C3PAO Directory: Authorized Assessors for CMMC Level 2
What a C3PAO Is — and What It Isn’t
A Certified Third-Party Assessment Organization (C3PAO) is an organization authorized by the Cyber Accreditation Body (Cyber AB) to conduct formal CMMC Level 2 third-party assessments under 32 CFR Part 170. Only a C3PAO can produce the Final Level 2 CMMC Status that gets posted in the Supplier Performance Risk System (SPRS). No consultant, RPO, MSP, or GRC tool can produce that status — and no one can produce it without a C3PAO who is currently authorized and in good standing with the Cyber AB.
A C3PAO is not a readiness consultant. The Cyber AB’s CMMC Assessment Process (CAP) draws a clear line: if a C3PAO (or its affiliated practitioners) provided advisory services, SSP build-out, remediation assistance, or implementation help to a contractor, they may be conflicted from later assessing that same contractor. Hire your readiness consultant and your C3PAO separately.
Not ready for a C3PAO yet?
Most contractors need readiness work — a gap assessment, SSP, and evidence package — before engaging a C3PAO. Our path assessment tells you what type of provider to hire first.
Find your CMMC path →
How to Find and Verify a C3PAO
The Cyber AB Marketplace is the live, authoritative source of truth for C3PAO authorization status. It is updated as C3PAOs gain or lose authorization, and it should be checked immediately before any contract is signed — not just once during the vendor evaluation phase.
- Go to marketplace.cyberab.org.
- Filter by Organization Type: C3PAO.
- Verify the organization’s status is Authorized (not Candidate, not Suspended).
- Note the organization’s listed Lead Certified CMMC Assessors (CCAs). The assessment team must include CCAs who are currently certified by the Cyber AB. Verify individual CCA status on the same Marketplace.
- Cross-check the organization name exactly. Some firms operate under related but distinct legal entities; confirm the contracting entity matches the Marketplace listing.
Re-verify authorization status at the point of contract execution. C3PAO authorizations can be suspended or revoked, and the Marketplace reflects current status in real time.
The Independence Rule: Why Your Readiness Consultant Cannot Be Your C3PAO
This is the most consequential rule most DIB contractors learn too late in the process. Under the Cyber AB CAP:
The Independence Constraint
If a C3PAO or any of its affiliated personnel (including individual CCAs) provided advisory services, readiness consulting, SSP build-out, remediation implementation assistance, or similar preparation services to an OSC (Organization Seeking Certification), that C3PAO may be conflicted from later assessing that same OSC for the assessment period that covers the consulting engagement.
In practice: if a firm holds both RPO credentials and C3PAO authorization and proposes to both prepare you and assess you, ask specific, documented questions about how they maintain the independence required by the CAP. A cosmetic separation between an “advisory team” and an “assessment team” at the same firm is not always sufficient. Get the answer in writing and verify it with the Cyber AB directly if in doubt.
The practical guidance: engage a separate RPO for readiness consulting and a separate C3PAO for the formal assessment. Choose your C3PAO early enough to confirm there is no conflict before starting readiness work.
The Assessment Process: What to Expect
| Phase | Who does it | What it produces |
|---|---|---|
| Readiness / gap assessment | RPO (not your future C3PAO) | SSP, POA&M, evidence package, SPRS score posture |
| CAP initiation | C3PAO + OSC | Signed CAP agreement, defined assessment boundary, scoping documentation |
| Level 2 assessment | C3PAO lead assessor team | Assessment findings, draft assessment report |
| CMMC AB quality review | Cyber AB | Approved assessment report |
| SPRS posting | DoD / CMMC PMO | Final Level 2 CMMC Status in SPRS |
Typical Cost and Timeline
C3PAO assessment costs vary significantly by contractor size, scope complexity, and number of sites. Ranges we have seen in 2026:
- Small contractor (1–50 employees, limited scope): $25,000 to $60,000 for the assessment engagement.
- Mid-size contractor (50–250 employees, multi-site): $50,000 to $120,000.
- Large or complex scope: $100,000+, depending on number of assessment objectives, sites, and system complexity.
Assessment timeline after CAP initiation: typically 4 to 16 weeks, depending on evidence readiness, site count, and C3PAO queue. C3PAOs with significant backlogs may have lead times of 3 to 6 months. Engage your C3PAO early — before you think you need them.
See CMMC Level 2 cost in 2026 for a full budget breakdown including readiness consulting, MSP/MSSP services, and the C3PAO assessment fee.
Authorized C3PAO Directory (Representative Listings)
The table below lists C3PAOs identified as authorized on the Cyber AB Marketplace at the time of our editorial verification. Authorization status changes; re-verify every firm directly on the Marketplace before engaging. The DCR Provider Directory will publish individually vetted C3PAO entries with expanded editorial notes once vetting is complete.
| Organization | Category | Practice Focus | Verified | Marketplace |
|---|---|---|---|---|
| A-LIGN | National compliance firm | Broad compliance (SOC 2, FedRAMP, CMMC); CMMC Level 2 assessment practice | May 27, 2026 | Verify → |
| Schellman & Company | IT compliance auditor | Specialized in IT audit, FedRAMP, and CMMC assessment; strong assessment methodology documentation | May 27, 2026 | Verify → |
| EY Coalfire | National advisory firm | Coalfire cybersecurity practice (EY-owned); early authorized C3PAO; large enterprise and mid-market CMMC assessments | May 27, 2026 | Verify → |
| CyberSheath Services International | Defense-focused cybersecurity | CMMC and DFARS compliance specialist for DIB contractors; assessment and advisory practices | May 27, 2026 | Verify → |
| TalaTek | Defense cybersecurity boutique | Defense and intelligence community cybersecurity; CMMC assessment practice with DIB specialization | May 27, 2026 | Verify → |
| Ardalyst | Defense cybersecurity boutique | CMMC-focused cybersecurity firm; assessment and readiness practice for defense industrial base | May 27, 2026 | Verify → |
| Moss Adams | Regional advisory firm (West) | Accounting and advisory firm with dedicated CMMC and cybersecurity practice; strong in aerospace and defense verticals | May 27, 2026 | Verify → |
C3PAO Types: Understanding the Market Landscape
| C3PAO Category | Practice Profile | Typical Capacity | Cost Band |
|---|---|---|---|
| Large national advisory firms | Broad cybersecurity practices; CMMC as one of many frameworks; support for very large or multi-site contractors | High — many assessment slots | $$$–$$$$ |
| Mid-size cybersecurity firms with CMMC practices | Dedicated CMMC teams; mix of assessment and readiness capacity (must be firewalled per CAP) | Moderate — queue times vary | $$–$$$ |
| Defense-specialized boutique assessors | Purpose-built CMMC assessment firms; often founded by former DoD or DIB practitioners | Limited — may have waitlists | $$–$$$ |
| Regional MSPs with C3PAO authorization | Managed services businesses that added C3PAO capability; must maintain CAP independence firewall from any consulting work | Limited — smaller capacity | $–$$ |
Questions to Ask a C3PAO Before Signing
- Are you currently listed as Authorized on the Cyber AB Marketplace? (Verify independently; do not rely on the C3PAO’s self-report.)
- Who will lead our assessment, and what is their CCA certification status? Verify the named CCA on the Marketplace before signing.
- Have any practitioners at your firm or its affiliates provided readiness consulting to our organization? This triggers the independence review.
- What does your current queue look like, and what is a realistic assessment start date? C3PAO capacity is limited; get a queue estimate in writing.
- What is your re-assessment policy if we receive Conditional Level 2 status? Conditional status requires all POA&M items to close within 180 days; confirm the C3PAO’s process for verifying POA&M closure.
- What does your SOW include and exclude? Confirm whether travel, evidence review time, and Cyber AB quality review fees are included in the quoted price.
Conditional vs. Final Level 2 Status
Under 32 CFR Part 170, a Level 2 C3PAO assessment can produce either a Final Level 2 or a Conditional Level 2 CMMC Status:
- Final Level 2: All 110 NIST SP 800-171 Rev 2 requirements are met. Status is valid for three years, subject to annual affirmations.
- Conditional Level 2: A minimum score of 88 out of 110 (80%) is achieved, all non-POA&M-eligible requirements are fully implemented, and remaining gaps are on a POA&M. Conditional status expires in 180 days; all POA&M items must close and be verified within that window to convert to Final status.
Not all CMMC gaps can be put on a POA&M. Certain weighted requirements are excluded from POA&M deferral by regulation. A C3PAO should be able to identify which requirements in your environment are POA&M-eligible and which are not, based on the Final Rule criteria.