Why You Should You Hire a RPO for Gap Analysis and/or Pre-Assessment Support

April 12, 2021

Aronson LLC is a Registered Provider Organization (RPO) with the CMMC-AB, the accreditation body responsible for managing the CMMC program. Our team of CMMC-AB Registered Practitioners (RP) is ready to assist your organization with preparing for a formal CMMC assessment and/or meeting the existing requirements of NIST 800-171.

What is a Registered Provider Organization (RPO)? 

Most organizations seeking certification (OSC) may be familiar with the certified 3rd party assessors (C3PAO) that will conduct formal assessments and submit the assessment results to the CMMC-AB. They may be less familiar with RPO who:

  • Are you familiar with the basic constructs of the CMMC Standard
  • Deliver non-certified CMMC Consulting Services
  • Agree to abide by the CMMC-AB Code of Professional Conduct

RPOs, such as Aronson LLC, are ideally suited to assist your organization with preparing for a CMMC assessment. This could be in the form of a pre-assessment readiness review (for those organizations that believe they are ready for a formal assessment but would like an outside opinion before engaging a C3PAO). We can also assist your organization with identifying and addressing gaps in your security program and providing recommendations to implement or improve security processes and practices.

Why should you hire an RPO (vs. C3PAO) for Pre-Assessment Support? 

If you have implemented all the required security practices and processes (don’t forget about those!) and are ready for a formal CMMC assessment, you may decide your next step is to hire a C3PAO. While that is certainly a valid option, it is essential to remember that the C3PAO cannot provide advice or recommendations to an organization during an assessment.

The assessment is conducted on a pass-fail basis (you either satisfactorily demonstrate compliance with each practice/process OR you have not). There is certainly the opportunity to dispute the assessment results after it is submitted to the CMMC-AB, but that may be too late. In addition, C3PAOs cannot assess organizations for which they may have previously provided consulting services.

However, RPOs are not limited in their ability to provide remediation advice before formal assessments. That is a great reason why you may prefer to go through a pre-assessment readiness review with an RPO such as Aronson. We not only help confirm your readiness for a formal assessment, but we can also provide actionable advice to enhance compliance with security practices. In addition, we can assist your organization with updating relevant documentation (e.g. policies, procedures, etc.) to reflect any recommended changes. This is an important consideration as the C3PAO isn’t solely looking for evidence in regards to having a practice in place, but also that you have been consistently performing the said practice for some time.

Aronson difference? 

Our approach is to partner with your organization and vendors in the IT/cybersecurity ecosystem. As a trusted business advisor and partner to related stakeholders such as technology startups/businesses, Aronson is here to advise your organization on your cybersecurity maturity journey. We have the technical expertise to assist you with meeting the existing requirements of NIST 800-171, preparing for a CMMC assessment, and/or developing or enhancing your cybersecurity program.