Within the CMMC ecosystem, there are numerous certifications, acronyms, and designations that contractors will have to interact with throughout the duration of their time in the Defense Industrial Base (DIB). One of the most common credentials that managed service providers (ESPs under CMMC parlance) will boast about is their RPO or RP status. Many will claim to be CMMC experts, but how far can an RPO status really take you? Below we will outline what an RPO is, what it can or cannot do, and why it is important to partner with a certified MSP to achieve CMMC compliance.
What is an RPO?
Under CMMC, any contractor working within the DIB that has access to CUI or FCI must comply with CMMC requirements and, in many cases, undergo an extensive third-party audit. However, prior to the audit, many contractors will need help implementing the 320 controls that are outlined in NIST 800-171. To meet this demand, many companies pursue the Registered Practitioner Organization (RPO) status for their organization. An RPO, in turn, is made up of RPs, or Registered Practitioners.
RPOs receive their designation and are documented by the Cyber AB, a non-government partner of the U.S. DOD that is responsible for "implementing and overseeing the CMMC conformance regime".
How Do You Achieve RPO or RP Status?
To receive the RP status, an individual must pay $600 for the application, training, and testing. This training provides individuals with a foundational understanding of the basics of the CMMC model, what constitutes FCI, prime and subcontract flow, tools for implementing the CMMC Level 1 framework, and a high-level overview of assessment scoping. RPs must register with the Cyber AB, be able to pass a commercial background check, and complete the course exam. This process can be accomplished in approximately 3 weeks. RPOs must pay $1,000 for the application, training, and testing, and must also be associated with, at minimum, one Registered Practitioner.
What Can an RPO Do?
- Provide CMMC Consulting: An RPO is able to provide consulting to DoD contractors and help them understand CMMC requirements and how to best prepare for their certification.
- Basic Gap Assessments: RPOs are able to conduct a basic gap assessment that identifies any deficiencies in an organization's compliance posture. They are then able to suggest remediation steps.
- Assist with Documentation: RPOs are able to help in drafting the required documents a contractor needs for CMMC. This includes the SSP (System Security Plan), the POAM (Plan of Action & Milestones), and others.
- Training: RPOs may provide training and educate employees on CMMC compliance and the necessity of following best cybersecurity practices.
What Can't an RPO Do?
- Perform Official CMMC Assessments: An RPO is not authorized to perform a third-party audit of your CMMC compliance. You cannot receive certification through an RPO.
- Guarantee Certification: An RPO cannot guarantee certification status for an organization seeking certification (OSC).
- Implementation: An RPO is not guaranteed to have the expertise necessary to implement the required controls for CMMC.
While an RPO can offer guidance and support for CMMC compliance, its ability to provide hands-on assistance is highly limited. For example, an RPO can advise on MFA (multi-factor authentication) implementation, but RPOs only provide guidance: they cannot deploy and manage the solution for you.
Why is CorpInfoTech, as an RPO, Different?
CorpInfoTech is a registered RPO under the Cyber AB; however, we took the process a step further by becoming Level 2 certified via a third-party audit. We have spent the last several years tracking the progress of CMMC and making the necessary implementations to pass our audit with a perfect 110 score. As an RPO, we are able to provide guidance and support through the implementation process, but as a certified MSP we are able to do the actual work of ensuring compliance.
Through TAS for CMMC Compliance, DoD contractors are able to achieve and maintain CMMC compliance in a much faster and more flexible manner. Organizations that partner with CorpInfoTech will automatically inherit 200+ of the 320 objectives required by CMMC. Through these pre-certified checks, contractors can go into their audit with greater confidence in their compliance posture. This makes the implementation process faster and significantly cheaper, using proven technologies in which CorpInfoTech has expertise.
Self-Certified vs C3PAO Certified
Under the published CMMC final rule, MSPs may claim that they are "self-certified". For contractors, this is not a guarantee that the MSP is able to protect CUI. In fact, your MSP is still considered in scope for your audit, and a failure on their part is a failure for your organization. MSPs that have undergone a C3PAO audit and have been deemed compliant are able to offer pre-certified services to their clients. Your organization will receive an SRM (shared responsibility matrix) that outlines which controls are the responsibility of your MSP and which belong to your organization. If the MSP has been certified, any control that you inherit from the MSP is "pre-certified" and is regarded with less scrutiny. It is always a safer option to partner with a C3PAO-certified MSP than a self-certified one.
CorpInfoTech is a CMMC Level 2 (C3PAO) certified MSP; we passed our audit with a perfect 110, making us one of the first MSPs to achieve Level 2 compliance.
CorpInfoTech has been through the CMMC certification process, and we have insights from direct assessment experience. We can help you down your CMMC compliance pathway. Get your questions answered today: reach out!