How to Choose a CMMC RPO: 7 Questions to Ask


Choosing the right CMMC Registered Provider Organization (RPO) is one of the most consequential decisions in your CMMC program. A capable RPO gets you C3PAO-ready. An incapable one takes your money, produces deliverables that look thorough, and leaves you failing an assessment you thought you were ready for.

The RPO market ranges from firms with deeply experienced teams and rigorous methodology to individuals who passed a credential exam and are offering services they are not equipped to deliver. The Cyber AB accreditation process for RPOs verifies that an organization has agreed to a code of ethics and has certified professionals on staff. It does not guarantee quality, depth of expertise, or methodology.

Here are seven questions that separate strong CMMC advisory firms from weak ones.

Question 1: Who specifically will work on my engagement, and what are their credentials?

Many professional services firms are accredited as RPOs but staff client engagements with junior consultants who have limited CMMC-specific experience. The credentials that matter for CMMC advisory work are:

  • CCP (Certified CMMC Professional): Entry-level CMMC practitioner credential from the Cyber AB. Requires completion of recognized CMMC training and passing a proctored exam. Holders can provide CMMC advisory and consulting services.
  • CCA (Certified CMMC Assessor): Assessment credential that qualifies holders to participate in C3PAO assessment teams. Requires more rigorous training and examination than the CCP. A CCA on your advisory team brings direct assessment experience.
  • CISSP, CISA, or equivalent: Broader cybersecurity certifications that indicate general security program expertise.

Ask for the specific credentials of the people who will be assigned to your engagement, not just whether the firm holds RPO accreditation. If a firm is accredited as an RPO but cannot name the certified practitioners on your team, that is a gap.

Question 2: What does your gap assessment methodology actually involve?

The quality of a CMMC gap assessment is determined by its methodology. A thorough gap assessment involves three things: document review, technical testing, and interviews. A gap assessment that relies exclusively on questionnaires and document review is incomplete.

Ask the RPO to describe their methodology in specific terms:

  • How do you verify that technical controls are actually implemented (not just documented)?
  • What technical testing do you perform during an access control evaluation?
  • How do you verify MFA is enforced vs. just enabled?
  • How do you evaluate network architecture and boundary protection?
  • How do you test audit logging completeness?

A strong answer describes specific technical verification activities. A weak answer describes reviewing policies and interviewing the IT team. The C3PAO will conduct technical testing. If your gap assessment did not, it will have missed gaps that the C3PAO will find.

Question 3: How do you align evidence collection to DIBCAC standards?

The evidence that supports CMMC Met determinations needs to match what C3PAO assessors and DIBCAC assessors actually look for. Ask the RPO how they approach evidence collection:

  • Do you use the DIBCAC Objective Evidence Lists as your reference?
  • How do you document evidence so it is organized for C3PAO assessment?
  • What evidence naming and organization conventions do you follow?
  • How do you ensure evidence is current (not more than 90 days old at assessment time)?

An RPO that cannot articulate a specific, DIBCAC-aligned evidence methodology is producing documentation that may not hold up under C3PAO scrutiny.

Question 4: Can you give me references from organizations that passed a C3PAO assessment after working with you?

This is the most direct quality signal available. An RPO that has successfully prepared organizations for C3PAO assessments should be able to provide references from those organizations.

Ask specifically:

  • How many organizations have you taken through a full C3PAO assessment?
  • What was the outcome? Final certification, Conditional, or Not Met?
  • How many POA&M items, if any, were open at the time of certification?
  • Can I speak with two or three clients of similar size and complexity to my organization?

An RPO that cannot provide any C3PAO pass references, or whose references are all for self-assessments rather than C3PAO assessments, has not yet demonstrated the ability to prepare organizations for third-party assessment.

Question 5: How do you handle the SSP?

The System Security Plan is the most critical document in a CMMC program. Ask the RPO specifically about their SSP approach:

  • Do you write the SSP from scratch, or do you use a template that the client customizes?
  • How do you ensure the implementation descriptions are specific to my environment and not generic template language?
  • How do you validate that SSP content accurately reflects technical implementation?
  • How do you update the SSP during remediation as controls are implemented?

The red flag answer: "We use a template that we customize." Templates are appropriate starting structures, but the implementation descriptions must be specific, technical, and written to reflect your actual environment. An SSP built primarily on template language with minimal customization will generate Not Met findings when assessors compare documentation to reality.

Question 6: What is your approach when you find a gap we cannot close before the assessment?

No organization will close every gap before a C3PAO assessment. The question is how the RPO handles the gaps that remain.

Ask:

  • How do you help prioritize what goes on the POA&M versus what must be closed?
  • How do you ensure no prohibited controls end up on the POA&M?
  • How do you build a POA&M that is defensible to a C3PAO assessor?
  • What happens if a POA&M item proves harder to close than expected during the 180-day window?

A strong RPO has a clear framework for POA&M strategy: prioritize by point value, verify no prohibited controls, build realistic timelines, and manage the 180-day closeout window with the same discipline as the initial assessment. An RPO that treats the POA&M as an afterthought is setting you up for a conditional certification failure.

Question 7: What does ongoing engagement look like after the gap assessment?

A gap assessment is not a one-time engagement. The work between gap assessment and C3PAO assessment often takes 12 to 24 months. Ask the RPO about the post-gap engagement model:

  • How do you support remediation activities over the multi-month program?
  • Do you provide project management, or is the client self-directing remediation with periodic check-ins?
  • How do you verify that remediation is complete before scheduling the C3PAO assessment?
  • Do you offer a pre-assessment review to verify evidence package readiness?

Some RPOs deliver a gap assessment report and then step away. Others provide ongoing program management through C3PAO certification. Depending on your organization's internal capacity, you may need different levels of ongoing support.

The Price Question

Cost matters, and getting CMMC compliance done at a price that makes business sense is a legitimate consideration. However, a few cost-related cautions:

  • The cheapest gap assessment may cost the most. An RPO engagement that is significantly below market rate is often significantly below market in depth. If the gap assessment misses critical technical gaps, you will pay for those gaps twice: once in the remediation cost you did not anticipate, and again in the C3PAO assessment fees spent on an assessment you fail.
  • Compare scope, not price. When evaluating RPO proposals, compare the scope of what is included: number of domains covered, whether technical testing is included, whether evidence collection is included, whether SSP development is included, and the credentials of the team assigned. A higher-priced engagement that includes these elements may be less expensive in total cost than a lower-priced engagement that does not.
  • Use government resources to reduce cost. APEX Accelerator centers can provide referrals to vetted RPOs in your area. CSIAC Cost Analysis Team contracts provide government-rate pricing for cybersecurity consulting. These mechanisms can reduce the cost of a capable RPO engagement significantly.

Red Flags Summary

Avoid RPOs who:

  • Cannot name the certified practitioners on your engagement team
  • Cannot describe their technical testing methodology in specifics
  • Have never taken an organization through a successful C3PAO assessment
  • Produce SSPs primarily from generic templates
  • Cannot articulate a POA&M strategy that accounts for prohibited controls
  • Offer prices significantly below market without a clear explanation of reduced scope

Key Takeaways

  • RPO accreditation confirms ethics agreement and credential presence; it does not guarantee quality
  • Ask about the specific credentials of the people on your engagement, not just the firm
  • Require technical testing as part of methodology, not just document review and interviews
  • Ask for C3PAO pass references from organizations of similar size
  • Compare scope when evaluating pricing; the cheapest option is often more expensive in total cost
  • Government resources (APEX, CSIAC) can help reduce RPO costs without reducing quality

Learn More

For the complete CMMC framework, see CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.


Looking for an RPO that can answer all seven of these questions? NR Labs holds CCP credentials, conducts technical testing as a core part of every gap assessment, and has a clear methodology aligned to DIBCAC standards. Contact us to discuss your engagement.