Question 1

What is a C3PAO?

Accepted Answer

A C3PAO is a service provider organization that the CMMC Accreditation Body (CMMC-AB) has accredited and authorized to conduct CMMC assessments and submits findings and recommendations to the CMMC-AB in order to certify that Organizations Seeking Certification (OSCs) comply with the CMMC maturity level (1 through 5) to perform in a given A&D contract.

Question 2

What’s the process and timeline for your company to hire a C3PAO?

Accepted Answer

If your organization needs to achieve CMMC certification, you will contract with a C3PAO to manage your assessment process. The CMMC Marketplace will be “the authorized training, credentialing and accreditation ecosystem” for researching potential C3PAOs, as only the CMMC-AB can license C3PAOs.

Question 3

What are C3PAOs likely to charge for assessments?

Accepted Answer

According to the Office of the Under Secretary of Defense for Acquisition and Sustainment’s CMMC FAQ page, “The CMMC assessment costs will depend upon several factors to include the CMMC level, the complexity of the DIB company’s network, and other market forces.” As a baseline, CMMC point person Katie Arrington estimates the cost for a CMMC Level 1 certification audit will be in the $3,000 to $5,000 range.

Question 4

How do you schedule our CMMC assessment?

Accepted Answer

Once the CMMC-AB begins authorizing C3PAOs, you’ll be able to schedule an assessment with your chosen C3PAO via the CMMC-AB portal (when available), which will be part of the CMMC Marketplace.

Question 5

Can your business become a C3PAO?

Accepted Answer

Becoming a C3PAO means your business is certified to employ Certified Assessors (CAs) to perform CMMC assessments and CPs to be part of an assessment team, led by a CA. The first hurdle is your business must be 100% US Citizen owned. Some other requirements include purchasing appropriate insurances (including Cyber Liability Insurance), undergoing an organizational background check, having an active DUNS, CAGE, and SAM.gov account, passing individuals’ background checks leading to the issuance of a U.S. Secret security clearance, lining up at least one CA at all times, signing the C3PAO license agreement and paying the activation fees ($3,000 for the first year).

Question 6

How do you prepare for a CMMC assessment?

Accepted Answer

Prior to scheduling a formal assessment with a C3PAO, OSCs need to prepare for their assessments. The major steps include documentation and institutionalization of the CMMC practices. Policies must be up to date, processes must enforce the policy, procedures must be performed in the frequency stated within the policy and/or processes, and objective evidence must be collected, validating your organization meets the expected cyber hygiene for the required CMMC Level.