Cyber AB Marketplace Guide: How to Find and Verify CMMC Providers
By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.
Published: June 12, 2026 · Last verified: June 12, 2026
This Cyber AB Marketplace guide exists to do one thing: help you use the official CMMC directory to find the right kindof provider — and confirm they’re actually legitimate — before you spend a dollar or sign a statement of work.
Here’s the bottom line. The Cyber AB Marketplace (at cyberab.org/Catalog) is the official, government-referenced directory of every authorized organization and credentialed individual in the CMMC ecosystem. It’s the official record of who holds which role. But a listing proves authorization— not fit, price, availability, independence, or quality. And one detail most guides published before 2026 still get wrong: in December 2025, ISACA — not the Cyber AB — took over individual CMMC credentialing as the new CAICO (Cybersecurity Assessor and Instructor Certification Organization).
If you read nothing else, read this table
| If you’re trying to… | Verify this first in the Marketplace | Don’t assume | Your next move |
|---|---|---|---|
| Get formally certified at Level 2 | An Authorized or Accredited C3PAO (the firm) plus its listed assessors | That an RPO, a consultant, or a software tool can certify you | Confirm status and the assessment team, and confirm there's no conflict of interest |
| Get ready for CMMC | An RPO (verify its listing), or an MSP/MSSP readiness firm (evaluate on its merits) | That readiness help can also issue your certification | Build your scope, SSP, and evidence — then bring in a separate assessor |
| Check a person's credentials | The individual's CCA / Lead CCA / CCP status | That an individual credential means the company is authorized | Confirm the person's affiliation with a listed C3PAO |
| Figure out what your contract needs | The level written into DFARS 252.204-7025 in your solicitation | That "Level 2" always means a third-party assessment | Confirm Level 2 (Self) vs Level 2 (C3PAO) with your contracting officer |
Terms defined as we go: C3PAO (CMMC Third-Party Assessment Organization), RPO (Registered Practitioner Organization), MSP/MSSP (Managed Security Service Provider), CCA (Certified CMMC Assessor), CCP (Certified CMMC Professional), SSP (System Security Plan), DFARS (Defense Federal Acquisition Regulation Supplement).
What is the Cyber AB Marketplace?
CMMC — the Cybersecurity Maturity Model Certification program — became a federal regulation on December 16, 2024, codified at 32 CFR Part 170. The program exists to verify that defense contractors protect two kinds of government data: Federal Contract Information (FCI), which is non-public information generated under a contract, and Controlled Unclassified Information (CUI), which is more sensitive unclassified information that requires safeguarding.
The Marketplace is where the ecosystem becomes real. It lists the firms that assess you, the firms that help you prepare, and the individuals who carry credentials — and it shows the role and status each one holds. That’s its job. It is a status directory. It is not a recommendation engine, a quality ranking, or a price comparison.
What does a Cyber AB Marketplace listing actually prove — and what does it not prove?
A Marketplace listing is necessary, but it isn’t sufficient — and the government’s own watchdog has said so. In January 2025, the DoD Office of Inspector General published an audit (Report No. DODIG-2025-056) of how assessment firms get authorized. The finding was blunt: the DoD had failed to effectively implement the process that authorizes third-party organizations to conduct Level 2 CMMC assessments. A C3PAO has to clear 12 separate requirements before it’s authorized — only two of those 12 were fully implemented. The OIG issued 10 recommendations.
This isn’t a reason to distrust C3PAOs as a group — it’s a reason to verify the specific one you’re considering. Confirm its current status, confirm the assessment team, confirm independence, and keep a record of what you saw. Two minutes of verification beats a failed engagement.
| The Marketplace can confirm | The Marketplace does not prove |
|---|---|
| The role displayed today (C3PAO, RPO, CCA, CCP, and so on) | That this is the right provider for your company |
| Organization vs. individual listing | Engagement quality or how good their assessors are |
| The status displayed today (Authorized, Accredited, Candidate) | Independence for your specific engagement |
| That a public profile exists at all | Price, scope inclusions, or what's bundled |
| A training or credential designation | Current availability or queue length |
| Affiliation clues between people and firms | A certification outcome — nobody can promise that |
Who runs the Cyber AB Marketplace, and who certifies CMMC assessors now?
This is the single most common thing outdated guides get wrong. For years, the Cyber AB did both jobs: it accredited the firms andcredentialed the people. That split at the end of 2025. Here’s the division of labor today:
The Cyber AB
Accredits and authorizes C3PAOs, registers the consulting roles (RPO, RP, RPA), runs the Marketplace/Catalog, and authorized ISACA as the CAICO.
ISACA (the CAICO)
Trains, examines, and certifies the individuals: the CMMC Certified Professional (CCP), the CMMC Certified Assessor (CCA) and Lead CCA, and the CMMC Certified Instructor (CCI).
DCMA DIBCAC
The Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center. It assesses the C3PAOs themselves and conducts the government-led Level 3 assessments.
C3PAO vs. RPO vs. RP vs. CCA: every Cyber AB Marketplace role, explained
We built the table below by reading the Cyber AB’s official role definitions and cross-checking the authority and conflict rules against 32 CFR Part 170. The column most other guides skip — “who credentials this now” — reflects the December 2025 ISACA transition.
| Role | What it is | What it can do | What it can’t do | Who credentials it now | How to verify it | #1 buyer mistake |
|---|---|---|---|---|---|---|
| OSC / OSA | Organization Seeking Certification (also "Organization Seeking Assessment") — the contractor being assessed, i.e. you | Pursue Level 1, 2, or 3; post results in SPRS | N/A — not a provider | N/A | You won't search for yourself | Assuming you're "FCI-only" before confirming whether CUI reaches you |
| RP | Registered Practitioner — an individual readiness consultant | Advise, implement, prepare you | Conduct or grant a certification assessment | Cyber AB | Search the person; confirm RP + firm affiliation | Reading "registered" as "certified assessor" |
| RPA | Registered Practitioner Advanced | Advise/implement at a higher demonstrated level | Conduct or grant a certification assessment | Cyber AB | Search the person; confirm RPA | Assuming RPA can certify you (it can't) |
| RPO | Registered Practitioner Organization — a readiness/consulting firm or MSP | Gap analysis, build your SSP and POA&M, implement controls, prep you | Conduct official assessments or issue CMMC status | Cyber AB | Search the firm; confirm RPO + that it employs at least one RP/RPA | Hiring an RPO and expecting it to certify you too |
| CCP | Certified CMMC Professional — foundational individual credential | Demonstrate CMMC knowledge; support an assessment team under a CCA | Make a final certification determination alone | ISACA / CAICO | Search the individual; confirm the credential | Treating a CCP as an assessor who can sign off |
| CCA | Certified CMMC Assessor — individual assessor credential | Perform Level 2 assessment work as part of a C3PAO team | Operate as a C3PAO solo; assess outside a C3PAO | ISACA / CAICO | Search the individual; confirm CCA + C3PAO affiliation | Confusing an individual CCA with an authorized C3PAO firm |
| Lead CCA | The senior assessor on a C3PAO team | Lead a Level 2 assessment and deliver the final determination | Act outside a C3PAO; certify a client they consulted for | ISACA / CAICO | Confirm Lead CCA + which C3PAO | Not confirming a Lead CCA will actually run your assessment |
| C3PAO | CMMC Third-Party Assessment Organization — the firm that conducts official Level 2 assessments | Conduct Level 2 (C3PAO) assessments and issue Certificates of CMMC Status | Assess an environment it built or remediated (conflict of interest) | Cyber AB authorizes; DIBCAC assesses the C3PAO | Search the firm; confirm Authorized/Accredited + listed assessors | Hiring your readiness firm to also be your C3PAO |
| CCI | Certified CMMC Instructor | Teach CMMC courses at their qualified level | Assess or certify your company | ISACA / CAICO | Training context — rarely relevant to OSCs | Over-weighting it when choosing a provider |
| Training / Publishing partners | Approved training providers and curriculum publishers (you'll see both legacy LTP/LPP and newer ATP/APP labels during the transition) | Deliver vetted training and curriculum | Assess or certify your company | CAICO / ISACA-vetted | Training context only | Confusing a training provider with an assessor |
See also: RPO vs. C3PAO — what’s the difference? · CMMC provider categories guide
Cyber AB Marketplace guide: how to verify a provider in 5 steps
Real defense contractors describe this directory as hard to use. On Reddit’s r/CMMC, contractors have vented that it’s tough to search and that results don’t always line up with the profile you clicked. So here’s the workflow we’d use.
Step 1: Go to the official directory
cyberab.org/Catalog. Not a third-party "marketplace," not the provider's own badge page.
Step 2: Search the exact legal name
(and any "doing business as" name). Common names produce noise — be precise.
Step 3: Confirm the role
Is the firm shown as a C3PAO, or only as an RPO, RP, CCP, or training role? People assume "they're on the Marketplace" means "they can assess me." Often it doesn't.
Step 4: Confirm the status
For a C3PAO you want Authorized or Accredited — not "Candidate," not "in process," and definitely not "pre-certified" (which isn't a real status).
Step 5: Check the people, then check for conflicts
For a C3PAO, look for listed CCAs and a Lead CCA. For an RPO, confirm it has at least one listed RP or RPA. For an individual, confirm their affiliation with a listed firm. Then apply the independence test.
See the full list of verified providers: Find an authorized C3PAO · C3PAO directory
What should you screenshot or save from the Cyber AB Marketplace?
Treat verification like a procurement control, not a formality. For each provider you seriously consider, capture and keep:
- The provider's legal name (and any trade name).
- The role and status, copied exactly as displayed.
- The profile URL and a dated screenshot (with time zone).
- The individual credentials you checked (CCA, Lead CCA, RP/RPA), and their firm affiliation.
- Whether the legal entity matches the one on your statement of work.
- The independence question you asked, and the provider's written answer.
- Your re-check date — and re-check before you sign, before kickoff, and again before your assessment window. Statuses change.
Authorized vs. accredited C3PAO — and why the listing isn’t the whole story
This is a detail almost no buyer guide explains, and it can quietly affect your timeline. The codified requirement is the 27-month ISO/IEC 17020 accreditation window in § 170.9. The Cyber AB has also described an interim reauthorization step in its Town Halls, after which a firm reauthorizes or moves into the formal accreditation program. You don’t need to memorize the mechanics. You need to ask one fair question: “Where are you on the 27-month accreditation clock, and what’s your plan?”
Pair that with the OIG audit from earlier, which found gaps in how the authorization process was implemented in its early days, and the takeaway is consistent: a listing tells you a firm cleared a bar at a point in time. Your job is to confirm it’s current, confirm the team, and confirm independence. See our Best C3PAO for CMMC Level 2 guide for a deeper evaluation framework.
How many providers are in the Cyber AB Marketplace right now?
We compiled the figures below from the Cyber AB’s own monthly Town Hall reports and a published March 2026 analysis of the full Catalog. We’re showing the trend on purpose: a single snapshot tells you less than the direction of travel.
| Metric | Jan 2026 | Feb 2026 | Mar 2026 |
|---|---|---|---|
| Authorized C3PAOs | 97 | 98 | 103 |
| Certified CMMC Assessors (CCAs) | 688 | 748 | 759 |
| Certified CMMC Professionals (CCPs) | 1,459 | 1,494 | — |
| Lead CCAs | 425 | 452 | — |
| Registered Practitioner Organizations (RPOs) | growing | 378 | — |
| Registered Practitioners (RPs) | ~2,000 | ticked up | — |
| Total active Marketplace listings | — | — | 5,732 |
| Unique organizations + individuals | — | — | 3,607 |
| Cumulative orgs with Level 2 certification | — | — | ~1,000 (≈1% of the DIB) |
How we compiled this: figures are drawn from the Cyber AB’s monthly Town Hall reports (January–March 2026) and a published March 2026 analysis of the full Catalog export. These are point-in-time counts. Confirm the live number in the Catalog before you rely on it.
And the queue does tighten on a date you can plan around. According to the DoD CIO’s CMMC office, the program is rolling out in four phases. Phase 1 runs November 10, 2025 through November 9, 2026 and leans on self-assessments. Phase 2 begins November 10, 2026 — and from that point, where applicable, DoD solicitations will require Level 2 (C3PAO) certification, though the Department may choose to defer a given contract’s Level 2 requirement to an option period. For many contractors handling CUI, that’s when self-attestation stops being enough. Readiness work takes months. If a third-party assessment is in your future, November 10, 2026 is the date to plan backward from. That’s not manufactured scarcity; it’s the published schedule. See our C3PAO wait times and assessment backlog guide for the queue data.
Does your contract require Level 2 (Self) or Level 2 (C3PAO)?
This is where a lot of money gets wasted — people buy a third-party assessment they didn’t need, or assume self-assessment is fine when the contract demands a C3PAO. DFARS 252.204-7025 became effective November 10, 2025. It’s a solicitation provision (it shows up before award) and it does one job: it puts you on notice of the CMMC level you’ll need to be eligible. The contracting officer selects from these four:
CMMC Level 1 (Self)
Annual self-assessment, for systems that handle FCI only.
CMMC Level 2 (Self)
Self-assessment against NIST SP 800-171 Revision 2, for certain CUI contracts.
CMMC Level 2 (C3PAO)
A third-party certification assessment by an authorized C3PAO.
CMMC Level 3 (DIBCAC)
A government assessment by DCMA DIBCAC, for the most sensitive programs.
The provision also asks you to list your CMMC Unique Identifier(s)— a CMMC UID is a 10-character alphanumeric identifier generated in SPRS for a CMMC assessment, covering the contractor information system(s) in that assessment’s scope.
| Your path | What it’s built on | What to verify in the Marketplace | Common mistake |
|---|---|---|---|
| Level 1 (Self) | The 15 basic safeguarding requirements in FAR 52.204-21 | Optional light readiness help; no C3PAO needed | Paying for a C3PAO assessment you don't need |
| Level 2 (Self) | The 110 requirements / 14 families of NIST SP 800-171 Rev. 2 | An RPO/MSP for readiness; no certification assessment unless the contract says so | Assuming "Level 2" always means a third party |
| Level 2 (C3PAO) | The same 110 requirements, verified by a third party | An Authorized/Accredited C3PAO plus its CCA/Lead CCA team | Contacting a C3PAO before your scope and evidence are ready |
| Level 3 (DIBCAC) | Level 2 plus 24 selected requirements from NIST SP 800-172 (Feb. 2021) | Advanced readiness; a Final Level 2 (C3PAO) status comes first, then a DIBCAC path | Treating Level 3 like "Level 2 plus a few extra controls" |
How do DFARS 252.204-7012, -7019, -7020, -7021, and -7025 fit together?
| Clause | Type | What it does | Where the Marketplace fits |
|---|---|---|---|
| 252.204-7012 | Contract clause | Safeguarding Covered Defense Information and cyber-incident reporting; requires NIST SP 800-171 on covered systems and 72-hour incident reporting | Foundational — predates CMMC; no Marketplace role |
| 252.204-7019 | Solicitation provision | To be eligible for award, you must have a current (≤3-year-old) NIST SP 800-171 DoD Assessment score posted in SPRS | No Marketplace role — this is your own self-/DoD score |
| 252.204-7020 | Contract clause | Government access for Medium/High NIST SP 800-171 DoD Assessments; SPRS posting; flow-down (subs need at least a Basic assessment within 3 years) | No Marketplace role |
| 252.204-7021 | Contract clause | Requires you to have and maintain the required CMMC status during performance | Use the Marketplace to verify the C3PAO that assesses you |
| 252.204-7025 | Solicitation provision | The contracting officer specifies the required CMMC level/assessment type before award | Tells you which provider category to verify |
How do CSPs, ESPs, cloud enclaves, MSPs, and GRC tools fit in?
Cloud Service Providers (CSPs)
If you process, store, or transmit CUI in a cloud environment, § 170.17 sets a hard bar: the CSP offering must be FedRAMP Moderate (or higher) authorized — or meet FedRAMP Moderate equivalency per DoD policy. This is the single most common place a "compliant" environment turns out not to be. Verify the FedRAMP status directly; don't take it on faith.
External Service Providers (ESPs) that aren't CSPs
For example, a managed IT or security provider. Under § 170.17, the ESP's role, its relationship to you, and the services it provides must be documented in your SSP and the ESP's customer responsibility matrix, and the services used to meet your requirements are assessed within your scope.
CUI enclaves and secure-collaboration tools
A purpose-built enclave can dramatically shrink your assessment scope by keeping CUI in one controlled boundary. Useful — but it's an implementation choice, not a certification.
GRC and evidence-management software
These help you build and maintain your SSP, POA&M, and evidence. They're a supporting layer, not the whole solution. Software does not, by itself, make you CMMC-certified.
MSPs / MSSPs
Strong readiness partners. They don't need a Marketplace listing to be the right fit — judge them on CUI experience, how their own security posture affects yours, and how cleanly they hand off to a separate assessor. If an MSP also claims to be an RPO, then verify that RPO listing.
Can the same provider prepare you and assess you?
The firm that knows your environment best is often the wrong firm to assess it. That feels inefficient. It isn’t. Independence is what gives your certification credibility and protects you from a conflict challenge.
So separate the work, and put it in writing. When you scope an engagement, get the provider to confirm: that it has not provided implementation or remediation services that would create a conflict for the assessment; that it will flag any actual or potential independence issue; and that it won’t represent readiness help as if it were a certification.
If you’re affected by this — say, you love your MSP and were hoping it could also certify you — don’t get stuck. Use your MSP for readiness, then bring in a separate assessor. We can help you map that handoff so neither relationship creates a problem.
How does the Cyber AB Marketplace work for primes and subcontractors?
The flow-down logic, in practice:
Sub handles FCI only:
Level 1 (Self) is typically the floor.
Sub handles CUI:
Level 2 is typically the floor; whether it's Self or C3PAO depends on the prime's requirement and the contract.
Prime requires Level 2 (C3PAO) and flows CUI down:
The sub typically needs Level 2 (C3PAO) as well.
Sub receives no FCI or CUI for the work:
No CMMC flow-down for that scope.
For primes, the Marketplace is also a verification tool for the partners and suppliers in your base. For subs, it’s how you confirm any readiness or assessment provider you bring in is real before the prime’s deadline lands on you. See our CMMC compliance guide for DoD subcontractors.
What if a provider isn’t listed in the Cyber AB Marketplace?
They claim "C3PAO" but aren't listed as Authorized/Accredited:
Stop. That's a serious problem.
They claim RPO/RP/RPA but aren't listed:
Ask them to reconcile it and show current status.
They're a software, GRC, or enclave vendor:
Marketplace listing may not apply; verify the product claims (and any FedRAMP or ESP documentation) on their own merits, and confirm your assessor will accept the evidence the tool produces.
They're an MSP/MSSP not claiming a Cyber AB role:
Judge them on technical fit, CUI handling, contracts, and how their own security posture affects yours. A capable MSP doesn't have to be Marketplace-listed to be the right readiness partner — but be clear-eyed that software and managed services don't, by themselves, equal CMMC certification.
What we actually verified
We’re a trade publication, not a government office, and we think you should be able to see our work. For this guide we:
- Read 32 CFR Part 170 on the eCFR, including § 170.9, § 170.14, § 170.17, and § 170.23, and confirmed CMMC Level 2 maps to NIST SP 800-171 Revision 2 (110 requirements, 14 families).
- Pulled the text of DFARS 252.204-7012, -7019, -7020, -7021, and -7025 from Acquisition.gov and confirmed the four-way level/assessment-type selection, the SPRS posting requirements, and the November 10, 2025 effective date.
- Confirmed the phased rollout (Phase 1: Nov 10, 2025–Nov 9, 2026; Phase 2 begins Nov 10, 2026) against the DoD CIO's CMMC pages.
- Confirmed the ISACA/CAICO transition (announced December 17, 2025, effective immediately; full transition completed by April 1, 2026) via ISACA's announcement, defense-trade reporting, and the Cyber AB's own site.
- Read the DoD OIG audit press release (DODIG-2025-056, January 2025) and confirmed the 12-requirement authorization process, the 10/2 split of responsibility, and the 10 recommendations directly from the OIG.
- Compiled the Marketplace counts from the Cyber AB's January–March 2026 Town Hall reports and a published March 2026 Catalog analysis.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Sources we read
- 32 CFR Part 170 — CMMC Program (eCFR): § 170.9, § 170.14, § 170.17, § 170.23
- DFARS 252.204-7012, -7019, -7020, -7021, -7025; DFARS subpart 204.75 (Acquisition.gov)
- DoD CIO — CMMC program pages and phased-implementation schedule (dodcio.defense.gov)
- The Cyber AB — Marketplace/Catalog, Ecosystem Roles, and official notices (cyberab.org)
- ISACA — CAICO authorization announcement (December 17, 2025) and CMMC credentialing pages (isaca.org); defense-trade coverage of the transition
- DoD Office of Inspector General — Report No. DODIG-2025-056 press release (January 2025)
- Cyber AB Town Hall reports, January–March 2026, and a published March 2026 Catalog analysis
- NIST SP 800-171 Revision 2 (NIST CSRC)
Frequently asked questions about the Cyber AB Marketplace
Is the Cyber AB Marketplace the official CMMC directory?
Yes. It's the official directory of CMMC ecosystem roles and statuses, maintained by the Cyber AB and referenced by the DoD. Use it as the source of truth for who holds which role — but treat a listing as verification of status, not a ranking or endorsement.
Is the Cyber AB Marketplace free to use?
Yes. It's a public directory at cyberab.org/Catalog. There's no charge to search it or view listings.
What's the difference between the Cyber AB Marketplace and cmmcmarketplace.org?
The Cyber AB Catalog at cyberab.org is the official, DoD-referenced directory. Other "CMMC marketplace" sites are unaffiliated commercial directories. Always verify a provider's status in the official Catalog.
Who certifies CMMC assessors now?
ISACA. As the CAICO, ISACA administers the individual CMMC credentials — CCP, CCA, Lead CCA, and CCI — following its December 17, 2025 authorization, with full transition completed by April 1, 2026. The Cyber AB still authorizes the assessment firms (C3PAOs) and runs the Marketplace.
Can an RPO certify my company for CMMC?
No. An RPO (Registered Practitioner Organization) provides readiness and implementation support. Only an authorized or accredited C3PAO can conduct a Level 2 certification assessment.
Can a C3PAO help us implement controls and then assess us?
Treat them as separate engagements. The Cyber AB's rules state that an individual who helped implement for a company can't assess that same company, and 32 CFR § 170.9 requires C3PAOs to follow conflict-of-interest, Code of Professional Conduct, and ethics policies. Most contractors use one provider for readiness and a separate C3PAO for the assessment.
What does "Authorized C3PAO" mean — and is "Candidate C3PAO" enough?
"Authorized" means the firm can conduct Level 2 assessments now. "Candidate" means it's still in the authorization pipeline and cannot yet conduct certification assessments. Don't treat Candidate as Authorized.
What does "Accredited C3PAO" mean?
Accreditation is the ISO/IEC 17020-aligned status that a C3PAO must achieve and maintain within 27 months of authorization, per 32 CFR § 170.9. It's a higher bar than initial authorization.
Do Level 1 companies need to use the Marketplace?
Usually not for an assessment — Level 1 is a self-assessment path. A Level 1 company may still use the Marketplace to find light readiness help, but it generally doesn't need a C3PAO.
Do Level 2 (Self) companies need a C3PAO?
Not unless the contract specifies Level 2 (C3PAO). Level 2 (Self) and Level 2 (C3PAO) both map to NIST SP 800-171 Rev. 2 — the difference is who performs and reports the assessment. Your solicitation (via DFARS 252.204-7025) tells you which one applies.
Is CMMC Level 2 based on NIST 800-171 Rev. 2 or Rev. 3?
Revision 2 — 110 requirements across 14 control families — per 32 CFR § 170.14. Revision 3 does not apply to CMMC unless the DoD amends the rule through formal rulemaking.
What is a conditional CMMC status, and how long does it last?
A Conditional Level 2 (C3PAO) status can satisfy award eligibility, but any open POA&M must be closed out — and a closeout assessment passed — within 180 days of the conditional status date, or the status expires (32 CFR § 170.17).
How much does a Level 2 (C3PAO) assessment cost?
Industry estimates commonly fall in the roughly $30,000–$120,000 range, depending on size, complexity, and CUI scope — but that’s an estimate, not a quote. See our CMMC Level 2 cost guide and C3PAO assessment cost guide for sourced ranges, and never treat a Marketplace listing as a price.
How often should I re-check a provider's Marketplace status?
Re-check before you shortlist, before you sign, before kickoff, and again before your assessment window — and any time a schedule slips. Statuses can and do change.
What should I do if I can't verify a provider?
Don't sign based on an unverified claim. Ask for the exact legal name, the profile, and current status evidence. If it still doesn't add up, choose a different provider category or get a neutral, source-checked category match.
The Cyber AB Marketplace: a status directory, not a rating system
The Cyber AB Marketplace is the official place to confirm a CMMC provider’s role and status — but a listing proves authorization, not fit. Verify the badge, document what you saw, keep readiness and formal assessment in separate hands, and remember the role map changed at the end of 2025 when ISACA took over individual credentialing. If you already know the exact authorized C3PAO you want, you don’t need us — open the Catalog and confirm them in two minutes. If you’re still deciding which kindof provider you need, that’s where a source-checked match saves you the most time and risk.
Also relevant: Best C3PAO for CMMC Level 2 · C3PAO directory · RPO vs. C3PAO · CMMC provider categories · vCISO services for CMMC · NIST 800-171 gap analysis