CMMC Assessors: Choosing a C3PAO
Everything you need to know about selecting an accredited C3PAO for your CMMC Level 2 assessment: fees, selection criteria, red flags, and questions to ask. Updated 26 March 2026.
Types of CMMC Assessment Organisations
| Type | Level | Required | Typical Fee |
|---|---|---|---|
| C3PAO (CMMC Third-Party Assessment Organization) | Level 2 | Yes, for Level 2 certification | $30,000 - $200,000+ |
| DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) | Level 3 | Yes, for Level 3 (no commercial substitute) | Government-led (no commercial fee) |
| Registered Practitioner (RP) | Level 1 and assessment preparation | Optional but recommended for preparation | $150 - $350/hr |
| RPO (Registered Provider Organization) | Level 1 and assessment preparation | Optional | Varies by engagement |
C3PAO
C3PAOs are the only organisations authorised to conduct and certify CMMC Level 2 assessments. They employ Certified CMMC Assessors (CCAs), who must maintain active credentials; each assessment team is led by a Lead CCA, and Certified CMMC Professionals (CCPs) may support the team but cannot lead it. Authorised C3PAOs are listed on the Cyber AB Marketplace.
DIBCAC
DIBCAC assessments are conducted directly by the DoD (DCMA DIBCAC) and cannot be performed by commercial C3PAOs. DoD decides which contracts require Level 3; you cannot self-select Level 3 certification. A Level 3 assessment also presupposes a current Level 2 certification from a C3PAO, so choosing a C3PAO is still on the critical path for Level 3 contractors.
Registered Practitioner (RP)
Registered Practitioners are individuals registered with the Cyber AB to provide CMMC consulting and advisory services. They can help with gap assessments, SSP development, and pre-assessment readiness. The RP credential is an advisory credential, not an assessor credential: RPs cannot conduct certification assessments.
RPO
RPOs are organisations that employ Registered Practitioners. They provide advisory and consulting services for CMMC preparation but cannot conduct formal Level 2 or Level 3 assessments.
What Drives C3PAO Assessment Fees
C3PAO fees range from $30,000 for small, well-prepared contractors to $200,000 or more for large, complex environments. These factors have the most impact:

- Number of users: more users means more accounts to review, more training evidence to check, and more access control testing.
- Number of in-scope assets: every laptop, server, and cloud service in scope adds to testing time. Reducing scope through network segmentation lowers costs, but only if the boundary is documented and actually keeps CUI off the out-of-scope assets; the assessor will validate the boundary, and Security Protection Assets (for example your identity provider, SIEM, or backup platform) remain in scope even when they never store CUI.
- Number of sites: on-site visits add travel costs and time. Multi-site organisations may face $10k to $40k in additional travel-related fees.
- Environment complexity: organisations with complex data flows, multiple enclaves, or cloud-heavy environments require more assessor time.
- SSP quality: a well-prepared SSP reduces assessor document review time. Incomplete or inaccurate SSPs can add 20 to 40 hours of assessor time.
- POA&M size: large POA&M backlogs require additional assessor time to evaluate and may trigger conditional certification processes.
- Assessor availability and location: C3PAOs in high-demand periods or located far from your facility may command premium rates.
How to Evaluate a C3PAO
Accreditation Status
Critical: Verify the C3PAO is currently listed as active on the Cyber AB Marketplace (cyberab.org). Accreditation can lapse. Always check before signing a contract, not just during initial research.
Assessor Credentials
Critical: Ask how many Certified CMMC Assessors (CCAs) will be assigned to your assessment and verify their current credentials via the Cyber AB Marketplace. Some C3PAOs have limited credentialed staff and rely heavily on trainees.
Industry Experience
High: Assessors familiar with your industry will understand the specific ways your organisation processes CUI. A defence electronics manufacturer and a defence logistics firm face different challenges. Ask for sector-specific case studies.
Assessment Methodology
High: Ask the C3PAO to walk you through their assessment process: how they handle document review, interviews, and evidence testing. A well-documented methodology reduces surprises and protects both parties.
Fee Structure and Scope
High: Get a detailed scope-of-work before signing. The number of requirements is fixed (110 for Level 2), so fees vary with the assessment scope: system count, user count, and site visits. Cheaper is not always better; an underscoped assessment may not produce a valid certificate, because a certificate only covers the assessed scope.
POA&M Policy
Medium: Understand how the C3PAO handles Plan of Action and Milestones (POA&M) items. CMMC allows a conditional Level 2 certification with a limited POA&M, but only if the assessment score meets the minimum threshold (80% of the total), only for lower-weighted requirements (no 5-point requirements can be deferred), and the POA&M must be closed out within 180 days through a closeout assessment or the conditional certification lapses. Confirm the C3PAO's approach to conditional certifications and closeout assessments.
Timeline and Availability
High: Top C3PAOs can have 6 to 12 month backlogs. Ask for a realistic assessment start date and build that into your project plan. Avoid C3PAOs who promise unrealistically fast timelines.
References
Medium: Request references from at least two clients who completed assessments in the past 12 months. Ask those references specifically about communication, responsiveness, and how the C3PAO handled disputed findings.
Red Flags to Avoid
- C3PAO is not listed on the official Cyber AB Marketplace
- Assessment fee quoted with no scope documentation
- Guarantees a passing score before assessment begins
- Assessment timeframe significantly faster than competitors
- No dedicated CCA named to your engagement
- Offers to provide both remediation consulting and the formal assessment for your organisation; a C3PAO may not assess an organisation it has consulted for, and an undisclosed conflict of interest puts the certificate at risk
- Cannot provide evidence of completed assessments for reference clients
- Pressure to sign quickly without time to review the contract
- No written methodology or assessment plan provided
- Assessors lack domain-specific technical knowledge in your industry
Questions to Ask Your C3PAO
Ask these questions before signing an engagement contract. How a C3PAO answers reveals their professionalism and fit for your organisation.
1. How many Certified CMMC Assessors (CCAs) will be assigned to my assessment?
2. What is your current Cyber AB accreditation status and when does it next expire?
3. What is your assessment process from engagement to final report?
4. How do you handle a situation where we disagree with a finding?
5. What is your POA&M policy and what qualifies for conditional certification?
6. How many Level 2 assessments has your organisation completed?
7. What is the full fee including travel, evidence review, and report writing?
8. What is your realistic availability for assessment start?
9. Do you offer any remediation consulting, and how do you manage conflicts of interest?
10. What documentation will we receive at the end of the assessment?
Where to Find Accredited C3PAOs
The official source for accredited C3PAOs is the Cyber AB Marketplace at cyberab.org. You can filter by services offered, location, and sector expertise. Only organisations listed there are authorised to conduct and certify CMMC Level 2 assessments.
Cyber AB Marketplace
cyberab.org - The official CMMC accreditation body marketplace listing all active C3PAOs, RPOs, and RPs.
SPRS (Supplier Performance Risk System)
sprs.csd.disa.mil (accessed through PIEE at piee.eb.mil) - Where self-assessment scores and annual affirmations are submitted. C3PAO certification results are recorded in CMMC eMASS and flow through to SPRS. Create your PIEE/SPRS account early; the registration and role-approval process takes time.
CMMC Documentation
dodcio.defense.gov/CMMC - Official DoD CMMC documentation, rulemaking, and programme updates.
NIST SP 800-171
csrc.nist.gov - The foundational NIST publication underpinning CMMC Level 2 requirements. The CMMC rule references NIST SP 800-171 Revision 2 (and its companion assessment procedures in SP 800-171A), so align your SSP and evidence to that revision rather than to the latest one.