What is a C3PAO?

C3PAOs (CMMC Third-Party Assessor Organizations) are accredited by the CyberAB, the accreditation body for CMMC. The CyberAB is an independent organization that operates outside the U.S. Department of Defense (DoD). The primary role of a C3PAO is to assess companies to determine whether they meet the requirements of the DoD's Cybersecurity Maturity Model Certification (CMMC). The CMMC framework comprises several levels of cybersecurity practices and processes that a contractor must implement before it is considered secure enough to handle federal contract information (FCI) and controlled unclassified information (CUI).

Why Are C3PAOs Important?

C3PAOs are central to the initiative of protecting Controlled Unclassified Information, or CUI. A C3PAO is the only entity outside the DoD that can conduct a third-party CMMC certification assessment. Once CMMC becomes a formal published rule, a C3PAO's assessment and the resulting CMMC certification will determine whether a company is eligible to execute contracts with the Department of Defense and/or with "prime" contractors who work directly with the DoD.

How a C3PAO Becomes a C3PAO

For an organization to become a C3PAO, it must undergo a stringent accreditation process run by the CyberAB together with DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center), proving that it has the expertise, tools, and impartiality needed to assess other companies accurately. This includes the C3PAO candidate itself passing an assessment against the CMMC requirements before it is permitted to evaluate others. The CyberAB outlines the requirements for C3PAO accreditation on its website, but contractors should know that a candidate must pass intensive screening and several actual assessments before the CyberAB officially authorizes it as a C3PAO.

How to Select a High-Quality C3PAO

As Robert McVay, cybersecurity expert at Smithers Information Security Services, notes in the January/February issue of Defense and Munitions, there are a few key elements to look for when choosing a C3PAO.

-    When did the business start? Because CMMC is a new rule, it will attract many new entrepreneurial ventures, but it is best to select a company that has been in business for some time and has built up relevant experience and expertise.

-    Does the C3PAO issue other certifications? This can benefit you if you are seeking multiple certifications, and it also demonstrates a depth of assessment knowledge on the part of the assessor.

-    Does the C3PAO promise remediation or consultation services alongside the assessment? If so, do not select that company for your assessment. Bundling assessment with remediation or consultation may sound convenient, but it is a conflict of interest: the rules prohibit a C3PAO from being involved in more than the assessment facet of the relationship. If a C3PAO has provided consultation to your business, choose a different C3PAO to conduct the actual assessment.

Smithers, on the cusp of celebrating a century in business, offers certification against several ISO standards as well as assessment against NIST SP 800-171. Smithers is also a C3PAO candidate and will be ready to assess organizations when CMMC becomes a requirement.

If you would like to learn more about C3PAOs or if you are interested in an assessment quote from Smithers, contact us today. 
