
5 Questions to Ask When You Are Choosing an RPO for CMMC Compliance

In January 2020, the Department of Defense (DoD) announced a new compliance framework called the Cybersecurity Maturity Model Certification (CMMC). Designed to protect Controlled Unclassified Information (CUI) from falling into the wrong hands, CMMC applies to all 300,000 businesses across the DoD supply chain. Every contractor and subcontractor must be CMMC-certified by 2026, or they will be barred from bidding on any DoD contract. That said, many Requests for Proposal (RFPs) already require bidders to meet CMMC Level 1 – Basic Certification. As a result, many prime contractors are already requesting CMMC compliance of their secondary suppliers.


If you’re a small or medium-sized business (SMBs make up 74 percent of the DoD supply chain), you probably lack the internal resources to focus on the stringent new requirements of CMMC. To smooth the way, the CMMC-AB Marketplace created the CMMC Registered Provider Organization (RPO) certification process to help businesses locate a qualified third party to help prepare them for compliance. RPOs must also train and maintain Registered Practitioners (RPs) within their organizations and abide by the Code of Professional Conduct.

Choosing the right RPO for this critical step in your business growth can be overwhelming. Look through the CMMC-AB Marketplace, and you’ll find hundreds of RPOs like Vancord and thousands of RPs, all offering different services. So how do you find the one that is right for you?

To navigate this important business decision, we’ve outlined the five questions to ask before you choose an RPO.

  1. Do you have customers that are currently subject to DFARS, NIST SP 800-171, ITAR, and CMMC compliance?

    CMMC builds upon earlier federal requirements regarding the NIST SP 800-171 standard. With CMMC being the new kid on the block, you want to choose an RPO with deep experience in NIST 800-171 compliance to help apply it to CMMC. Look for an RPO who is an industry expert—someone who knows their way around DFARS and ITAR.

  2. How much experience do you have in cybersecurity compliance in highly regulated spaces?

    CMMC compliance standards are necessarily strict, as they aim to protect sensitive government data that, if disclosed, could threaten national security. Look for a partner with deep experience in highly regulated industries like aerospace, government contracting, manufacturing, financial services, and healthcare.

  3. How knowledgeable are you about the defense contracting environment?

    DoD contracting is different from any other kind — requirements are intense, acronyms are complex, and the bureaucracy is labyrinthine. Even among the Armed Services, the rules and formats for similar procurements can vary. You need a partner who gets this.

  4. How easy is it for you to scale efforts appropriate to my business?

    Scalability is key for new and rapidly growing SMBs who may be planning to take on larger or high-security-level contracts with DoD. Therefore, you need a CMMC partner that can scale with you.

  5. Can you work with my existing IT infrastructure?

    Be on the lookout for any RPO that wants you to replace your existing IT infrastructure with their solution. Any experienced RPO will be adept at working within unique infrastructures, and they will not ask you to make the change (unless you need it, of course).

Get in touch today to learn more about how we can help your business prepare for CMMC compliance.
