CMMC RPO Consultants: What They Do, When to Hire One, and How to Choose
CMMC RPO consultants — Registered Practitioner Organizations — are readiness advisors, not certifiers. You hire one when you need help scoping Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), building a System Security Plan (SSP), preparing NIST SP 800-171 Rev. 2 evidence, supporting a Level 1 or Level 2 self-assessment, or getting ready for a separate Level 2 assessment by a Certified Third-Party Assessment Organization (C3PAO). You do not hire an RPO expecting a CMMC certificate: the Cyber AB defines RPOs as non-certified advisory providers, and CMMC Level 2 certification assessments may only be performed by an authorized or accredited C3PAO under 32 CFR Part 170. Secureframe’s March 2026 Cyber AB Marketplace dataset reported roughly 387 RPOs, 103 C3PAOs, and 748 Certified CMMC Assessors (CCAs) — a wide bench, but Marketplace status is the floor of vetting, not the ceiling.
Three things matter before you sign anything: (1) the independence rule — under 32 CFR 170.9 and the Cyber AB Code of Professional Conduct, an ecosystem member who served as a consultant preparing your organization for a CMMC assessment cannot participate in that organization’s Level 2 certification assessment for three years; (2) deliverable specificity — a scoped statement of work that produces a usable SSP, POA&M, evidence index, and C3PAO handoff packet; and (3) conflict-aware sequencing — readiness first, assessment second, and never the same engagement team performing both.
Below is the independent framework we wish existed when we started covering this beat: what an RPO does, what it can’t do, when you actually need one, what a fair engagement looks like, the twelve things to verify before signing, and where to go next if you’re still not sure.
Important. This guide is editorial research and is not legal, contractual, or compliance advice. Do not submit Controlled Unclassified Information, drawings, export-controlled data, or sensitive contract details through any form on this site. Consult a CMMC Registered Practitioner (RP) or qualified federal-contracts counsel before making binding decisions.
Quick answer: RPO vs C3PAO vs MSP vs GRC vs CUI enclave
The fastest way to know whether an RPO is your right first hire is to see all five provider categories side by side.
| Provider type | Best for | Not for | Hire when |
|---|---|---|---|
| RPO / readiness consultant | Scoping, SSP, POA&M, evidence prep, mock-assessment readiness | The official Level 2 certification assessment | You’re not sure you’re assessment-ready |
| C3PAO | Formal Level 2 certification assessment | Implementation/remediation on the same engagement (independence) | Your scope, SSP, evidence, and control owners are stable |
| MSP / MSSP | Operating identity, endpoint, logging, vulnerability, IR controls | Compliance strategy by itself | You lack internal security operations capacity |
| GRC platform | Tracking controls, evidence, workflows, SSP/POA&M data | Fixing weak controls on its own | Evidence volume becomes hard to manage manually |
| CUI enclave / secure cloud | Reducing CUI scope by isolating workflows | Solving every compliance issue alone | A defined CUI workflow can be cleanly isolated |
Not sure which category fits your situation? Most readers we hear from already know they need help — they just don’t know whether their first call should be to an RPO, a C3PAO, an MSP, or a cloud provider. The seven-question routing form takes about two minutes and routes you to the right category by level, scope, environment, and timeline.
What a CMMC RPO consultant actually is — and what it isn’t
A CMMC RPO is a firm authorized by the Cyber AB to provide pre-assessment consulting to defense contractors — gap analysis, System Security Plan authoring, Plan of Action and Milestones (POA&M) development, control implementation guidance, evidence organization, and assessment preparation. The Cyber AB explicitly states that RPOs deliver non-certified advisory service and do not conduct Certified CMMC Assessments. That authority belongs to C3PAOs at Level 2 and to DCMA DIBCAC at Level 3.
The acronym is “RPO” — Registered Practitioner Organization in the Cyber AB’s current ecosystem-roles language. Some older Cyber AB and vendor materials use “Registered Provider Organization,” and you’ll still see both terms on firm websites today. The current Cyber AB usage is “Registered Practitioner Organization,” and that’s the term we use throughout this guide.
It is not recruitment process outsourcing. It is not recovery point objective. The entity we’re talking about is the CMMC ecosystem role.
The Cyber AB registers four kinds of credentialed entities relevant to readiness work:
- Registered Practitioner (RP) — an individual consultant with foundational CMMC training and a signed Code of Professional Conduct (CoPC).
- Registered Practitioner Advanced (RPA) — a senior individual consultant with advanced training and demonstrated experience.
- Registered Practitioner Organization (RPO) — a firm that employs at least one RP, has signed the Cyber AB RPO Agreement and CoPC, and has passed an organizational background check.
- Certified CMMC Professional / Certified CMMC Assessor (CCP / CCA) — credentials on the assessor side of the house, not the consulting side. A CCA on the staff of an RPO does not make that firm a C3PAO.
When you hire an RPO, you are hiring an organization. Inside that organization, the work is done by an individual RP or RPA. The single most useful question to ask a prospective RPO before signing is, “Which RP or RPA will be assigned to this engagement, and what is their tenure?” The Cyber AB Marketplace at cyberab.org/Catalog lets you verify each of those individuals separately.
Why “RPO” is a necessary but not sufficient signal of quality
Marketplace listing tells you: the firm signed the Cyber AB agreements, paid the program fees, passed an organizational background check, and employs at least one credentialed RP. That’s a real floor — it filters out the “we’ll get you compliant in 30 days” cold-email vendors. It does not tell you the firm has guided a contractor through a successful C3PAO-assessed Level 2 engagement, knows your environment (GCC High vs AWS GovCloud vs on-prem), or holds itself to deliverable discipline. RPO quotes can look similar on the cover page while covering very different scope, deliverables, and assessment-support assumptions — which is exactly the gap this page exists to close.
Do you actually need a CMMC RPO? A five-question diagnostic
Most contractors handling CUI under a Level 2 obligation benefit materially from an RPO; most contractors handling only FCI at Level 1 do not. The Level is set by your contract clause — typically DFARS 252.204-7021 or DFARS 252.204-7025 — not by your guess. CMMC Level 1 is a self-assessment against the fifteen safeguards already required by FAR 52.204-21; CMMC Level 2 is the 110 security requirements of NIST SP 800-171 Rev. 2, assessed either by self-assessment or by a C3PAO; CMMC Level 3 adds 24 selected requirements from NIST SP 800-172 and is assessed by DCMA DIBCAC.
We’ve reduced the decision to five questions. If you can answer them honestly, you know whether an RPO is your right first move.
Question 1 — What does your contract clause actually require?
Read the solicitation. If you see DFARS 252.204-7021 or 252.204-7025, identify the Level (1, 2 Self, 2 C3PAO, or 3) and the assessment type stated by the contracting officer. Reading “Level 2” without confirming the assessment type is the most common scoping error we see.
Question 2 — Do you handle FCI, CUI, or both?
Federal Contract Information is defined at FAR 52.204-21. If you only touch FCI, you’re almost certainly Level 1. If you process, store, or transmit CUI — including in email, file storage, ERP, CAD/CAM systems, or any subcontractor handoff — you are almost certainly Level 2.
Question 3 — Do you already have an SSP that matches your real environment?
Not a templated SSP. A real one — written to the 320 assessment objectives of NIST SP 800-171A, mapped to actual systems and owners. If yes, you may need only narrow scope-and-evidence support. If no, an RPO is the single highest-leverage hire you can make.
Question 4 — What does your environment look like?
Microsoft 365 GCC High, AWS GovCloud (US), Microsoft 365 GCC, on-premises, or a hybrid? Specialized environment experience matters more than firm size.
Question 5 — When does your assessment need to happen?
If your Phase 1 obligation triggers in the next six months and you have no SSP, you need an RPO yesterday. If your obligation is twelve to eighteen months out and you have meaningful internal capacity, you may be able to start internally and bring in an RPO mid-stream.
| Your situation | Need an RPO? | Why |
|---|---|---|
| Only handle FCI; Level 1 self-assessment; IT staff comfortable with the 15 FAR safeguards | Probably not | Level 1 maps to FAR 52.204-21 and is achievable internally for most small contractors. |
| Handle CUI; Level 2 self-assessed; no NIST 800-171 Rev. 2 experience in-house | Yes — strongly recommended | A defensible self-assessment is harder than it sounds. An RPO compresses the timeline. |
| Handle CUI; Level 2 C3PAO-assessed; score below 110, POA&Ms open, or evidence posture uncertain | Yes — strongly recommended | The C3PAO cannot consult on remediation. You need readiness work independent of the assessor. |
| Handle CUI; have a real SSP and a recent DoD Assessment Methodology score at or near 110 | Maybe — narrow scope only | An RPO is useful for assessment rehearsal and gap closure, not full remediation. |
| Level 3 candidate; high-value CUI; DIBCAC-assessed | Yes — but Level-3-experienced only | Level 3 expands the control set to 24 selected NIST SP 800-172 enhanced requirements. Not every RPO is staffed for it. |
The damaging admission (the one most RPO websites won’t make)
Not every defense contractor needs an RPO. If your business handles only FCI, if the contract clause specifies Level 1, and if you have an IT lead who can implement and document the fifteen FAR safeguards, hiring a full-scope RPO is overspend. Small FCI-only contractors are routinely oversold full Level 2 readiness packages when their contract requires only Level 1.
If that’s you, the right next step is a self-serve Level 1 checklist, not an RPO conversation. We’ll tell you that even though it costs us the routing inquiry.
The independence rule, explained in operational terms
Under 32 CFR Part 170 and the Cyber AB Code of Professional Conduct, a CMMC ecosystem member who served as a consultant to prepare your organization for a CMMC assessment cannot participate in that same organization’s Level 2 certification assessment for three years. The same firm can hold both RPO and C3PAO designations — many do — but it cannot fill both roles for the same client on the same certification path within that window. The CMMC Assessment Process v2.0 reinforces the rule on the assessment side: if a C3PAO finds an Organization Seeking Certification not prepared, the Lead CCA must inform the Affirming Official in writing, but under no circumstances may the C3PAO, the assessment team, or affiliated personnel provide remedial advice, implementation assistance, or recommendations for improving readiness.
This is the single most consequential ecosystem rule for sequencing your engagements, and it is the rule most commonly misunderstood.
The proof block
| Source | Rule |
|---|---|
| 32 CFR 170.9 + Cyber AB Code of Professional Conduct | An ecosystem member who served as a consultant preparing an OSC for any CMMC assessment cannot participate in that OSC’s Level 2 certification assessment for three years. |
| Cyber AB CMMC Assessment Process v2.0 (adverse-readiness rule) | If the Lead CCA determines the OSC is not sufficiently prepared, the C3PAO informs the OSC in writing. Neither the C3PAO nor the assessment team may provide remedial advice, implementation assistance, or recommendations for improving readiness. |
| Operational rule | Require a written conflict-of-interest determination — tied to the exact legal entity, assigned personnel, and prior consulting activity — before scheduling any C3PAO assessment. |
The Allowed / Not Allowed / Edge Case matrix
| Scenario | Allowed? | Operational note |
|---|---|---|
| Firm X holds RPO + C3PAO; consults on Engagement A; assesses Engagement B (different client, no prior consulting) | ✅ Allowed | Dual designation is permitted across separate clients and engagements. |
| Firm X holds RPO + C3PAO; consults on Engagement A; assesses Engagement A within the 3-year window | ❌ Not allowed | Three-year consultant-then-assessor prohibition applies at firm and individual level. |
| RP from Firm X is the lead consultant; same RP serves as assessor on the same engagement | ❌ Not allowed | Individual-level independence applies in addition to firm-level independence. |
| MSP Y has a parent/affiliate relationship with C3PAO Z; MSP Y operates your controls; C3PAO Z assesses you | ⚠️ Requires written COI determination | A material business or financial relationship can disqualify the C3PAO. Confirm in writing before scheduling. |
| RPO supports the OSC during the assessment (locating evidence, escorting interviews, answering scheduling questions) | ✅ Allowed only as client-side support | The RPO must not perform assessor functions, answer for control owners, alter evidence, or compromise C3PAO independence. Confirm role in writing. |
| Same firm performs a non-certification “mock assessment” and later certifies the same client | ⚠️ Edge case | The CoPC discusses non-certification assessments and conflict conditions. Do not assume blanket allowance. Confirm with the C3PAO and review their written COI screen. |
Why this rule exists, and what happens if it’s violated
It exists for the same reason every third-party audit regime separates assurance from implementation: if the firm that built your controls is the firm validating them, the validation isn’t independent. The practical consequence of a violation isn’t a slap on the wrist. It is potential assessment voidance, certification denial, and Cyber AB enforcement against the firms involved. Which is why the safest pattern, even for clients of dual-designation firms, is to plan for two separate firms — one RPO for readiness, one C3PAO for the assessment.
RPO vs C3PAO: which one do you hire first?
For the vast majority of Level 2 obligations, the correct sequence is RPO first for readiness, C3PAO second for the assessment. If your scope, SSP, evidence, control ownership, and POA&M posture are already clean, you can go directly to the C3PAO. If they are not, going to a C3PAO first costs you time, money, and the Phase 1 readiness review with no remediation help to show for it.
The clean sequence for a Level 2 C3PAO obligation
- Confirm the contract clause and assessment type. DFARS 252.204-7021 sets the Level; the contracting officer’s discretion plus the contract clause set whether it’s self-assessed or C3PAO-assessed. Read it.
- Identify your FCI/CUI flow. Map where CUI is received, where it lives, where it’s processed, and where it’s transmitted. This is the input to scope.
- Scope the CMMC Assessment Boundary. Define what is in scope and what is excluded. Scope decisions reverberate through every downstream control implementation choice.
- Build or update the SSP. To the 320-assessment-objective level of NIST SP 800-171A, not just the 110-control level. Anything less is insufficient for assessment.
- Score against NIST SP 800-171 Rev. 2. The DoD Assessment Methodology produces a numeric score on a 110-point scale that posts to the Supplier Performance Risk System (SPRS).
- Build the POA&M — only where permitted. 32 CFR 170.21 permits POA&Ms for specific requirements under specific conditions, with closure timing tied to Conditional vs Final CMMC Status.
- Organize evidence. Every applicable assessment objective needs evidence traceability — with an artifact, interview, or test path tied to an owner and date.
- Run a readiness or mock assessment with conflict awareness. Either internally, with your RPO, or via a non-certification engagement with a firm clearly separated from your eventual C3PAO.
- Verify your prospective C3PAO’s current status on the Cyber AB Marketplace.
- Schedule the C3PAO assessment.
- Maintain. DFARS 252.204-7021 requires an annual affirmation of continuous compliance by the affirming official in SPRS.
What happens if you go to a C3PAO too early
The Cyber AB’s CMMC Assessment Process v2.0 is unambiguous: if the Lead CCA determines during Phase 1 that the Organization Seeking Certification is not sufficiently prepared, the C3PAO informs the OSC in writing — but the C3PAO and its assessment team may not provide remedial advice, implementation assistance, or recommendations for improving readiness. They have to step back. You’ve paid for a Phase 1 review, you have a list of problems, and you can’t use the C3PAO to fix them. That’s by design, and it’s why “I’ll just call a C3PAO first” is one of the most expensive shortcuts a contractor can take.
What a real CMMC RPO engagement should deliver
A defensible Level 2 RPO engagement runs 6–18 months and produces, at minimum: a scoped CUI/FCI data-flow map, an asset and user inventory, a scope diagram, a System Security Plan written to the 320 assessment objectives, a NIST SP 800-171 Rev. 2 gap score, a POA&M (where permitted), an evidence index, an MSP/MSSP responsibility matrix, an SPRS submission package, and a C3PAO handoff packet. If the engagement ends without these artifacts in your possession, you bought meetings, not readiness.
The Deliverables Acceptance Checklist
| Deliverable | What good looks like | Acceptance test |
|---|---|---|
| CUI/FCI data-flow map | Shows where CUI/FCI is received, stored, processed, transmitted, and protected | A non-technical executive can explain the boundary |
| CMMC level/path memo | States Level 1, Level 2 Self, Level 2 C3PAO, or Level 3 with reasoning | Tied to clause language and data type, not vendor opinion |
| Asset and user inventory | Includes users, devices, systems, cloud services, networks, and External Service Providers in scope | Maps cleanly to the assessment boundary |
| Scope diagram | Shows CMMC Assessment Scope and explicitly excluded systems | Reviewable before tools are purchased |
| System Security Plan (SSP) | Describes system, controls, responsible parties, ESP/CSP relationships, to objective level | Control owners sign off |
| NIST SP 800-171 Rev. 2 gap score | Maps requirements and objectives to MET / NOT MET / N/A with evidence references | Explains the why behind each finding, not just the score |
| POA&M (where permitted) | Uses POA&Ms only where 32 CFR 170.21 allows; includes owner, date, resources | Tracks the 180-day Conditional CMMC Status risk where relevant |
| Evidence index | Names artifacts, owners, dates, control/objective mappings | Can be handed to a C3PAO without redoing discovery |
| MSP/MSSP responsibility matrix | Maps who implements and operates each technical control | Your MSP signs the responsibilities they are accepting |
| Customer Responsibility Matrix (CRM) | For cloud and ESP services, documents inherited vs customer-managed controls | Filed against the SSP and referenced in evidence |
| SPRS submission package | Includes score, scope, CAGE code mapping, affirmation notes | Ready for the affirming official's review |
| C3PAO handoff packet | Scope, SSP, evidence, COI screen, readiness determination | The C3PAO can review without re-running discovery |
| Written conflict screen | Documents whether any readiness provider can or cannot participate in later assessment | Signed before any C3PAO is scheduled |
If an RPO statement of work doesn’t itemize these deliverables with acceptance criteria, you don’t have a statement of work. You have a retainer.
The “template dump” problem
A common failure mode: the engagement ends, and you receive a folder of well-formatted templates. They’re not populated to your environment. The control owners haven’t reviewed them. The evidence references point to nothing. A template is not a deliverable. A populated, scoped, owner-signed artifact is.
The “we’ll get you compliant” problem
A more expensive failure mode: an RPO frames the engagement as “we’ll get you to compliant,” takes a six-figure retainer, and then your in-house team discovers ten months in that no one is operating any of the controls in steady state. The contractor remains responsible for its own implementation, status, and affirmations under DFARS 252.204-7021. The RPO can build the program; only your people can operate it.
Real timeline expectations
- 6 months. Realistic only for organizations starting from a mature NIST 800-171 baseline, with engaged executive ownership, a single primary environment, and a willing internal owner.
- 12 months. Typical for SMBs (25–200 employees) with partial maturity, a single primary environment (most often GCC High or AWS GovCloud), and acceptable starting documentation.
- 18+ months. Typical for organizations with multiple business units, hybrid on-premises plus cloud environments, mixed CUI types (especially with export-controlled overlays), or no prior NIST 800-171 work.
If a prospective RPO quotes “90 days to full Level 2 readiness” for a non-mature client, that’s a red flag.
How much CMMC RPO consultants cost in 2026
The CMMC Program Rule’s Initial Regulatory Flexibility Analysis provides DoD’s own small-entity cost estimates for the assessment and affirmation burden. Those figures are the floor of the certification overhead, not the ceiling of the readiness investment. Full readiness engagement pricing depends on company size, environment, and current maturity; published market ranges span roughly $15,000 for narrow templated engagements at the smallest contractors to well into six figures for full Level 2 readiness in complex hybrid environments.
What DoD itself estimates — the Federal Register cost figures
When DoD published 32 CFR Part 170, it included an Initial Regulatory Flexibility Analysis with explicit small-entity cost estimates by Level. These figures cover the assessment and affirmation burden itself — they do not cover full NIST 800-171 implementation, environment migration, or ongoing managed services. Treat them as the floor of the certification overhead.
| Cost type | What DoD estimates for a small entity | What it does not cover |
|---|---|---|
| Level 1 annual self-assessment + affirmation | $5,977 per year | Implementation, tools, MSP, remediation |
| Level 2 Self triennial assessment + 3 annual affirmations | $37,196 over three years | NIST 800-171 implementation, remediation, cloud, MSP |
| Level 2 C3PAO triennial assessment + 3 annual affirmations | $101,752 initial; $104,670 over three years | Full readiness, remediation, MSP, environment migration |
| Level 3 triennial certification + 3 annual affirmations | $12,802 over three years (excluding nonrecurring engineering costs DoD estimates separately) | Implementation of selected NIST SP 800-172 enhanced requirements |
What the market actually charges for readiness work
Federal Register estimates are the assessment burden alone. The work between “we know we have a CMMC obligation” and “we’re ready to be assessed” is a separate engagement — usually the larger one. The following ranges are useful order-of-magnitude calibration. They are not quotes.
| Profile | Employees | Environment | Starting state | Typical Level 2 RPO range |
|---|---|---|---|---|
| Micro DIB | 1–25 | Single environment, narrow CUI workflow | No SSP, no prior work | $15,000 – $40,000 |
| Small DIB | 26–100 | GCC High or AWS GovCloud, single environment | Partial documentation, some gaps | $40,000 – $90,000 |
| Mid-tier DIB | 101–250 | GCC High or hybrid | Partial SSP, POA&M open | $80,000 – $180,000 |
| Mid-tier complex | 101–250 | Hybrid + on-prem; multiple CUI types | No SSP or invalid scope | $150,000 – $300,000 |
| Upper mid / large | 251–500 | Multi-environment; mixed CUI; export controls | Variable | $200,000 – $500,000+ |
What inflates the price — and what doesn’t
The cost lever readers tend to assume is “firm size and brand.” It usually isn’t. The actual cost levers:
- Undefined or shifting scope. Engagement creep on an hourly basis is the most reliable way to double a quote.
- Multiple environments. Hybrid on-prem plus cloud, or multiple cloud tenants, adds complexity faster than employee count.
- Export-controlled CUI. ITAR overlay materially changes user access controls and adds cost.
- No current SSP, no executive sponsor. You are paying for the RPO to do organizational work that should be done internally.
- Distributed workforce, BYOD, or shadow IT. Each adds scope-reduction work before readiness can begin.
What doesn’t materially inflate the price:
- A clean CUI boundary. Hard to scope, but once scoped, it shrinks every downstream task.
- A willing internal owner. Can materially reduce external RPO hours.
- A single environment. Lower complexity, faster delivery.
- A candid baseline. Honest gaps shrink the estimate; hidden gaps inflate it later.
The RPO Vetting Matrix — 12 criteria to score any RPO before you sign
Marketplace listing is the floor of vetting, not the ceiling. The twelve criteria below score any prospective RPO against verifiable evidence. A prospective RPO scoring under 8 of 12 is a yellow flag; under 6 of 12, walk away.
1. Marketplace listing status
Direct lookup at cyberab.org/Catalog. The listing should show RPO status as current, not expired, suspended, or pending. Save a screenshot with the date.
2. Number of RPs and RPAs on staff
Ask for names. Cross-check each individual against the Cyber AB Marketplace. A firm claiming RPO status with one part-time RP is different from a firm with twelve RPAs.
3. Tenure on the RPO program
A firm registered in 2020 or 2021 has lived through the CMMC 1.0 → 2.0 transition, the 2023 proposed rule, the 2024 Final Rule, and the 2025 DFARS implementation. A firm registered in late 2025 has not. Tenure is not destiny, but it's a signal.
4. Prior C3PAO-assessed Level 2 engagement references
Ask for at least two contracted client references whose engagements actually reached a C3PAO assessment. Not ‘we did a gap analysis.’ A real reference is a client whose readiness work the RPO led, who then engaged a separate C3PAO, and who can speak to the assessment outcome. If the RPO has no such references — and many don’t — that is itself a finding.
5. Independence posture in writing
Ask for the RPO's written independence policy, especially if the firm holds both RPO and C3PAO designations. The right answer addresses (a) when dual-designation firms can serve which role, (b) which staff are walled off, and (c) how the firm handles the three-year prohibition under 32 CFR 170.9 and the CoPC.
6. Environment specialization
Stated and demonstrable experience in your specific environment: Microsoft 365 GCC High, AWS GovCloud (US), Microsoft 365 GCC, on-premises, or hybrid. Ask the assigned RP to describe a recent migration in your environment. The depth of the answer is the test.
7. Scoping methodology
Ask: ‘How do you define the CMMC Assessment Boundary for a client with our profile?’ Ask for a sample scoping deliverable (redacted). A real methodology has structure: data flow, asset enumeration, user enumeration, ESP enumeration, exclusion criteria. A weak methodology is ‘we’ll figure it out together.’
8. NIST SP 800-171 Rev. 2 mapping discipline
Confirm the RPO works at the 320-assessment-objective level of NIST SP 800-171A, not just the 110-control level. Anything less is insufficient for a C3PAO assessment.
9. SSP and POA&M sample availability
Ask to see a redacted SSP and POA&M from a prior engagement. Strong RPOs maintain samples specifically for prospect conversations. If they can't show you what their finished work looks like, you're buying a black box.
10. In-assessment support model
Will the assigned RP/RPA be present during the C3PAO assessment? In what role? Helping you locate evidence and respond to assessor follow-ups is allowed — provided the RPO doesn't perform assessor functions or answer for control owners. Confirm the rate and the cap in writing.
11. Knowledge transfer and exit terms
When the engagement ends, what stays with you? Is the SSP in your tenant or theirs? What's the offboarding workflow? An RPO whose work doesn't transfer to your team in steady state has built you a dependency, not a program.
12. Engagement scope and change-order discipline
Is the SOW measurable, with deliverables, dates, and acceptance criteria? Are change orders defined in advance? Or is the engagement structured around hourly billing with vague scope? The latter is how a $90,000 quote becomes a $180,000 engagement.
Scoring
- 10–12 of 12: Strong fit. Proceed to scoped proposal.
- 8–9 of 12: Workable, with specific conditions added to the SOW.
- 6–7 of 12: Yellow flag. Compare against at least two alternatives before signing.
- Under 6 of 12: Walk away.
How to read a Cyber AB Marketplace listing — the 5-minute verification walkthrough
Every legitimate RPO has a public listing on the Cyber AB Marketplace at cyberab.org/Catalog. Verifying directly at the source — not via the firm’s marketing site — is the single best sixty-second sanity check before any CMMC engagement.
What the Marketplace listing tells you
- Current credential status — active, lapsed, suspended.
- Organizational name and primary address.
- Affiliated Registered Practitioners and Registered Practitioner Advanced (individual lookup).
- Listed service categories.
- Any additional designations (RPO + C3PAO, for example).
What the listing does not tell you
- Engagement quality.
- C3PAO-assessed client outcomes.
- Financial stability.
- Specific environment expertise.
- Whether the firm meets your scope, timing, or budget.
Three verifications to run in five minutes
- Confirm RPO status by direct search at cyberab.org/Catalog and capture a screenshot with the date.
- Look up the individual RP or RPA who will run your engagement and confirm they are listed and current.
- If the firm claims dual designation (RPO + C3PAO), confirm both designations appear in the listing and request the firm’s written independence policy.
The CMMC ecosystem, by the numbers (March 2026)
| Ecosystem role | Count (March 2026) | What they do | Can issue CMMC certification? |
|---|---|---|---|
| Registered Practitioner (RP) | ~2,000 | Individual consultant; foundational CMMC training; signed CoPC | No |
| Registered Practitioner Organization (RPO) | 387 | Firm employing ≥1 RP; signed RPO Agreement; passed background check | No |
| Certified CMMC Assessor (CCA) | 748 | Authorized to lead or participate in Level 2 assessments under a C3PAO | No (individual credential) |
| Certified Third-Party Assessment Organization (C3PAO) | 103 | Organization authorized to perform Level 2 certification assessments | Yes — Level 2 |
| DCMA DIBCAC | 1 (government) | DoD-internal assessor; performs Level 3 certification | Yes — Level 3 |
RPO fit by environment — match the specialization to your reality
RPO selection is less about firm brand and more about environment match. A 15-person manufacturer with CUI in CAD/CAM files needs an RPO with engineering workflow experience. A 100-person services firm with CUI in Microsoft 365 GCC High needs an RPO with GCC High depth. The right RPO for the wrong environment is still the wrong RPO.
| Profile | RPO specialization to prioritize | What to verify in SSP / CRM | Common mistake |
|---|---|---|---|
| Tiny FCI-only contractor | Light Level 1 documentation; basic safeguarding | Boundary excludes any CUI workflow | Buying Level 2 tooling before confirming there is no CUI |
| Small contractor with narrow CUI | CUI scoping; enclave strategy; small-business implementation | Enclave control inheritance and isolation | Migrating everything before mapping the CUI flow |
| Manufacturer with CAD/CAM/CUI | Engineering workflow; endpoints; on-prem/OT awareness | Endpoint and workstation controls; CUI marking and handling | Treating CUI like ordinary office documents |
| Company with an established MSP | MSP responsibility mapping; evidence governance | Customer Responsibility Matrix and MSP-signed responsibilities | Assuming the MSP already has CMMC evidence in hand |
| GCC High / AWS GovCloud environment | Cloud control inheritance; Customer Responsibility Matrix | CSP CRM references in the SSP; FedRAMP authorization basis | Assuming cloud authorization equals company compliance |
| Prime/sub with complex flowdowns | Subcontractor flowdown; evidence-request workflow | Subcontractor scope, clause flowdown, and affirmation paths | Asking subcontractors for "CMMC certification" before clarifying the clause |
| Level 2 C3PAO-bound company | Assessment readiness; evidence indexing; written conflict screen | C3PAO handoff packet and COI determination | Scheduling the C3PAO before scope and SSP are stable |
| Level 3 candidate | The 24 selected NIST SP 800-172 requirements; DIBCAC readiness | Level 3 control implementation and Level 2 dependency status | Hiring an RPO with no Level 3 experience because the cost is lower |
What to bring to your first RPO call — and what not to send through a web form
Bring non-sensitive scoping facts to your first RPO conversation. Do not transmit CUI, drawings, export-controlled technical data, network diagrams with sensitive details, vulnerability reports, or incident details through generic web intake forms.
Bring this to the first call
- Solicitation language or clause names (DFARS 252.204-7021, 7025, 7012, 7019, 7020), without uploading the underlying sensitive documents.
- Whether you handle FCI, CUI, both, or are unsure.
- Whether your prime has issued a flow-down requirement.
- Current employee and user count.
- Number of people who routinely touch CUI.
- Existing MSP/MSSP relationships.
- Cloud environment (Microsoft 365 GCC, GCC High, AWS GovCloud, on-prem, hybrid).
- Current security tools at a category level (EDR, SIEM, MFA, vulnerability management).
- Current SSP and POA&M status.
- Current SPRS score or posting status, if known.
- Deadline or contract trigger driving the timeline.
- Whether you are tracking toward Level 2 Self or Level 2 C3PAO.
Do not send through a generic web intake
- CUI files.
- Engineering drawings, CAD/CAM data.
- Export-controlled technical data.
- Contract attachments with sensitive markings.
- Network diagrams with sensitive details (IPs, hostnames, segmentation maps).
- Credentials, vulnerability reports, or incident details.
CUI handled outside compliant systems is a contractual and potentially statutory issue. Wait until the engagement is scoped and the RPO has established a compliant intake channel before transmitting anything sensitive. A serious RPO will instruct you to wait. If they ask you to upload CUI to a Typeform, that’s a finding.
When you’re ready to move from RPO readiness to C3PAO assessment
Move to a C3PAO when scope, SSP, evidence, control ownership, NIST SP 800-171 Rev. 2 score, POA&M posture, and conflict screening are stable.
The assessment-ready checklist
- ✅ CMMC Assessment Scope is stable. No active scope debates with internal stakeholders.
- ✅ SSP is complete and current. Written to the 320 assessment objectives, with control owners signed off.
- ✅ Evidence exists for every applicable objective. Not "we have policies." Real artifacts with owners and dates.
- ✅ Control owners can answer interviews. The assessor will interview real people. Coach them.
- ✅ MSP and MSSP responsibilities are documented in writing. With the MSP's signature on what they own.
- ✅ CSP/ESP relationships and Customer Responsibility Matrix references are included in the SSP.
- ✅ POA&M items are permitted under 32 CFR 170.21 and actively tracked. Closure timelines understood.
- ✅ Your NIST SP 800-171 Rev. 2 score is understood, not just calculated.
- ✅ Affirming official understands their responsibilities under DFARS 252.204-7021.
- ✅ C3PAO conflict screen is complete and in writing.
- ✅ Artifacts are retained for the required period and hash-ready where the assessment process requires.
CMMC RPO red flags — what to walk away from
Walk away from any CMMC RPO that guarantees a certification outcome, blurs RPO with C3PAO authority, refuses to itemize written deliverables, pushes a platform purchase before mapping your CUI, references NIST SP 800-171 Revision 3 as the current CMMC Level 2 baseline without caveat, or asks you to transmit CUI through unsecured web intake.
| Red flag | Why it matters |
|---|---|
| "We guarantee you'll pass." | No provider can guarantee a CMMC outcome. The Cyber AB Code of Professional Conduct framework prohibits the kind of outcome guarantees that would compromise assessment integrity. |
| "We can prepare and certify you." | RPO and C3PAO roles must be separated for the same OSC under 32 CFR 170.9 and the three-year CoPC prohibition. |
| No written, itemized deliverables in the SOW. | You'll pay for meetings, not artifacts. The SOW is the contract. |
| Recommends GCC High or an enclave before mapping your CUI. | Environment should follow scope. Buying the platform first inflates the total cost. |
| Cannot name the assigned RP/RPA — or names someone you can't find on the Marketplace. | The Marketplace is the verification source. If the assigned individual isn't there, the firm isn't delivering credentialed work. |
| No working knowledge of SPRS. | The Supplier Performance Risk System is central to NIST 800-171 score posting under DFARS 252.204-7019 and -7020. |
| Refers to NIST SP 800-171 Revision 3 as the current CMMC Level 2 baseline. | 32 CFR Part 170 currently incorporates Revision 2 for CMMC Level 2. Rev. 3 is not the controlling CMMC version unless DoD amends the rule. |
| Asks for CUI through a Google Form or Typeform. | Data-handling practice is part of trust. A real RPO uses a compliant intake. |
| Sells templates as "compliance." | Templates are not deliverables. Populated, owner-signed artifacts mapped to evidence are deliverables. |
| Quotes "90 days to full Level 2 readiness" for a non-mature client. | Either the scope is much narrower than you think, or the quote relies on assumptions you need documented before signing. |
What if your RPO is also your MSP, GRC platform, cloud provider, or C3PAO affiliate?
Combining roles can work — but only if responsibilities are clear, conflicts are screened, and assessment authority is kept separate.
RPO + MSP/MSSP
Strong when: the firm can implement and operate the technical controls, produce evidence as part of normal operations, and document control responsibility in a CRM.
Risky when: the firm treats CMMC as ordinary IT support — patch the endpoints, ship the report, call it a day. CMMC requires the firm to own both the readiness artifacts and the operational evidence, and to keep them current.
RPO + GRC platform
Strong when: the tool meaningfully reduces evidence and workflow burden, with a real NIST SP 800-171 Rev. 2 control mapping and assessor-friendly exports.
Risky when: the platform is sold as a substitute for implementation. No platform is a control; controls are operated by people on systems.
RPO + cloud / CUI enclave provider
Strong when: the migration narrows scope by isolating CUI into a defined, monitored workflow, with a clean CRM against the underlying CSP and clear customer-managed control responsibility.
Risky when: the provider implies that buying the environment equals CMMC compliance. FedRAMP authorization of the underlying cloud is a control-inheritance benefit, not a certification of your tenant or your organization.
RPO + C3PAO affiliate
Not automatically forbidden as a business structure. Several firms hold both designations. The structural question is whether the team that performed your readiness work is walled off from the team that will perform your assessment, and whether the three-year consultant-then-assessor prohibition under 32 CFR 170.9 has been screened against the specific personnel and prior consulting activity. That screen must be in writing. The right question to ask a dual-designation firm: “Can you put your independence policy and your engagement assignment in writing before we sign?”
Methodology — how we built this guide
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, NIST, or any U.S. government agency. We are not an RPO, RP, or C3PAO.
Source hierarchy
- Federal Register — the controlling rule text and Regulatory Impact / Regulatory Flexibility Analyses.
- eCFR / Acquisition.gov / NIST CSRC / DoD CIO / SPRS — primary regulatory and program references.
- Cyber AB official publications — ecosystem role definitions, Code of Professional Conduct, CMMC Assessment Process v2.0.
- Cyber AB Marketplace — current credential status, individual and organizational listings.
- Aggregator and industry analyses — secondary sources used carefully and labeled.
- Voice-of-customer language — used only to capture how readers describe the problem in their own words, never as evidence for regulatory claims.
What we specifically verified on May 27, 2026
- The CMMC Program Rule at 32 CFR Part 170 (89 FR 83092), effective December 16, 2024.
- The DFARS Final Rule (DFARS Case 2019-D041), effective November 10, 2025.
- DFARS 252.204-7021 and 252.204-7025 clause language at acquisition.gov.
- NIST SP 800-171 Revision 2 and NIST SP 800-171A at NIST CSRC (110 requirements, 14 control families, 320 assessment objectives).
- The Cyber AB definition of Registered Practitioner Organization on cyberab.org.
- The Cyber AB Code of Professional Conduct and CMMC Assessment Process v2.0.
- Federal Register small-entity cost figures from the Initial Regulatory Flexibility Analysis of 32 CFR Part 170.
- Cyber AB Marketplace counts (March 2026) via Secureframe’s published dataset.
Frequently asked questions
What does CMMC RPO stand for?
CMMC RPO stands for Registered Practitioner Organization in the Cyber AB’s current ecosystem-roles language. Some older Cyber AB and vendor materials use ‘Registered Provider Organization.’ Either way, it refers to a firm authorized by the Cyber AB to provide CMMC readiness and advisory services. RPOs do not issue CMMC certifications.
Is hiring a CMMC RPO required?
No. There is no regulatory requirement to hire an RPO. Most contractors with Level 2 obligations benefit from one because the scoping, documentation, and evidence work is substantial, but the rule itself does not mandate RPO engagement.
Can my RPO also be my C3PAO?
Not for the same OSC within three years. Under 32 CFR 170.9 and the Cyber AB Code of Professional Conduct, an ecosystem member who served as a consultant preparing your organization for a CMMC assessment cannot participate in that organization's Level 2 certification assessment for three years. A firm may hold both designations and serve those roles for different clients, but not the same client on the same certification path within that window.
Can a CMMC RPO guarantee that we'll pass a C3PAO assessment?
No. An RPO can help prepare scope, documentation, evidence, and remediation work, but CMMC status depends on the applicable assessment path and the assessor's findings. The Cyber AB CoPC framework prohibits outcome guarantees that would compromise assessment integrity.
What is the difference between an RPO and a C3PAO?
An RPO consults; a C3PAO assesses. Only an authorized or accredited Certified Third-Party Assessment Organization is permitted to perform a Level 2 certification assessment under 32 CFR Part 170. Level 3 certifications are performed by DCMA DIBCAC, not by any commercial firm.
What is the difference between an RP and an RPO?
An RP — Registered Practitioner — is an individual. An RPO — Registered Practitioner Organization — is a firm that employs at least one RP. When you hire an RPO, the actual work is done by an individual RP or RPA inside that firm.
How much does a CMMC RPO cost?
DoD's Initial Regulatory Flexibility Analysis provides modeled small-entity cost estimates for the assessment and affirmation burden: $5,977 annually for Level 1; $37,196 over three years for Level 2 Self; $101,752 initial and $104,670 over three years for Level 2 C3PAO. Full readiness engagement costs are separate and depend on company size, environment, and current maturity.
Can my MSP be my RPO?
Yes, if the MSP firm is registered as an RPO with the Cyber AB and employs at least one Registered Practitioner. Many CMMC-focused MSPs hold RPO designation. Verify directly on the Cyber AB Marketplace before assuming.
Is NIST SP 800-171 Rev. 3 the current CMMC Level 2 baseline?
No. 32 CFR Part 170 currently incorporates NIST SP 800-171 Revision 2 as the Level 2 control set. NIST SP 800-171 Rev. 3 exists and is used in other contexts, but it is not the controlling CMMC Level 2 baseline unless and until DoD amends the rule. Any RPO claiming otherwise without that caveat is a red flag.
Do I need an RPO for Level 1?
Usually only light support, if any. Level 1 is an annual self-assessment against the fifteen FAR 52.204-21 safeguards, posted in SPRS. Most small FCI-only contractors can manage this internally with a checklist.
Do I need an RPO before a Level 2 C3PAO assessment?
Almost always yes, unless you are already truly assessment-ready. The C3PAO cannot help you remediate gaps they find during the Phase 1 readiness review.
Can an RPO submit my SPRS information?
An RPO can help you prepare the submission package, but the contractor and the affirming official remain responsible for the actual posting and the annual affirmation of continuous compliance under DFARS 252.204-7021.
What happens if a C3PAO determines we're not ready?
Per the Cyber AB's CMMC Assessment Process v2.0, the Lead CCA will inform the Affirming Official in writing — but under no circumstances may the C3PAO, the assessment team, or affiliated personnel provide remedial advice, implementation assistance, or recommendations for improving readiness. You will need a separate readiness provider to address the findings.
How do I check if an RPO is real?
Search the Cyber AB Marketplace at cyberab.org/Catalog. Confirm the firm's RPO designation is current, look up the assigned individual RP or RPA, and capture a screenshot with the date for your vendor file.
What's the difference between Level 2 Self and Level 2 C3PAO?
Both are CMMC Level 2 against NIST SP 800-171 Rev. 2. Level 2 (Self) is a triennial self-assessment with an annual affirmation. Level 2 (C3PAO) is a triennial assessment performed by an authorized C3PAO with an annual affirmation. Which one applies is set by the contracting officer under the DFARS rule.
What's the Phase 1 timing?
DoD has stated Phase 1 of CMMC implementation runs from November 10, 2025 through November 9, 2026, with primary focus on Level 1 and Level 2 self-assessment requirements appearing in applicable solicitations. Phase 2, when C3PAO-assessed Level 2 begins appearing in applicable solicitations on a non-discretionary basis, follows.
Your next move
If you’re not sure whether your first call should be to an RPO, a C3PAO, an MSP, or a cloud provider, the seven-question routing brief takes about two minutes and produces a recommendation by level, scope, environment, and timeline — non-sensitive inputs only, no CUI, no contract attachments, no obligation.
About the editorial team
We are The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the DoD, or any U.S. government agency. We do not accept editorial-approval rights from sponsors. Our methodology, corrections policy, and editorial & advertising policy are published in full.