The Four-Layer Model
The CMMC ecosystem is best understood as four layers operating together. The policy layer establishes the framework that governs Controlled Unclassified Information and its protection. The DoD layer implements the framework within the defense contracting context. The accreditation and certification layer, which now includes CyberAB and ISACA working in complementary roles following the CAICO transition, operates the assessment and practitioner ecosystem that delivers CMMC as a program. The enforcement layer operates across all three, providing the oversight and prosecutorial pathways that give the framework consequence.
Practitioners who hold the four layers in mind simultaneously are positioned to advise clients coherently. Practitioners who know only the layer they work in most directly produce advice that works in limited contexts and fails when questions cross layer boundaries. Client questions surface across the full ecosystem. A readiness client may ask about ISOO oversight. An assessment client may ask about SPRS score history. A compliance officer at a prime contractor may ask about DCSA and CMMC eMASS interaction. An assessment team member may ask about the split between CyberAB and ISACA in credential administration.
The Policy Layer
The policy layer sits at the executive branch level. The National Archives and Records Administration serves as Executive Agent for the Controlled Unclassified Information Program under Executive Order 13556, with the Information Security Oversight Office within NARA operating the specific oversight function. The implementing regulation is 32 CFR Part 2002, and the authoritative catalog of what qualifies as CUI lives in the CUI Registry maintained at archives.gov/cui.
The National Institute of Standards and Technology authors the technical standards that CMMC directly assesses against. NIST SP 800-171 Revision 2 is the current baseline with 110 security requirements, and Revision 3 was published in May 2024 with substantial structural changes pending integration into CMMC. Practitioners who treat NIST publications as primary reference material rather than as secondary guidance produce more defensible assessment preparation.
The DoD Layer
The Department of Defense operationalizes the policy layer within the defense contracting context. The Office of the Under Secretary of Defense for Acquisition and Sustainment owns the CMMC program. The CMMC Program Management Office operates it day-to-day, published the final rule at 32 CFR Part 170 effective December 2024, and maintains the authoritative Assessment Guides and Scoping Guides. The DoD Chief Information Officer holds broader cybersecurity policy authority that intersects CMMC at specific points including incident reporting and classified environment handling.
The Defense Counterintelligence and Security Agency operates the Defense Industrial Base Cybersecurity Assessment Center, commonly known as DIBCAC, which conducts NIST SP 800-171 assessments that predate CMMC and continue under interim equivalency arrangements for specific contractor scenarios.
The Accreditation and Certification Layer: CyberAB and ISACA
This is where the CAICO transition changes the practitioner-facing picture. CyberAB retains the accreditation function covering C3PAO accreditation, RPO registration, and RP and RPA credential issuance. ISACA was appointed as the Cybersecurity Assessor and Instructor Certification Organization effective December 2025, with full operational transition by April 1, 2026. ISACA now operates the CCP, CCA, and CCI credentials.
Practitioners interact with two organizations depending on which credentials they hold. Questions about RP and RPA credentials, RPO registration, or C3PAO accreditation go to CyberAB. Questions about CCP, CCA, and CCI credentials go to ISACA. Tier 3 investigations of alleged professional conduct violations go to CyberAB regardless of credential type. The credentials themselves carry the same recognition as before the transition, but the administrative infrastructure has moved.
CyberAB retains: C3PAO accreditation, RPO registration, RP and RPA credential issuance, LTP and LPP licensing, the Marketplace, the Code of Professional Conduct, and Tier 3 investigations.
ISACA operates as CAICO: the CCP, CCA, and CCI credentials, training pathway registration, examination through the PSI platform, background check coordination, and continuing education tracking.
Practitioner takeaway. Practitioners holding credentials across both organizations maintain accounts in both systems. The RP and RPA credentials do not require RPO affiliation and can be held by independent practitioners.
C3PAOs, RPOs, and the Conflict of Interest Rules
C3PAOs perform Level 2 certification assessments. RPOs provide consulting, readiness, and implementation services. The separation between assessment and consulting is foundational to the ecosystem's integrity and is analogous to the separation between financial auditors and financial consultants enforced since Sarbanes-Oxley. A single organizational entity cannot both advise a client and assess whether the client has met the standard, because the conflict of interest would undermine the credibility of the assessment.
RPO registration is one valid structural arrangement for providing CMMC consulting services, but it is not the only one. Independent practitioners holding RP or RPA credentials can provide consulting services directly without RPO registration, either as sole proprietors or through firms they operate. The ecosystem accommodates both arrangements because clients have genuinely different preferences and requirements.
Operational Systems: SPRS and CMMC eMASS
The Supplier Performance Risk System receives contractor self-assessment scores against the NIST SP 800-171 control set. SPRS is accessed through the Procurement Integrated Enterprise Environment and records scores that are retained for extended periods and subject to retrospective review. Contractors have been submitting SPRS scores since late 2020, and those submissions form the basis for several of the False Claims Act settlements that practitioners should be familiar with.
CMMC eMASS is the specific deployment of the Enterprise Mission Assurance Support Service that captures CMMC assessment results. When a C3PAO completes a Level 2 assessment, the certification decision is recorded in CMMC eMASS, which contract officers reference when verifying certification status. The record is durable and historically persistent, with updates and corrections occurring through defined processes rather than informal contractor-side modifications.
The Enforcement Layer
The enforcement layer is what gives the framework consequence. ISOO operates as an oversight body with escalation capability through agency heads and the Department of Justice. The DoD Office of Inspector General conducts independent oversight that can surface compliance failures independent of the assessment cycle. The Department of Justice Civil Division is the federal enforcer of the False Claims Act and has pursued multiple cybersecurity-related actions including Georgia Institute of Technology ($875,000 in August 2024), MORSE Corp ($4.6 million in March 2025), and Raytheon Technologies ($8.4 million in October 2024).
Qui tam relators are a specific category of enforcement actor that practitioners need to understand. The False Claims Act allows private individuals with knowledge of fraud to file sealed complaints on the government's behalf, with relator shares ranging from 15 to 30 percent of recoveries. The incentive structure creates real discovery risk for contractors, and the pool of potential relators includes current employees, former employees, contractors, consultants, and members of the public.
The Lifecycle View
The entities and systems described above interact with contractors across a predictable lifecycle that spans years. Pre-solicitation includes framework understanding, control implementation, SSP documentation, and SPRS submission. Solicitation includes DoD applying CMMC level requirements based on contract information sensitivity. Award includes the contractor becoming legally obligated through DFARS clauses 7012, 7019, 7020, and 7021. Performance includes CUI handling, incident reporting within 72 hours, environment change management, and subcontract flowdown oversight. Assessment includes C3PAO engagement staffed by ISACA-credentialed CCP and CCA practitioners, preparation work under CyberAB-credentialed RP or RPA support, and certification recording in CMMC eMASS. Post-certification includes surveillance reviews, triennial reassessment, and continuous compliance obligations.
Enforcement is not a phase but a continuous overlay. At any point in the lifecycle, ISOO complaints, OIG audits, or qui tam filings can trigger investigations that produce findings, corrective action requirements, and in serious cases DoJ enforcement actions.
Why Practitioners Need the Full Map
Competent practice requires holding the full ecosystem map in mind even when daily work touches only a portion of it. Practitioners who have built the structural mental model answer client questions with accuracy and authority across the boundaries. Practitioners who have not done that work produce advice that is accurate in its narrow focus but incomplete when questions cross entity or layer boundaries.
The ecosystem will continue to evolve. NIST SP 800-171 Revision 3 is pending eventual integration into CMMC. The CAICO role held by ISACA will refine its operations over time as the transition matures. DoD policy around enforcement priorities evolves with administration transitions. Practitioners who understand the current structure are positioned to understand future changes as adjustments to a known framework rather than as unintelligible developments.