MorganFranklin is approved as an RPO and is currently a C3PAO candidate, enabling it to offer CMMC Readiness Assessment and compliance support services.
Unlike NIST 800-171, which permitted self-certification, a contractor’s compliance with the CMMC must be evaluated and certified by a third-party auditor authorized by the CMMC Accreditation Body. This certification will demonstrate compliance with the requirements of one of the five CMMC levels.
The DoD defines two roles in the certification process:
- A Registered Provider Organization (RPO) is certified to provide guidance to an organization working toward achieving CMMC compliance.
- A Certified Third-Party Assessment Organization (C3PAO) is authorized to perform a CMMC audit and make the recommendation to issue a CMMC certificate.
An organization can engage with both an RPO and a C3PAO during its CMMC certification process, but an organization's RPO cannot also act as its C3PAO.