CMMC
Compliance
Cybersecurity

The CMMC Ecosystem and How to Use it as an Organization Seeking Certification (OSC)

The process of obtaining a Cybersecurity Maturity Model Certification (CMMC) is similar to that of most compliance frameworks. However, one key difference sets it apart from the others: it has a controlled and maintained ecosystem of providers.

Most commonly referred to as the CMMC Ecosystem, this group of professionals serves various roles when it comes to Organizations Seeking Certification (OSC). Firstly, the ecosystem is split between organizations and individuals. Organizations can hold any of the following roles:

  • Registered Practitioner Organization (RPO)
  • CMMC Third-Party Assessment Organization (C3PAO)
  • Approved Training Provider (ATP)
  • Approved Publishing Partner (APP)

An OSC will typically engage with an RPO and a C3PAO during its certification journey. However, an OSC may never need to engage with the CMMC Ecosystem at all if it only plans to obtain CMMC Level 1 or the self-assessed variant of CMMC Level 2. OSCs obtaining third-party certified CMMC Level 2 and 3 will need to engage with at least a C3PAO to receive their official certification. It is highly recommended that an OSC engage and hire an RPO to assist with the implementation process, but this is not required, and some IT teams may be able to handle the process internally.

Beyond the roles that organizations can hold, individuals can also hold various ecosystem roles while working for or independently of organizations listed in the CMMC Ecosystem. These individualized roles include the following:

  • Registered Practitioners (RPs)
  • Registered Practitioners Advanced (RPAs)
  • Certified CMMC Professionals (CCPs)
  • Certified CMMC Assessors (CCAs)
  • Lead Certified CMMC Assessors (LCCAs)
  • Certified CMMC Instructors (CCIs)

RPs and RPAs typically work for RPOs, while CCPs, CCAs, and LCCAs typically work for C3PAOs. These roles do come with a caveat, though: RPs and RPAs are allowed to work as independent consultants without being associated with an RPO, whereas CCPs, CCAs, and LCCAs are NOT allowed to perform their assessor duties unless they are working under an authorized C3PAO.

These rules enable OSCs to reach out to individual RPs and RPAs for specific CMMC consulting services. While it is always recommended to hire an RPO that can provide the relevant level of expertise (often via a staff with a variety of roles and certifications), an OSC may only require minimal consulting if its internal team is handling the implementation and upkeep.

An OSC with a solid understanding of the roles in the CMMC Ecosystem can then take full advantage of browsing the CMMC Marketplace. The marketplace showcases every individual and organization that holds one or more of the aforementioned ecosystem roles. The most useful tabs within the marketplace when looking for a provider are the “Ecosystem Role” and “Primary Time Zone” tabs. The “Primary Time Zone” tab is the most useful for narrowing down providers because it shows where the organization or individual is based, even if they offer services remotely.

As an OSC, having a basic understanding of the CMMC Ecosystem and Marketplace is vital to ensure you find an RPO and a C3PAO that are appropriate for your size and budget. If you are currently searching for an Alaska-based RPO to help you through any part of your CMMC journey, reach out to us at Stratus Services to see what we can offer you!