When Disclosure Isn't Enough: COI Hygiene for Multi-Service RPOs

A practical operating system for RPOs that run both consulting and assessment practices, built around the three-year consultant rule in 32 CFR § 170.8(b)(17)(ii)(G) and CoPC v2.0 Article III.

Deep Fathom

The CMMC three-year consultant rule prohibits any CMMC Ecosystem member that consulted for an OSC from participating in that OSC’s Level 2 certification assessment for three years after the consulting engagement, under 32 CFR § 170.8(b)(17)(ii)(G) and Cyber AB CoPC v2.0 § 2.2(d). Two operational facts make the rule broader than the bare text suggests. The prohibition covers consulting for any CMMC level (Level 1, Level 2, or Level 3 prep), not just Level 2 consulting; CoPC § 3.3 explicitly cites the Level 1-consultant-to-Level 2-assessment example. And the prohibition extends to the firm as an organization, not just individual practitioners — a multi-service RPO/C3PAO cannot route the certification assessment to a different staff member and claim the conflict has been managed. The discipline that scales across a growing book of business is a working COI calendar at engagement intake, not individual recall.

Multi-service RPOs don’t fail conflict-of-interest rules by being dishonest. They fail by being disorganized.

The discipline a solo consultant needs in order to stay clean is light. They take an engagement, they remember they took it, and they decline assessment work that touches the same client for the next three years. The mental model fits inside one person’s head. The discipline a multi-service RPO needs is different in kind, not just in degree. Every consulting engagement the firm signs creates a shadow that follows specific team members across the calendar, and under Cyber AB CoPC v2.0 Article III § 3.3, the shadow also attaches to the firm as an organization. Every assessment opportunity that comes in has to be checked against every shadow currently in force. The firm that runs this on individual recall is going to miss something. The question isn’t whether. It’s when.

This piece is for RPO leaders who already understand the rules and now have to operationalize them across a growing book of business. The frame is firm-level practice, not regulatory critique. The regulation is what it is. The opportunity is in how you build around it.

The Three-Year Wall, Operationally

The boundary that matters most for a multi-service firm sits in 32 CFR § 170.8(b)(17)(ii)(G), which reads: “Prohibit CMMC Ecosystem members from participating in the Level 2 certification assessment process for an assessment in which they previously served as a consultant to prepare the organization for any CMMC assessment within 3 years.” Cyber AB CoPC v2.0 § 2.2(d) carries the same prohibition. Two operational facts make the wall broader than the bare text suggests.

First, the prohibition covers consulting for any CMMC level, not just Level 2. The CoPC’s own example, in Article III § 3.3, names exactly this: a consultant who prepared an OSC for a Level 1 self-assessment is blocked from a Level 2 certification team for that OSC until the three-year window closes. The fact that the assessment level and the consulting level differ does not reset the clock.

Second, the prohibition reaches the firm. CoPC § 3.3 states that the prohibition “applies to the C3PAO as an organization as well as to all of its Assessment Team members.” Multi-service firms cannot solve a consulting-to-assessment conflict by swapping practitioners. If the firm consulted for an OSC, the firm itself is out of the certification assessment for that OSC for three years. The wall runs in one direction by design. The point is to prevent assessors from grading their own prior work.

A single consulting engagement creates a specific block. Practitioner A consulted for OSC X from January through April. Neither Practitioner A nor the firm can participate in a Level 2 certification assessment for OSC X until April, three years later. That’s the formal reading. The operational reading is broader. The firm now needs to track that block continuously, against every assessment opportunity that comes through the door, for three years. Lose track of it once and the firm either declines work it was free to take or accepts work it wasn’t.

Multiply the single engagement by the firm’s actual consulting volume. A firm with twelve active consulting clients and rolling engagements has dozens of blocks running at any given moment, each on its own timer, each attached to a specific practitioner and to the firm. The math gets unmanageable fast if it lives in anyone’s head.

The COI Calendar

What the firm needs is a calendar. Not a spreadsheet someone updates when they remember. A working data structure that captures, for every engagement the firm signs:

  • Which OSC the engagement is with
  • Which practitioners worked on it
  • What scope the work covered
  • When the engagement closed
  • When the three-year window opens for that combination

When an assessment opportunity comes in, the firm queries the calendar. The query is structural: does this OSC have any open blocks involving the firm or any of our currently available practitioners? The answer is a list. If the list is non-empty, the engagement is closed to the firm regardless of staffing. If the list is empty, the engagement is clean.
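As an added illustration (not code from the article or from Deep Fathom), a small Python model of the calendar described above: each engagement record carries the five fields listed, a block runs from the first day of consulting until three years after closure, and the intake query returns every open block for an OSC, so any non-empty result closes the assessment to the whole firm. The OSC names, practitioners, scope strings and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

THREE_YEARS = 3  # 32 CFR § 170.8(b)(17)(ii)(G): three years after the consulting engagement

def add_years(d: date, years: int) -> date:
    """Same calendar day `years` later; a Feb 29 date rolls forward to Mar 1."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)

@dataclass(frozen=True)
class Engagement:
    osc: str                  # which OSC the engagement is with
    practitioners: frozenset  # which practitioners worked on it
    scope: str                # what the work covered (keep it narrow)
    started: date
    closed: date              # when the engagement closed

    def blocks_on(self, day: date) -> bool:
        # In force from the first day of consulting until three years after closure
        return self.started <= day < add_years(self.closed, THREE_YEARS)

@dataclass
class COICalendar:
    engagements: list = field(default_factory=list)

    def record(self, e: Engagement) -> None:
        self.engagements.append(e)

    def open_blocks(self, osc: str, assessment_day: date) -> list:
        """Every engagement with this OSC whose block is in force on that day."""
        return [e for e in self.engagements if e.osc == osc and e.blocks_on(assessment_day)]

    def can_assess(self, osc: str, assessment_day: date) -> bool:
        # Any open block closes the assessment to the whole firm, whoever would staff it (CoPC v2.0 § 3.3)
        return not self.open_blocks(osc, assessment_day)

    def blocked_practitioners(self, osc: str, assessment_day: date) -> frozenset:
        """The individual side of the calendar: who each open block attaches to."""
        return frozenset().union(*(e.practitioners for e in self.open_blocks(osc, assessment_day)))

def sample_calendar() -> COICalendar:
    """Constructed sample data (not real clients): Practitioner A consulted for OSC X Jan-Apr 2026."""
    cal = COICalendar()
    cal.record(Engagement("OSC X", frozenset({"Practitioner A"}), "AC and CM policies, Level 1 prep",
                          date(2026, 1, 5), date(2026, 4, 30)))
    return cal
```

The block is keyed on the OSC alone, so a Level 1 consulting record blocks a Level 2 assessment exactly as the CoPC example describes.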

Running this on memory or on tribal knowledge is the failure mode the three-year rule was written to prevent. The firms still doing it that way are not necessarily compromised yet. They’re just not yet caught.

Why “Different Practitioner” Is the Wrong Workaround

A reading of the regulation that some firms try out is that the consultant prohibition attaches to the individual, so routing the assessment to a different practitioner solves the conflict. CoPC v2.0 § 3.3 forecloses this reading directly. The prohibition extends to the firm as an organization. A firm that consulted for an OSC cannot route a certification assessment of that OSC to a different staff member and claim the conflict has been managed. The wall is organizational.

The reasoning behind the organizational extension matters. The firm itself has a financial interest in the OSC continuing to engage. That interest doesn’t disappear when the assessment is staffed by a different team member. It also matters that the firm built a working understanding of the OSC’s control environment during the consulting engagement. That knowledge sits inside the firm, not just inside the individual practitioner who held the relationship. Staffing rotation cannot erase it.

The pragmatic implication is that the firm-versus-individual distinction has less room to operate than people sometimes hope. Within the three-year wall, the rule reaches the firm. Outside the three-year wall, individual disclosure may suffice for engagements where the firm has no continuing financial position. Documenting the reasoning at the time of every decision matters more than relying on memory later. A firm that can show its work is a firm that can defend its judgment.

Structuring Engagements to Minimize Future Conflicts

The decisions that determine your future conflicts get made at engagement scoping, not at assessment intake. This is where the discipline pays off.

Scope consulting work narrowly. The narrower the scope, the easier the conflict-check later. An engagement that says “the firm helped OSC X prepare specific policies for AC and CM domains in Q1 2026” is precise enough to evaluate. An engagement that says “the firm advised OSC X on their CMMC readiness” is not. The first description gives a future conflict-check a clear yes-or-no. The second description forces every future check to assume the worst.

Document scope clearly inside the engagement file. The COI calendar lives or dies on the quality of the underlying records. A scope sentence written carefully at intake saves a judgment call later when a related opportunity comes in.

Be deliberate about which team members participate in which engagements. While the three-year wall reaches the firm, individual practitioner history still matters for related questions like scope of knowledge transfer between engagements and disclosure obligations in adjacent work. A firm that distributes consulting work strategically across the team has more flexibility on adjacent matters, even where the firm-level wall is in force. Cross-training and engagement rotation are COI infrastructure, not just team development.

Maintain visibility into the team-member assignment side of the calendar. Knowing which OSC has a block is half the picture. Knowing which practitioner the block attaches to is the other half. The COI policy should make this query trivial.

The Conversation With OSCs Who Want One Firm for Everything

OSCs often arrive at the firm wanting a single relationship for all of it. Get me ready. Then certify me. The firm has to explain why that’s not how the program works. The conversation goes better when the firm leads with the rule’s logic rather than treating it as an apology.

The rule exists for the OSC’s benefit. The whole structure of CMMC assessment rests on the assessor being demonstrably independent of the work being assessed. An OSC certified by their consultant is certified by someone with a direct financial interest in their passing. The credential means less under that arrangement, both formally and in the eyes of every prime contractor downstream who’s evaluating the cert.

The right offer to the OSC is a service mix that respects the boundary. Consulting now, with a clear handoff to a partner firm for the certification assessment when the time comes. The firm that explains this calmly, before the OSC has emotionally committed to the wrong arrangement, comes out of the conversation looking like a steward of the program rather than a vendor protecting its own ground. Partnership networks among RPOs and C3PAOs exist for exactly this purpose. The firms that use them well make the constraint into a value proposition.

Closing

Disclosure, on its own, doesn’t reach the substance of these conflicts. The financial interest doesn’t disappear because the OSC was told about it. The three-year wall doesn’t bend because the practitioner offered to be careful. The CoPC and the CFR are written the way they are because regulators concluded that some conflicts can be transparent and managed, and others have to be structurally removed. For firms that run both consulting and assessment practices, the structural removal happens at the calendar, the scoping conversation, and the team assignment, not at the disclosure form.

For deeper context on the disclosure-versus-recusal line, see our disclosure vs recusal guide. For the broader ethical framework, see the COPC five principles decision tree. For how the actors in the ecosystem relate, see CMMC ecosystem roles explained and RPO vs MSP vs C3PAO.

The firms still running COI off memory will eventually meet a situation memory can’t hold. The discipline isn’t optional. The infrastructure makes it routine.

References · 3 official sources

Source | What it covers | Type
32 CFR Part 170 (CMMC Program Rule) | 32 CFR § 170.8(b)(17)(ii)(G) — the three-year consulting-to-assessment prohibition (verbatim rule text) | Regulation
Cyber AB CMMC Code of Professional Conduct (CoPC) v2.0 | Cyber AB CoPC v2.0 — Article II § 2.2(d) incorporates the rule; Article III § 3.3 extends the prohibition to the C3PAO as an organization, not just individual Assessment Team members | Guidance
ISO/IEC 17011:2017(E) — Conformity assessment: Requirements for accreditation bodies | ISO/IEC 17011:2017(E) — the international impartiality standard that anchors CMMC accreditation under § 170.8 | Standard