C3PAOs Signal Maturity in CMMC Program – The Time to Act is Now


The first CMMC Third Party Assessor Organization (C3PAO) was announced and listed on the CMMC Marketplace earlier this month. There are at least 156 known organizations aspiring for C3PAO status to pass the full Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment at CMMC Level 3. Ardalyst is one of those companies.

The announcement of the newly authorized C3PAO comes on the heels of the recent Executive Order on Cybersecurity from President Biden and a Special Senate Hearing on CMMC and Cybersecurity in the Defense Industrial Base (DIB).

While there are sure to be changes as CMMC evolves, the program isn’t going away.  The biggest challenge now to CMMC is the establishment of C3PAOs and discussions about the cost of certification  As the C3PAO community grows, CMMC becomes more established, with more and more third-party assessments and certifications.

Continued certification of C3PAOs shows growing maturity in the CMMC program.

​“We are pleased to see the CMMC is releasing C3PAOs. Ardalyst has applied for the training in our effort to become C3PAO certified, and we continue to offer a phased approach to cyber maturity and CMMC certification,” said Michael Speca, Ardalyst co-founder and CEO. “These recent events should remind companies that the time to act is now. Internal initiatives for NIST 800-171 compliance typically take 12-18 months. Ardalyst works with you to align your business and cybersecurity strategy and get your organization compliant within 6-9 months. CMMC – or some form of compliance requirement – is coming. You need to be ready.”

CMMC is a unified security standard and a certification process developed by the U.S. Department of Defense (DoD) to protect the security of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). In accordance with recent updates to DFARS 252.204, the Office of the Under Secretary of Defense (OUSD) will begin a phased rollout requiring contractors to achieve CMMC certification. Once the rollout is complete, nearly all companies seeking to respond to DoD proposal requests will require CMMC certification.

The Defense Industrial Base (DIB) and the entire Defense Supply Chain (DSC) know that a Cybersecurity Maturity Model Certification (CMMC) security assessment is in their future. This assessment process, along with all the other components of the colossal CMMC rollout, pivots around one thing: a CMMC-AB’s Certified Third-Party Assessor Organization (C3PAO) that will be authorized to manage and perform the assessment process and the security assessment themselves.

“It is important to remember that your C3PAO and your Registered Provider Organization (RPO) should be different firms,” said Speca. “Businesses big and small need to look at CMMC like they do the accounting at their company. You should have accountants who prepare your financial statements and taxes and a different firm to audit them.”

What are C3PAOs and what do you need to know about them? Check out these FAQs:

What is a C3PAO?

A C3PAO is a service provider organization that the CMMC Accreditation Body (CMMC-AB) has accredited and authorized to conduct CMMC assessments and submits findings and recommendations to the CMMC-AB in order to certify that Organizations Seeking Certification (OSCs) comply with the CMMC maturity level (1 through 5) to perform in a given A&D contract. (Note: C3PAOs will not be considered “accredited” until the CMMC-AB has achieved ISO 17011 accreditation, which is expected by the end of FY22.)

The Certified Assessors, leading the assessment team, and Certified Professionals that will be authorized to participate in an assessment team tasked to conduct CMMC assessment services must each be aligned (as a 1099 contractor or employee) with a C3PAO.

What’s the process and timeline for your company to hire a C3PAO?

If your organization needs to achieve CMMC certification, you will contract with a C3PAO to manage your assessment process. The CMMC Marketplace will be “the authorized training, credentialing and accreditation ecosystem” for researching potential C3PAOs, as only the CMMC-AB can license C3PAOs.

Back in June 2020, the CMMC-AB opened registration for organizations wishing to become C3PAOs. That process has only recently been completed so currently there are only two officially authorized C3PAOs. There will be more, and the process for authorization will undoubtedly get quicker.

What are C3PAOs likely to charge for assessments?

According to the Office of the Under Secretary of Defense for Acquisition and Sustainment’s CMMC FAQ page, “The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces.” As a baseline, CMMC point person Katie Arrington estimates the cost for a CMMC Level 1 certification audit will be in the $3,000 to $5,000 range.

Costs will be higher depending on your environment’s scope and complexity, your CMMC level and “supply and demand” for available auditors. Thus, getting ready for CMMC certification sooner rather than later could help you save money.

Keep in mind also that C3PAOs will need to recoup their costs, which per CMMC-AB guidelines will include expenses to certify their own security postures to at least CMMC Level 3, plus achieve ISO 17021 certification, plus pay various CMMC-AB fees and also pay their Certified Assessors, who can be hourly contractors or employees with benefits.

In short, before conducting a single audit, each C3PAO will likely have invested $20,000 to $150,000 or more.

How do you schedule a CMMC assessment?

As the CMMC-AB authorizes more C3PAOs, you’ll be able to schedule an assessment with your chosen C3PAO via the CMMC-AB portal, which is part of the CMMC Marketplace.

Can your business become a C3PAO?

Becoming a C3PAO means your business is certified to employ Certified Assessors (CAs) to perform CMMC assessments and Certified Practitioners (CPs) to be part of an assessment team, led by a CA. The first hurdle is your business must be 100% US Citizen owned. Some other requirements include purchasing appropriate insurances (including Cyber Liability Insurance), undergoing an organizational background check, having an active DUNS, CAGE, and SAM.gov account, passing individuals’ background checks leading to the issuance of a U.S. Secret security clearance, lining up at least one CA at all times, signing the C3PAO license agreement and paying the activation fees ($3,000 for the first year).

In addition, potential C3PAOs will need to prove compliance with CMMC Level 3 or above, validating their ability to safeguard Controlled Unclassified Information (CUI) and perform audits at the appropriate CMMC Level.

How do you prepare for a CMMC assessment?

Prior to scheduling a formal assessment with a C3PAO, OSCs need to prepare for their assessments. The major steps include documentation and institutionalization of the CMMC practices. Policies must be up to date, processes must enforce the policy, procedures must be performed in the frequency stated within the policy and/or processes, and objective evidence must be collected, validating your organization meets the expected cyber hygiene for the required CMMC Level.

CMMC-AB Website for C3PAOs

Answers about C3PAOs, Assessors, and other CMMC Professional questions

Ardalyst’s primary goal is to help clients protect and expand their competitive edge to succeed in a highly competitive digital world. We have a passion for the work we do, working tirelessly to meet client needs and to make our industry smarter and more capable. By challenging common wisdom, sharing best practices and looking at problems differently, the Ardalyst team helps educate public and private institutions on how best to mature workforces, processes, and technologies to thrive and succeed in a rapidly changing environment.