Do I Need a Certified Third-Party Assessment Organization (C3PAO) Under CMMC 2.0?

CMMC 2.0

The DoD recently released its framework for the next model in CMMC compliance and audits–CMMC 2.0. This revision is expected to streamline the compliance process and trim some of the extraneous requirements from the framework, helping contractors in the DoD supply chain better meet their requirements without introducing unnecessary challenges or redundancies. 

One of the more important aspects of CMMC certification is the inclusion of third-party audits. With the introduction of CMMC 2.0, these requirements have changed to make certification easier for contractors without sacrificing security. 

What is a C3PAO?

Even though we’ve seen the publication of the new, tentative CMMC 2.0 standards, it’s important to note that CMMC version 1.0 is still relatively young. As such, there are still plenty of organizations pursuing certifications under version 1.0 even today, and that includes certification as a C3PAO.

A C3PAO is a third party auditing company that provides auditing services for security contractors working towards their CMMC certification. A security firm is authorized to operate as a C3PAO by the CMMC Accreditation Board (CMMC-AB). Once accredited as a C3PAO that company is listed on the CMMC-AB Marketplace, a website that lists official C3PAOs that security contractors can contact. 

However, serving as a C3PAO is a significant responsibility, so the CMMC-AB has a multistep process for these security firms before they become C3PAOs. This process includes:

  • Application for Candidacy: The CMMC-AB makes applying easy, offering applications for candidacy on their website. It also includes providing key documents, including signing a License Agreement and providing proof of specific kinds of cybersecurity insurance. The application also requires a $1,000 application fee and a $2,000 activation fee. Once the organization pays these fees and provides documentation, they are considered a Candidate C3PAO. 
  • Approval for C3PAO Status: At this stage, the CMMC-AB begins to perform Organizational Background Checks on the C3PAO. This includes using the organization’s DUNS number to perform a background check. Furthermore, the Candidate C3PAO must demonstrate that they have hired at least one individual to help organizations prepare for CMMC assessment and that they are 100% owned by U.S. Citizens. Finally, the organization must undergo a CMMC Level 3 audit.
  • Authorization: After all the background checks and audits, the Candidate C3PAO must, as its final step, show the CMMC-AB that it is capable of maintaining CMMC compliance and performing audits. This means showing that they have the right staff and personnel to continue serving in their potential capacity as a third-party assessor. This also entails getting ISO 17020 certified within 1-2 years of when they first registered. 

Becoming a C3PAO isn’t easy, and as such, these assessors serve as an essential part of the CMMC process. 

Does My Organization Need a C3PAO under CMMC 2.0?

cmmc 2.0

Not every organization applying for certification under CMMC 2.0 will require a C3PAO audit. 

CMMC 1.0 (the current version) stated that every contractor seeking CMMC certification had to undergo assessment through a C3PAO, with no exceptions. This process is costly and, depending on the demands of the audit, time-consuming. 

To support streamlining of the process, the DoD has adjusted audit requirements based on the new Maturity Level structure. 

  • At Level 1, the organization applying for certification can forgo C3PAO audits instead of self-attesting compliance through standardized documentation and reporting. Self-assessments are an annual occurrence. 
  • At Level 2, the organization will most likely require a triennial assessment through a C3PAO, including their initial certification audit. Under certain circumstances, a contractor working towards Level 2 certification can opt for the annual self-assessment. The CMMC-AB will determine what organizations can choose this path on a case-by-case basis. 
  • At Level 3, all organizations must have been certified by a C3PAO and undergo triennial assessments. 

Can I Use a C3PAO to Consult on CMMC Certification?

The CMMC-AB has strict rules on conflicts of interest between C3PAOs and their clients. The entire point of having a third-party assessment system is to ensure that audits are public, fair, and conducted professionally with the utmost rigor. 

With that in mind, the CMMC-AB restricts how C3PAOs and clients can interact officially during the certification process. That’s why they included a secondary designation, Registered Provider Organization (RPO), for security firms that can support contractors for their CMMC audits. 

An RPO, unlike a C3PAO, doesn’t provide auditing services. Instead, the RPO can help the contractor by providing consulting and advisory services before their audit. An RPO will have trained CMMC experts on staff to support their clients, but they cannot provide actual auditing services. 

Under CMMC guidelines, a security firm can serve as both an RPO and a C3PAO, but never to the same client. That is, if they provide advisory services to a client as an RPO, they cannot then perform audits on that client towards CMMC certification. 

Will I Need to Comply with CMMC 2.0 Today?

No. Currently, the DoD included CMMC version 1.0 requirements only into select agency RFPs, and security companies were only beginning to achieve their C3PAO status. According to the DoD Acquisition and Sustainment Office website, the department “does not intend to approve the inclusion of a CMMC requirement in any contract before the completion of the CMMC 2.0 rule making process.”

This means that those organizations currently working towards CMMC as part of a contract will continue to do so, and security firms undergoing the process for C3PAO approval will also continue to do so. However, the full switch to CMMC 2.0 as a DoD requirement will happen after the framework is finalized in the next 9-24 months. 

Preparing for CMMC 2.0 with Lazarus Alliance

The shift to version 2.0 can seem jarring, and many contractors wonder where they stand in the process. The truth is that this evolution of the standard will help make the process easier for both C3PAOs and their clients, and it serves as a much-needed revision of the standard. 

Whether you are currently working through CMMC version 1.0 or planning your path to version 2.0, call Lazarus Alliance. We can help you navigate DoD cybersecurity compliance effectively and efficiently. 


Want to Learn More About CMMC and CMM 2.0 Compliance?

Call Lazarus Alliance at 1-888-896-7580 or fill our this form. 

Download our company brochure.

Lazarus Alliance


Click to access the login or register cheese