Registered Provider Organization
Also known as: RPO, CMMC RPO
A Registered Provider Organization (RPO) is a consulting firm registered with the Cyber AB to advise and prepare defense contractors for CMMC, without conducting assessments. RPOs implement controls and get companies ready; only a C3PAO can perform the certification assessment, and conflict-of-interest rules keep the two roles separate on any given scope.
In more detail
Registration signals that the firm has agreed to the Cyber AB code of conduct and employs registered practitioners; it is not a government license, and hiring an RPO is never required at any CMMC level.
At CMMC Level 1 the calculus is simple: the 15 FAR 52.204-21 requirements are self-assessed, so an RPO is one of several optional ways to get help, alongside consultants, MSPs, and guided software. Most FCI-only contractors can reach a defensible affirmation without one.
Related terms
- CMMC Third-Party Assessment Organization
A CMMC Third-Party Assessment Organization (C3PAO) is an entity accredited by the Cyber AB to perform CMMC Level 2 assessments on behalf of DoD contractors. C3PAOs are not used at Level 1, which is exclusively self-assessed, and they are not used at Level 3, which is assessed by DIBCAC.
- Cyber AB
The Cyber AB is the sole accreditation body for the CMMC ecosystem. It is responsible for authorizing and accrediting C3PAOs, Certified CMMC Assessors (CCAs), Certified CMMC Professionals (CCPs), and Registered Practitioners (RPs).
- Certified CMMC Assessor
A Certified CMMC Assessor (CCA) is an individual credentialed by the Cyber AB to lead CMMC Level 2 assessments under a C3PAO. CCAs are not required for Level 1, and the credential itself does not authorize anyone to issue a Level 1 certification.
- Certified CMMC Professional
A Certified CMMC Professional (CCP) is the baseline credential issued by the Cyber AB for individuals participating in the CMMC ecosystem. CCPs may serve as assessment team members under a CCA, but the credential alone does not authorize them to lead assessments or issue certifications.
- Managed Service Provider
A Managed Service Provider (MSP) is an outsourced IT services firm that operates portions of a contractor's information environment. Under CMMC, an MSP that handles FCI is treated as an External Service Provider and must meet the applicable safeguarding requirements for the in-scope environment it manages.