CMMC Third-Party Assessor Organization
A C3PAO is authorized to manage the assessment process.
A C3PAO is authorized to enter into a contract to deliver CMMC assessments with:
- Assessed organization
- Certified CMMC assessors
- C3PAO is listed on AB directory
- C3PAO is provided an AB Accreditation Logo
- CMMC Assessment Standard
- Assessment Method
- Other job-aids as they become available will be provided.
Requirements for Certification*
- Sign the C3PAO License Agreement
- Provide verification of insurance (minimum coverage amounts to be determined)
- General Liability with CMMC Accreditation Body as a Named Insured
- Errors and Omissions Policy
- Cybersecurity Breach Policy
- Pay application fee
- Pay C3PAO activation fee (good through 12/31/2021)*
- Be subject to an Organizational Background Check via data provided to the CMMC-AB by Dun & Bradstreet and have a DUNS number
- Maintain an association with at least one RP, CP, PA or CA (30-day grace period applies)
- Be 100% U.S. Citizen business owned, or successfully complete a FOCI background investigation if the company is public, an ESOP, or a global partnership.
- Complete a CMMC Level 3 assessment
- ISO 17020 Certification
There will be a grace period of 27 months from the date of registration for C3PAOs to achieve ISO 17020 Accreditation.
- Obtain a CMMC Level 3 Certification
IMPORTANT: The CMMC-AB is developing the process for CMMC C3PAO ML-3 certification. Details will be published on this website when complete.**
- Foreign Ownership
The DoD is focusing on US Ownership only at this time. Check back soon for more information.
* Normally, certification is renewed annually. The first 300 applicants receive an extended term expiring on 12/31/2021.
** These requirements must be met prior to scheduling the C3PAO's first assessment engagement on the CMMC-AB website.
To Perform Assessments at any Maturity Level:
C3PAO CMMC Maturity Certification
- C3PAOs shall not be accredited to conduct CMMC assessments until achieving CMMC Level 3 certification themselves because assessment results will need the same protection as CUI.
Assessment Data Storage Infrastructure
- If a C3PAO uses an external cloud service provider to store, process or transmit CUI, the C3PAO shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) High baseline, and ensure that any gaps between FedRAMP High and CMMC Level 3 have been addressed.
- If a C3PAO selects services from an external cloud service provider that have not been FedRAMP authorized, the C3PAO is responsible for the independent assessment of the cloud service provider and providing this assessment information to DCMA as part of their CMMC Level 3 assessment.
Assessment Team Composition
- Provide assessment team members with active NAC, DHS Suitability or Other DoD Accepted Clearance
- The CMMC-AB will be authorized to sponsor clearances for those organizations that do not currently contract with the U.S. government. Details will be announced when available.
Registrations Are Now Open
Initial Fees - Due Now
- Application Fee – $1,000 (non-refundable)
Activation Fee - Due Upon Acceptance
- Activation Fee – $2,000
Ongoing Fees - Beginning 1 Jan 2022
- Annual Maintenance – $2,000
CMMC-AB Refund Policy
- Application fees are neither refundable nor transferable.
- Any fee, except Application fees, for which a refund is requested within 30 days shall be fully refundable upon review and approval by the CMMC-AB.
- Exam fees paid shall be transferable only to another named person from the same organization, and only if related services have not commenced.
All fees outside of the above stated Refund Policies are non-refundable. All fees are subject to change.