What is a C3PAO?

    A CMMC Third Party Assessment Organization, or C3PAO, is an organization authorized by the CMMC Accreditation Body (CMMCAB) to conduct, and deliver CMMC assessments after entering into contract with an Organization Seeking Compliance (OSC).

    4 Minutes Read

    The Cybersecurity Maturity Model Certification (CMMC) was established as a standard set of federal cybersecurity practices to ensure that organizations in the Defense Industrial Base (DIB) are able to properly secure sensitive data such as CUI, CTI, FCI, ITAR data and more. Assisting DoD contractors in finding the appropriate provider for their needs, the CMMC Accreditation Body (CMMC-AB) opened up applications for several initial certifications: CMMC Third-Party Assessor Organizations (C3PAOs), Certified CMMC Professionals (CCPs), Certified CMMC Assessors (CCAs), Registered Provider Organizations (RPOs), Registered Practitioners (RPs) and Licensed Partner Publishers (LPPs). While each of the aforementioned certification types have a unique role in helping organizations along their compliance journey, this article focuses solely on the C3PAO role.

    What is a C3PAO?

    A CMMC Third Party Assessor Organization, or C3PAO, is an organization authorized by the CMMC-AB to conduct, and deliver CMMC assessments after entering into contract with an Organization Seeking Compliance (OSCs). The CMMC-AB has defined two key roles for organizations who both advise and assess contractors as they work to align to the unique requirements of the CMMC.

    To help you in the process of gaining CMMC compliance, you'll likely need help from, both, a C3PAO and an (RPO). Cybersecurity practitioners and technical advisors, known as RPOs, assist organizations in the pre-assessment process by providing CMMC guidance and support to OSCs. Typically, this can include pre-assessment, information system configuration, and updated or newly authored documentation and policies. Though a C3PAO can also be an RPO, the C3PAO cannot provide RPO related services to an OSC they are assessing to avoid obvious conflicts of interest. 

    DIB contractors who come in contact with Federal Contract Information (FCI) and/or Controlled Unclassified Information (CUI) in their information systems will eventually encounter the DFARS 7021 clause in their contract(s), and consequently need to undergo a CMMC assessment to attain certification prior to the recompete of the contract.

    All contracts with the DoD will have this clause by 2025; therefore, it's important to check future RFIs, RFQs and RFPs for mention of CMMC or directly including DFARS 7021. Once you determine the appropriate level for your organization based upon existing or future contracts, a C3PAO can examine your organization based upon the applicable domains and practices based upon the desired level. As of this writing - C3PAOs are yet to be fully permitted to assess any and all OSCs.

    Once permitted, a C3PAO can enter into contracts for assessments with the OSC, or may be brought in under contract on behalf of a CCA. For more on identifying which level of CMMC compliance your organization needs, click here.

    How to Become a C3PAO

    After signing initial paperwork and paying all fees, a C3PAO is on its way to officially provide assessments to contractors seeking certification. The full process to become a C3PAO also requires the following:

    • The organization must be 100% US-citizen owned or complete a Foreign Ownership Control, or Interest (FOCI) background investigation if the company is public, an ESOP, or a global partnership
    • A successful completion of an audit for at least CMMC Level 3 compliance
    • Subject to an Organizational Background Check by the CMMC-AB via Dun & Bradstreet and have a DUNS number
    • Be registered in the CMMC-AB Marketplace
    • Possess an ISO 17020 certification

    In addition, the organization must carry a general liability policy with the CMMC-AB named among the insured, an errors and omissions policy, and a cybersecurity breach policy. The organization must also maintain an association with at least one RP, CCP, PA or CCA. Lastly, the organization also pays an annual fee of $3,000 USD to maintain its certification.

    Note: If a C3PAO uses an external Cloud Service Provider (CSP) to access, store, or process any CUI data, they must ensure that the CSP meets FEDRAMP High standards, or that any gaps are addressed. If the CSP does not meet those standards it is the responsibility of the C3PAO to independently assess the CSP and provide that assessment to the Defense Contract Management Agency (DCMA) as part of their CMMC Level 3 assessment.

    How to Select a C3PAO For a CMMC Assessment

    One of the first logical means in selecting or vetting a C3PAO is checking if the organization is listed in the CMMCAB.org directory; it is also useful if the organization is showcasing their AB Accreditation logo on materials, or their website. The ideal C3PAO would also have an established background of NIST 800-171, DFARS 7012, and other relevant federal cybersecurity mandates.

    Beyond these more obvious considerations, OSCs should view potential vendors through these additional lenses:

    • How many assessments have they completed?
      • A more experienced C3PAO might be able to conduct a thorough assessment in less time, which ultimately benefits your organization if in a shortened timetable. In 2021, most C3PAOs will have conducted very little, but subsequent years will be more telling. 

    • How many organizations have they worked with in your specific industry or situation (manufacturing, biotech, foreign parent company, etc)?
      • The additional expertise can also ensure that any nuances relative to your industry aren't overlooked or misunderstood. Many companies that are completely on-premises or their infrastructure is solely in the cloud may prefer a C3PAO with experience assessing similar OSCs.

    • What is the promised delivery timeline? Somewhat similar to the initial point, what is the C3PAO's backlog and projected assessment schedule.
      • If you need a certification prior to their ability to perform an assessment, then you will need to look elsewhere.

    • How much do they charge for the assessment?
      • Pricing in the marketplace is mostly to be determined at this early stage. Nevertheless, we know the costs associated with becoming a C3PAO and the average salaries for skilled cybersecurity professionals. Assuming a forty-hour, five day onsite assessment, estimates could range between $15,000 - $25,000 USD, with pricing variance due primarily to location and expertise. Significantly higher or lower estimates may warrant additional scrutiny.

    Lastly, your leadership may request some of the credentials of the individuals conducting the actual assessment to distinguish between two firms. A certified C3PAO will provide assessment team members with active NAC, DHS Suitability or other DOD-accepted clearances as a foundation. However, a C3PAO with individuals holding additional credentials (CISSP, Microsoft Certified Professional, etc.) may have greater appeal.

    In the process of searching for a C3PAO, be aware that there are some fraudulent organizations who have been offering assessments well before the certification process had even been completed. These fraudulent organizations often offer better than average pricing or promise timelines that are not realistic. As Stacy Bostjanick, director of CMMC policy in the Office of the Under Secretary of Defense for Acquisition and Sustainment admonishes, "If you really want to ensure that you’re getting the right information, you need to go with people who have had the CMMC-AB training and have a certification through them."

    The Future for C3PAOs

    As of Q2 FY2021, 53 C3PAOs have been certified, with 355 organizations currently awaiting certifications from the CMMC-AB. 

    The CMMC-AB’s standardized accreditation process for this role should help more organizations in the DIB progress in their journey towards CMMC compliance, ultimately strengthening the security that protects our nation and helps each of the organizations in the DIB to reliably support the DoD.

    For more on C3PAOs and their impact on the DoD supply chain, check out this session from a recent Cloud Security and Compliance (CS2) Virtual event where multiple CMMC-AB authorized C3PAOs answered questions on the certification process.




    Jay Jones