Short answer: A C3PAO (CMMC Third-Party Assessor Organization) is the only entity authorized to certify your company at CMMC Level 2. Pick one by (1) verifying they appear on the Cyber AB marketplace as "Authorized C3PAO," (2) confirming the lead assessor is a Certified CMMC Assessor (CCA), (3) asking how many Joint Surveillance Voluntary Assessments they've completed, and (4) getting a fixed-fee quote tied to your asset count and locations, not hours. Expect $30k–$100k for a typical small-contractor assessment.
What a C3PAO actually does
A C3PAO sends a team of Certified CMMC Assessors (CCAs) and a lead assessor to evaluate your environment against the 110 NIST 800-171 controls plus the CMMC assessment objectives. They review your SSP, sample evidence, interview personnel, and observe systems. The output is a CMMC Level 2 certification (3-year validity) or a finding with a 180-day window to close gaps.
How to verify authorization
- Go to cyberab.org/marketplace.
- Filter by "Authorized C3PAO." Only these are allowed to issue certifications. "Registered Practitioner Organizations" (RPOs) and consultants are not the same thing.
- Confirm the assessor proposed for your engagement is listed as a CCA, not a CCP (Certified CMMC Professional — fine for consulting, not for the lead assessor role).
Questions to ask before signing
- How many CMMC Level 2 (or JSVA) assessments have you completed end-to-end?
- Who is the named lead assessor, and what's their CCA ID?
- What's your average finding rate, and what are the top 3 issues you see?
- Do you offer a pre-assessment readiness review? (Most do, but it cannot be the same firm that issues the certificate.)
- What's the rework cost if we need a 180-day re-assessment?
- How do you scope cloud enclaves, especially shared-tenant SaaS?
Realistic pricing (2026)
- Micro-shop (1 location, 1 enclave, <25 users): $25k–$45k
- Small (1–2 locations, 25–75 users): $45k–$80k
- Medium (multi-site, 75–250 users): $80k–$200k+
Add travel, re-assessment fees, and ConMon evidence packaging. The cheapest quote is rarely the best — under-scoped assessments fail more often.
Red flags
- "We guarantee you'll pass" — no C3PAO can ethically promise an outcome.
- The same firm sold you the SSP and now wants to assess you. Independence is required.
- No named lead assessor in the proposal.
- Hourly-only pricing with no cap. Demand fixed fee or a not-to-exceed.
- Pressure to skip a readiness review when you know you have gaps.
Frequently asked questions
- Can my IT MSP do the assessment?
  No, unless they also happen to be an Authorized C3PAO (rare). MSPs and consultants help you prepare; only a C3PAO certifies.
- How long does a Level 2 assessment take?
  Onsite/remote evidence work is typically 1–2 weeks for a small contractor, with another 2–4 weeks for the C3PAO to finalize the report and the Cyber AB to issue the certificate.
- What happens if I fail?
  You enter a 180-day remediation window. You close the gaps, the C3PAO re-tests the affected controls, and the certificate is issued. Failing the re-test means starting over.
- Is the certificate transferable across subsidiaries?
  No. CMMC certificates are issued to a specific assessment boundary (CAGE codes + facilities). Add a subsidiary and you typically need a delta assessment.