32 CFR Part 170: why your CMMC RP and your C3PAO cannot be the same firm
A CMMC vendor-selection guide for Defense Industrial Base contractors
What the regulation actually requires, why the separation exists, and how to structure your CMMC vendor stack so your assessment result survives scrutiny.
Key 102 Consulting · 2026 · Veteran-owned. SAM-registered. Cyber AB RPO enrollment in progress. Practitioner-led CMMC L1 and L2 readiness on a platform that anticipates the post-credential workflow.
The vendor mistake that voids your assessment
A DIB subcontractor signs with a CMMC consulting firm. The firm helps draft the System Security Plan, walks the 110 NIST SP 800-171 practices, runs a mock assessment, declares the contractor "ready." The same firm then runs the formal CMMC Level 2 assessment.
That sequence is not permitted. CMMC's program structure, codified in 32 CFR Part 170 (the DoD's final rule effective 2024-12-16), keeps the prep-side practitioner and the assessment-side organization structurally separate. Not as a best practice. As a regulatory requirement that protects the integrity of the assessment outcome.
A contractor who lets the same firm do both is taking an assessment whose result a Defense Contract Management Agency review can challenge on independence grounds. The certification might be issued. It might still get rescinded. The contract obligations don't pause while the rescission is litigated.
This paper covers what the regulation actually says, why the separation exists, what each role does, and how to structure your CMMC vendor stack so the work that gets done before assessment day holds up on assessment day.
The three roles 32 CFR Part 170 defines
CMMC's ecosystem has three distinct actor types, governed by the Cyber AB (Cybersecurity Accreditation Body) under DoD authority:
Registered Practitioner (RP) and Registered Practitioner Organization (RPO). Individuals and firms that help contractors prepare for CMMC assessment. RPs and RPOs are vetted by the Cyber AB, listed in the Cyber AB Marketplace, and authorized under 32 CFR Part 170 to provide pre-assessment guidance: SSP authoring, POA&M management, NIST SP 800-171 gap analysis, control implementation review, and SPRS affirmation preparation.
Certified Third-Party Assessment Organization (C3PAO). The organizations DoD has authorized to conduct formal CMMC Level 2 assessments. C3PAOs operate under their own Cyber AB accreditation, employ Certified CMMC Assessors (CCAs), and follow the NIST SP 800-171A methodology to produce a scored assessment package the DoD relies on for certification decisions.
Certified CMMC Assessor (CCA). Individuals employed by C3PAOs. The CCA does the actual hands-on assessment work: interviews, evidence review, finding documentation, scoring. The CCA's credentials are independent of the C3PAO that employs them.
Together: contractor → RP/RPO prepares → C3PAO assesses → CCAs run the assessment → DoD receives the package → certification (or POA&M → recertification) is issued.
Why the separation is structurally enforced
The CMMC Program's separation between prep and assessment exists for the same reason financial-audit independence exists under SEC rules, and the same reason penetration testers are typically separate from the security team they're testing: the party that proves you're ready cannot be the party that decides you're ready.
If the same firm does both:
- The firm has a financial incentive to produce a passing assessment, because failure makes their prep work look bad
- The assessor's findings cannot be independently validated; they're scoring the work they themselves helped author
- The DoD's verification of CMMC compliance becomes verification of the consulting firm's marketing claims, not of the contractor's actual control posture
- A certification assessed by the same firm that prepared it presents a visible structural weakness to a False Claims Act challenge
The DoJ's Civil Cyber-Fraud Initiative has been increasingly active in pursuing FCA cases tied to DoD cybersecurity attestations. An assessment package authored and assessed by the same firm is the kind of structural finding the initiative looks for. Contractors who consolidate the work to save vendor-management overhead are trading one small cost (managing two vendor relationships) for one large risk (an assessment that doesn't survive scrutiny).
What an RP/RPO actually delivers
Pre-assessment work spans the full CMMC L1 or L2 lifecycle:
Scope definition. What systems, networks, and data flows are in the CUI boundary? What's out of scope? The boundary decision determines everything downstream.
System Security Plan (SSP) authorship. A real SSP, not a template fill-in, documents how each of the 110 NIST SP 800-171 practices is implemented in the contractor's specific environment. The SSP is the assessor's primary entry point on assessment day.
Plan of Action and Milestones (POA&M). Findings that aren't yet remediated get tracked with milestones, owners, target dates, and closure-evidence requirements. CMMC L2 permits POA&M items only for specific practices and only within a 180-day window; the RP/RPO knows which practices cannot be POA&M'd at all.
SPRS affirmation preparation. The Supplier Performance Risk System submission package for L1 self-attestation or L2 weighted 110-control scoring. Senior-officer signature; DFARS 252.204-7012 notification chain understood; False Claims Act exposure considered.
Mock / pre-audit assessment. Walk the NIST SP 800-171A methodology against the contractor's actual controls, identify findings before the formal C3PAO does, run the gap-close sprint.
Continuity. A Registered Practitioner stays with the engagement through assessment day and beyond. They don't ghost after the proposal is signed.
What an RP/RPO does not do: issue the certification, score the formal assessment, or sign the assessor's findings. All of that is the C3PAO's role under 32 CFR Part 170.
What a C3PAO actually delivers
The C3PAO walks the same NIST SP 800-171A methodology the RP/RPO prepared the contractor for, but does so independently, with specific procedural requirements:
Assessment plan. Scope confirmation, objectives, methods (Examine / Interview / Test), evidence requirements per practice.
Evidence collection. Configuration extracts, log samples, screenshots, interview notes, walk-throughs. The C3PAO collects what they consider sufficient; the contractor's prepped evidence package is input to that, not the authoritative answer.
Findings. Per-practice determinations (Met / Not Met / Not Applicable) with specific assessment-objective references. The findings document is the deliverable the DoD reviews.
Scoring. L2 assessments compute the 110-control weighted score per the DoD Assessment Methodology. Critical practices that are Not Met can be POA&M'd within the 180-day window; certain practices cannot be POA&M'd and any single such failure blocks certification.
Assessment package submission. The C3PAO submits to the Cyber AB and DoD per the program's reporting requirements. Certification issues from that submission.
What a C3PAO does not do: help the contractor draft the SSP they're going to assess, write the POA&M they're going to score, or perform the gap-close work they're going to evaluate. Those are the RP/RPO's role.
The Cyber AB Marketplace as verification venue
Every RP, RPO, C3PAO, and CCA the Cyber AB has authorized is listed in the public Cyber AB Marketplace. Before signing with any CMMC vendor, the contractor's contracting officer can verify the credential by hitting the Marketplace directly. The verification path doesn't depend on the vendor's continued cooperation or existence.
This is the diagnostic mechanic prospects should apply during vendor selection:
- Is this firm's RPO designation verifiable in the Cyber AB Marketplace right now?
- Is the C3PAO we're considering for assessment in the Marketplace?
- Are they the same entity? (They cannot be; the explicit check catches firms running both roles under different brand names.)
A vendor in enrollment but not yet listed should disclose that honestly. A vendor not in the Marketplace at all should explain their position relative to 32 CFR Part 170, and the contractor should weigh that explanation carefully.
How to structure your CMMC vendor stack
For a DIB contractor with CMMC L2 obligations, the working vendor stack has at least two parties:
Prep-side vendor (RP/RPO). Engaged early, ideally before the contractor's first DoD contract with the CMMC clause is signed, not after. Owns SSP authorship, POA&M creation, NIST SP 800-171 implementation guidance, and pre-assessment readiness work. Stays with the engagement through assessment day and beyond.
Assessment-side vendor (C3PAO). Engaged when the contractor is genuinely ready, typically 6 to 9 months after RP engagement begins for a fresh L2 implementation, faster for contractors with mature existing controls. The C3PAO is selected after the prep work has produced a defensible posture, not before.
Sometimes a third: cleared bridge consultant. For contractors with specific cleared-facility scope (32 CFR Part 117 NISPOM overlap), a separate cleared advisor may join the engagement. Typically engaged through the prep-side vendor.
Timing matters. Engage the C3PAO too early and you're paying for assessment slots before you can use them; too late and you miss the contract clause window. Phase 2 of CMMC implementation takes effect 2026-11-10. The DoD-contract clauses begin appearing then, and assessment-slot availability across all authorized C3PAOs is the visible bottleneck.
What to look for in your prep-side vendor
The RP/RPO selection criteria most contractors don't ask about:
Cyber AB credential status. RP for the individual signing your SSP; RPO for the firm. Verify in the Marketplace.
Practitioner continuity. Is the engagement assigned to a named human, or routed through a pool? Both models work; the pool model requires the firm to have practitioner depth, not a single person with vacation days.
Federal contractor credentials. UEI, CAGE Code, SAM.gov registration, NAICS codes appropriate to CMMC work (541512 / 541519 / 541690 are common). Vendor-file readiness on the DoD prime's side is real friction.
Deliverable verifiability. When the C3PAO assessor reads the SSP your RP authored, can they verify the SSP hasn't been silently regenerated since attestation? (See Whitepaper #1 in this series for the recipient-verifiable deliverable argument.)
Continuity beyond assessment day. CMMC certifications are multi-year. The RP/RPO that walks you through assessment should also walk you through quarterly readiness, annual re-attestation, and any contract-clause changes that update scope downstream.
What to look for in your assessment-side vendor
The C3PAO selection criteria most contractors don't ask about:
Independence from your RP/RPO. Confirm at the Cyber AB Marketplace level that they are not the same entity under different brands.
Scheduling depth. How booked is their CCA team in the next 6 to 9 months? Phase 2 will compress assessment-slot availability dramatically.
Industry experience. Has the C3PAO assessed contractors in your specific industry vertical? Aerospace primes, defense trucking, defense medical, and defense IT services all surface different control patterns.
Findings methodology consistency. What do their published scoring patterns look like? Some C3PAOs are known for stricter Not-Met determinations than others; consistency matters more than leniency.
Post-assessment availability. For POA&M re-assessment within the 180-day window, you'll need them again. Confirm scheduling depth for the rolling 6-month forward window.
Conclusion
CMMC's structural separation between the firm that prepares you and the firm that assesses you is not optional. It exists in 32 CFR Part 170 because assessment integrity depends on it. Contractors who consolidate the work to save vendor-management cost trade a small operational savings for a structurally weak assessment result.
The RP/RPO + C3PAO stack is the working model. Selected independently, engaged sequentially, verified through the Cyber AB Marketplace. The same diagnostic principle from Whitepaper #1 applies here: the work has to verify itself to a third party who isn't your vendor.
Start your CMMC prep with Key 102
Key 102 Consulting is veteran-owned, SAM-registered, and based in Phoenix, Arizona. Our methodology follows the registered-practitioner curriculum; Cyber AB RPO enrollment is in progress and will be verifiable in the Marketplace upon activation.
We deliver CMMC L1 (Mission Brief annual cycle) and L2 (Fortress Guided / Managed / Audit Co-Pilot) readiness work. Every artifact (SSP, POA&M, SPRS L1 + L2 affirmations, Master Audit Report) carries a named practitioner signature, server-side SHA-256 hash, RFC 3161 TSA timestamp, and a public verify endpoint your C3PAO can hit independently of Key 102.
UEI: TXQFV5FJX797
Primary NAICS: 541519 (Other Computer Related Services)
Additional NAICS: 541512 · 541690 · 611420
PSC Codes: DJ10 · DJ01 · D302 · R499 · U099
Start with a $674 Mission Brief
The Mission Brief is a 90-minute diagnostic engagement with Tammie and a practitioner. CMMC L1 contractors walk out with the regulator-ready SPRS affirmation package. L2 contractors walk out with a scoped readiness plan and a credit that converts 1:1 into Fortress Guided / Managed / Audit Co-Pilot within 14 days.
More in the Option A series
- #1 Why your compliance vendor's PDF is not assessment evidence
- #3 The 72-hour TSA cyber-incident clock: what surface-transport operators need pre-staged
- #4 Two-party attestation: how the PCI AoC handoff should work
- #5 Cryptographic integrity for HIPAA evidence: hash-anchored audit logs and the OCR question
- #6 A / B / C readiness: what an auditor-comprehensible tier rubric actually looks like
- #7 From DIY SaaS to firm engagement: the missing middle of compliance
