Meridian Compass
Comparison

C3PAO vs RPO vs MSP: a side-by-side comparison

Published May 13, 2026 · Updated May 13, 2026 · 5 min read · Sources: 3 cited

Three of the most common acronyms in CMMC sound similar and are not. C3PAO, RPO, MSP. The Cyber AB marketplace itself groups the ecosystem into four broad lanes: OSCs (the buyers), consulting and implementation, assessment and certification, and training (cite [3]). For buyers, the comparison that matters is between the three roles you will most often be paying for.

The 60-second version

C3PAO
  Does: Conducts the formal Level 2 certification assessment. (Level 3 certification assessments are performed by the Government's DIBCAC, not by a C3PAO, although a C3PAO-issued Level 2 certification is the prerequisite.)
  Doesn't: Advise on remediation for a client it assesses. The CMMC conflict-of-interest rules prohibit consulting and assessing the same OSC.
  Pays for what: A fixed-scope assessment engagement, sometimes preceded by a readiness review.

RPO
  Does: Advisory and implementation. Scoping, gap assessment, SSP authoring, POA&M, getting you assessment-ready.
  Doesn't: Issue a CMMC certification.
  Pays for what: Time-and-materials or fixed-fee advisory; sometimes a follow-on retainer.

MSP / MSSP
  Does: Operates IT/security controls on your behalf: identity, monitoring, hardening, IR, patching. Some package this as CMMC managed services (cite [2]).
  Doesn't: Certify you. Does not take over your responsibility for the controls. If it stores, processes, or transmits your CUI, it is an External Service Provider inside your assessment scope, and the controls it operates are assessed as part of yours.
  Pays for what: An ongoing per-seat or per-endpoint subscription, often multi-year.

Where they conflict with each other

Each role is mostly clean on its own. Trouble lives at the intersections.

  • RPO + MSP, same vendor. Common, sometimes efficient, sometimes scope-padding. The advisor is being paid by the operator, so the gap assessment tends to recommend the operator's services. Put the role separation and the advisor's independence in writing.
  • RPO + C3PAO, same vendor. A firm may hold both designations, but it cannot assess an OSC it has advised; the CMMC conflict-of-interest rules prohibit it, and C3PAOs with a pure audit posture (Schellman, given its public positioning as an audit firm; cite [1]) draw a hard line. Ask explicitly which firm will sit on which side, and get the answer in the statement of work.
  • MSP + C3PAO, same vendor. The operator cannot certify the environment it operates. If a quote implies this, push back.

Who to hire first

For most Level 2 buyers, the order looks like this:

  1. RPO first, to scope the CUI boundary and give you a plan.
  2. MSP/MSSP second, to operate what the plan requires.
  3. C3PAO last, after the SSP exists, the controls operate, and the POA&M is realistic.

Booking these out of order (particularly booking the C3PAO before the SSP is stable and the controls have been operating long enough to produce evidence) is one of the most expensive sequencing mistakes a buyer can make: the assessment is paid for whether or not you pass.

What to put in the contract for each

  • C3PAO: The remediation and re-assessment policy if you do not pass. Where the line on advisory sits, including what a readiness review may and may not include. What data crosses the assessor's boundary (SSP, evidence artifacts, screenshots, logs), where it is stored, and when it is destroyed.
  • RPO: The deliverable definitions for the SSP and POA&M, with acceptance criteria for what "done" looks like. The ownership transition at the end, so that you, not the RPO, hold and can maintain the documents.
  • MSP / MSSP: The responsibility matrix. Exactly which NIST SP 800-171 requirements they operate versus which remain yours, mapped one-to-one, with the evidence each side will produce for the assessor.

Treat the responsibility matrix as the most important page in any MSP contract. It is the document the assessor will look at first when they ask "who does what," and any requirement with no owner, or with two owners who each assume the other has it, is a finding waiting to happen.