What is a CMMC RPO?

CMMC rpo

Throughout 2020, the U.S. Department of Defense released details surrounding the Cybersecurity Maturity Model Certification (CMMC) requirements for companies in the defense industrial base (DIB). These new consolidated cybersecurity requirements are driving suppliers and contractors to dedicate time, money, and other resources to strengthen their cybersecurity strategy to meet compliance. Depending on the company’s existing cybersecurity posture, some will have much more work to do than others, and they will all need professional guidance.

It’s no surprise that the market has been recently flooded with consulting firms claiming to be experts in CMMC compliance requirements. Keep in mind that not all third-party consultancies are created equal. As a small business, we understand how important it is to properly vet vendors, and make sure you’re getting the most out of every dollar you assign to projects like these.

The CMMC Accreditation Body (CMMC-AB) has introduced five certifications and authorizations to differentiate entities offering CMMC compliance services. These are:

  • Certified Third-Party Assessor Organizations (C3PAO)
  • Registered Provider Organizations (RPO)
  • Registered Practitioners (RP)
  • Certified Professionals (CP)
  • Certified Assessors (CA)

We’re happy to provide some details regarding the RPO authorization, and what is involved.

RPOs like The Greentree Group are authorized by the CMMC AB to provide consulting services to government contractors and other companies in preparation for their CMMC assessments. We can also assist during these assessments if there is a finding that will prevent you from attaining your desired CMMC maturity level. However, we do not conduct certification assessments, and we do not grant certified status. Only C3PAOs are equipped to conduct these certification assessments. As an RPO, we are here to provide CMMC guidance and support to companies impacted by these new regulations. It’s important to remember that C3PAOs cannot provide guidance unless they’re also certified as an RPO – and even then, they cannot offer the same services (assessment + guidance) to the same company.


WHAT GOES INTO BECOMING AN RPO

A company must do the following to become certified as a CMMC RPO:

  1. Be an entity owned by a “US person”.
  2. Be registered with the CMMC-AB in order to receive authorization to use the official logo distributed by the CMMC-AB.
  3. Sign an RPO agreement, reflecting a commitment to comply with the CMMC-AB Code of Professional Conduct.
  4. Clear an organizational background check.
  5. Have at least one Registered Practitioner (RP) on their team. An RP is specially trained and authorized by the CMMC-AB to deliver “non-certified advisory services informed by basic training on the CMMC standard” at all times.
  6. Pay an annual registration fee.

These requirements put in place by the CMMC-AB are helpful for companies seeking certification because they provide a measure of legitimacy. As with any new regulations or rules, there will be many companies claiming to be experts in the field, and competing for your business. By selecting a company that has attained its RPO authorization, businesses can be confident that their choice is well suited for the job and committed to CMMC standards.


CHOOSING THE RIGHT CMMC RPO FOR YOUR COMPANY

RPO authorization is an important consideration when choosing a provider- but there are other things you should keep in mind. Other important questions you may want to ask –

  • How much experience does the RPO have in cybersecurity and maintaining compliance in highly regulated spaces?
    • The Greentree Group has supported both DoD programs and DIB clients with obtaining and maintaining required cybersecurity compliance for over a decade
  • Do they have experience with other frameworks such as CIS CSC, NIST SP 800-53, NIST SP 800-171, and ISO 27001?
    • Greentree has cybersecurity experts for the cybersecurity framework you require
  • How knowledgeable are they about the defense contracting environment?
    • Greentree’s cybersecurity team has a combined 50+ years of defense contracting experience
  • How many years have they been in business? Are they well-established?
    • The Greentree Group has been in business for 26 years with an established reputation for excellence in customer support
  • How easy is it for the provider to scale efforts appropriate to your business?
    • We support clients of all different sizes and architectures, as your business grows our support for your cybersecurity needs can grow with you

Note: Back To Business I.T. is a service brand of The Greentree Group.


WHY IS THE RPO AUTHORIZATION IMPORTANT FOR YOUR BUSINESS?

The new CMMC-AB authorization process for RPOs is an effective way for companies to sift through the increasing chatter in the CMMC consultancy space. The RPO certification signals that a consulting firm is invested in the CMMC space, and has committed to cybersecurity best practices. By visiting the CMMC marketplace, companies can look for certified RPOs in their area and reach out on their own terms.

We are authorized by the CMMC-AB as an RPO, and ready to guide your business along in the CMMC journey. Are you ready to learn more? Fill out this form and one of our cybersecurity experts will be happy to provide more information about CMMC compliance.

The Greentree Group is a CMMC Registered Provider Organization (RPO)

CMMC Registered Provider Organization

We are now a Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) authorized by the CMMC-AB.

This new achievement solidifies our position as a leader in CMMC compliance solutions and services meant to protect government data in defense contractor systems. According to the National Accreditation Board, CMMC-AB is an independent accreditation body “responsible for establishing, managing, controlling, and administering the CMMC assessment, certification, training, and accreditation processes for the Department of Defense (DoD) supply chain.” Our new Registered Provider Organization (RPO) status reflects our commitment to the CMMC Accreditation Body (AB) code of professional conduct. It allows our company to provide advice, recommendations, and consultation to our customers as they seek their own CMMC-AB certifications.

Since 1993, The Greentree Group has been providing comprehensive professional services and technology solutions to small and medium-sized organizations, including:

  • Cybersecurity solutions
  • I.T. Support
  • Cloud Solutions
  • Technology Strategy

We offer a suite of comprehensive business technology services to include solutions which support Cybersecurity Maturity Model Certification (CMMC) compliance. Our team of cybersecurity experts assist defense contractors in becoming CMMC audit ready by implementing technical solutions and developing documentation and policies required by CMMC. In addition, we provide options for ongoing services to maintain compliance after certification.

CMMC SUPPORTS IT MODERNIZATION AND SUPPLY CHAIN SECURITY

CMMC is a new cybersecurity compliance standard that will be required for contractors to bid and win DoD contracts. The Defense Federal Acquisition Regulation interim rule took effect on November 30, 2020 and initial assessments are expected to begin in calendar year 2021.

CMMC-AB authorized RPOs provide advice, consulting, and recommendations to their clients. They are the implementers and consultants, but do not conduct Certified Assessments. They understand the CMMC Standard, and are qualified as:

  • Aware – Employs staff trained in basic CMMC methodology
  • Registered Practitioner Staffed – Offers CMMC trained consultative services
  • Targeted – CMMC assessment preparation
  • Trusted – Bound by a professional code of conduct

View our listing on the CMMC-AB Marketplace!

Ready to learn more? Our team of cybersecurity professionals would be happy to provide more details about the CMMC requirements, and what they mean for your business. Contact us today!

Skip to content