CMMC Third-Party Assessment Organization
Also known as: C3PAO
A CMMC Third-Party Assessment Organization (C3PAO) is an entity accredited by the Cyber AB to perform CMMC Level 2 assessments on behalf of DoD contractors. C3PAOs are not used at Level 1 — Level 1 is exclusively self-assessed — and they are not used at Level 3, which is assessed by DIBCAC.
Related terms
- Cyber AB
The Cyber AB is the sole accreditation body for the CMMC ecosystem. It is responsible for authorizing and accrediting C3PAOs, Certified CMMC Assessors (CCAs), Certified CMMC Professionals (CCPs), and Registered Practitioners (RPs).
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.
- Defense Industrial Base Cybersecurity Assessment Center
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Defense Contract Management Agency (DCMA) component that conducts NIST SP 800-171 assessments and CMMC Level 3 assessments on DoD contractors. DIBCAC assessments are the highest assurance level in the program.