What is a CMMC Registered Provider Organization?

By Corey Shields | December 8, 2020
Corey is the Digital Marketing Manager at Ntiva, and brings with him over a decade of working in the information technology and services industry.

Failing to take the right steps to protect your sensitive information can end in catastrophe, and the US Department of Defense knows that better than anyone.

That’s why the DoD came up with the Cybersecurity Maturity Model Certification, CMMC for short.

The CMMC was put in place to normalize and standardize cybersecurity preparedness across the federal government’s defense industrial base (DIB), and it’s the highest level framework for cybersecurity practices and processes out there.


New call-to-action


The Cybersecurity Maturity Model Certification

The overall goal of the CMMC is to set crystal clear expectations when it comes to cybersecurity. It sets out clear guidelines for what the metrics are and how the federal government audits and reviews government contractors for meeting the CMMC standard.

 In the first CMMC announcement from January 2020, the opening line stated that “by the end of September, the Defense Department will require at least some companies bidding on defense contracts to certify that they meet at least a basic level of cybersecurity standards when responding to a request for proposals.”

UPDATE 30NOV20 - The DoD has released an Interim Rule mandating that all government contractors submit a self-assessment based on NIST SP 800-171 to SPRS before they can even be considered eligible for any contract award.

These “cybersecurity standards” are what the CMMC is focused on delivering.

By putting standards in place, this program gives the department a mechanism to certify the cyber readiness of the largest defense contractors.

Considering about $600 billion is lost through cyber theft each year, getting the CMMC up and running was a completely necessary step.


What is the CMMC-AB?

The CMMC-AB is the independent accreditation body that’s responsible for training and assessing members of the DoD contractor community.

The accreditation board is made up of 13 high-ranking members of the DIB and cybersecurity community, so they know their stuff when it comes to keeping data and information technology secure.

By the year 2025, all DoD suppliers will need to go through the certification process and CMMC assessment with the AB if they plan to bid on DoD contracts.

Under the CMMC-AB, there are different levels to determine cybersecurity maturity, ranging from 1 to 5 (1 being the most basic and 5 being the most sophisticated).


What is a CMMC RPO?



Now that we’ve covered the basics of CMMC and CMMC-AB, we can finally get into the next acronym: CMMC RPO.

This stands for Cybersecurity Maturity Model Certification Registered Provider Organization, and even though it’s a mouthful, it’s actually a pretty simple concept.

 Companies that are given the CMMC RPO seal are ones that are “cyber-knowledgable” and have a good understanding of CMMC requirements and protocols.

It’s also a tell-tale sign that a company follows the Code of Professional Conduct set in place by the CMMC-AB.

The main role of CMMC RPOs is to provide CMMC consulting and support to organizations that are seeking CMMC certification.

The C3PAO, short for CMMC Third-Party Assessor Organization, is a similar certification, but the main difference between C3PAO and CMMC RPO is that an RPO can not conduct assessments while a C3PAO can.

What are the Requirements for Becoming an RPO?

CMMC RPOAccording to the official CMMC-RPO page, there are 4 requirements for moving ahead with this certification:

  1. Receive authorization from the CMMC-AB after registering
  2. Sign the RPO agreement with the Accreditation Body (this document is sent to applicants for review)
  3. Must pass an Organizational Background Check via data provided to the CMMC-AB by Dun & Bradstreet and have a DUNS number
  4. At least one Registered Practitioner (RP) must be associated with the RPO at all times (there’s a 30-day grace period for this)


The 4-Step Registration Process

In order to be deemed knowledgeable on all things cybersecurity and officially approved as a registered provider of the CMMC, there’s some work involved.

Here’s a complete breakdown of how the RPO registration process works:

Step 1

These “US person-owned” companies aren’t just handed their registration on a silver platter; they have to go through an intensive online application process and pass an organization background check. And that’s just the first step of the process.

Step 2

The next step is to train and hire a CMMC registered practitioner. This is the individual who will be responsible for everything associated with the RPO once it’s officially registered. The CMMC training is entirely online, and more than one RP can be trained depending on the organization’s needs and expectations.

Step 3

Once the RP is trained, another background check has to be done for that individual. Every RP that goes through the training has to be checked.

Step 4

Step 4 is simple - it’s when everything comes together and registration is officially complete. Once an organization gets to this point, the registration is valid for 1 year, and there’s a $5000 fee (which can only be refunded within 30 days) that you’ll need to dish out annually.


What Are the Benefits of Becoming an RPO?

The main reason the RPO program was put into effect is to give organizations the opportunity to provide CMMC consulting without actually having to be a certified advisory service.

That’s a huge advantage, but here are a few more perks that come along with the RPO registration:

  • Authorized to represent the organization as familiar with the basic constructs of the CMMC Standard with a CMMC-AB provided logo
  • Deliver non-certified CMMC Consulting Services
  • Signifies that you have agreed to the CMMC-AB Code of Professional Conduct
  • Listed on the CMMC-AB Marketplace


Why Do I Need to Work with an RPO?

At this point you might be wondering, what does the CMMC mean to me and why should I care?

Well, working with a CMMC certified professional is the easiest way to know that you’re dealing with someone who has been fully trained in cybersecurity according to DoD standards.  

In a world where cyber threats are becoming more real by the minute, that in itself is a big deal and reason enough to work with RPOs.

Ntiva is now a CMMC-AB RPO, which means we are accredited to provide CMMC consulting and support to Organizations Seeking Certification (OSC) in the Defense Industrial Base (DIB).

Contact us if you need any help with your NIST SP 800-171 or CMMC certifications!


New call-to-action

Tags: Government Contractor