CMMC Level 2: How to Choose the Right Partners and Get Certified

CMMC Level 2 is here, and primes are already encouraging subcontractors to comply. 

Success starts with understanding the roles of RPOs and C3PAOs, choosing partners wisely, and preparing with the right documentation and scope. 

In our webinar RPOs vs. C3PAOs: Decoding CMMC Compliance Partners, we break down what matters most, share best practices for vetting partners, and explain how defense contractors can move from CMMC readiness to certification. Here are the highlights: 

Why CMMC Level 2 Is Urgent Now 

The clock started ticking on November 10, 2025, when the CMMC rule went into effect. 

For the next year, we’re in Phase 1 of the rollout—but don’t let that lull you into thinking you have time. Prime contractors aren’t waiting. They’re already sending letters and memos to their supply chains: Get certified or risk losing work. 

We’ve seen this firsthand. Boeing, Lockheed Martin, Leonardo DRS—they’re all signaling the same thing. If you handle Controlled Unclassified Information (CUI), you need to demonstrate compliance now. 

And that means understanding the ecosystem, choosing the right partners, and building a readiness plan that works. 

Step One: Understand the Roles in the CMMC Ecosystem 

One of the biggest sources of confusion we hear from defense contractors is this: What’s the difference between an RPO and a C3PAO? 

Here’s the short answer: 

  • Registered Practitioner Organization (RPO): Advisory and implementation partner. Helps you prepare, implement, and operate to CMMC requirements. 
  • Certified Third Party Assessment Organization (C3PAO): Independent assessor. Performs the official certification assessment. 

Why does this separation matter? Because it prevents conflicts of interest. As Fernando Machado of Cybersec Investments, an authorized C3PAO, put it during our webinar: 

“We want to make sure that the person that does the consulting and advisory isn’t the same exact person that does the assessing and certification. Because why would I rate myself wrong?” 

That’s why CyberSheath is an RPO. We guide you through readiness and manage compliance operationally. When it’s time for certification, we work with trusted C3PAOs like Cybersec Investments to get you across the finish line. 

Step Two: Choose Partners Wisely 

Not all RPOs and C3PAOs are created equal. A listing or accreditation alone is not enough.

For RPOs, look for: 

  • Teams with deeper certifications (CCP, CCA) and real-world experience. 
  • Ability to deliver managed IT, managed security, and managed compliance—not just advice. 

For C3PAOs, ask: 

  • How many CMMC Level 2 assessments have you completed? 
  • Are your assessors W-2 employees or 1099 contractors? 
  • What’s your scheduling timeline and fee structure? 
  • Do you have experience with environments like ours? 

These questions matter because the ecosystem is still small—87 C3PAOs at the time of the webinar—and demand is skyrocketing.  

Trying to make sense of DFARS, NIST, and CMMC can feel like navigating a maze. The rules are complex, the terminology is technical, and the pressure to get it right is real, especially when every vendor seems to offer a different path forward. If you’re feeling uncertain, you’re not alone. 

This guide gives you a starting point for evaluating vendors who might be a fit for your business. 

Step Three: Prepare for Prime Pressure and Implementation Challenges 

Even if the DOD rollout allows self-assessment for now, primes can—and some will—require third-party certification sooner. We’re already seeing it. 

Readiness starts with documentation. If you don’t have a System Security Plan (SSP) aligned to NIST 800-171A assessment objectives, you’re not ready. And don’t stop at control titles. Assessors look for verbs like define, identify, and specify—and they expect to see those requirements implemented and enforced. 

Other essentials:  

  • Data flow diagrams showing how CUI moves through your environment. 
  • Clear scope (CUI assets, security protection assets). 
  • A prioritized POAM for remediation. 

Step Four: Know the Certification Details 

Passing outright is the goal, but if you fall short, there’s a path to a conditional certificate. Under current guidance, a contractor can earn a conditional CMMC Level 2 status if they:

  • Score at least 80% (88 of 110 controls met).
  • Have no POAMs for high-value controls (3- or 5-point). 
  • Close remaining POAMs within 180 days via a closeout assessment. 

Step Five: Understand the Role CyberSheath Plays 

When you work with CyberSheath, you get more than advisory support. You get a partner that owns compliance operationally. 

We deliver through three lanes: 

Every client gets a dedicated compliance analyst who leads the process, coordinates with IT and security teams, and represents you during the C3PAO audit. As Casey Lang said during the webinar: 

“Your compliance analyst is literally across the table from the assessor telling your story on your behalf.” 

That’s how we turn readiness into certification success. 

Your CMMC Readiness Checklist 

Before you schedule with a C3PAO, make sure you can check these boxes: 

  • SSP aligned to assessment objectives 
  • Data flow diagram for CUI 
  • Self-assessment completed 
  • POAM for eligible low-value gaps only
  • Cloud services FedRAMP Moderate authorized (if applicable)
  • Boundary chosen (enclave vs. enterprise) 
  • Provider alignment confirmed 
  • C3PAO vetted

Start Now 

If you have or plan to have CUI in your environment, CMMC Level 2 isn’t optional—and it’s not something you can rush at the last minute. The ecosystem is small, demand is high, and primes are already applying pressure. Start with the right partner, scope smart, meet the assessment objectives, and get in line for certification. 

Watch the webinar to hear Casey Lang and Fernando Machado unpack these insights and answer real-world questions from DIB contractors. 

Frequently Asked Questions 

What is the difference between an RPO and a C3PAO in the CMMC ecosystem? 

An RPO (Registered Practitioner Organization) provides advisory and implementation support to help defense contractors prepare for CMMC compliance. A C3PAO (Certified Third Party Assessment Organization) performs the official certification audit and issues CMMC certificates. The roles are intentionally separated to avoid conflicts of interest. 

Why can’t the same organization provide both consulting and certification for CMMC? 

The CMMC ecosystem enforces a separation between advisory and assessment roles to prevent conflicts of interest. As Fernando Machado explained, “Why would I rate myself wrong?” Organizations that consult cannot certify their own work. 

What documentation is required for CMMC Level 2 readiness? 

A defense contractor’s SSP must describe control implementation in sufficient detail to demonstrate how the organization meets NIST SP 800-171A assessment objectives. Additional requirements include data flow diagrams, clear scoping of CUI assets, and a prioritized Plan of Action and Milestones (POA&M). 

Do ISO 27001 or SOC 2 certifications satisfy CMMC Level 2 requirements? 

No. While there may be overlap, ISO 27001 and SOC 2 do not fully map to NIST 800-171A. Contractors must implement all 320 assessment objectives to achieve CMMC Level 2 compliance. 

Is FedRAMP Moderate required for cloud services under CMMC? 

Yes. If CUI is processed, stored, or transmitted in a cloud environment, the service must be FedRAMP Moderate authorized or equivalent, with evidence from a FedRAMP 3PAO assessment. 

What is a conditional CMMC Level 2 certificate? 

A conditional certificate is issued when a contractor meets at least 80% of controls (88 out of 110), has no POAMs for high-value controls, and agrees to close remaining POAMs within 180 days through a closeout assessment. 

Is an enclave approach mandatory for CMMC Level 2? 

No. An enclave approach is optional and depends on your environment. If only a small portion of your organization handles CUI, an enclave may reduce cost and complexity. If CUI is pervasive, enterprise-wide scope may be necessary. 

Are MSPs and MSSPs required to be CMMC certified? 

The final rule does not require MSPs/MSSPs to be certified, but many C3PAOs strongly recommend it. Non-certified providers can create risk during assessments, as their practices may be scrutinized alongside the contractor’s. 

How many C3PAOs are currently authorized? 

As of the webinar date, there were 87 authorized C3PAOs in the CMMC ecosystem. 

What questions should I ask when selecting a C3PAO? 

Key questions include: 

  • How many CMMC Level 2 assessments have you completed? 
  • Are your assessors W-2 employees or 1099 contractors? 
  • What is your scheduling timeline and fee structure? 
  • Do you have experience with environments like ours?