CMMC marketplace: Understanding C3PAOs, RPOs, LTPs and more

Susan Morrow
July 6, 2021 by
Susan Morrow

The Cybersecurity Maturity Model Certification (CMMC) program demonstrates an increasingly mature security posture using five successive levels. Since September 2020, several Department of Defense (DoD) requests for information (RFI) have contained some level of CMMC compliance as a requirement. This phased inclusion of CMMC in DoD tenders will continue throughout the next few years until 2026, when all the over 300,000 DoD vendors (the U.S. Defense Industrial Base (DIB)) will be required to comply with one of the CMMC levels. 

Any DIB vendor wishing to contract with the DoD must use a certified external entity to help in the assessment and certification process to meet a CMMC level of compliance. These organizations are accredited by the CMMC Accreditation Body (CMMC-AB) and listed on a “CMMC Marketplace.” This marketplace provides a searchable database of accredited service providers that a DoD contractor can pick from when going through CMMC compliance.

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

Who is the CMMC Accreditation Body (CMMC-AB)?

The CMMC-AB is a not-for-profit organization established to oversee the CMMC certification process. This includes the accreditation of entities involved in taking OSCs through CMMC certification. The CMMC-AB is the only authorized accreditation and certification partner of DoD in its CMMC program; as such, every CMMC certification partner is fully accredited by and listed in the marketplace by the CMMC-AB.

What is the CMMC Marketplace?

The CMMC requires an ecosystem of partners responsible for ensuring the CMMC framework and process to certification happens harmoniously at a given CMMC level. This ecosystem covers all entities involved in leveraging the CMMC relationship between an Organizations Seeking CMMC Certification (OSC) within the Defense Supply Chain and the government agency. To service this relationship, the CMMC-AB has created a CMMC Marketplace to connect OSCs with organizations that can take them through the necessary CMMC level certification process.

The CMMC Marketplace hosts the following seven entities:

  • Registered provider organization (RPO): its role is to prepare OSCs for certification. An RPO acts as a consultant, but they are not certified to carry out CMMC assessments.
  • CMMC 3rd party assessment organization (C3PAO): its role is to provide CMMC certification assessments to OSCs.
  • C3PAO candidate - pending CMMC ML3 assessment: a pending status means that the company must first go through the ML3 assessment before being fully accredited to carry out a CMMC certification assessment.
  • CMMC provisional assessor (PA): this role is authorized to conduct assessments during the provisional period. They typically work alongside/with a C3PAO.
  • CMMC registered practitioner (R.P.): this role provides advice, consulting and recommendations to a client and works with an RPO.
  • Licensed partner publishers (LPP): this role creates approved CMMC training materials.
  • Licensed training provider (LTP): This role trains CCPs and CCAs using LPP material.

The marketplace lists all the CMMC accredited entities available to an “Organization Seeking Certification” (OSC). The listing works using a search facility, with searchable terms including name, description, city, state and type of accredited entity. Using this search can help to identify CMMC certification partners that are most applicable to an OSC. Entities that make it into the CMMC Marketplace, such as an RPO, will have already been through a stringent series of checks, accreditation and paid annual fees. The CMMC-AB essentially provides a filtering system on behalf of the vendors in the U.S. Defense Industrial Base (DIB) and the U.S. government to ensure that the certification of an OSC runs smoothly and effectively. Only entities with the right level of skills, staffing and stability, will be accredited to the level needed to become part of the CMMC Marketplace.

The search function on the CMMC Marketplace is poor. However, expect it to see an overhaul as more certification partners are listed.

Connecting with a CMMC Marketplace service provider

Once a DIB contractor has chosen its certification partner from the CMMC Marketplace, they can interact with that vendor in any way they please. However, the CMMC-AB also provides a CMMC-AB Portal that acts as a forum to allow discussion between groups and entities. The portal takes the form of a user group forum.

Things to consider when using the CMMC Marketplace

The CMMC Marketplace provides a searchable database to research CMMC ecosystem partners to help your organization achieve CMMC certification. At the time of writing, the marketplace was operational, but the search facility needed optimization. You can expect an update soon. When searching for the best partner for your CMMC certification requirements, certain elements may tip the balance to choosing a specific service:

  • Are they local? The process for CMMC compliance is collaborative, and close-by means easier on-site visits if needed and reduced travel costs.
  • Does the CMMC partner specialize in delivering services around CMMC certification?
  • What is the cost structure of the service offering?
  • Do they understand your specific service or product offering?
  • Does the CMMC Marketplace service provider have experience with other government security frameworks?

Earn your CMMC certification

Earn your CMMC certification

Enroll in a boot camp and become one of the first Certified CMMC Assessors (CCA) or Professionals (CCP)!

A marketplace for future security

A recent Samsung survey found that 64% of federal government I.T. and cybersecurity professionals see endpoint security breach prevention as a priority. This makes compliance with the stringent security of the CMMC framework by contractors of vital importance. This position is evidenced in a DHS Homeland Threat Assessment 2020 report, showing that government entities, including the DoD and its OSC ecosystem, continue to fight cybersecurity battles.

The CMMC-AB is the only entity to provide accreditation services for potential CMMC service partners and then list those certified service providers under one umbrella, the CMMC Marketplace. This takes the legwork out of finding the right provider. By choosing a good service provider partner that is a good fit for your organization, the chance of a successful CMMC compliance certification is greatly improved.

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.