This page is dedicated to information that C3PAOs need to know. It will be filled out over time.
Please send suggestions if you see good information on a C3PAO topic.
Official guidance related to C3PAOs
The CMMC Assessment Process (interviews with Jeff Dalton)
CMMC C3PAO Stakeholder Forum
If you are a C3PAO or have applied to become a C3PAO, you are invited to the CMMC C3PAO Stakeholder Forum.
CMMC C3PAO Stakeholder Forum Charter:
Encouraging and facilitating consistency and understanding of the CMMC assessment process is critical to promoting and ensuring the ongoing integrity and credibility of CMMC certification. With participation from C3PAOs across the CMMC ecosystem, this forum facilitates communication and professional practices among its members, and educates Organizations Seeking Certification (OSCs), prospective C3PAOs, assessors, and others about the CMMC accreditation, assessment, and certification processes.
All members must meet the requirements of the CMMC-AB by achieving certification as a C3PAO or provide evidence of being a C3PAO applicant. Members agree to sign and abide by the CMMC Code of Professional Conduct.
This will be a combination support group and members' organization that communicates as a whole with the CMMC Accreditation Body and DoD.
Invite link to the CMMC C3PAO Stakeholder Forum (This is a Discord forum)
For access to the forums and monthly meetings, you will need to verify your status either as a fully fledged C3PAO or as an applicant, or as a representative of the DoD or CMMC Accreditation Body / CAICO.
Once you are verified, please join us at the Thursday 12pm EST lunch chats (conference capability within the forum). Set up a meeting reminder on your calendar!
Big Rocks to prepare for as a C3PAO
$1000 to apply for C3PAO (non-refundable)
$2000 activation fee, once the application is accepted (annual)
$ (unknown) to have a CMMC ML3 certified information system (before starting work)
$ (unknown) to obtain ISO 17020 certification within ~2 years.
The DoD is being extremely restrictive and careful about foreign influence over C3PAOs.
Your public websites must not violate the Code of Professional Conduct (false advertising, mostly).
Operate an information system that meets CMMC ML3 requirements
Mature assessment processes and get new CMMC assessors on the same page
Build a complaint resolution process
Mature back-office processes to oversee assessments and quality assurance
Support your assessors as they travel and start/stop projects for many clients over time
Undergo quality reviews and tag-along assessments by the CMMC-AB every year (probably)
Each assessment team member (which may include C3PAO staff) must be a ?U.S. Citizen? and achieve a favorably adjudicated Tier 3 suitability determination. *Update: As of 2/9/2021, we confirmed that the CMMC-AB Marketplace listings do not attest to the background check for Provisional Assessors. C3PAOs will need to confirm Tier-3 determination for staff using a different means.
Your assessment team members need to meet requirements for training and knowledge.