CMMC Acronym Soup

Sep 28, 2021 | CMMC, C3PAO, RPO

Government contractors are figuring out that bidding or working on non-public government contracts, eventually, they will need to be compliant. Right now, that consists of working toward CMMC certification and self-assessing compliance status through the Supplier Performance Risk System (SPRS). Which brings me to the point of this writing.

CMMC-AB has had a field day changing the terms and processes in the original NIST Special publication 800-171. As we communicate with the industry, we notice that these terms often cause unnecessary confusion. So let’s help clear the air with some acronym definitions.

C3PAO – A Certified 3rd Party Assessment Organization approves, validates, and certifies that the organization is CMMC compliant. They employ or contract CAs to conduct the audits. C3PAOs will be responsible for relaying the results of the OSCs audits to the DIB.

CA – Certified Auditors provide their services for C3PAOs. They are the individuals who do the actual audits and provide the results to the C3PAO for certification.

CP – A Certified Practitioner is the consultant who works with the client to prepare for certification. He or she reviews all processes and procedures in place (or not) and then reports on what they found.

DIB – Defense Industrial Base is a term used to refer to a government’s industrial assets that are for the production of equipment or services for the DOD.

DIBCAC – Defense Industrial Base, Cybersecurity Assessment Center is the group responsible for assessing C3PAOs to ensure they meet the same standards as the OSCs in terms of the CMMC maturity level they will be assessing.

OSC – Organizations Seeking Certification is a term used for any organization that is seeking a CMMC maturity level certification.

RPO – A Registered Provider Organization is an organization that helps other organizations determine their compliance status and prepares them for CMMC certification.

There are 9 steps that an organization will go through in order to become certified:

  • Understand the CMMC requirements.
  • Identify the scope of the CUI environment.
  • Identify the CMMC maturity level the organization will need to achieve.
  • Self-assess the delta (gap) of the organization current state of CMMC readiness.
  • Implement the missing components.
  • When the OSCs feel they are ready, conduct an official certification assessment with a C3PAO (located on the CMMC-AB marketplace).
  • If necessary, over 90 days, implement any missing or weak components found.
  • When everything is remediated, the CMMC-AB reviews the assessment, and an approval is decided.
  • Once approved, a 3-year certification is issued.

CP Process Diagram - Duffy Compliance Services

Using the acronyms, a simplistic approach to these 9 steps would be:

  1. A CP assesses your gaps in CMMC compliance
  2. An RPO can be used to help remediate those gaps
  3. A CA (as a member of a C3PAO) conducts the official assessment

Some of our clients try to go through the process themselves, and they find it complicated as learning all these new acronyms.  Let Duffy Compliance manage the process so that you can manage your business.  No one needs the stress of going through this process alone.

It takes experience and expertise to help OSCs become CMMC ready.  Duffy Compliance can be of assistance, whether it is to help you go through the Supplier Performance Risk System (SPRS) or begin the CMMC process; we can manage this process to ease the burden on you and your organization.  Reach out to discuss the best path for you and your organization.

Subscribe to Our Monthly Newsletter

Free education for cybersecurity.


Your personal information will not be shared and you are able to unsubscribe at any time.