certification” | The Cyber AB Code of Professional Conduct does not permit certification guarantees. The outcome is determined by the assessment, not the seller. | Walk away or require the language stricken in writing. |
| “We'll prepare you and assess you in one engagement” | Three-year prior-consultant prohibition under 32 CFR Part 170. The same firm cannot perform readiness and conduct the certification for the same engagement. | Require a written conflict analysis. Engage two separate firms. |
| “NIST SP 800-171 Rev. 3 is the current CMMC Level 2 baseline” | False under current 32 CFR Part 170. CMMC Level 2 maps to Rev. 2 unless DoD amends the rule. | Ask how they handle the Rev. 2 → Rev. 3 transition and whether their assessment plan uses Rev. 2 or Rev. 3 today. |
| “Send us your CUI so we can quote” | A legitimate initial quote should be possible from non-sensitive scope details. | Don't upload CUI, drawings, vulnerabilities, contract numbers, system diagrams, or export-controlled information through a generic web form. |
| “Our MSP is CMMC certified, so you're covered” | Your contractor obligations don't transfer to your ESP. ESP scope must be documented in your SSP with a CRM. | Require the CRM and service description before relying on the claim. |
| “Buy this GRC platform first” | Tool-first selling is a common upsell that produces an empty system. | Scope first, evidence model second, tool last. |
| “We're getting our C3PAO authorization soon” | Status that isn't Authorized or Accredited cannot support a Level 2 certification assessment under 32 CFR Part 170. | Don't accept a Level 2 certification from a non-authorized firm. |
| No methodology, no named-qualified team evidence, no usable reference path | You can't verify who is doing the work or how they operate. | Pause until they provide a methodology document, named-qualified team evidence, or a reference substitute you can verify. |

The first-call script (use this verbatim)

A first call with a CMMC provider should not be a product demo. It should resolve: which role the provider is playing, which CMMC level the proposal assumes, what CUI boundary is assumed, whether any conflict applies, what deliverables you own, and what the quote excludes. The goal of the first call is to know whether a second call is worth scheduling.

Use these twelve questions on every CMMC provider conversation. If the firm cannot answer them, the firm is not ready to quote you.

  1. Which CMMC provider category are you acting as for this engagement — C3PAO, RPO, MSP/MSSP, GRC, CSP, or CUI enclave?
  2. Where can we verify your current Cyber AB Marketplace status?
  3. Which CMMC Level and which assessment type does your proposal assume?
  4. Are you assuming Level 2 (Self-Assessment) or Level 2 (C3PAO Assessment)?
  5. What CUI boundary are you assuming for the quote?
  6. Will any tooling or service you provide process, store, or transmit CUI or Security Protection Data?
  7. Do you provide a Customer Responsibility Matrix (CRM) or Customer Implementation Summary (CIS)?
  8. Would any part of this engagement prevent you, any related entity, or any named assessor from later serving as our C3PAO under the three-year prior-consultant rule?
  9. What deliverables do we own at the end of the engagement?
  10. What is explicitly excluded from your quote?
  11. What conditions would cause this quote to increase?
  12. What should we have in place before engaging a C3PAO?

If the answers are inconsistent across calls with different firms, the differences between those answers are your decision matrix.

How we built this directory

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not the Cyber AB, not the DoD, not a C3PAO, not an RPO, and not paid by any single named provider. This directory is category-first, not pay-to-rank.

What we actually verified

What we did not do

Editorial disclosure

The Defense Compliance Report may receive referral or lead-routing compensation when readers request introductions to matched providers through our routing form. Compensation does not make a provider official, authorized, accredited, or recommended by the Cyber AB or any U.S. government agency. Provider credentials must be verified directly through the official Cyber AB Marketplace before engagement. See our Editorial & Advertising Policy for full disclosure.

Frequently asked questions

What is the official CMMC provider directory?

The official directory is the Cyber AB Marketplace at cyberab.org/Catalog. It is the only authoritative source of currently credentialed C3PAOs, RPOs, ATPs, Licensed Publishing Partners (LPPs), and credentialed individuals (RP, RPA, CCP, CCA, Lead CCA). Third-party directories — including this one — derive from the marketplace and can go stale; verify any listing in the live marketplace before signing.

How many CMMC C3PAOs are there in 2026?

As of the March 2026 Cyber AB Town Hall recap, there were approximately 103 authorized C3PAOs. The count changes monthly; re-verify at cyberab.org/News-Events/Town-Hall for the most recent figure. The expected DIB population needing CMMC Level 2 is over 80,000 organizations. For the full C3PAO verification workflow, see our C3PAO directory and verification guide.

What is the difference between a C3PAO and an RPO?

A C3PAO (Certified Third-Party Assessment Organization) conducts the formal CMMC Level 2 certification assessment and issues the Certificate of CMMC Status based on the assessment results. An RPO (Registered Practitioner Organization) provides non-certified readiness consulting — scoping, SSP development, gap analysis, evidence preparation — through Registered Practitioners (RPs) and RPAs, and cannot issue a CMMC certification. Under 32 CFR Part 170, the same firm cannot serve as your readiness consultant and then participate in your Level 2 certification assessment within the three-year prior-consultant window. See our provider categories breakdown for a full comparison.

Can the same company do my CMMC readiness and my CMMC assessment?

Not for the same engagement within the prior-consultant window. Under 32 CFR Part 170, CMMC Ecosystem members are prohibited from participating in a Level 2 certification assessment if they served as a consultant to prepare that organization for any CMMC assessment within the prior three years. A firm that holds both RPO and C3PAO roles can serve different clients in different capacities — but never both roles for the same organization within that window.

Do I need a C3PAO for CMMC Level 1?

No. Level 1 maps to the 15 basic safeguards in FAR 52.204-21 and is satisfied by an annual self-assessment and a senior-official affirmation in SPRS. See our Level 1 vs Level 2 comparison for the full difference.

Do I need a C3PAO for Level 2 (Self-Assessment)?

No. Level 2 (Self-Assessment) uses the same 110 NIST SP 800-171 Rev. 2 requirements as Level 2 (C3PAO Assessment), but the contractor performs the assessment, scores it using the DoD Assessment Methodology, and posts the score to SPRS. Annual affirmation and triennial reassessment apply. Many contractors still hire an RPO for the readiness work, but no C3PAO is involved.

When do I need a C3PAO?

When your contract or solicitation requires CMMC Level 2 (C3PAO Assessment) status. The clause that flows CMMC into individual DoD contracts is DFARS 252.204-7021, effective November 10, 2025; the companion DFARS 252.204-7025 solicitation provision notifies offerors of the required CMMC level/status.

Are MSPs in the Cyber AB Marketplace?

Most MSPs and MSSPs are not in cyberab.org/Catalog unless they also hold RPO status. The MSP Collective ESP Directory is a third-party directory that may help identify candidates that have publicly attested to CMMC Level 2 outcomes — it is not the official Cyber AB Marketplace, and you should verify any claimed CMMC Status, assessment scope, CRM, and evidence package directly.

Is NIST SP 800-171 Revision 3 the current CMMC Level 2 baseline?

No, not under current 32 CFR Part 170. CMMC Level 2 currently maps to NIST SP 800-171 Revision 2. NIST has published Rev. 3, but the CMMC rule has not been amended to incorporate it, and any provider operating against Rev. 3 today is ahead of the rule, not on it.

Is NIST SP 800-172 Revision 3 the current CMMC Level 3 baseline?

No. CMMC Level 3 uses the defined subset of NIST SP 800-172 (Feb 2021) enhanced requirements identified in 32 CFR Part 170. NIST published SP 800-172 Revision 3 in May 2026, but the CMMC rule has not been amended to adopt it.

What is an ESP, and why does my MSP suddenly count as one?

An External Service Provider (ESP) under 32 CFR Part 170 is any external person, organization, technology, or facility used to provide IT or cybersecurity services where CUI or Security Protection Data is processed, stored, or transmitted on the ESP's assets. If your MSP touches any of that, the MSP is in your CMMC scope and must be documented in your SSP with a service description and a Customer Responsibility Matrix.

Is GCC High required for CMMC?

Not universally. Microsoft 365 GCC High is one of several environments commonly used to handle CUI in the DIB; AWS GovCloud and dedicated CUI enclaves are alternatives. The requirement is that any CSP that processes, stores, or transmits CUI must be FedRAMP Moderate authorized or DoD-recognized FedRAMP Moderate Equivalent. See our GCC High for CMMC guide.

How often should I re-verify a provider's marketplace status?

Before every contract signature and again before the actual assessment date. Status can be suspended, revoked, or reclassified between your initial search and your engagement. A screenshot from last quarter is not a substitute for a live verification on the day of signing.

Can a C3PAO guarantee certification?

No. The Cyber AB Code of Professional Conduct does not permit certification guarantees or assessment-related incentives. The assessment determines whether the requirements are met. Any provider promising a certification outcome is selling something they cannot ethically deliver.

The bottom line

The CMMC provider directory is the Cyber AB Marketplace. Everything else — including this page — is a layer on top of that authoritative source that exists to help you read it well. Decide your Level and assessment type from your contract clause. Map your situation to the right provider category using the fit matrix at the top of this page. Verify the firms you shortlist in cyberab.org/Catalog and record the date. Honor the three-year prior-consultant rule. Run the eight-step verification framework and require the written scope, the conflict analysis, and the CRM before you sign.

If at any point you'd rather have us route the inquiry for you, the matching form takes about a minute and segments by role first — so you don't contact a C3PAO when you needed an RPO, or buy a GRC platform when you needed an MSP. Free, no obligation, no CUI in the form.

Need help deciding what type of CMMC provider you need?

Get matched with providers in the right category in 60 seconds. Free. No obligation. Non-sensitive scope answers only — do not submit CUI, drawings, contract numbers, vulnerabilities, system diagrams, or export-controlled information.

Find your CMMC path →

Not ready to be matched? Start with our free CMMC Readiness Checklist — 32 points mapped to the NIST SP 800-171 Revision 2 control families. No email required.

The Defense Compliance Report may receive referral or lead-routing compensation when readers request matched introductions. Compensation does not make a provider official, authorized, accredited, or recommended by the Cyber AB or any U.S. government agency. Verify provider status directly in the Cyber AB Marketplace before engagement.

Related guides