CMMC RPO vs C3PAO: Which One Do You Need? [2026]

Q: What does RPO stand for in CMMC?

RPO stands for Registered Practitioner Organization. It is a Cyber AB credential for advisory firms that deliver non-certified CMMC readiness services through Registered Practitioners (RPs) and Advanced Registered Practitioners (ARPs). RPOs do not conduct CMMC certification assessments.

The Defense Compliance Report Editorial TeamIndependent CMMC and DIB compliance research

Published: May 27, 2026Last reviewed: May 27, 2026

Editorial research — not formally reviewed by a CMMC Subject Matter Advisor. Verify scope and applicability with a Registered Practitioner before acting.

If you searched CMMC RPO vs C3PAO because you just landed a solicitation with DFARS 252.204-7021(the CMMC contract clause effective November 10, 2025) in it, or a prime contractor flowed CMMC language down to you, you’re probably staring at two acronyms and wondering which one to call first: RPO or C3PAO.

Here’s the short answer. An RPO — a Registered Practitioner Organizationauthorized by the Cyber AB — prepares you for your CMMC assessment. A C3PAO — a CMMC Third-Party Assessment Organization, also authorized or accredited by the Cyber AB — performs the official Level 2 certification assessment. They are not interchangeable, and under the Cyber AB Code of Professional Conduct (CoPC) v2.0, a C3PAO and every member of its assessment team are prohibited from performing your Level 2 certification assessment if they provided preparatory, advisory, or consulting services to you within the prior three years. If your contract requires CMMC Status of Level 2 (C3PAO), you typically engage an RPO (or a non-RPO consultant) first for readiness work, then a separate authorized or accredited C3PAO for the assessment. Level 1 (Self) and Level 2 (Self) paths do not require a C3PAO at all.

That’s the part most pages give you. The expensive part — when to hire each, what to budget against the DoD’s own published cost estimates, how to verify a provider on the Cyber AB Marketplace, and what to do when a single firm offers an end-to-end engagement — is what we cover below. Every regulatory claim is tied to the primary-source list at the bottom of this page, and the highest-risk claims are cited inline.

What we actually verified for this guide

We checked the regulatory citations on this page against the source document, not a secondary summary:

32 CFR Part 170— CMMC Program Final Rule, published Federal Register October 15, 2024 (89 FR 83092), effective December 16, 2024 (Federal Register)
48 CFR DFARS final rule— published September 10, 2025, effective November 10, 2025, which activated DFARS 252.204-7021 and DFARS 252.204-7025 (acquisition.gov)
32 CFR § 170.3(e) — four-phase implementation schedule
32 CFR § 170.17— Level 2 certification assessment and affirmation requirements, including eMASS submission and Conditional/Final status (eCFR)
32 CFR § 170.18 — Level 3 certification assessment requirements
Cyber AB Code of Professional Conduct v2.0— including the C3PAO consulting/advisory prohibition with three-year lookback and the limited conditions under which a C3PAO may perform a non-certification assessment (CoPC v2.0 PDF)
DoD regulatory cost estimates— published in the CMMC Program Final Rule Regulatory Impact Analysis

What we did not verify, and are upfront about:the live count of authorized C3PAOs and RPOs as of today’s date (we use the most recently published Cyber AB Town Hall figures below and recommend a real-time check at the Cyber AB Marketplace); market quote ranges for specific providers (we use DoD Federal Register cost estimates as the only primary anchors); and any individual provider’s current Marketplace status (verify directly before signing). Items not verifiable from a primary source are flagged inline as [NEEDS VERIFICATION].

Affiliation: The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

The fast decision table

If you only read one section of this page, read this one.

Your situation	Start with an RPO?	Start with a C3PAO?	Why
You handle FCI only; contract requires Level 1 (Self)	Optional — many handle in-house	No	Level 1 is annual self-assessment per 32 CFR § 170.15
You handle CUI but scope, SSP, or evidence aren’t ready	Yes	Not yet	RPOs scope, document, and remediate; C3PAOs assess what’s already built
Your contract requires Level 2 (Self)	Strongly recommended for first cycle	No	Triennial self-assessment with annual affirmation in SPRS
Your contract requires Level 2 (C3PAO), you are not assessment-ready	Yes, first	Schedule the slot — don’t start the assessment	Under 32 CFR § 170.17, drafts and unapproved policies are unacceptable evidence
Your contract requires Level 2 (C3PAO), you are assessment-ready	Optional, separate-firm evidence support only	Yes	Authorized or accredited C3PAO performs the assessment and submits results into the CMMC instantiation of eMASS
You may need Level 3	Yes — readiness firm with Level 3 experience	Not for Level 3 itself, but Final Level 2 (C3PAO) status is a prerequisite	Level 3 is assessed by DCMA DIBCAC per 32 CFR § 170.18
A single firm offers to “prepare you and assess you”	Use caution	Use caution	The CoPC v2.0 three-year prohibition applies to C3PAO and assessment team members

Get matched with the right provider category in 60 seconds →

Tell us your CMMC Level, scope, environment, and timeline. We route you to the provider category that fits your stage — RPO/readiness, C3PAO, MSP/MSSP, GRC, or CUI enclave — and connect you to verified providers. We do not ask for CUI, contract numbers, system diagrams, vulnerabilities, or any sensitive security details.

Find your CMMC path →

Verified providers, defined: providers whose category, claimed Cyber AB Marketplace status (where applicable), and service fit we check before introduction. Not an endorsement, guarantee of certification outcomes, or official Cyber AB / DoD designation.

CMMC RPO vs C3PAO: what’s the difference?

Short answer: A CMMC RPOis a Cyber AB–credentialed advisory firm that prepares you for your CMMC assessment — scoping, gap analysis against NIST SP 800-171 Revision 2, System Security Plan (SSP) authoring, Plan of Action and Milestones (POA&M) development, control implementation guidance, evidence prep, and mock assessments. A C3PAOis a Cyber AB–authorized or accredited assessment body and the only kind of organization that can perform a Level 2 certification assessment under 32 CFR Part 170. RPOs prepare. C3PAOs assess. The roles are intentionally separated to protect the integrity of the certification.

The authority map

Most pages stop at “one prepares, one assesses.” That isn’t the part that costs you money. The part that costs you money is the layer of authority each role actually carries and what each is and isn’t permitted to do.

Dimension	RPO (Registered Practitioner Organization)	C3PAO (CMMC Third-Party Assessment Organization)
Source of authority	Cyber AB credential under the CMMC Code of Professional Conduct v2.0; not named as a required role in the federal rule	Named in 32 CFR Part 170; only an authorized or accredited C3PAO may perform a Level 2 certification assessment
Function	Pre-assessment advisory: scoping, gap analysis, SSP/POA&M, control implementation guidance, evidence prep, mock assessment	Independent assessment against NIST SP 800-171 Rev. 2 (Level 2); results in Conditional or Final CMMC Status
Who issues a CMMC Status?	No one — RPOs are advisory	The C3PAO performs the assessment and submits results into the CMMC instantiation of eMASS, which flows through to SPRS (32 CFR § 170.17)
Is it required to use?	No. Contractors may prepare in-house, with a non-RPO consultant, or with an RPO. RPO use is not federally mandated.	Yes, for any contract specifying CMMC Status of Level 2 (C3PAO) under DFARS 252.204-7021
Credentialing	Cyber AB authorization; must employ at least one Registered Practitioner (RP) or Advanced Registered Practitioner (ARP); signs CoPC v2.0	Cyber AB authorization or accreditation; FOCI / SF-328 review; DIBCAC assessment of the C3PAO’s own environment; employs CCAs and Lead CCAs
Personnel	Registered Practitioner (RP), Advanced Registered Practitioner (ARP)	Certified CMMC Professional (CCP), Certified CMMC Assessor (CCA), Lead CCA
Conflict-of-interest rule	Cannot also assess the same OSC — three-year lookback applies to the C3PAO and every assessment-team member under CoPC v2.0	Same prohibition from the other side: the C3PAO and its assessment team cannot have provided preparatory, advisory, or consulting services to the OSC within the prior three years
Where to verify	cyberab.org/Catalog	cyberab.org/Catalog

A quick note on terminology

You’ll see two names for the same RPO credential in the wild: Registered Provider Organization (the older term) and Registered Practitioner Organization(the current Cyber AB term). They refer to the same credential. The abbreviation RPO is unchanged. If a vendor still uses the older language in 2026, that’s not a red flag in itself — it usually means their content needs a refresh.

Is an RPO actually required by 32 CFR Part 170?

Short answer: no.32 CFR Part 170 — the CMMC Program Final Rule effective December 16, 2024 — does not require contractors to hire an RPO. RPO is a Cyber AB Marketplace credential, not a federal mandate. You can prepare for your CMMC assessment in-house, with a non-RPO consultant, or with an RPO. A C3PAO, by contrast, is required when your contract specifies CMMC Status of Level 2 (C3PAO) under DFARS 252.204-7021. There is no other authorized path for that level of third-party assessment.

We flag this because several pages currently ranking for this query imply RPO use is mandated by the rule. It isn’t. The reason most contractors use one anyway is practical, not legal: scoping CUI accurately, building an SSP that survives an assessment, and producing evidence that maps cleanly to NIST SP 800-171A assessment objectives is the kind of work that costs more in rework than in advisory fees when it’s done badly.

The takeaway: if you have strong in-house CMMC capability — a security team experienced with DFARS 252.204-7012 safeguarding and cyber-incident reporting and with DFARS 252.204-7019/-7020 NIST SP 800-171 DoD Assessment score requirements, plus a current SSP and clean evidence — you may not need an RPO. You still need a C3PAO for Level 2 (C3PAO) assessment. If you don’t have that in-house capability, an RPO or experienced non-RPO consultant is usually the cheapest path to a passing first-attempt assessment.

Can the same firm be your RPO and your C3PAO?

Short answer: not on the same engagement.The Cyber AB Code of Professional Conduct v2.0 prohibits a C3PAO — both the organization and every member of the assessment team — from performing your Level 2 certification assessment if it provided preparatory, advisory, or consulting services to you within the prior three years. The prohibition applies whether the firm holds one credential or both. A firm can be authorized as an RPO and authorized or accredited as a C3PAO; it just can’t deliver readiness and the certification assessment to the same OSC within that lookback window.

This is the rule that costs contractors the most when they don’t know it exists.

Here’s how it gets you. A vendor with both credentials sells you an “end-to-end CMMC engagement.” They scope you, build your SSP, implement your controls, and walk you up to the door of the assessment. Then — under the CoPC — they have to hand you off to a different C3PAO. That second C3PAO redoes a meaningful amount of evidence review because they didn’t build the environment. You’ve effectively paid for readiness twice: once to the original firm, again in delay and re-verification fees. The end-to-end pitch was real. The end-to-end deliverywasn’t.

Our one damaging admission

We’ll tell you what we don’t do, since most pages ranking for this query won’t. We do not rank named RPOs or named C3PAOs on this page.We won’t tell you Firm A is better than Firm B without doing the verification work — current Cyber AB Marketplace status check, compensation disclosure, evaluation depth disclosure, and a last-verified date on the review page. Our Editorial & Advertising Policy requires all of that, and we’d rather route you to the right categoryof provider and let you pick a named provider from a verified pool than tell you a name we haven’t done the work to defend.

What this means in practice: if you came here looking for a “best C3PAO” ranking, this isn’t that page. What you get instead is the regulatory and operational framework to choose a C3PAO correctly, plus a routing form that connects you to verified named providers when you’re ready. For broader category guidance, our Best CMMC Providers for Small Business and Best CMMC Consultants for Defense Contractors pages go deeper.

The Independence Test: six questions to ask any firm that offers both

If a single firm is pitching readiness and assessment, these are the questions that separate a firm operating a clean ethical firewall from one hoping you don’t read the CoPC.

Which legal entity will perform the readiness work, and which will perform the certification assessment? Two separate entities under a common parent, with assessment-team independence documented, is acceptable. A single entity doing readiness and the official Level 2 certification assessment for the same OSC is a serious conflict-of-interest problem unless the engagement is structured so the assessment team has not provided prohibited preparatory, advisory, or consulting services within the CoPC lookback window.
Will any individual on the proposed C3PAO assessment team have provided readiness, advisory, or implementation services to us within the prior three years? Under CoPC v2.0, the answer must be no.
Will you commit to that prohibition in writing in our Statement of Work?A firm that won’t put it in writing is not a firm to do business with on a regulatory engagement.
What does your internal independence-review process look like? A real firm will be able to describe it in concrete terms.
If a conflict is discovered later, what’s the remedy?The right answer is in writing in the SOW — who pays for reassignment, rework, or a new assessment if a conflict surfaces mid-engagement.
Will you disclose any financial interest in tools, platforms, or services we’d use in the readiness phase?Disclosure isn’t disqualifying. Hiding it is.

Download the Independence Test Worksheet →

A two-page printable version of these six questions with the CoPC v2.0 citation footer and a fillable column for the provider’s response. Bring it to every CMMC sales call.

Download the CMMC Readiness Checklist →

Can a C3PAO perform a mock assessment or gap assessment?

Short answer: Yes — but only as a non-certification assessment under strict CoPC v2.0 limits. No CMMC certificate or status is issued, no results are submitted to eMASS, and the C3PAO is barred from providing recommendations, advice, or consultative information during the engagement. If you want that same firm to perform your later Level 2 certification assessment, ask in writing whether the non-certification engagement triggers the three-year CoPC lookback and disqualifies the firm from your certification assessment.

The nuance is important because the simple “RPO preps, C3PAO assesses” framing isn’t quite the whole picture. A C3PAO can run a clean dry-run assessment, point out where evidence is thin, and tell you whether your scope makes sense — provided they don’t cross the line into telling you what to do about it. The moment they offer remediation advice, control implementation guidance, or “here’s how to fix this” coaching, they’ve performed prohibited advisory work, and the three-year CoPC lookback kicks in for your certification assessment.

Why this matters for your decision:

If you want a real readiness diagnosis and you intend to use a different C3PAO for the certification assessment, a C3PAO-conducted non-certification assessment can be genuinely useful — you get an assessor’s eye on your evidence without the conflict.
If you want a single firm to walk you all the way through to certification, you’re not actually getting that. You’re getting either an RPO doing readiness and a different C3PAO doing the assessment, or a C3PAO doing a non-certification dry-run and a different C3PAO doing the certification.

Treat any provider that blurs this line as a vendor who hasn’t read the CoPC carefully — or one who has, and is hoping you haven’t.

When do you hire each? The order of operations

Short answer:Most contractors needing Level 2 (C3PAO) hire an RPO (or non-RPO consultant) first, work with them on scoping, control implementation, SSP development, and evidence collection, then engage a separate authorized or accredited C3PAO for the certification assessment. Contractors needing only Level 1 (Self) or Level 2 (Self) don’t hire a C3PAO at all — they perform a self-assessment, post the result in SPRS, and submit an annual affirmation.

The timeline most Level 2 (C3PAO) programs follow

The durations below are editorial estimates based on DCR’s review of public provider disclosures, Cyber AB Town Hall practitioner commentary, and reader intake data [NEEDS VERIFICATION via DCR’s published quote/intake methodology, in development]. They are not DoD regulatory deadlines.

Phase	Typical duration	What happens	Who you’re working with
Scoping	Weeks	CUI data-flow mapping, asset inventory, scope boundary definition, enclave decisions	RPO or consultant
Gap analysis	Weeks	Control-by-control gap against NIST SP 800-171 Rev. 2	RPO or consultant
Remediation	Months	Technical control implementation, policy authoring, evidence collection	RPO + internal IT + MSP/MSSP
SSP and POA&M finalization	Weeks to months	Document version control, evidence cross-referencing, POA&M scoping under 32 CFR § 170.21 eligibility rules	RPO
Mock assessment	Weeks	Internal dry run before scheduling the C3PAO	RPO or a separate C3PAO under the non-certification rules above
C3PAO selection and contracting	Weeks to months	Marketplace verification, capacity check, scope of work, conflict review	C3PAO
C3PAO assessment	Months	Planning, evidence review, fieldwork, draft findings, final report, eMASS submission	C3PAO
Affirmation and SPRS posting	Days	Senior official affirmation of continuous compliance	Internal

Decision matrix by Level and contract type

Your CMMC Status	Need an RPO?	Need a C3PAO?	Who issues the status?
Level 1 (Self) — FCI only	Optional	No	Self, posted in SPRS, annual affirmation
Level 2 (Self) — CUI, contract allows self-assessment	Strongly recommended for first cycle	No	Self, posted in SPRS, triennial with annual affirmation
Level 2 (C3PAO) — CUI, contract requires third-party	Strongly recommended (or non-RPO consultant)	Yes — required	C3PAO performs the assessment; results submitted via CMMC eMASS
Level 3 — most sensitive CUI	Recommended (with Level 3 experience)	Final Level 2 (C3PAO) status is a prerequisite; Level 3 itself is DIBCAC-led	DCMA DIBCAC, after Final Level 2 (C3PAO)

If you don’t yet know which Level your contract requires, that’s the conversation to have with your contracting officer or prime before you call any provider. The Level determines everything else.

Know your Level? Get matched with verified RPOs or C3PAOs in 60 seconds →

We route you to providers in the category that fits your contract path. No sales calls until you’re ready.

Get matched →

What does each one actually cost?

Short answer:The only published cost numbers we’ll cite as hard anchors come from the DoD’s own Regulatory Impact Analysis in the CMMC Program Final Rule. For a small entity, DoD estimated a Level 2 (Self) assessment and initial affirmation at $34,277, and a Level 2 (C3PAO) certification assessment and affirmation at $101,752, with the C3PAO engagement component itself at $31,234 (3-person team, 120 hours) and annual reaffirmation at $1,459. These are regulatory estimates, not market quotes. Actual market costs vary widely above and below these figures based on scope, environment, starting maturity, and evidence quality.

DoD’s published estimates (small-entity Level 2)

These come from the DoD Regulatory Impact Analysis at Federal Register 89 FR 83092. Treat them as the regulatory baseline of what’s defensible to budget, not the ceiling.

Cost item	DoD estimate (small entity)	What it covers
Level 2 (Self) assessment + initial affirmation	$34,277 (3-year total: $37,196)	Self-conducted assessment + first affirmation in SPRS
Level 2 (C3PAO) certification assessment + affirmation	$101,752 (3-year total: $104,670)	Full third-party assessment cycle, small entity
C3PAO engagement component (inside the $101,752)	$31,234	3-person assessment team, ~120 hours, per DoD’s labor model
Annual reaffirmation after certification	$1,459	Internal time to file the annual affirmation in SPRS

What’s not in the DoD estimate

Two things, both of which matter to your actual budget:

Readiness and remediation costs— gap analysis, SSP authoring, policy work, control implementation, technology purchases, internal labor. DoD’s small-entity numbers don’t capture the full cost of getting to a passing posture; they assume an entity already substantially compliant with DFARS 252.204-7012 safeguarding obligations and the NIST SP 800-171 controls.
Variance by environment and scope— a 25-person engineering firm with all CUI in a tightly scoped enclave is a different assessment than a 250-person manufacturer with CUI sprawled across email, file shares, and shop-floor systems. Market quotes for the same nominal “Level 2 C3PAO assessment” can vary by 3× or more depending on asset count, sites, and complexity.

Market quote ranges seen in vendor disclosures and industry surveys [NEEDS VERIFICATION via primary quote collection]: RPO gap analyses commonly $5,000–$15,000 depending on size; full readiness programs $25,000–$150,000+; C3PAO Level 2 assessments $50,000–$200,000+ depending on scope. We don’t treat these as authoritative until we publish our own quote-collection methodology.

Why the order of operations matters for your budget

If you call a C3PAO before you’re ready and the assessment doesn’t pass, you don’t just lose the assessment fee. You lose your scheduled C3PAO slot, you trigger remediation costs you would have paid anyway, and you may lose contract eligibility in the interim. The cheapest path through CMMC Level 2 (C3PAO) is the one where you don’t call the C3PAO until you can pass on the first attempt.

Compare scoped quotes from matched providers →

Tell us your Level and scope. We route you to provider categories that match your stage and connect you to verified providers who can return written quotes — not generic package pricing.

Get matched →

The C3PAO readiness gate

Before you call a C3PAO, run this scorecard. It’s the same gate we’d recommend any RPO use with you before they let you schedule an assessment.

Readiness item	Ready?
Required CMMC Status confirmed from solicitation, prime flowdown, or contracting officer	☐
FCI vs. CUI distinction understood for your environment	☐
CUI scope documented in a data-flow map	☐
Complete asset inventory by scope category (in scope, out of scope, contractor risk-managed assets)	☐
Current, environment-specific SSP — not a generic template	☐
Policies and procedures formally approved, not draft	☐
Evidence mapped to NIST SP 800-171A assessment objectives, not just controls	☐
SPRS account, CAGE code, and CMMC UID path understood	☐
POA&M items reviewed for eligibility under 32 CFR § 170.21 (not every control qualifies)	☐
Readiness and assessment-team independence documented per CoPC v2.0	☐

How to read your score:

0–3 checked:You’re in the scoping/RPO phase. Calling a C3PAO now will waste a slot. Focus on scope, SSP, and evidence ownership.
4–6 checked:RPO plus technical remediation. You can begin calendar conversations with C3PAOs to reserve a slot, but don’t sign for an assessment date yet.
7–10 checked: Reasonable to begin C3PAO selection and scheduling in parallel with your final readiness work.

One regulatory detail most contractors don’t see coming

Conditional Level 2 (C3PAO) statusexists under 32 CFR § 170.17. If your final assessment finds open items eligible for a POA&M, you can receive a Conditional status valid for 180 days, during which the POA&M items must be closed and re-verified. If you can’t close them in time, the Conditional status expires — and the cost of re-engagement is on you. Plan for the assessment to result in a Final status. Treat Conditional as the safety net, not the plan.

Get matched with readiness providers who can run the readiness gate against your actual environment →

Not every good readiness provider is an RPO. We route you to RPOs and qualified non-RPO consultants based on your environment and stage.

Find readiness providers →

Phase timing: Phase 1 through Phase 4

Short answer:CMMC is rolling out in four annual phases under 32 CFR § 170.3(e). Phase 1 began November 10, 2025— the effective date of the 48 CFR DFARS final rule that activated DFARS 252.204-7021. Each subsequent phase begins one calendar year later. The phases determine which contracts will require a specific CMMC Status at award; DoD also retains discretion to require higher levels earlier than the default schedule.

Phase	Date range (derived from 48 CFR final rule + 32 CFR § 170.3(e))	Default scope
Phase 1	November 10, 2025 – November 9, 2026	DoD intends to include Level 1 (Self) or Level 2 (Self) as a condition of award for applicable contracts; DoD may, at its discretion, include Level 2 (C3PAO)
Phase 2	November 10, 2026 – November 9, 2027	DoD intends to include Level 2 (C3PAO) for applicable contracts as a condition of award
Phase 3	November 10, 2027 – November 9, 2028	DoD intends to include Level 3 (DIBCAC) for applicable contracts, and to include CMMC requirements as a condition to exercise option periods on existing contracts
Phase 4	November 10, 2028 onward	Full implementation in all applicable DoD solicitations and contracts, including option periods

What this means for your RPO vs. C3PAO timing

If you’re a Level 2 (C3PAO) contractor and you haven’t started readiness, Phase 2 (starting November 10, 2026) is the date that matters. A readiness program plus a C3PAO engagement together can take 9–18 months [NEEDS VERIFICATION: DCR provider-intake/quote dataset], which means contractors starting in mid-2026 are already cutting it close for Phase 2 contracts that bid in the second half of 2026 and award in early 2027.

But — and this is the part most vendors selling urgency leave out — Phase 1 already allows discretionary inclusion of Level 2 (C3PAO) at the contracting officer’s discretion. If your specific contracting office decides to require a C3PAO assessment now, the default schedule doesn’t protect you. Read the solicitation. Don’t assume the phase you’re “supposed to” be in.

How to verify an RPO or C3PAO on the Cyber AB Marketplace

Short answer: Verify every CMMC provider on the official Cyber AB Marketplace at cyberab.org/Catalog. For C3PAOs, look for the status label the Marketplace currently displays for an authorized or accredited assessment body — not Candidate, Pending, or In Process. Only an authorized or accredited C3PAO can perform a Level 2 certification assessment under 32 CFR § 170.17. For RPOs, confirm the firm is listed and employs at least one Registered Practitioner (RP) or Advanced Registered Practitioner (ARP).

The Cyber AB Marketplace ecosystem (most recent published Town Hall figures)

These counts come from the February 2026 and March 2026 Cyber AB Town Hall recaps. They are the most recent published figures we could verify — they are historical, not a live Marketplace snapshot. Ecosystem capacity changes month to month; verify at the Marketplace before making a sourcing decision.

Role	February 2026 Town Hall	March 2026 Town Hall
Authorized C3PAOs	98	103
Registered Practitioner Organizations (RPOs)	378	—
Certified CMMC Assessors (CCAs)	748	759
Lead CCAs	452	—
Certified CMMC Professionals (CCPs)	1,494	—

The capacity reality (and why it matters less than most pages claim)

Industry reporting frequently cites a Level 2 contractor population of 80,000+ across the Defense Industrial Base [NEEDS VERIFICATION against current DoD primary source]. The published count of authorized C3PAOs is just over 100. That math gets quoted constantly as “the C3PAO bottleneck.” It’s worth understanding what it actually means.

Approximately 1,000 organizations had achieved Level 2 certification as of early 2026 — roughly 1% of the population that will ultimately need it [NEEDS VERIFICATION: third-party ecosystem analysis, not DCR-verified primary data]. Practitioner analysis (including a March 2026 Cyber AB Town Hall and a third-party Marketplace ecosystem review) makes a counterintuitive point: the binding constraint isn’t C3PAO capacity. It’s DIB readiness. Approximately 178 new Level 2 certificates were reported issued in March 2026, and the 759 CCAs operating across 103 authorized C3PAOs were not, on average, the bottleneck. The bottleneck was contractors not being ready to be assessed.

The practical takeaway: book your C3PAO slot early — slots really can sit months out — but don’t compress readiness to chase a queue. The contractors that succeed on first-attempt Level 2 (C3PAO) assessments are the ones that didn’t try to short-circuit the readiness phase.

Red flags during Marketplace verification

Candidate, Pending, or In Process C3PAO status. This means the firm has applied or is in the DIBCAC assessment process but is not yet authorized or accredited. They cannot perform a Level 2 certification assessment until that status changes.
Firms holding both RPO and C3PAO credentials.Not disqualifying — but apply the Independence Test above before signing anything that puts both services on the same Statement of Work.
No Marketplace listing at all.Some excellent non-RPO consultants exist. But if a firm claims to be an “official” CMMC provider and isn’t on the Marketplace, ask exactly what credential they’re claiming.

Where MSPs, MSSPs, GRC platforms, and CUI enclaves fit

Short answer:MSPs (Managed Service Providers), MSSPs (Managed Security Service Providers), GRC (Governance, Risk, and Compliance) platforms, and CUI enclaves all play real roles in a CMMC program — but none replaces an RPO or a C3PAO. They operate the controls (MSP/MSSP), organize the evidence (GRC), or reduce the scope (CUI enclave). They don’t prepare you for the assessment the way an RPO does, and they don’t issue the CMMC Status.

Provider type	What they do	What they don’t do	Assessment-scope implication
MSP / MSSP	Operate IT and security tooling — identity, endpoints, logging, monitoring, backup, incident response	Perform the CMMC assessment; certify readiness; replace the RPO’s scoping and SSP work	If an external service provider processes, stores, or transmits CUI, it is generally in scope and requires shared-responsibility documentation
GRC platform	Organize policies, evidence, and POA&M tracking; map controls to NIST SP 800-171 Rev. 2	Implement controls; validate independence; perform an assessment	Reduces evidence overhead but doesn’t change scope
CUI enclave / secure cloud (e.g., GCC High, AWS GovCloud)	Reduce the environment where CUI is processed, stored, or transmitted	Eliminate user, endpoint, or process responsibility; replace the SSP or the assessment	The single biggest scope-reduction lever; the enclave itself is in scope and may have its own CMMC posture requirements

If your MSP or MSSP also holds RPO authorization, that can work — provided the same Independence Test rules apply and the team has hands-on NIST SP 800-171 Rev. 2 implementation experience, not just operational IT chops. The badge doesn’t make the team. The team makes the team.

How to vet an RPO or C3PAO before signing

We treat this as one section because the vetting framework is largely the same: verify the credential, then verify the team, then verify the contract terms.

Verify the credential

For an RPO: Current Cyber AB Marketplace listing, named RPs or ARPs on the engagement, signed CoPC v2.0.
For a C3PAO: Current authorized or accredited status (not Candidate), named CCAs and at least one Lead CCA on your assessment team, current Marketplace listing.

Verify the team

Industry experience matches your environment (manufacturing vs. engineering vs. services vs. software).
Environment fluency matches your stack (GCC High vs. AWS GovCloud vs. on-prem vs. hybrid).
Named individuals on the SOW — not a marketing roster.
For C3PAOs: independence of the assessment team from any prior advisory relationship with you, in writing.

Verify the contract

Written Statement of Work with named deliverables, not “engagement support.”
Defined assessment scope (assets, sites, CAGE codes).
POA&M handling described in the SOW.
Conflict-of-interest disclosure included.
No outcome guarantees — any guarantee of “passing” would violate CoPC v2.0.

Red flags either way

“Guaranteed pass.”
“We’ll certify you” (only the assessment process issues a status; no firm can promise it).
“You don’t need to know your CUI scope first” (you absolutely do).
“Our templates are sufficient.”
Refusal to discuss conflict of interest.
Confusion between Level 2 (Self) and Level 2 (C3PAO).

Common mistakes that cost six figures

These are editorial risk patterns based on the source rules cited in this guide and provider-selection mistakes contractors commonly face. Where a mistake is regulatory, we cite the rule directly.

Hiring a C3PAO for consulting that requires advice or recommendations.Under CoPC v2.0, a C3PAO that provides remediation advice, control implementation guidance, or “here’s how to fix this” coaching has performed prohibited advisory work and is barred from your subsequent certification assessment for three years.
Letting your RPO assess you. Same rule, opposite direction. The advisory work locks them out of the certification assessment.
Scoping too broadly.The single biggest cost lever in any CMMC program is scope. Pull CUI into a tightly scoped enclave wherever you can — assessment cost, technology spend, and ongoing operational burden all follow scope.
Waiting for the contract clause to appear before starting.Phase 1 began November 10, 2025. Readiness plus C3PAO scheduling can take 9–18 months [NEEDS VERIFICATION]. If you’re a Level 2 (C3PAO) contractor and you haven’t started, start now.
Assuming ISO 27001 or SOC 2 equals CMMC ready.There’s overlap, not equivalence. NIST SP 800-171 Rev. 2 has 110 security requirements organized into 14 control families, and the gap between an ISO 27001 program and a passing Level 2 assessment depends entirely on which controls were implemented and how the evidence was documented. Treat it as a gap-analysis question, not a substitution.
Trusting verbal claims of authorization. Always check cyberab.org/Catalog directly.
Forgetting subcontractor flowdown. DFARS 252.204-7021 requires the contractor to include the substance of the clause in applicable subcontracts and ensure subcontractors have current CMMC status at the required level before processing, storing, or transmitting FCI or CUI on subcontractor information systems.

Documents to have ready before you call a C3PAO

This is the artifact list a C3PAO will expect to review during your Level 2 (C3PAO) assessment. If most of these aren’t in place, you’re not ready — keep working with your RPO.

Contract or prime flowdown language specifying CMMC Status required
CUI data-flow map covering people, processes, and technology
Asset inventory by scope category (in scope, out of scope, contractor risk-managed)
Current SSP (environment-specific, version-controlled, approved)
Network diagram showing CUI boundary
Formal, approved policies and procedures (not drafts)
Evidence package mapped to NIST SP 800-171A assessment objectives
SPRS posting, CAGE code, CMMC UID path
POA&M with eligibility-checked items only (per 32 CFR § 170.21)
Cloud and external service provider documentation, including shared responsibility matrices
Incident response plan with test evidence
Access control and MFA evidence (configurations, exceptions, monitoring)
Logging and monitoring evidence
Backup and recovery evidence with test results
Subcontractor flowdown records

If you have all of this, you’re ready for a C3PAO conversation. If you have less than half of it, talk to an RPO first.

Frequently asked questions

What does RPO stand for in CMMC?

RPO stands for Registered Practitioner Organization. It’s a Cyber AB credential for advisory firms that deliver non-certified CMMC readiness services through Registered Practitioners (RPs) and Advanced Registered Practitioners (ARPs). RPOs do not conduct CMMC certification assessments.

What does C3PAO stand for?

C3PAO stands for CMMC Third-Party Assessment Organization. It’s a Cyber AB–authorized or accredited assessment body that conducts Level 2 certification assessments through Certified CMMC Assessors (CCAs) and Lead CCAs. The C3PAO submits assessment results into the CMMC instantiation of eMASS per 32 CFR § 170.17.

Can an RPO certify my company?

No. An RPO provides advisory and readiness services only. Under 32 CFR Part 170, a Level 2 (C3PAO) status can only be issued through an authorized or accredited C3PAO’s certification assessment.

Do I need a C3PAO for CMMC Level 1?

No. Level 1 is a self-assessment path under 32 CFR § 170.15, with annual affirmation posted in SPRS. A C3PAO is not required for Level 1 (Self).

Do I need a C3PAO for CMMC Level 2?

It depends on which Level 2 variant your contract requires. Level 2 (Self) is a self-assessment posted in SPRS with annual affirmation and does not require a C3PAO. Level 2 (C3PAO) requires an authorized or accredited C3PAO to perform the certification assessment under 32 CFR § 170.17.

Can the same company be my RPO and C3PAO?

Not on the same engagement. The Cyber AB CoPC v2.0 prohibits a C3PAO — both the organization and every member of the assessment team — from performing your Level 2 certification assessment if it provided preparatory, advisory, or consulting services to you within the prior three years. A firm can hold both credentials; it can’t deliver both services to the same OSC within that lookback window.

Can a C3PAO conduct a mock assessment for me without disqualifying themselves?

Possibly, but only as a non-certification assessment under CoPC v2.0 — no certificate or status, no eMASS submission, no recommendations, no advice, no consultative information. Ask in writing whether the engagement triggers the three-year CoPC lookback before signing.

How long is a CMMC certification valid?

Per DFARS 252.204-7021, a Final Level 2 (C3PAO) status must be current — not older than three years from the CMMC Status Date — and annual affirmation of continuous compliance is required in SPRS.

What’s the difference between Registered Provider Organization and Registered Practitioner Organization?

They refer to the same Cyber AB credential. The Cyber AB has used both terms over time; current materials use Registered Practitioner Organization. The abbreviation RPO is unchanged.

Who performs Level 3 assessments?

Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC), not by C3PAOs. Level 3 requires a Final Level 2 (C3PAO) status as a prerequisite and incorporates a subset of NIST SP 800-172 controls in addition to NIST SP 800-171 Revision 2.

Does NIST SP 800-171 Rev. 3 replace Rev. 2 for CMMC Level 2?

Not currently. CMMC Level 2 maps to NIST SP 800-171 Revision 2 under 32 CFR Part 170 as the rule stands today. DoD has not amended the rule to incorporate Rev. 3. Watch the Federal Register for any future rule change.

What happens if my C3PAO assessment finds open items?

Per 32 CFR § 170.17, if your open items are eligible for a Plan of Action and Milestones (POA&M), you can receive a Conditional Level 2 (C3PAO) status valid for 180 days. The POA&M items must be closed and re-verified within that window. If they’re not, the Conditional status expires.

Is this legal advice?

No. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This is editorial analysis grounded in primary sources. Confirm contract-specific obligations with your contracting officer, counsel, or a qualified advisor before making decisions that affect your CMMC posture.

Need help deciding what type of CMMC provider you need?

Get matched with verified providers in 60 seconds.

Tell us your CMMC Level, scope, environment, and timeline. We route you to providers in the category that fits your stage — RPO/readiness, C3PAO assessment, MSP/MSSP for operations, GRC platform, or CUI enclave — and connect you to a verified named provider when you’re ready. We do not ask for CUI, contract numbers, system diagrams, vulnerabilities, or sensitive security details.

Get matched with verified CMMC providers →Download the free CMMC Readiness Checklist →

About this page

Byline:: The Defense Compliance Report Editorial Team
Last verified:: May 27, 2026
Refresh cadence:: Quarterly, and immediately on any change to 32 CFR Part 170, DFARS 252.204-7021, the Cyber AB Code of Professional Conduct, or the Cyber AB Marketplace ecosystem counts.

Corrections:If you find a regulatory citation on this page that doesn’t match the primary source, email corrections@thedefensecompliancereport.com. We publish corrections with a visible “Updated [date]” notice. Our full Corrections Policy is on file.

Editorial independence: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. We do not operate as an RPO, C3PAO, MSP, MSSP, or CMMC consultancy. Our matching service routes readers to verified providers; some providers may compensate DCR for introductions or sponsored placements, which never changes the regulatory explanation on this page and is disclosed on provider-specific review pages under our Editorial & Advertising Policy.

Primary sources cited on this page

Related guides

The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance.