RPO vs C3PAO vs MSP vs enclave: who does what
CMMC vocabulary is full of acronyms that sound interchangeable and aren’t. The Cyber AB marketplace itself groups the ecosystem into four broad lanes: DIB companies that are getting assessed, consulting and implementation providers, assessment and certification providers, and training providers (cite [1]). The practical version, the one that matters when you are about to send money, looks a little different.
This guide walks through each provider type a buyer typically encounters, explains what they can and cannot do, and gives one or two questions that separate them on a sales call.
RPO: Registered Practitioner Organization
What they do. Advisory and implementation. Scoping, gap assessment, SSP authoring, POA&M tracking, getting your controls into a state an assessor will accept. An RPO is typically the first provider a buyer should be talking to.
What they cannot do. Issue a CMMC certification. That is the C3PAO line. An RPO can prepare you and tell you when they think you are ready; they cannot tell you that you have passed.
The separating question. “Walk me through how you would scope CUI for our specific contracts. What inputs would you need from us in week one?” A real RPO has a method. A marketing-heavy shop has a brochure.
C3PAO: Certified Third-Party Assessment Organization
What they do. Conduct the certification assessment for CMMC Level 2 and (in some cases) Level 3. Schellman, for example, publicly markets itself as among the first authorized C3PAOs (cite [2]).
What they cannot do (or, more precisely, often won’t do for the same client). Substantial remediation advice. Many C3PAOs draw an internal line between assessment work and consulting for the same client, to avoid conflicts of interest. If your sales contact is comfortable doing both, that is itself information.
The separating question. “Will you tell us, in writing, what we should fix before booking a formal assessment with you?” Either answer can be the right one for your situation; what matters is that the line is explicit.
MSP / MSSP
What they do. Operate IT or security controls on your behalf. Some MSPs are CMMC-specialized, with managed-services product lines that map to NIST SP 800-171 controls; Summit 7’s Guardian MSP, Vigilance MSSP, and Commander Managed GRC are an example of this packaging (cite [3]). Others are general-purpose MSPs that have added CMMC marketing.
What they cannot do. Replace your responsibility for the controls they operate. The certification belongs to you, not to the MSP, even when they run most of the security stack.
The separating question. “Which specific NIST 800-171 controls do you operate on our behalf, and which remain ours?” A defense-specialized provider answers fluently. A generalist hedges.
CUI enclave
What they do. Provide a scoped technical environment where CUI lives, typically with hardened identity, encryption, and access controls, so that the rest of your organization can stay on commercial collaboration tools. PreVeil is an example: end-to-end encrypted email and storage marketed explicitly as an alternative to a full Microsoft 365 GCC High migration (cite [4]).
What they cannot do. Stop a user from copy-pasting CUI back out of the enclave. The technical boundary is only as good as the human workflow and training around it.
The separating question. “How does data enter and leave the enclave in day-to-day work, and how do users avoid silently moving CUI back out?” If the answer is only technical, the deployment will leak.
Documentation specialist
What they do. Sell, write, or co-author the documentation set the assessment depends on. Some are template vendors (ComplianceForge, for example, sells editable cybersecurity documentation templates aligned to NIST 800-171 and CMMC; cite [5]); others are consulting shops that write to your environment.
What they cannot do. Make your documentation accurate without your time. Templates require tailoring, and documentation specialists need access to how things actually work in your environment.
The separating question. “Will the SSP you produce match what we do, or will we need to operate to match the SSP you write?” Either can be correct, but the buyer should know which path they are buying.
CMMC / GRC software
What they do. Track evidence, controls, and POA&M items in a tool, generally with reporting that maps to a framework.
What they cannot do. Substitute for a real SSP or operational controls. Buying the software does not pass the assessment; the controls behind it do.
The separating question. “If we buy your platform and use nothing else, what would still be missing for a real C3PAO assessment?” A vendor who answers honestly is a useful vendor.
A note on combinations
A meaningful share of the market sells two or more of the categories above as a bundle. Bundles can be efficient; they can also obscure which role the provider is playing in any given week. The best defense is to ask, separately for each role, “What is the very first thing you would deprioritize or descope if our budget tightened by 30%?” The answers reveal which role is core to the bundle and which is structurally optional.