CMMC Third-Party Assessor Organization

Infographic showing the characteristics of a C3PAO

A C3PAO authorized to manage the assessment process.

Icon representing "benefits"


C3PAO is authorized to enter into a contract to deliver CMMC assessments with:

  • Assessed organization
  • Certified CMMC assessors

Partnership Kit

  • C3PAO is listed on AB directory
  • C3PAO is provided in AB Accreditation Logo

Official Tools

  • CMMC Assessment Standard
  • Assessment Method
  • Other job-aids as they become available will be provided.

Icon representing "requirements"


Requirements for Certification*

  • Sign the C3PAO License Agreement
  • Provide verification of insurance (minimum coverage amounts to be determined)
    • General Liability with CMMC Accreditation Body as a Named Insured
    • Errors and Omissions Policy
    • Cybersecurity Breach Policy
  • Pay application fee
  • Pay C3PAO activation fee (good through 12/31/2021)*
  • Be subject to an Organizational Background Check via data provided to the CMMC-AB by Dun & Bradstreet and have a DUNS number
  • Maintain an association with at least one RP, CP,  PA or CA (30-day grace period applies)
  • Be 100% U.S. Citizen business owned, or successfully complete a FOCI background investigation if company is public, an ESOP, or a global partnership.
  • Complete a CMMC Level 3 assessment
  • ISO 17020 Certification
    There will be a grace period of 27 months from date of registration for C3PAOs to achieve ISO 17020 Accreditation
  • Obtain a CMMC Level 3 Certification
    IMPORTANT The CMMC-AB is developing the process for CMMC C3PAO ML-3 certification. Details will be published on this website when complete.**
  • Foreign Ownership
    The DoD is focusing on US Ownership only at this time. Check back soon for more information.

* Normally certification is renewed annually. The first 300 applicants receive an extended-term expiring on 12/31/2021.
** These requirements must be met prior to scheduling the C3PAO's first assessment engagement on the CMMC-AB website.

To Perform Assessments at any Maturity Level:

C3PAO CMMC Maturity Certification

  • C3PAOs shall not be accredited to conduct CMMC assessments until achieving CMMC Level 3 certification themselves because assessment results will need the same protection as CUI. 

Assessment Data Storage Infrastructure

  • If a C3PAO uses an external cloud service provider to store, process or transmit CUI, the C3PAO shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) High baseline , and ensure that any gaps between FedRAMP High and CMMC Level 3 have been addressed.
  • If a C3PAO selects services from an external cloud service provider that have not been FedRAMP authorized, the C3PAO is responsible for the independent assessment of the cloud service provider and providing this assessment information to DCMA as part of their CMMC Level 3 assessment.

Assessment Team Composition

  • Provide assessment team members with active NAC, DHS Suitability or Other DoD Accepted Clearance
  • The CMMC-AB will be authorized to sponsor clearances for those organizations that do not currently contract with the U.S. government. Details will be announced when available.

Icon representing "journey"


Infographic showing the journey to become a C3PAO

icon with gears representing the fee schedule

Registrations Are Now Open

Initial Fees - Due Now

  • Application Fee- $1,000 (non-refundable)

Activation Fee - Due Upon Acceptance

  • Activation Fee – $2,000

Ongoing Fees - Beginning 1 Jan 2022

  • Annual Maintenance – $2,000

CMMC-AB Refund Policy

  • Application fees are non-refundable or transferable.
  • Refunds for any fee, except Application fees, requested within 30 days shall be fully refundable upon review and approval by the CMMC-AB. 
  • Exam fees paid shall only be transferable to another named person from the same organization only if related services have not commenced.

All fees outside of the above stated Refund Policies are non-refundable. All fees are subject to change.

Get In Touch

Please contact us if you have any questions, suggestions, or concerns (such as ethical concerns) regarding the CMMC-AB ecosystem. Due to high demand, there may be a delay of several days before our team responds.