Who Does What in CMMC: The Ecosystem Map

Reference

Who actually does what in the CMMC ecosystem - the rule-writers, the assessors, the accreditors, and the people you can (and cannot) hire. The confusion between these organizations is constant; the roles are not. Verified against 32 CFR Part 170 and the current ecosystem, July 2026.

The one-line version: you hire a C3PAO to assess you. You may hire an RPO to advise you. You never hire DIBCAC, the Cyber AB, NIST, or DoD - they are the system, not vendors in it.

Status note (July 14, 2026): with Phase 2 suspended, C3PAO certification cannot be required in new solicitations during the DoW program review - voluntary assessment remains possible, and DIBCAC continues government-led assessments.

Sets the rules

DoD CIO - Owns the CMMC program: published 32 CFR Part 170, the assessment and scoping guides, and the phased implementation schedule. To you: Defines what level your contracts demand and how assessments run. Not their job: Assessing individual companies or answering your scoping questions directly.

NIST - Writes the underlying standards - SP 800-171 (the 110 requirements), 800-171A (the 320 assessment objectives), and 800-172. To you: The technical yardstick your documentation and evidence are measured against. Not their job: Running CMMC, certifying anyone, or enforcing anything.

NARA / ISOO - Runs the government-wide CUI program and the CUI Registry: categories, marking, and handling rules. To you: Defines what counts as CUI and how it must be marked - the reason the whole regime exists. Not their job: DoD-specific contract enforcement; that is the DFARS side.

Government assessment and administration

DCMA - Defense Contract Management Agency - administers DoD contracts and houses DIBCAC. To you: The contract-administration machinery behind the scenes of your award. Not their job: Routine CMMC certification of contractors.

DIBCAC - The government’s own assessment arm inside DCMA: conducts DFARS 7020 medium and high assessments and participates in joint-surveillance assessments alongside C3PAOs. To you: May assess you directly on higher-scrutiny contracts; joint-surveillance results have counted toward CMMC status. Not their job: A certifier you can book - you cannot hire DIBCAC, and they do not consult.

The certification ecosystem

Cyber AB - The accreditation body: authorizes C3PAOs and maintains the official marketplace of assessors. To you: The place you verify a C3PAO is real before signing anything. Not their job: Assessing companies or consulting - the AB accredits assessors, it does not assess you.

CAICO - Certifies the individuals in the ecosystem - CCP and CCA training and examination. To you: The credential mill behind the people who show up on your assessment team. Not their job: Anything organization-level.

C3PAO - CMMC Third-Party Assessment Organization - the accredited firm you engage for a Level 2 certification assessment. To you: The organization you actually hire; they run the assessment and submit results. Not their job: Consulting for you - conflict-of-interest rules separate advising from assessing the same organization.

CCA / CCP - Certified CMMC Assessor / Certified CMMC Professional - the certified individuals who staff C3PAO assessment teams. To you: The people examining your SSP, interviewing your owners, and testing your mechanisms. Not their job: Freelance certification outside a C3PAO engagement.

RPO / RP - Registered Practitioner Organizations and Registered Practitioners - Cyber AB-registered consultants. To you: Preparation help: gap work, documentation, readiness. (CMMC Operator publishes documentation; consultants adapt it with you.) Not their job: Assessing or certifying anyone - registration is not assessment authority.

Your side of the table

Prime contractors - The companies flowing DFARS clauses down the supply chain. To you: They check SPRS, ask for your level, and increasingly gate subcontracts on it. Not their job: Certifying you - a prime’s questionnaire is diligence, not a certificate.

ESPs / MSPs / MSSPs - External service providers whose people, processes, or technology touch your scope. To you: Part of your assessment conversation: their responsibilities land in your SSP and shared-responsibility documentation. How to vet one. Not their job: Making your scope their problem - responsibility can be shared; accountability stays yours.

You (the OSC/OSA) - The organization seeking certification or assessment. To you: Own the scope, the SSP, the evidence, the POA&M, and the annual affirmations - no one in this list does it for you. Not their job:

Companion references: the acronym glossary, controls list, key dates, and the DFARS clause guide - or browse the full reference shelf.