
What Is a C3PAO? How to Choose the Right CMMC Assessor

There are about 90 authorized C3PAOs for tens of thousands of contractors who need CMMC Level 2. Assessment slots are scarce and getting scarcer. Here's everything you need to know about finding, choosing, and working with a C3PAO.

What C3PAOs Do

A C3PAO (Certified Third-Party Assessment Organization) is an organization authorized by the CMMC Accreditation Body (Cyber AB) to conduct official CMMC assessments. When you need Level 2 certification, a C3PAO sends a team of Certified CMMC Assessors (CCAs) to evaluate your security environment against all 110 NIST 800-171 controls.

C3PAOs don't do consulting — they can't help you prepare for your assessment and then assess you. That would be a conflict of interest. They're strictly assessors. If a company tells you they can both help you achieve compliance and certify you, that's a red flag.

Key Distinction

C3PAOs conduct assessments. Registered Practitioner Organizations (RPOs) provide consulting to help you prepare. You need an RPO (or independent consultant) to help you get ready, then a C3PAO to certify you. These are different entities with different roles.

How Many C3PAOs Exist — And Why That's a Problem

As of early 2026, there are approximately 90 authorized C3PAOs. Compare that to the roughly 80,000–100,000 defense contractors who will eventually need CMMC Level 2 certification. That's a severe capacity problem.

Each C3PAO assessment takes weeks. A typical assessment for a 20–50 person contractor involves several days of on-site (or virtual) interviews, evidence review, and technical validation. With each C3PAO handling dozens of assessments per year, the total industry capacity falls far short of total demand.

The result: wait times. Most C3PAOs are already booking 6–12 months out. As CMMC Phase 2 and Phase 3 contract requirements come into force, that wait time will grow. If you need certification by a specific date — for a contract renewal or a new contract bid — you need to book your C3PAO assessment now, even if your remediation work isn't complete yet.

Booking your C3PAO is like booking a popular venue — you secure the date first, then do the work to be ready for it. By the time you've finished remediation, the assessment slots you needed will be gone if you wait.

How to Find a C3PAO

The Cyber AB Marketplace (cyberab.org/marketplace) is the official directory of authorized C3PAOs. It's publicly searchable and shows current authorization status. Never hire an assessment organization that doesn't appear on the Cyber AB Marketplace — only authorized C3PAOs can issue CMMC certificates.

When searching the marketplace, you can filter by assessment type, industry experience, and location. You can also contact multiple C3PAOs directly to request proposals — don't just go with the first one you find.

What to Look for When Choosing a C3PAO

Not all C3PAOs are the same. Here's what differentiates them:

Industry Experience

A C3PAO that has assessed machine shops, defense electronics manufacturers, or MRO operations will assess your environment much more efficiently than one assessing its first manufacturing client. Ask: have they assessed companies in your industry? How many? Can they provide references?

Company Size Experience

Assessing a 15-person defense subcontractor is very different from assessing a 500-person prime. A C3PAO that primarily works with large contractors may overbuild your assessment scope and overcharge accordingly. Find one that regularly works with companies your size.

Current Backlog and Availability

Ask directly: what is your current assessment backlog, and can you start an assessment within the next 3–6 months? A C3PAO booked 18 months out isn't useful if you need certification in 12 months.

Assessment Methodology

Some C3PAOs are entirely remote (virtual assessments). Others do on-site. Some do a combination. Remote assessments can work well but require strong documentation. On-site assessments allow assessors to observe physical controls and conduct impromptu interviews. Know what you're getting.

Pre-Assessment Consultation

Some C3PAOs offer a preliminary consultation or readiness review (for a fee) before the formal assessment. This can help you identify remaining gaps without the full assessment cost. Understand what this service includes and whether it's done by assessors who will be separate from your final assessment team.

What a CMMC Assessment Actually Looks Like

Many contractors are nervous about assessments because they don't know what to expect. Here's the typical process:

  1. Kickoff and documentation review — The assessment team reviews your System Security Plan (SSP), all 14 policy documents, and supporting evidence packages. This often happens remotely before the main assessment event.
  2. Technical interviews — Assessors interview your IT staff, security personnel, and often regular employees. They ask how things are actually done — not just what your policies say. "Walk me through what happens when a new employee starts" is a typical question.
  3. Technical validation — Assessors run their own scans or review your scan results, check system configurations, and verify that MFA is actually enforced and that encryption is actually enabled. They're not just reading documents.
  4. Physical walkthrough — If on-site, they walk through your facility and verify physical controls: server room locks, visitor sign-in procedures, screen placement, clean-desk compliance.
  5. Findings review and scoring — Assessors document each control as Met, Not Met, or Not Applicable. Findings are reviewed with you before final scoring.
  6. Results and certification — If all critical controls are met (and any POA&M items are approved), the C3PAO submits results to CMMC and you receive your certificate. Conditional certification is possible with open POA&M items.

Cost of Assessment by Company Size

Company Size          Typical Assessment Cost    Duration
10–25 employees       $18,000–$35,000            2–5 assessment days
26–75 employees       $30,000–$60,000            4–8 assessment days
76–200 employees      $50,000–$100,000           7–14 assessment days
200+ employees        $80,000–$200,000+          2–6 weeks

Assessment costs scale with your environment's complexity — number of systems, number of locations, number of people in scope — not just headcount. A 50-person company with a tight CUI enclave (15 people in scope) may pay less than a 30-person company with everyone in scope.

Need help finding the right C3PAO for your operation?

Take our free readiness check to see your SPRS score, identify gaps, and get C3PAO-ready documentation.


Frequently Asked Questions

Can a C3PAO help me prepare for my assessment?

No. C3PAOs are assessment organizations — they evaluate compliance, they don't build it. If a C3PAO offers to both help you achieve compliance and then assess you, that's a prohibited conflict of interest under CMMC rules. You need an RPO (Registered Practitioner Organization) or independent consultant for preparation, and a separate C3PAO for the assessment.

How do I verify that an organization is an authorized C3PAO?

Check the Cyber AB Marketplace at cyberab.org/marketplace. Only organizations that appear there as authorized C3PAOs can legally conduct CMMC assessments and issue certificates. If an organization claims to be a C3PAO and doesn't appear in the Cyber AB Marketplace, do not hire them for your official assessment.

Can I self-attest instead of using a C3PAO?

No, not for CMMC Level 2. Self-attestation is only available for CMMC Level 1. Level 2 requires an assessment by an authorized C3PAO (or, in limited cases, a government-conducted assessment for specific programs). The whole point of CMMC Level 2 was to move beyond self-attestation because self-attestation wasn't working — too many contractors were attesting to compliance they didn't have.

What happens if I fail the assessment?

A failed assessment (a score below 110 out of 110 that includes critical deficiencies) means you cannot receive a CMMC certificate. You'll receive a list of findings, remediate them, and then schedule a new assessment. This is expensive — you pay for the assessment regardless of outcome. This is why thorough preparation (gap assessment, remediation, mock assessment) before your official assessment is worth the investment.

How long is a CMMC Level 2 certificate valid?

CMMC Level 2 certificates are valid for three years. After three years, you need a reassessment by a C3PAO to renew your certification. You're also required to continuously maintain your security controls and report any major changes to your environment that might affect your compliance posture. A major breach, significant infrastructure change, or organizational change may require early reassessment.

What's the difference between a C3PAO and a CCA?

A C3PAO is the organization — the company authorized to conduct CMMC assessments. A CCA (Certified CMMC Assessor) is an individual who works for or with a C3PAO and is credentialed to perform assessments. When a C3PAO sends an assessment team, that team is made up of CCAs. The C3PAO is accountable for the assessment results; the CCAs are the people doing the work.

Start the assessment process before your contract requires it.

Our free readiness check identifies your readiness level and connects you with consultants who know C3PAOs in your sector.
