CMMC Registered Provider Organization (RPO)

Do you need to comply with DFARS 252.204-7012? If so, you must implement all 110 NIST 800-171 controls to be awarded new defense contracts and to avoid fines.

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has approved Beryllium InfoSec Collaborative as a Registered Provider Organization (RPO). In response, Beryllium has developed a suite of consulting services to help organizations prepare for an official CMMC assessment and certification.

CMMC specifies a set of cybersecurity practices and processes that all contractors must implement, and keep in place at all times, in order to be awarded new business contracts with the U.S. Department of Defense (DoD). The goal of CMMC is to prevent unauthorized personnel from accessing sensitive defense information, such as Controlled Unclassified Information (CUI). Beginning in 2021, independent CMMC Third Party Assessment Organizations (C3PAO) will begin to verify a DoD contractor’s compliance with CMMC.

Do you need to comply with DFARS 252.204-7012? If so, you must implement all 110 NIST 800-171 controls in order to avoid missing out on new contract awards from the DoD. Get DFARS/NIST 800-171 compliant with CUICK TRAC™ today by calling 763-546-8354 or scheduling a free consultation with our cybersecurity experts.


The CMMC-AB is an independent accreditation body that manages the CMMC on behalf of the DoD. It initially launched in June 2020 and formally announced in August 2020 that it was accepting applications for five types of credentialed roles within the CMMC ecosystem. These include the following:

  • C3PAOs
  • Certified Assessors (CAs)
  • Certified Professionals (CPs)
  • Licensed Partner Publishers (LPPs)
  • Registered Practitioners (RPs)
  • Registered Provider Organizations (RPOs)

DoD contractors and organizations seeking certification (OSC) need to understand these roles because suppliers will be hiring organizations with these approved and designated roles. Furthermore, service providers may serve in more than one of these roles.

Speak With a NIST Security Expert at Beryllium InfoSec Today
Get a Free Consultation

Registered Provider Organization RPOs

The CMMC-AB authorizes C3PAOs to conduct CMMC assessments, and they can also provide advice on passing those assessments for clients they’re not going to be assessing. However, RPOs aren’t authorized to perform CMMC assessments. Instead, their sole purpose is to provide consulting services in support of Organizations Seeking Certification within the Defense Industrial Base (DIB).

The CMMC-AB intends for organizations with the RPO designation to advise DoD contractors on how they can prepare for a CMMC assessment. Its goal is to provide OSCs with confidence that the contractors they hire meet CMMC security requirements, using the published CMMC assessment guides. However, many disreputable organizations are falsely claiming they can already provide contractors with CMMC certification. While this isn’t possible (yet) at the time this post was written, an RPO does have the basic training needed to understand the steps contractors must perform to prepare for CMMC.

RPOs provide an opportunity for organizations who want to be cybersecurity consultants, according to the CMMC-AB. It allows them to obtain the necessary training and qualifications while strengthening their ties to the CMMC ecosystem. RPOs also help the CMMC-AB understand who the players are in information security and what they’re doing, although the RPO designation isn’t necessary to work in that space.

Registered Provider Organization Requirements

The requirements for an organization to become an RPO include ownership by U.S. citizens and passing a background check. It must also register with the CMMC-AB, which requires a commitment to comply with the CMMC-AB Code of Professional Conduct. An organization must have an RP as an employee or contractor at all times to remain an RPO. 


An organization must display a certain level of commitment to be a CMMC-AB RPO, including qualified personnel on staff, training, and ongoing financial expenditures. RPOs can immediately begin operating in this capacity while working towards other CMMC designations such a C3PAO. C3PAOs will also be able to help their clients obtain CMMC certification when they become available.

Do you need to get ready for a CMMC audit? In order to be awarded new defense contracts in the near future, and to avoid potential fines, you must implement NIST 800-171 controls. Learn how by contacting us at 763-546-8354  or schedule your free consultation today.

Derek White
Director of Business Development
Derek’s success comes from his customer first mentality, utilizing collaboration between security and technology, to create positive outcomes & compliant solutions.

Speak With a NIST Security Expert at Beryllium InfoSec Today

To reach us please fill out the form below.