C3PAO

CMMC Third-Party Assessment Organization

Requirements for Authorization

To become a CMMC Third-Party Assessment Organization (C3PAO), an organization needs to complete the following steps:

1. Submit Application

2. Pay application fee ($6,000)

3. Pass Organizational Background Check via data provided to The Cyber AB by Experian

4. Successfully pass a DCSA FOCI review (must be completed every three years)

5. Complete interview with The Cyber AB

6. Sign the C3PAO Agreement and Code of Professional Conduct (CoPC)

7. Meet all authorization requirements

  • Participate in a video call with The Cyber AB to confirm all authorization requirements are met
  • Pass a CMMC Level 2 assessment conducted by DCMA DIBCAC (must be completed every three years)
  • Provide The Cyber AB a valid CAGE code
  • Identify and maintain an association with at least one (1) Lead CMMC Certified Assessor (LCCA), one (1) CMMC Certified Assessor (CCA), and one (1) quality assurance individual who is also a CCA.
  • Identify up to three (3) authorized certifying officials who will be authorized to sign and issue Level 2 Certificates of CMMC Status on behalf of your organization
  • Possess an Assessment Appeals Process approved by The Cyber AB
  • Pay authorization fee ($15,000)
  • Provide verification of insurance
    • General Liability with CMMC Accreditation Body as an Additional Insured ($1M minimum)
    • Errors and Omissions Policy ($1M minimum)
    • Cybersecurity Liability Policy ($1M minimum)

To maintain your C3PAO status, you must successfully complete ISO-17020 accreditation within twenty-seven (27) months of your authorization date.