CMMC Registered Provider Organization (RPO)

Do you need to comply with DFARS 252.204-7012? A CMMC RPO can help you implement all 110 NIST 800-171 controls to be awarded new defense contracts and avoid fines.
This article is written based on CMMC version 1.0, and may not reflect the updated requirements of CMMC 2.0.

For the latest information on CMMC 2.0, please click here.

The Cybersecurity Maturity Model Certification Accreditation Body (CMMC-AB) has approved Beryllium InfoSec Collaborative as a Registered Provider Organization (RPO).

To be listed as an RPO on the CMMC-AB Marketplace, Beryllium has passed the Organizational Background Check and signed the RPO agreement, indicating our commitment to comply with the CMMC-AB Code of Professional Conduct.

Our team has also developed a suite of consulting services to help organizations understand CMMC standards, maturity levels, compliance requirements and prepare for an official CMMC assessment and certification.

CMMC specifies a set of cybersecurity requirements, practices and processes that all contractors must implement, and keep in place at all times, in order to be awarded new business contracts with the U.S. Department of Defense (DoD). The goal of CMMC is to prevent unauthorized personnel from accessing sensitive defense information, such as Controlled Unclassified Information (CUI). Beginning with CMMC 2.0, independent CMMC Third Party Assessment Organizations (C3PAO) will begin to verify a DoD contractor’s compliance with CMMC.

Do you need to comply with DFARS 252.204-7012? If so, you must implement all 110 NIST 800-171 controls in order to avoid missing out on new DoD contracts. Get DFARS/NIST 800-171 compliant with cuick trac™ today by calling 763-546-8354 or scheduling a free consultation with our cybersecurity experts.

Speak With a NIST Security Expert at Beryllium InfoSec Today
Get a Free Consultation

CMMC-AB Certifications

The CMMC-AB is an independent accreditation body that manages the CMMC on behalf of the DoD. It initially launched in June 2020 and formally announced in August 2020 that it was accepting applications for five types of credentialed roles within the CMMC ecosystem. These include the following:

  • C3PAOs
  • CMMC Certified Assessors (CCAs)
  • CMMC Certified Professionals (CCPs)
  • Licensed Partner Publishers (LPPs)
  • Licensed Training Partners (LTPs)
  • Registered Practitioners (RPs)
  • Registered Provider Organizations (RPOs)

DoD contractors and organizations seeking certification (OSC) need to understand these roles because suppliers will be hiring organizations with these approved and designated roles. Furthermore, service providers may serve in more than one of these roles.

The role of CMMC RPO Certification in CMMC Compliance

The CMMC-AB authorizes C3PAOs to conduct CMMC assessments, and they can also provide advice on passing those assessments for clients they’re not going to be assessing. However, RPOs aren’t authorized to perform CMMC assessments. Instead, their sole purpose is to provide CMMC consulting services in support of government contractors, supply chain/ DoD suppliers, and organizations seeking certification within the Defense Industrial Base (DIB).

The CMMC-AB intends for organizations with the RPO designation to advise DoD contractors on how they can prepare for a CMMC assessment. Its goal is to provide OSCs with confidence that the contractors they hire meet CMMC security requirements, using the published CMMC assessment guides.

However, many disreputable organizations are falsely claiming they can already provide contractors with CMMC certification. While this isn’t possible (yet) at the time this post was written, CMMC registered practitioners do have the basic training needed to understand the CMMC requirements contractors must perform to prepare for certification based on their CMMC level .

RPOs provide an opportunity for organizations who want to be cybersecurity consultants, according to the CMMC-AB. It allows them to obtain the necessary training and qualifications while strengthening their ties to the CMMC ecosystem. RPOs also help the CMMC-AB understand who the players are in information security and what they’re doing, although the RPO designation isn’t necessary to work in that space.

Registered Provider Organization Requirements

The requirements for an organization to become an RPO include ownership by U.S. citizens and passing a background check. It must also register with the CMMC-AB, which requires a commitment to comply with the CMMC-AB Code of Professional Conduct. An organization must have an RP as an employee or contractor at all times to remain an RPO.


An organization must display a certain level of commitment to be a CMMC-AB RPO, including ownership by "US Persons," qualified personnel on staff, training, and ongoing financial expenditures. RPOs can immediately begin operating in this capacity while working towards other CMMC designations such a C3PAO. C3PAOs will also be able to help their clients obtain CMMC certification when they become available.

Do you need to get ready for a CMMC audit? In order to be awarded new defense contracts in the near future, and to avoid potential fines, you must implement NIST SP 800-171 controls. Learn how by contacting us at 763-546-8354  or schedule your free consultation today.

Derek White
Chief Product Officer
Derek’s success comes from his customer first mentality, utilizing collaboration between security and technology, to create positive outcomes & compliant solutions.

Speak With a NIST Security Expert at Beryllium InfoSec Today

To reach us please fill out the form below.