What Is a C3PAO? Role, Responsibilities & How to Choose

Key Takeaways:

  • A CMMC C3PAO is the only type of organization authorized by the CMMC Accreditation Body (CyberAB) to perform official Level 2 certification assessments. Level 3 assessments are government-led and conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

  • The official C3PAO list changes frequently, so organizations have to verify authorization status and choose a provider with the right experience, availability, and communication style.

  • Huntress helps close gaps and produce audit-ready evidence ahead of your C3PAO Level 2 assessment, strengthening foundational controls that support your overall cybersecurity posture.

The Cybersecurity Maturity Model Certification (CMMC) universe is full of acronyms and weird terms. If you're on the path to CMMC compliance, you've probably run across the term CMMC C3PAO a few times. No pressure or anything, but understanding the C3PAO meaning and how these organizations work is key to your certification efforts. 

A CMMC C3PAO (Certified Third-Party Assessor Organization) is an independent entity authorized to conduct official Cybersecurity Maturity Model Certification assessments at Level 2 by the CyberAB. These are the gatekeepers standing between you and those lucrative Department of Defense (DoD) contracts, and they’re the only organizations the DoD recognizes to verify Level 2 compliance and grant certification. 

Think of them as exam proctors for cybersecurity compliance. If your organization wants to bid on DoD contracts that involve handling Controlled Unclassified Information (CUI), you must prove you meet strict cybersecurity standards. A C3PAO is the only type of organization allowed to verify that and issue your Level 2 certification.


Why is this important?

  • Level 2 is common: Most contractors will need a Level 2 assessment by a C3PAO. This applies to thousands of companies across the Defense Industrial Base.

  • Level 3 is rare: Level 3 (“expert”) assessments are government-led by the DoD’s DIBCAC team, not C3PAOs. This applies to fewer than 1% of contractors supporting high-risk programs.

  • No shortcuts: You can hire consultants (called RPOs) to help you prepare, but only a C3PAO can officially certify your compliance at Level 2.

If you’re pursuing DoD work, start by focusing on Level 2 readiness and engaging an authorized C3PAO. Level 3 is reserved for select programs and comes later, only after you’ve passed Level 2.

It’s oddly appropriate that the acronym is reminiscent of the protocol droid, C3PO, from Star Wars, don’t you think?


Understanding C3PAO: The basics

The DoD put the CMMC framework in place to verify through independent assessment that organizations handling Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) meet its cybersecurity requirements. Only C3PAOs on the Cyber-AB’s monthly list of authorized organizations can conduct an official Level 2 assessment. Level 3 assessments are government-led and performed by DIBCAC.

C3PAOs have demonstrated their competency to assess other companies against the CMMC standard, have passed a strict vetting process, and have earned official approval to perform the Level 2 assessment function.



What about Level 3 assessments?

Level 3 (“expert”) assessments are a different story. They’re government-led and conducted exclusively by the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), not by C3PAOs.

Here’s what you need to know about Level 3:

  • Rarity: Level 3 applies to fewer than 1% of defense contractors, namely those supporting high-risk programs that require protection against advanced persistent threats (APTs).

  • Pre-requisite: You must achieve a final Level 2 certification from a C3PAO before pursuing Level 3.

  • Additional requirements: Level 3 adds 24 NIST SP 800-172 (APT resilience) practices on top of the 110 NIST SP 800-171 practices required for Level 2.

  • Assessment cadence: Level 3 assessments take place every three years with annual affirmations.

For most defense contractors handling CUI, Level 2 certification is the goal, so focus your energy there first. 




C3PAO vs. 3PAO: What's the difference?

A 3PAO (Third-Party Assessment Organization) operates within the FedRAMP program, conducting third-party cloud service assessments. The letters in C3PAO stand for "Certified" Third Party Assessment Organization, so that "C" differentiates the two. Never use a 3PAO for a CMMC C3PAO assessment or vice versa.


C3PAO vs. RPO: Understanding the roles

An RPO operates as a security consultant and readiness organization that can help your company prepare for the CMMC certification process and provide gap assessments, but they can never conduct the formal CMMC assessment themselves. Only a C3PAO can officially certify your Level 2 compliance. One helps you get ready, while the other decides if you actually made the cut.




The official C3PAO list: What it represents

The Cyber-AB’s site hosts a list of currently authorized C3PAOs. This official list serves as the place to start when researching what a C3PAO is and finding a provider to perform your organization's assessment. 

The list changes frequently as organizations earn new accreditations monthly, undergo temporary suspensions during quality reviews, move from "candidate" to "authorized" status, or rarely, withdraw. That’s why verifying a provider’s current authorization status is important before signing any contracts.




How to use the C3PAO list effectively

  • Verify provider status before you sign any contracts. 

  • Use the list as a resource to identify which C3PAOs fit your situation best. A C3PAO that specializes in large aerospace contractors may not suit a smaller, specialized IT services provider.

  • Track changes if you have an assessment coming up in the future. Set calendar reminders to check the list again as your assessment date approaches.


Key responsibilities of C3PAOs

  • Conducting thorough assessments: They review your cybersecurity practices, documentation, training records, and technical controls against CMMC Level 2 requirements.

  • Verification: C3PAOs must "look under the hood" to ensure that controls not only exist but also function as intended.

  • Submitting assessment results: After completing an assessment, C3PAOs submit the results and all relevant documentation to the Cyber-AB.

  • Maintaining detailed records: C3PAOs maintain detailed records of their work, assessment results, and communications with clients.

  • Operating with independence: C3PAOs must avoid conflicts of interest that could compromise the assessment's objectivity.

  • Helping to explain: While C3PAOs don't coach you or help you prepare, they can serve as important translators when requirements aren't clear, or your team needs help in understanding the "why" behind certain CMMC requirements.

  • Meeting accreditation standards: C3PAOs must maintain ISO 17020 certification. This international standard makes sure C3PAOs follow rigorous quality management processes and maintain the technical expertise needed to evaluate complex cybersecurity controls against NIST SP 800-171 and other CMMC requirements.


Do I really need a C3PAO?

The DoD requires independent verification by an authorized C3PAO for Level 2 certification. While you can use an RPO to prepare, only a C3PAO can actually certify your compliance. Think of it this way: RPOs help you study for the exam, but C3PAOs administer it.

It’s worth noting that if you’re one of the rare contractors eventually requiring Level 3, you’ll still need to pass a C3PAO Level 2 assessment first. Level 3 is reserved for select, high-risk DoD programs and is assessed by DIBCAC only after you’ve achieved Level 2 certification.



How to choose the right C3PAO provider

Choosing the right C3PAO provider is critical to a smooth and successful assessment process. Here are the key factors to consider when evaluating potential providers.

Experience with similar organizations

The right provider should understand the nuances of your industry, product, processes, and environment.

Geographic coverage

Some situations may require a C3PAO with a local presence.

Assessment approach

C3PAOs vary in how they approach the assessment process. Some focus on relationships and collaboration; others go by the book and keep things formal.

Availability and scheduling

C3PAOs work with limited capacity. If you're working with a tight timeline, make sure your C3PAO can accommodate you, or you may face a long wait.

Communication style

During the assessment, your C3PAO becomes your closest partner in the process. Ask about their communication style, clarity, and responsiveness.





How to become a CMMC C3PAO

Becoming a C3PAO requires commitment and technical expertise. Organizations must meet several stringent requirements:

  • U.S. ownership: Your organization must be 100% U.S.-citizen owned or pass a Foreign Ownership Control or Influence (FOCI) investigation.

  • CMMC Level 2 compliance: Your organization must achieve CMMC Level 2 certification.

  • ISO 17020 certification: You must obtain ISO 17020 accreditation indicating competence in performing inspections and assessments.

  • Qualified personnel: Your team must include Certified CMMC Professionals (CCPs) and Certified Assessors (CCAs).

  • Insurance coverage: Maintain adequate liability, errors and omissions, and cybersecurity breach policies.

  • Background checks: The Cyber-AB conducts organizational background checks to verify the lack of foreign influence.

  • Annual fees: Be prepared to pay ongoing fees to maintain C3PAO status.



Close security gaps before your C3PAO assessment

Huntress's managed security platform offers managed threat detection and response to protect endpoints, servers, and identities, helping you identify and remediate security gaps before your C3PAO Level 2 assessment. Huntress provides the detailed documentation C3PAOs need to see, helping you shave weeks off of your preparation process and days off of your assessment. By strengthening foundational controls, Huntress supports your overall cybersecurity posture, whether you’re preparing for Level 2 or building for an eventual Level 3 assessment. Book a demo today to see how Huntress helps you achieve certification.



Common C3PAO questions

Expect to pay anywhere from $37,000 to $118,000+ for a Level 2 assessment, depending on size and complexity. 



Plan for several months from initial engagement to final certification. The actual on-site or remote assessment portion typically takes five to 10 business days. This timeline can be shortened considerably if you have accurate, detailed documentation in place.


C3PAOs cannot officially help you prepare for your own assessment due to independence requirements. But many C3PAOs offer consulting services for organizations they won't be assessing. For preparation, work with a C3PAO that won't be conducting your formal assessment, or work with an RPO.
