What a C3PAO Is
A Certified Third-Party Assessment Organization (C3PAO) is an entity authorized by the Cyber AB (the CMMC Accreditation Body) to perform Level 2 assessments against the CMMC standard. C3PAOs employ Certified CMMC Assessors (CCAs) and Certified CMMC Professionals (CCPs) who execute the actual assessment work. The C3PAO produces the Report on Conformity (ROC) that DoD's CMMC PMO uses to grant or deny certification.
C3PAOs are independent of the contractor — they cannot also be your remediation consultant or your IT services provider on the same engagement. The Cyber AB enforces conflict-of-interest restrictions to preserve the assessment's independence. A handful of organizations offer both consulting and C3PAO services, but they cannot do both for the same client engagement.
Approximately 100 C3PAOs are authorized as of early 2026 (the count was 98 in February 2026 and 103 in March 2026, with new authorizations issuing periodically). The full directory is the Cyber AB Marketplace, which is the only authoritative source for the C3PAO list — check the live count there before relying on any number quoted here.
The Cyber AB Marketplace
The Marketplace lists every authorized C3PAO with their authorization status, contact information, and (for the more transparent ones) information about industry verticals served, geography, and current scheduling availability.
What the Marketplace listing tells you:
- Authorization status: Whether the C3PAO is "Authorized" (provisionally cleared to perform assessments) or "Accredited" (the higher bar requiring a successful track record). For most contractors during the program rollout, Authorized is sufficient — Accredited is rare.
- Years in operation: How long the organization has been an authorized C3PAO. Newly authorized organizations may be excellent assessors but have limited assessment track record.
- Industry verticals: Whether the C3PAO has experience in your industry segment (aerospace primes, electronics manufacturing, software, services, etc.). Not all C3PAOs are interchangeable across verticals.
- Geography: Some assessments require on-site work; the C3PAO's location affects travel cost and scheduling.
What the Marketplace listing does not tell you:
- Pricing — you must request a quote
- Scheduling availability — you must inquire directly
- Methodology specifics — these vary across C3PAOs and require interview to discover
- Independent quality reviews — there is no published rating system, no public assessment outcome statistics
Building a Shortlist
Begin with the Marketplace. Filter for C3PAOs that have authorized status, have been in that status for at least a year if possible, and indicate experience in your industry vertical. Aim for an initial list of 5–8 candidates.
Beyond the Marketplace, consider:
- References from your prime. If you are a sub, your prime has likely been through a Level 2 assessment or has a list of C3PAOs they trust. Ask. Their experience with specific C3PAOs is more reliable than any directory listing.
- Industry associations. NDIA, AIA, and similar associations sometimes publish member experiences with C3PAOs (often anonymously). PSI/Public Spend Forum and similar industry communities discuss C3PAO experiences.
- Your remediation consultant. If you have engaged a CMMC consultant for remediation, they will have observed multiple C3PAOs and can offer informed referrals — though watch for conflicts of interest if the consultant also does C3PAO work.
- Avoid the cheapest. The lowest bid in CMMC assessments is usually a signal of inexperience or under-scoping rather than efficiency. The market price for a Level 2 assessment is well-understood; outliers below the range tend to disappoint.
From the shortlist of 5–8, narrow to 2–3 finalists who will receive your detailed RFI or interview attention.
Questions to Ask
Treat the C3PAO selection like any other significant vendor selection: structured questions, comparable answers, documented evaluation. The questions below cluster into experience, methodology, scheduling, pricing, and conflict of interest.
Experience and qualifications
- How many Level 2 assessments has your organization completed in the last 12 months? In what industry verticals?
- Have you assessed organizations of comparable size and CUI exposure to ours? Can you describe (anonymously) one or two engagements similar to ours?
- Who would be the lead assessor on our engagement? What is their CCA certification status, and how many assessments have they personally led?
- How many CCAs and CCPs do you currently have on staff? What is your bench depth if our scheduled assessor becomes unavailable?
- What experience do your assessors have with our specific tech stack — M365 GCC High, AWS GovCloud, Azure Government, the specific enclave platform we use?
Methodology and approach
- How do you approach scoping? Do you accept the scope as defined in our SSP, or do you conduct an independent scoping evaluation?
- What is your evidence collection methodology — pre-submitted document review, on-site evidence walkthroughs, technical observations? In what mix?
- How do you conduct interviews? Group interviews, one-on-one, scripted, conversational?
- How do you handle disagreement on a finding? What is your process for the contractor to dispute or clarify before findings are finalized?
- Do you provide preliminary daily debriefs during the assessment, or only a closing-conference summary?
- How long does it take from the closing conference to the final ROC delivery?
Scheduling
- What is your current lead time to scheduled assessments? When could you start a scoping discussion if we engaged you next month?
- What is the typical assessment duration for an organization of our size?
- Are assessments performed entirely remotely, entirely on-site, or hybrid? What drives the choice?
- What rescheduling provisions exist if a key assessor or contractor stakeholder becomes unavailable?
Pricing and contract terms
- What is your pricing model — fixed fee, time and materials, hybrid? What is the typical price range for an assessment of our size?
- What is included in the base fee, and what are common scope add-ons that drive the final price up?
- Are travel costs included or billed separately?
- What happens if our environment changes during the assessment (a system added, a process changed)? How are change orders priced?
- What is your reassessment pricing if we fail or receive a conditional certification and need to re-engage you?
Conflict of interest
- Have you provided any consulting, remediation, or implementation services to our organization in the past three years?
- Do any of your subsidiaries or affiliates provide such services to organizations like ours?
- Does your assessor selection process exclude assessors with prior consulting relationships with the contractor?
- How do you handle the conflict-of-interest declaration required by the Cyber AB?
Red Flags
Reasons to remove a C3PAO from your shortlist
- Promises certification. No C3PAO can guarantee certification — the C3PAO's recommendation drives the certification status (subject to PMO administrative review and posting via eMASS/SPRS), and the recommendation depends on the actual assessment evidence. A sales pitch that includes "we'll get you certified" is misleading at best.
- Offers to also do remediation. The Cyber AB prohibits this for the same engagement. If a C3PAO suggests they can help you remediate findings and then assess you, walk away — they are either misunderstanding the rules or willing to violate them.
- Refuses to identify the lead assessor. The lead assessor's experience and approach matter more than the C3PAO's brand. A C3PAO unwilling to commit a specific assessor to your engagement, or to discuss their qualifications, is hiding something.
- Will not provide references. References may be anonymized for confidentiality, but a C3PAO that has performed dozens of assessments should be able to describe (without naming) recent comparable engagements.
- Pricing well below market. A quote at a fraction of what peers bid for the same scope (for example, $30K when comparable C3PAOs are quoting $80K–$120K for that engagement) is a signal of inexperience or under-scoping. Both produce bad outcomes. Use the ranges under Pricing and Scope as the sanity check.
- Rushed timelines. A C3PAO offering to start "next week" when other reputable C3PAOs are quoting 4–6 month lead times is either over-promising or has no other clients — neither is reassuring.
- Vague methodology. "We follow the CMMC assessment methodology" without a specific description of evidence approach, interview structure, and finding handling suggests they have not yet developed a mature practice.
- No conflict-of-interest declaration. Reputable C3PAOs lead with their conflict-of-interest disclosure. If you have to ask, it's a red flag.
- Disparages your remediation consultant or other vendors. The C3PAO's role is to assess what's there, not to opine on your other vendor relationships. Sales-driven negativity about competitors is unprofessional.
What an Engagement Looks Like
A typical Level 2 C3PAO engagement runs through the following phases. Your engagement may compress or expand any phase depending on size and complexity.
| Phase | Typical duration | What happens |
|---|---|---|
| 1. Initial inquiry & scoping | 2–4 weeks | Initial calls, NDA exchange, high-level scope discussion, preliminary fee estimate. The C3PAO confirms it has assessor capacity and no conflict of interest. |
| 2. Contracting | 2–6 weeks | Statement of work negotiation, master service agreement execution, deposit payment. Larger contractors may run through legal and procurement, lengthening this phase. |
| 3. Pre-assessment readiness review (optional) | 1–4 weeks | Readiness reviews are typically delivered through an affiliated but separate entity (e.g., a Registered Practitioner Organization rather than the C3PAO itself) to preserve assessor independence under the Cyber AB Code of Professional Conduct; performing both the readiness review and the assessment within the same firm is generally not permitted. The review is a "go / no-go" check before formal assessment fees commit. |
| 4. Document submission & review | 2–4 weeks | Contractor submits SSP, POA&M, policy documents, network diagrams, and supporting evidence to the C3PAO via secure transfer. C3PAO assessors conduct desk review and prepare interview question sets. |
| 5. Assessment fieldwork | 1–3 weeks (calendar) | The on-site (or remote-equivalent) assessment week or weeks. Opening conference, document walkthroughs, interviews by control family, technical observations, daily status meetings, draft findings discussions, closing conference. See the Assessment Day Playbook for hour-by-hour detail. |
| 6. ROC drafting & QA | 2–4 weeks | Lead assessor drafts the Report on Conformity. C3PAO internal QA review. Contractor receives draft for factual review (not for negotiation of findings). |
| 7. ROC submission to CMMC PMO | 1–2 weeks | Final ROC delivered to the contractor and submitted to the CMMC PMO with the C3PAO's certification recommendation. PMO administrative review. |
| 8. Certification status recorded | 2–8 weeks | The C3PAO uploads the assessment results to eMASS (DoD's compliance system), and the certification status is posted to SPRS. The C3PAO's recommendation is determinative subject to PMO administrative review. Conditional certification (with eligible open POA&M items) requires closure within 180 days. |
Total elapsed time from initial inquiry to certification is commonly 4–8 months for an organization that comes to the C3PAO ready. Organizations that need substantial remediation discovered during the readiness review or document submission phases often take 12–18 months from initial inquiry to certification.
Pricing and Scope
C3PAO pricing for Level 2 assessments commonly falls in these ranges (subject to substantial variation by size, complexity, and geography):
- Small contractor (under 50 employees, narrow CUI scope): $50,000 – $90,000
- Mid-size contractor (50–500 employees, defined enclave): $80,000 – $150,000
- Larger contractor or complex scope (multiple sites, multiple enclaves, hybrid environments): $120,000 – $250,000+
The DoD's published cost estimate of ~$105K–$118K covers the full 3-year certification cycle (the triennial C3PAO assessment plus two annual affirmations), not a single year. For small contractors specifically, the DoD's small-entity analysis estimates the C3PAO assessment at approximately $76,743, with planning and preparation around $20,699, reporting around $2,851, and annual affirmations around $1,459 each year (~$4,377 over the 3-year cycle) — totaling approximately $104,670 across the three years. Use these as planning ranges; actual fees vary by contractor scope and C3PAO.
What drives variation:
- Number of in-scope users, endpoints, and applications
- Number of physical sites requiring assessment
- Complexity of cloud and external service relationships (each requires CRM review)
- Number of subcontractors with CDI-handling relationships
- Travel distance for on-site work
- Quality of pre-assessment documentation (cleaner submissions reduce assessor hours)
Note that the C3PAO assessment fee is only part of the total cost of certification, and often the smaller part. Remediation, technology investment, consulting (if used), staff time, and potential platform changes (M365 commercial to GCC High migration, for example) account for the remainder and frequently exceed the assessment fee itself. Budget total certification cost as a multiple of the assessment fee rather than as the fee alone.
Reading the Statement of Work
The C3PAO's SOW defines what you're paying for. Read it carefully and confirm:
- Scope. The exact in-scope environment as the C3PAO understands it. If the SOW says "the contractor's CUI environment as described in the Pre-Assessment Questionnaire," confirm that questionnaire matches your actual scope.
- Deliverables. The Report on Conformity is the primary deliverable. Some C3PAOs include a Customer Action Report (CAR) or similar pre-final report; others do not. Confirm what you'll receive and when.
- Assessor identity. Whether the SOW names specific assessors or only the C3PAO entity. Specific assignment is preferable.
- Change-order pricing. Hourly rates for additional work, the threshold above which change orders apply, and the approval process.
- Travel and expenses. Whether travel is included, capped, or billed at cost.
- Reassessment terms. Pricing for follow-on assessment if the initial assessment results in conditional certification or denial.
- Termination terms. What happens if you terminate the engagement before completion, and what portion of the deposit is refundable.
- Confidentiality and data handling. How the C3PAO will safeguard the SSP, evidence, and CUI it receives during the assessment. The C3PAO is itself subject to handling requirements when you transmit CDI to them.
- Conflict-of-interest declaration. The signed COI statement should be incorporated into or attached to the SOW.
After You Choose
Once you've selected a C3PAO and signed the SOW, the engagement enters the document submission and pre-assessment phases. Use the time productively:
- Confirm scoping. The C3PAO will confirm the scope as described in your SSP. Have your CUI inventory and boundary documentation ready and current.
- Audit your evidence package. Walk through every control family and confirm the evidence you've assembled is current, accessible, and matches your SSP statements. See the evidence library guide.
- Brief your team. The personnel who will be interviewed need to know what to expect. See the Assessment Day Playbook for interview preparation.
- Coordinate logistics. Conference room, network access, escort procedures for any on-site work, and any required clearances or visitor approvals.
The work between SOW signing and assessment fieldwork is often where late-stage gaps surface. Use the time to find them while there is still time to remediate, rather than have the C3PAO find them in fieldwork.
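The evidence audit described above is easier to repeat if the evidence package is kept as an index that can be cross-checked against the SSP mechanically. The script below is an added illustration, not part of this guide or any C3PAO's tooling. It assumes two small tables (an SSP control list with an implementation status, and an evidence index mapping controls to artifact paths with a last-updated date), both constructed inline here, a constructed set of file paths standing in for the evidence share, and an assumed freshness threshold of 365 days. It flags controls the SSP claims but that have no artifact, artifacts whose files are missing, artifacts older than the threshold, and evidence indexed for controls the SSP does not list.

```python
"""Cross-check an SSP control list against an evidence index before submission.

Added example (not the page's or any C3PAO's code). Assumptions:
- inputs are small CSV-style records constructed inline; a real run would load files
- MAX_AGE_DAYS is a house rule, not a CMMC requirement
- PRESENT_FILES simulates the evidence share so the demo runs offline
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_AGE_DAYS = 365  # assumption: artifacts older than this are flagged for refresh


@dataclass(frozen=True)
class Finding:
    control: str
    problem: str   # no_evidence | missing_file | stale | orphan_evidence
    detail: str


def parse_records(text):
    """Minimal CSV reader for the constructed inputs (no quoting support)."""
    rows = [[f.strip() for f in ln.split(",")]
            for ln in text.strip().splitlines() if ln.strip() and not ln.startswith("#")]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, r)) for r in body]


def audit_evidence(ssp_controls, evidence_index, as_of, exists):
    """Return Findings for gaps between SSP claims and the evidence index.

    `exists` is a callable path -> bool so the check can be run against a real
    filesystem (os.path.exists) or a constructed set of paths.
    """
    findings = []
    by_control = {}
    for row in evidence_index:
        by_control.setdefault(row["control"], []).append(row)

    for ctl in ssp_controls:
        cid, status = ctl["control"], ctl["status"]
        items = by_control.get(cid, [])
        # Implemented controls and open POA&M items both need an artifact
        # (for a POA&M item, the POA&M entry itself should be indexed).
        if status in ("implemented", "poam") and not items:
            findings.append(Finding(cid, "no_evidence",
                                    f"SSP status '{status}' but no artifact indexed"))
            continue
        for item in items:
            path = item["path"]
            if not exists(path):
                findings.append(Finding(cid, "missing_file", path))
            last = date.fromisoformat(item["updated"])
            if as_of - last > timedelta(days=MAX_AGE_DAYS):
                findings.append(Finding(cid, "stale", f"{path} last updated {last}"))

    ssp_ids = {c["control"] for c in ssp_controls}
    for cid in by_control:
        if cid not in ssp_ids:
            findings.append(Finding(cid, "orphan_evidence",
                                    "artifact indexed for a control absent from the SSP"))
    return findings


# Constructed sample data: CMMC practice IDs are real, statuses and paths are made up.
SSP_CONTROLS = parse_records("""
control,status
AC.L2-3.1.1,implemented
AC.L2-3.1.2,implemented
AU.L2-3.3.1,implemented
IA.L2-3.5.3,poam
SC.L2-3.13.11,not_applicable
""")

EVIDENCE_INDEX = parse_records("""
control,path,updated
AC.L2-3.1.1,evidence/AC/conditional-access-export.json,2025-11-02
AC.L2-3.1.2,evidence/AC/rbac-role-matrix.xlsx,2024-06-15
AU.L2-3.3.1,evidence/AU/log-retention-screenshot.png,2025-12-20
MP.L2-3.8.3,evidence/MP/media-sanitization-log.pdf,2025-09-01
""")

# Constructed stand-in for the evidence share: the AU screenshot was never uploaded.
PRESENT_FILES = {
    "evidence/AC/conditional-access-export.json",
    "evidence/AC/rbac-role-matrix.xlsx",
    "evidence/MP/media-sanitization-log.pdf",
}


def run_demo(as_of=date(2026, 2, 1)):
    """Audit the constructed package as of an assumed submission date."""
    return audit_evidence(SSP_CONTROLS, EVIDENCE_INDEX, as_of,
                          exists=lambda p: p in PRESENT_FILES)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.control:16} {f.problem:16} {f.detail}")
```

Run against a real package, replace the constructed tables with the SSP control matrix and evidence index exports and pass `os.path.exists` as `exists`. The four findings the demo produces are exactly the kinds of gaps a C3PAO will otherwise discover in fieldwork: a stale RBAC matrix, a screenshot that was indexed but never uploaded, a POA&M item with nothing behind it, and evidence for a control the SSP never claims.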
Next steps: Once a C3PAO is engaged, prepare for the assessment itself with the Assessment Day Playbook and audit your evidence library. After certification, see Maintaining Your Certification for the operational picture.