Do you need a C3PAO, RPO, MSP, software, or scoping help?
Eight short questions. The matcher tells you which provider categories you likely need now, which to defer, and where the conflict-of-interest lines run between roles. Not a vendor ranking. A buyer-side hint about the kind of help you should be asking for first.
Anonymous by default. The directory is unordered and unweighted; no provider pays for placement.
Eight provider types with different roles and different conflicts.
Buyers consistently confuse these. The most expensive CMMC mistakes trace back to engaging the wrong category for the moment.
- RPORegistered Practitioner Organization
Buyer-side scoping, gap assessment, readiness opinion. Usually the right first paid call on a Level 2 path.
- C3PAOCertified Third-Party Assessment Organization
The terminal step of a Level 2 path. The provider type buyers most often book too early.
- MSP / MSSPManaged (Security) Service Provider
Runs the controls the assessor will evaluate. Generalist IT is rarely enough at Level 2.
- vCISOFractional virtual CISO
Security-leadership voice in vendor calls and prime questionnaires without a full-time hire.
- EnclaveCUI enclave provider
Concentrates CUI handling into a tightly scoped tenant. Often the largest single cost reducer.
- SoftwareCMMC / GRC software
Accelerator for evidence and SPRS, not a replacement for an SSP that matches reality.
- DocumentationDocumentation / SSP / POA&M support
Authors the SSP that matches what you do. Where many engagements stall.
- TemplatesPolicy templates
Useful starting point. Adopting templates verbatim is a frequent assessment-failure pattern.
Want the full picture, not just the categories?
The $249 Decision Pack adds path, cost band, source-backed provider shortlist, quote-risk flags, and a 30-day plan to this match.