C3PAO (Assessment Organizations)

This page is dedicated to information that C3PAOs need to know. It will be filled out over time.

Please send suggestions if you see good information on a C3PAO topic.


CMMC C3PAO Stakeholder Forum

If you work for a C3PAO, you are invited to the C3PAO Stakeholder Forum.

CMMC C3PAO Stakeholder Forum Charter:

Encouraging and facilitating consistency and understanding of the CMMC assessment process is critical to promoting and ensuring the ongoing integrity and credibility of CMMC certification. With participation from C3PAOs across the CMMC ecosystem, this forum facilitates communication and professional practices among its members, and educates Organizations Seeking Certification (OSCs), prospective C3PAOs, assessors, and others about the CMMC accreditation, assessment, and certification processes.

All members must meet the requirements of the CMMC-AB by achieving certification as a C3PAO or by providing evidence of being a C3PAO applicant. Members agree to sign and abide by the CMMC Code of Professional Conduct.

This is both a support group and a members' organization that communicates as a whole with the CMMC Accreditation Body and DoD. It is free, but only available to verified representatives of C3PAOs, the CMMC Accreditation Body, or the DoD CMMC PMO. We are in the process of nominating an advocacy council to represent C3PAOs as a whole to the DoD and CMMC-AB.

This forum is very valuable to C3PAOs that want to operate within standards. We have discussions on technical practice interpretations, assessing process maturity, and boundary and scope. You can get feedback and recommendations about contract language, insurance, and governance activities. We've had more than one event per month with C3PAO-exclusive content such as meetings with the CMMC-AB, ISO 17020 preparation, and CMMC assessment lessons learned.

Invite link to the CMMC C3PAO Stakeholder Forum

This forum is hosted in Discord currently. The forum is a professional space where all members identify themselves by their full name and C3PAO affiliation. We have discussion channels about topics like insurance requirements, assessment procedures, information systems, ISO 17020, background checks, contracts, and conflict of interest. We also have weekly brunch meetings to share lessons learned.

Once you are registered, you will need to verify your status either as a representative of a C3PAO (applicant, candidate, approved, or accredited), or as a representative of the DoD or the CMMC Accreditation Body / CAICO. Check the read-me channel for further instructions.

Once you are verified, please join us at the Thursday 12pm EST lunch chats (conference capability within the forum).

Thursday Brunch Meeting (Outlook .ics)

Set up a meeting reminder on your calendar!


Official guidance related to C3PAOs

Cyber-AB Website for C3PAOs

The CMMC Assessment Process (interviews with Jeff Dalton)

CMMC-AB Jeff Dalton – the CMMC Assessment Process – Part 1

CMMC-AB Jeff Dalton – the CMMC Assessment Process – Part 2

CMMC-AB Jeff Dalton – the CMMC Assessment Process – Part 3

Big Rocks to prepare for as a C3PAO

Costs:

$1000 to apply for C3PAO (non-refundable)

$2000 activation fee, once the application is accepted (annual)

$100,000 – $800,000 to have a CMMC Level 2 certified information system

$10,000+ to obtain ISO 17020 certification within ~2 years.

Background:

The DoD is being extremely restrictive and careful about foreign influence of C3PAOs.

Your public websites must not violate the Code of Professional Conduct (this mostly means no false advertising).

Processes:

Operate an information system that meets CMMC Level 2 requirements

Mature assessment processes and get new CMMC assessors on the same page

Build a complaint resolution process

Mature back-office processes to oversee assessments and quality-assurance

Support your assessors as they travel and start/stop projects for many clients over time

Undergo quality reviews and tag-along assessments by the CMMC-AB every year (probably)

People:

Each assessment team member (which may include C3PAO staff, especially IT staff) must be a U.S. citizen and must achieve a favorably adjudicated Tier 3 suitability determination.

Your assessment team members need to meet requirements for training and knowledge.

Articles and information useful to C3PAOs

ISO 17020 informational video from Oxebridge