How to become a CMMC Registered Provider Organization (RPO)
The Cybersecurity Maturity Model Certification (CMMC) program tests the security posture of a vendor that wishes to contract with the Department of Defense (DoD). The CMMC program is built upon five security levels of increasing maturity, each designed to meet the security requirements of the U.S. government. A vendor looking to certify at a given level in order to contract with the DoD must prove its suitability for the contract via CMMC certification. Achieving this certification requires external help in the form of advisors, consultants and assessors. A Registered Provider Organization (RPO) is one of the entities within an ecosystem of players that help an Organization Seeking Certification (OSC) through the process of achieving certification.
What is a CMMC Registered Provider Organization (RPO)
The CMMC framework consists of five levels designed to demonstrate that an organization has taken measures to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The CMMC draws on other existing cybersecurity standards, such as NIST SP 800-171 and DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012. The result is a framework of best practices and guidelines spread across the five increasing maturity levels of security.
An independent assessment must be made, resulting in certification if requirements are met. A Registered Provider Organization (RPO) plays a part in helping in this certification process. An RPO employs personnel who have a deep knowledge of the CMMC model and its five security levels. This knowledge is used to help advise a company in its implementation of the necessary structure, measures and processes to meet the requirements of any given level.
A Registered Provider Organization (RPO) must be registered with the CMMC-AB (CMMC Accreditation Body), which provides the certification pathway to become an RPO. Once accredited, an RPO is able to manage Registered Practitioners (RPs). An RP and an RPO can provide advice, consulting and recommendations to their clients on meeting CMMC requirements. The CMMC-AB describes RPOs as “implementers” and consultants: an RPO may assist a client during a CMMC assessment, but it cannot conduct a certified CMMC assessment.
The CMMC certification process takes around six months to complete and requires security skills and a deep understanding of the CMMC levels and how to achieve them. An RPO can help take the load off a company attempting to reach a CMMC level and offer the skills needed to take the company through certification.
How do I become a CMMC RPO?
There are specific prerequisites for any organization wishing to be accredited as an RPO:
- Pass an organizational check and a background check on any RP employed by the RPO. This includes obtaining data from Dun & Bradstreet, including a DUNS number.
- A “U.S. person” must own the organization
- At least one Registered Practitioner (RP) must always be associated with the RPO (there is a 30-day grace period to hire/train an RP)
- Sign an RPO agreement with a commitment to comply with the CMMC-AB Code of Professional Conduct.
- Be registered with the CMMC-AB to receive authorization and use the official logo distributed by the CMMC-AB.
- Pay the fees of $1,000 for the application and the annual registration fee of $4,000, along with yearly maintenance fees of $5,000.
Once registered, an RPO becomes part of the broader CMMC ecosystem that contains other bodies, including:
- CMMC Third-Party Assessment Organization (C3PAO)
- Organization Seeking Certification (OSC)
- Licensed Partner Publisher
- Licensed Training Provider
How can a CMMC Registered Provider Organization (RPO) stand out from the crowd?
The DoD has around 300,000 contractors known as the Defense Industrial Base (DIB).
This massively extended ecosystem of vendors is a prime target for attacks against the DoD, hence the importance of vendors having CMMC compliance. A 2020 Accenture report, “State of Cyber Resilience 2020,” points out the focus of attacks on the supply chain:
“Indirect attacks against weak links in the supply chain now account for 40 percent of security breaches.”
This security environment requires expertise in attack tactics and methodologies, and in the measures that prevent, detect and mitigate cyberattacks. For an RPO to stand out from the RPO crowd, the following skills and expertise will help:
- A long history of DoD expertise: for example, experience of working with security frameworks such as the NIST Cybersecurity Framework and ISO 27001, in addition to CMMC itself.
- Employing staff as Registered Practitioners who have the necessary security skills and the certifications to demonstrate their skill levels.
- Having an effective collaboration model that reflects your ability to work closely with the client during the CMMC process.
Are we too small to become an effective CMMC Registered Provider Organization (RPO)?
RPOs help suppliers prepare for the CMMC assessment and certification. They do not assess an organization or issue a CMMC certificate. As long as the RPO employs at least one skilled RP and goes through the accreditation process to become an RPO, it can offer RPO skills and consultancy to a DIB client. In this way, a smaller organization can offer RPO services before handing the client over to a C3PAO, which takes the client through the formal certification process.
There is massive potential for growth for an agile and skilled RPO. Since September 2020, many RFIs have required CMMC certification. By 2026, all DoD contracts will require CMMC certification at some level. Only 1% of DIB companies have implemented all 110 NIST practices (CMMC certification is based on specific NIST frameworks). Companies must act now if they wish to bid on DoD contracts in the coming years. Initial certification, as well as moving between levels, provides ample opportunities for an RPO. Now is the time to grow an RPO offering, as the need across the DIB continues to grow through 2026.
Sources
Infosec, CMMC eBook
Accenture, State of Cyber Resilience 2020
National Defense Magazine, New Cybersecurity Standards Pose Challenges for Industry
Federal News Network, Why DoD’s decision to make cybersecurity an ‘allowable cost’ matters