Certified Third-Party Assessment Organizations

A C3PAO is an organizations where licensed assessors will come together hone their skills and register their licenses.  Each C3PAO will need to be certified by the CMMC-AB prior to deploying its assessors into the field.


The CMMC-AB has just been formed.  The anticipation of the impact of CMMC to the DIB (Defense Industrial Base is huge.  In order to provide a level playing field for all those involved there are some do's and don'ts that are important to follow at these early stages.



  1. When mentioning CMMC, always place the word DRAFT in front of it, so as not to mislead readers that the standard is complete and released.
  2. Share valid information about the CMMC standard acquired from this site or the Official DoD site located at https://www.acq.osd.mil/cmmc/index.html.
  3. Prepare your clients for CMMC by assessing under DFARS regulations and NIST 800-171 guidance.  It is the law and there is an increasing number of audits being performed right now, in 2020.
  4. Become an expert on CMMC by reading the standard, assessment guidance, and training materials that will be published on https://www.acq.osd.mil/cmmc/index.html.  These materials ARE NOT YET AVAILABLE as the standard is not complete and released.  Familiarize now.  Actively prep later.


  1. Do not state that you are an expert on CMMC.  You are not.  The standard was released as v1.0 on  31 January 2020.  No C3PAO is currently certified.  No assessors have received CMMC-AB accredited training.  
  2. Currently, DFARS regulation requires self-assessments under NIST 800-171 guidance.  Do not focus on future requirements (CMMC) at the expense of current requirements.
  3. Do not charge clients for workshops, seminars, and training that promise CMMC compliance.  Instead, help the supply DoD community prepare with NIST 800-171a preparation and assessments.  For companies that expect to be CMMC Level 1 and 2, prepare with best practices as captured in the CMMC model and appendix which is available here.
  4. Do not sell tools that promise CMMC compliance with certainty.  The CMMC-AB will create standards for tool producers to use.  For now, ensure that any tools promoted focus first on completed and released standards or best practices.
What we don't know...   

We don't know when you will be able to register to become an official C3PAO.  Think Q2 2020,  but there is much work to complete before that registration and certification process will be available.

We don't know yet know the rules for what it takes to be a C3PAO in good standing.

We don't know the fees or details associated with the process.  The CMMC-AB is a nonprofit.  Our fees will reflect the costs of providing an independent, national organization with a leading-edge customer experience.

But wait. We are just getting started. 

Come back here often for detail and sign up below for alerts and emails. 

There is much to come, we will provide information as we build it.


C3PAO Subscribe

For information about the CMMC-AB program delivered right to your inbox, subscribe below.  Your contact details may be shared with assessors, once they become licensed, as their licenses will be required to be associate with a C3PAO.

CMMC (Cybersecurity Maturity Model Certification) Accreditation Body