C3PAO certification guide: How to become a CMMC Third-Party Assessment Organization

By Stephan Miller, May 19, 2026

The Department of Defense CMMC program created a significant business opportunity for organizations ready to become authorized assessors. Approximately 120,000 defense contractors are expected to need Level 2 certification, according to ISACA CAICO director Todd Gagnon. With a limited number of authorized C3PAOs currently available, the demand far outstrips supply.

Organizations considering C3PAO authorization face a rigorous process, substantial investment and strict operational requirements. This guide walks through what it takes to become a C3PAO and whether it makes sense for your business.

Looking to earn your CCP or CCA? ISACA is now the CMMC Assessor & Instructor Certification Organization (CAICO). Learn more in our webinar with ISACA.


What does a C3PAO do?

A CMMC Third-Party Assessment Organization (C3PAO) conducts official CMMC Level 2 assessments for defense contractors. These organizations are the only entities authorized to conduct Level 2 certification assessments and issue Certificates of CMMC Status, which many defense contractors handling Controlled Unclassified Information (CUI) will need.

C3PAOs perform comprehensive assessments against the 110 NIST SP 800-171 security requirements that make up CMMC Level 2. Assessment teams review documentation, conduct technical testing, interview staff and evaluate evidence to determine if an organization meets compliance standards. The assessment results are submitted through the required CMMC systems and support a Conditional or Final Level 2 (C3PAO) CMMC status, depending on the assessment outcome and any eligible POA&M.

The role carries significant responsibility. C3PAOs must operate with complete independence and objectivity. They cannot provide consulting services to the organizations they assess, creating a clear separation between preparation and validation. This independence ensures the integrity of the CMMC program and protects national security by verifying that contractors genuinely meet cybersecurity requirements.

C3PAOs can only conduct Level 2 assessments. Level 1 assessments are annual self-assessments with annual affirmations. Level 3 assessments, reserved for the most sensitive programs, are conducted by government assessors through the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).


C3PAO vs. RPO: Understanding the difference

The CMMC ecosystem includes both C3PAOs and Registered Practitioner Organizations (RPOs). These roles serve different functions and cannot overlap for the same client.

RPOs help organizations prepare for CMMC certification. They provide consulting, gap analysis, documentation support, policy development and remediation guidance. RPOs work with contractors throughout the preparation phase to get them assessment ready.

C3PAOs conduct the official assessments. They evaluate whether organizations meet CMMC requirements and support issuance of the appropriate CMMC status. C3PAOs cannot consult for organizations they assess to prevent conflicts of interest.

Some organizations operate as both RPOs and C3PAOs, serving different clients in each capacity. Clear documentation and strict conflict-of-interest checks ensure proper separation.

For more information on RPO services, see our RPO guide.

C3PAO requirements

Becoming a C3PAO requires meeting stringent organizational, personnel, infrastructure and operational standards set by the Cyber AB.

Organizational requirements

Your organization must maintain specific business qualifications:

  • Established legal business entity (LLC, corporation or similar structure)
  • U.S.-based with operations in the United States
  • Valid CAGE code registered in SAM.gov
  • Professional liability insurance with minimum $1 million coverage
  • Errors and omissions insurance with minimum $1 million coverage
  • Cybersecurity liability insurance with minimum $1 million coverage
  • Cyber AB listed as additional insured on general liability policy
  • Business in good standing with no conflicts of interest
  • Financial stability demonstrated through business documentation

Organizations must pass an Experian background check. This screening verifies business legitimacy, financial health and absence of disqualifying factors.

The Defense Counterintelligence and Security Agency (DCSA) conducts Foreign Ownership, Control or Influence (FOCI) reviews every three years. These reviews ensure that no foreign entities can influence C3PAO operations or decisions. Publicly traded companies and those with international partnerships face additional scrutiny during FOCI assessments.

Personnel requirements

C3PAOs must identify and maintain an association with qualified cybersecurity professionals who hold active CMMC certifications. Minimum staffing includes:

  • At least one Lead Certified CMMC Assessor (LCCA)
  • At least one Certified CMMC Assessor (CCA)
  • One quality assurance individual who also holds CCA certification
  • Up to three authorized certifying officials who sign CMMC certificates

All assessment team members must obtain Tier 3 background investigations resulting in national security eligibility determinations. These investigations do not grant security clearances but establish eligibility to participate in CMMC assessment activities.

As of April 2026, ISACA administers CCP, CCA and LCCA certifications as the CMMC Assessor & Instructor Certification Organization (CAICO). Organizations can find CCA training through Approved Training Providers like Infosec Institute.

CCAs must meet baseline certification requirements under DoD 8140.03 Work Role 612 (Security Control Assessor) at intermediate or advanced proficiency levels. Qualifying certifications include CISSP, CISM and CISA, among others. LCCAs need five years of cybersecurity experience, five years of management experience and three years of assessment or audit experience.

The Cyber AB CEO, Matthew Travis, noted in December 2025 that approximately 600 certified CMMC assessors exist currently, with about half eligible to lead assessment teams. The program needs between 2,000 and 3,000 assessors to handle the anticipated assessment volume.

Infrastructure and technical capabilities

C3PAOs must demonstrate robust operational infrastructure:

  • Secure facilities for assessment operations and data storage
  • Assessment methodology documentation approved by Cyber AB
  • Quality management system meeting ISO 17020 standards
  • Data protection capabilities for handling CUI
  • Secure communication systems for client interactions
  • Comprehensive records management and retention systems
  • Assessment tools and software platforms
  • Evidence management capabilities
  • Reporting and documentation systems

C3PAOs must obtain a Level 2 certification assessment. DIBCAC conducts these assessments every three years to verify that C3PAOs can protect the sensitive information they encounter during client assessments.

ISO 17020 accreditation

Within 27 months of authorization, C3PAOs must achieve ISO 17020 accreditation. This international standard for inspection bodies verifies competence, impartiality and consistent operation. The accreditation process includes audits of quality systems, assessment procedures, personnel qualifications and operational controls.

Step-by-step: How to become a C3PAO

The path to C3PAO authorization typically spans 18 to 36 months and requires systematic preparation.

Step 1: Build foundational capabilities (6–12 months)

Start by establishing your business entity and core capabilities. Form your legal structure, obtain necessary business registrations and secure your CAGE code. Hire Certified CMMC Assessors to build your assessment team. Develop your assessment methodology, documentation and quality management system. Establish secure infrastructure for operations and data management. Obtain required insurance policies with proper coverage limits.

Step 2: Submit application to The Cyber AB

Access the Cyber AB website and submit your initial application. Pay the $6,000 application fee. Provide business documentation, organizational structure information and preliminary details about your planned operations.

The Cyber AB reviews your application and conducts an organizational background check through Experian. You'll participate in an interview with The Cyber AB staff to discuss your capabilities and readiness.

Step 3: Pass FOCI review

Submit to the DCSA Foreign Ownership, Control or Influence review. This comprehensive investigation examines ownership structures, international partnerships and potential foreign influence. Organizations with foreign ownership or global operations may face extended review periods.

Step 4: Complete authorization requirements

Sign the C3PAO Agreement and Code of Professional Conduct. Schedule and pass your CMMC Level 2 assessment conducted by DIBCAC. This government-led assessment verifies that your organization can protect CUI and meet the standards you'll assess in others.

Submit verification of your insurance coverage with proper limits and endorsements. Identify your assessment team members, including your LCCA, CCA and quality assurance individual. Designate your authorized certifying officials.

Develop and submit your assessment appeals process for Cyber AB approval. Pay the $15,000 authorization fee.

Step 5: Achieve authorization

Once you meet all requirements, Cyber AB grants authorization and lists your organization in the C3PAO marketplace. You can begin scheduling and conducting CMMC Level 2 assessments immediately upon authorization.

Step 6: Achieve ISO 17020 accreditation (within 27 months)

Work toward ISO 17020 accreditation. Engage an accredited certification body to conduct your audit. Implement quality systems that meet international standards for inspection bodies. Address any findings from audit activities. Maintain ongoing compliance with ISO requirements.


Total timeline

The complete process typically takes 18 to 36 months from initial decision to full authorization with ISO 17020 accreditation. Organizations with existing cybersecurity practices, qualified staff and strong infrastructure can move faster. Those building capabilities from scratch need more time to develop the necessary foundation.

Costs and investment

Becoming a C3PAO requires substantial financial investment in application fees, infrastructure, personnel and ongoing operations.

Initial costs (estimates)

  • Application fee: $6,000
  • Authorization fee: $15,000
  • Insurance (first year): $25,000 to $100,000
  • CCA/LCCA certifications and training: $15,000 to $30,000
  • Infrastructure and technology setup: $50,000 to $200,000
  • DIBCAC Level 2 assessment: $30,000 to $75,000 (estimated)
  • Legal and professional services: $25,000 to $75,000
  • ISO 17020 accreditation: $25,000 to $75,000

Total initial investment: $200,000 to $500,000+

Actual costs vary based on organization size, existing capabilities and geographic location. Organizations with established cybersecurity practices and qualified staff can reduce some costs. Those building everything from scratch face higher expenses.

Annual operating costs (estimates)

  • Insurance renewal: $25,000 to $100,000
  • Staff salaries (assessors and support): $250,000 to $500,000+
  • CCA/LCCA maintenance and continuing education: $10,000 to $25,000
  • Technology platforms and tools: $25,000 to $75,000
  • Marketing and business development: $50,000 to $150,000
  • Facilities and overhead: $50,000 to $200,000
  • ISO 17020 surveillance audits: $15,000 to $30,000

Annual operating costs: $425,000 to $1,000,000+

These estimates represent baseline operating expenses before revenue is generated. Actual costs scale with assessment volume, staff size and service offerings.

Revenue potential

C3PAO assessment pricing varies based on organization size, complexity and market conditions. Industry estimates for Level 2 assessments range from $15,000 to $90,000, with most falling between $25,000 and $50,000.

Assessment pricing depends on several factors:

  • Scope and size of the organization being assessed
  • Number of systems in the assessment boundary
  • Geographic location and travel requirements
  • Assessment duration and complexity
  • Number of sites requiring evaluation

With 120,000 organizations expected to need Level 2 certification over the three-year phased implementation, the market opportunity is substantial. Each organization requires assessment every three years, creating ongoing demand.

C3PAOs conducting 50 assessments annually at an average fee of $35,000 would generate $1.75 million in revenue. Organizations that scale to 100 or more assessments can build significant businesses, though achieving this volume requires substantial assessor capacity and operational efficiency.

The C3PAO business model

C3PAOs operate in a highly regulated market with specific constraints and opportunities.

Market dynamics

As of early 2026, fewer than 100 authorized C3PAOs serve the Defense Industrial Base. The Cyber AB reports that just under 500 defense contractors have voluntarily achieved Level 2 certification so far. With enforcement now active following the November 10, 2025, DFARS final rule, demand will accelerate rapidly.

Geographic coverage gaps exist in many regions. Organizations can differentiate through industry specialization, regional focus or service quality. Some C3PAOs target specific sectors like aerospace, manufacturing or IT services. Others focus on small businesses or particular geographic markets.

Operational considerations

Assessment capacity determines revenue potential. Each assessment requires qualified assessors, time allocation and quality oversight. C3PAOs must balance assessment volume with quality standards to maintain Cyber AB authorization and client satisfaction.

Business development takes time and resources. Building reputation, establishing relationships and marketing services requires investment. Many C3PAOs partner with RPOs for referrals while maintaining proper independence.

Assessment timelines typically span 4 to 8 weeks from engagement through certification. Pre-assessment planning takes 2 to 4 weeks. On-site or remote assessment execution runs 1 to 2 weeks. Reporting and certification submission require 2 to 4 weeks.

Building your C3PAO team

Success requires qualified professionals across multiple disciplines:

Assessment team:

  • Lead assessors (LCCAs) to direct assessment engagements
  • Assessors (CCAs) to conduct evaluation activities
  • Technical specialists for specific domains
  • Quality assurance reviewers
  • Project managers for engagement coordination

Support functions:

  • Administrative staff for scheduling and documentation
  • Business development for client acquisition
  • Marketing professionals for market presence
  • Operations managers for workflow optimization

Competitive compensation packages help attract and retain talent. Experienced assessors command premium salaries. Organizations developing CCAs internally can reduce recruitment costs but must invest in training and certification.

C3PAO assessment process overview

C3PAOs follow a structured assessment methodology approved by The Cyber AB:

  • Pre-Assessment Phase includes client engagement, scope definition, evidence requests and timeline establishment. This phase typically runs 2 to 4 weeks.
  • Assessment Execution involves document review, interviews, observation and technical testing appropriate to the assessment scope. This phase usually takes 1 to 2 weeks.
  • Reporting Phase covers findings documentation, gap identification, recommendations development and Cyber AB submission. Organizations receive detailed reports of assessment results. This phase runs 2 to 4 weeks.
  • Post-Assessment Support includes client debriefing, Plan of Action and Milestones (POA&M) guidance for conditional certifications and follow-up coordination.

Quality management and The Cyber AB oversight

C3PAOs operate under continuous Cyber AB oversight to maintain program integrity.

Quality management systems must meet ISO 17020 standards. Internal audits verify consistent application of assessment procedures. Peer reviews catch errors before final submission. Documentation standards ensure comprehensive records. Calibration procedures maintain assessor consistency.

C3PAOs remain subject to Cyber AB authorization and accreditation oversight. Cyber AB may conduct surveillance or renewal activities, review objective evidence, investigate formal complaints and initiate for-cause assessments when warranted. Organizations that fail to maintain standards face warnings, corrective action requirements, suspension or potential revocation of authorization.

Maintaining C3PAO status

Annual requirements include:

  • Maintaining required insurance coverage
  • Keeping assessment team members certified
  • Annually signing the current C3PAO Agreement and Cyber AB Code of Professional Conduct
  • Paying applicable Cyber AB fees
  • Updating marketplace profile information
  • Completing triennial DIBCAC Level 2 assessment
  • Completing triennial FOCI review
  • Maintaining ISO 17020 accreditation

C3PAOs must report significant changes in ownership, leadership or operations. Failure to maintain requirements can result in suspension or revocation of authorization.

Is becoming a C3PAO right for your organization?

Consider these factors when evaluating the opportunity.

Strengths to leverage:

  • Existing cybersecurity assessment experience
  • Qualified staff with relevant certifications
  • Established client relationships in the defense sector
  • Financial resources for substantial investment
  • Operational infrastructure for assessment delivery

Challenges to address:

  • High initial investment requirements
  • Long timeline to authorization and revenue
  • Competitive assessor recruitment and retention
  • Strict independence and conflict requirements
  • Ongoing compliance and quality obligations

Organizations with established cybersecurity practices, experienced staff and financial backing are best positioned to succeed. Those starting from scratch face longer timelines and higher costs, but can still build successful practices through systematic capability development.


Next steps

Organizations interested in C3PAO authorization should:

  1. Assess current capabilities against C3PAO requirements
  2. Develop a comprehensive business plan with financial projections
  3. Begin building your CCA team
  4. Establish required infrastructure and systems
  5. Engage with Cyber AB to understand the application process
  6. Visit the CMMC Marketplace to research authorized C3PAOs

Ready to build your CMMC expertise? Infosec Institute is an Approved Training Provider (ATP) offering CCA Boot Camp and CCP training for professionals pursuing CMMC careers.

The CMMC program creates significant opportunities for qualified organizations ready to make the investment. As enforcement accelerates and demand grows, authorized C3PAOs will play a critical role in securing the Defense Industrial Base.


Stephan Miller

Stephan Miller is a senior software engineer. He currently works as a full-stack web and mobile developer for Shamrock Trading Corporation. Stephan has worked as a developer for over 20 years and as a freelance writer for over a decade. In his spare time, he spends time with his family and reads and attempts to write science fiction.