CMMC marketplace guide: C3PAOs, RPOs & service providers explained
The Cybersecurity Maturity Model Certification (CMMC) program has created a comprehensive ecosystem of service providers to help defense contractors achieve compliance. Since the CMMC Final Rule began its phased implementation on November 10, 2025, understanding how to navigate the CMMC ecosystem has become essential for organizations handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).
The CMMC marketplace serves as the official directory where you can find vetted, authorized professionals and organizations to guide you through certification. Whether you need preparation support, formal assessment or training, knowing which type of provider to engage and when can save time, money and frustration.
Note: Tune into our webinar with ISACA, the new CMMC Assessor & Instructor Certification Organization (CAICO), to learn about the latest CMMC updates.
Understanding the CMMC marketplace
The Cyber AB (formerly the CMMC Accreditation Body) maintains the official CMMC marketplace. This isn't just another vendor directory. It's the only place where you can verify that a service provider has met rigorous standards, undergone background checks and received official authorization to offer CMMC services.
The Cyber AB marketplace operates as a searchable public database where defense contractors can find authorized CMMC service providers. Every organization and individual listed has undergone stringent vetting, including background investigations and compliance with the Code of Professional Conduct.
The marketplace includes C3PAOs authorized to conduct official Level 2 assessments, RPOs ready to help you prepare, individual professionals with various credentials and approved training providers. You can filter by provider type, geographic location and specific credentials.
Prepare for the new era of CMMC
Join Infosec Institute and Todd Gagnon, ISACA CAICO Director, to learn how the CMMC is changing.
C3PAOs: Your official assessors
Certified Third-Party Assessment Organizations (C3PAOs) are the only entities authorized to conduct formal CMMC Level 2 certification assessments when the solicitation requires Level 2 (C3PAO). Think of them as the gatekeepers to certification. If your contract requires Level 2 (C3PAO) compliance, you cannot self-assess. You must work with a C3PAO.
C3PAOs operate as independent evaluators, verifying that your organization meets all 110 security requirements from NIST SP 800-171. They conduct rigorous assessments that typically take one to two weeks, examining your security controls, documentation and implementation.
Level 2 (C3PAO) compliance requires a C3PAO assessment every three years. However, some Level 2 contracts allow Level 2 (Self) assessment every three years, with annual affirmations. The assessment produces an official CMMC status that makes you eligible to bid on and maintain contracts requiring Level 2 compliance.
Choosing a C3PAO
Understanding how to find a C3PAO starts with checking The Cyber AB marketplace to verify their current authorization status. Some organizations claim to offer CMMC assessments but lack proper accreditation. Working with an unauthorized assessor means your assessment won't count.
Experience matters significantly. Ask potential C3PAOs how many assessments they've completed and whether they have experience with organizations similar to yours in size and industry. A C3PAO that primarily works with large aerospace manufacturers might not be the best fit for a small software company handling CUI in cloud environments.
The assessment timeline is critical. With growing demand for CMMC assessments, many C3PAOs maintain waitlists. Ask about their current availability and how it aligns with your contract deadlines. Waiting too long could cost you contract opportunities.
Cost transparency matters. Treat the following only as market estimates: C3PAO assessment fees typically range from $30,000 to $120,000 for Level 2, depending on your organization's size, complexity and the scope of your CUI environment. Some C3PAOs charge on the high end because they include additional support services, while others keep costs lower with streamlined processes. Make sure you understand what's included in their fee structure.
Ask pointed questions during your selection process.
- How many assessments has the C3PAO completed?
- Do they have experience in your industry?
- What's their typical timeline from engagement to certification?
- How do they structure their pricing?
- What kind of support do they provide if you receive findings that need remediation?
For more details on the C3PAO certification process and requirements, learn about C3PAOs.
RPOs: Your preparation partners
Registered Practitioner Organizations (RPOs) serve a completely different role in the CMMC assessment providers' landscape. While C3PAOs assess, RPOs prepare. They're consultants who help you get ready for the formal assessment.
RPOs provide a range of preparation services. They conduct gap assessments to identify where your current security posture falls short of CMMC requirements. They help you implement the necessary controls, develop required documentation like your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) and ensure you're ready for the C3PAO assessment.
You typically engage with an RPO before your C3PAO assessment. If you're starting from scratch or have significant gaps in your security program, an RPO can provide the expertise you need to build compliant systems and processes. They can also offer ongoing compliance support to help you maintain certification between triennial assessments.
Here's a critical distinction: your RPO and C3PAO must remain free of conflicts of interest for the same assessment. If a CCA candidate participated in preparing an organization for CMMC, they cannot participate on the assessment team for that same organization.
Choosing an RPO
Selecting an RPO follows the same principles as choosing a C3PAO, but you're evaluating different capabilities. Start by verifying their listing in the Cyber AB marketplace. Check what credentials their staff hold. Look for RP or RPA designations. CCP and CCA credentials can be helpful but are not the defining RPO requirement.
Review their services carefully. Some RPOs specialize in gap assessments and initial preparation. Others focus on ongoing compliance monitoring and maintenance. Make sure their services align with your needs. Industry knowledge can make a significant difference: an RPO that understands your business and technical environment will provide more valuable guidance than one working from generic templates.
RPO costs vary widely based on the scope and duration of engagement. Treat the following only as market estimates: A gap assessment alone might run from $5,000 to $25,000. Full implementation support can range from $25,000 to over $200,000, depending on how far you need to go to achieve compliance. Ongoing support often costs $2,000 to $10,000 monthly. These investments can seem substantial, but proper preparation significantly increases your chances of passing the C3PAO assessment on the first attempt.
For comprehensive information about the RPO role and requirements, understand RPOs.
Individual CMMC professionals
The CMMC marketplace also lists individual professionals with various credential levels. These individuals can provide specialized consulting support or work on assessment teams.
Registered Practitioners (RPs) represent the entry-level designation. They've completed foundational training and provide basic consulting. RPs typically work within RPOs or as individual contractors and cannot lead assessments independently. For more information, check out RP credentials.
CMMC Certified Professionals (CCPs) hold a foundational certification. They can participate in assessment teams under CCA supervision; however, they can only verify requirements, not make final determinations. CCPs can also provide consulting services with deeper CMMC framework knowledge.
CMMC Certified Assessors (CCAs) participate in assessment teams, conduct Level 2 assessment work as part of a C3PAO team and make determinations within their role authority. The Lead CCA (LCCA) is a separate, higher designation authorized to lead official Level 2 assessment teams and deliver final compliance determinations. CCAs and LCCAs work within C3PAOs for official assessments but can provide consulting when not engaged in assessment activities and when doing so does not create a conflict of interest.
As of April 2026, ISACA fully transitioned into the CMMC Assessor & Instructor Certification Organization (CAICO) role and now administers training, exams and certifications for CCP, CCA, LCCA and CMMC Credentialed Instructor (CCI) professionals. The Cyber AB continues to oversee the marketplace and the C3PAO accreditation.
Choosing a CMMC professional
When should you consider hiring individual professionals rather than organizations? Specialized consulting needs may call for a particular expert. Part-time support makes sense if you need someone to fill specific gaps in your team's capabilities. Cost considerations might also drive this decision, as individual consultants typically charge lower rates than full-service organizations.
Individual professional rates vary by credential level. Treat these as market estimates: RPs typically charge $50 to $100 per hour. CCPs generally charge $100 to $200 per hour. CCAs command $150 to $300 per hour, reflecting their advanced qualifications and authority.
CMMC training providers
Organizations seeking certification need training at multiple levels. Your staff needs education on handling CUI and implementing security controls. If you're pursuing professional credentials like CCP or CCA, you'll need specialized training to prepare for certification exams.
The Cyber AB works with ISACA to ensure training providers meet quality standards. When selecting CMMC training, look for providers approved through these channels. Infosec Institute serves as an Approved Training Provider (ATP), offering training programs for the CMMC Certified Professional (CCP) and CMMC Certified Assessor (CCA) certifications.
Choosing a CMMC training provider
When evaluating training providers, first ensure they are an ATP. Consider things like reputation, endorsements from previous students and the qualifications of the instructors. Look for instructors who hold relevant CMMC credentials and have practical implementation experience.
Check whether the training format fits your learning style and schedule. Compare costs across providers, keeping in mind that the cheapest option isn't always the most effective, and that some providers bundle materials, exams and support into one package while others sell them piecemeal. Be sure you know what your total expected cost will be.
How to use the Cyber AB marketplace effectively
The Cyber AB marketplace provides several search and filtering options to help you find the right CMMC service providers. You can filter by provider type to see only C3PAOs, RPOs, individual professionals or training providers. Geographic location filtering helps you find providers near you, reducing costs and simplifying coordination. Expertise area filters let you narrow results to providers specializing in particular industries or technical environments.
Vetting providers requires more than marketplace listings. Verify current authorization status, check staff credentials and contact references from other organizations.
Watch for red flags:
- Organizations not listed in the marketplace
- Expired credentials
- Extremely low prices
- Lack of transparency about processes and qualifications
Working with multiple providers
Most organizations engage multiple types of providers during their CMMC journey. A common scenario involves hiring an RPO to help you prepare, then engaging a separate C3PAO to conduct your assessment. You might also work with a training provider to certify key staff members or educate your team.
Coordinating multiple providers requires clear communication about roles and timelines. Ensure your RPO knows the C3PAO assessment schedule. Maintain proper independence between preparation and assessment functions.
Your RPO needs sufficient time to implement controls before the C3PAO arrives. Training should happen early enough for staff to apply what they learned. Build buffer time for unexpected complications.
Other CMMC service providers
Beyond the authorized providers in the marketplace, other types of vendors can support your CMMC journey, even if they're not Cyber AB accredited.
Technology vendors offer compliance tools, security solutions and documentation platforms that can streamline your implementation and evidence collection. While these tools aren't authorized by The Cyber AB, many provide valuable support for building and maintaining compliant systems.
Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) can handle the day-to-day technical implementation and monitoring of security controls. Many have developed CMMC expertise and can help you maintain compliance. Since they're not marketplace-listed, verify their qualifications separately by reviewing their certifications and requesting references.
Legal advisors and insurance brokers also play supporting roles. Compliance attorneys can help you navigate the contractual and regulatory aspects of CMMC. Cyber insurance brokers can help you obtain coverage that may be required or beneficial.
Taking your next steps
Navigating the CMMC marketplace effectively starts with understanding your specific needs. Determine what level of certification your contracts require. Assess your current security posture honestly. Identify which types of providers can best help you close gaps and achieve certification.
Search the Cyber AB marketplace methodically. Filter by the provider types you need. Review multiple candidates in each category. Don't rush to the first provider you find or necessarily choose based on price alone.
Contact multiple providers to compare their approaches, experience, timelines and costs. Ask detailed questions about their process and the services they offer. Request references and follow up with them to hear about real experiences.
The CMMC marketplace exists to help you find qualified, vetted partners for your certification journey. By understanding the different provider types, evaluating them carefully and using the marketplace effectively, you can assemble the right team to achieve and maintain CMMC compliance.
ISACA took over as the CMMC Assessor & Instructor Certification Organization (CAICO) in April 2026. Learn how this affects the CMMC marketplace in our webinar with ISACA.
Common questions about the CMMC marketplace
Do I need both an RPO and a C3PAO?
It depends on your starting point. If you're already largely compliant with NIST SP 800-171 and have strong documentation, you might proceed directly to a C3PAO assessment when your contract requires Level 2 (C3PAO). If you have significant gaps or need help building your security program, an RPO can save time and increase your chances of passing the C3PAO assessment on the first attempt.
Can the same company be both my RPO and C3PAO?
A company may hold multiple CMMC ecosystem roles, but it should not prepare and assess the same client for the same CMMC effort. If a provider helped prepare your organization for CMMC, that provider and its assessors generally cannot participate in your Level 2 certification assessment for three years. Use separate providers for readiness consulting and formal assessment.
How do I verify a provider is legitimate?
Check the Cyber AB marketplace. This is the only authoritative source for verified providers. If someone claims to offer CMMC services but isn't listed, they're not authorized for the official ecosystem role they are claiming.
What if there are no C3PAOs in my area?
Many C3PAOs conduct virtual assessments, so geographic location matters less than it once did. You can work with C3PAOs anywhere in the country. Remote assessment capabilities have expanded significantly.
Can I change providers mid-process?
Yes, but it comes with challenges. If you're unhappy with your RPO, you can switch to another one, though you may lose some momentum and need to bring the new provider up to speed. Switching C3PAOs is more complicated if you're already in the assessment process.
What does LTP mean?
Licensed Training Provider (LTP) was a designation used in earlier versions of CMMC, but this specific role no longer exists in CMMC 2.0. Training is now handled through Approved Training Providers (ATPs) working with ISACA as the CAICO. When you see older references to LTPs, understand they refer to the previous program structure.