Which C3PAOs Are on the Cyber AB Marketplace? A Practical Guide for SDVOSB Contractors
The Cyber AB (Cybersecurity Assessor and Instructor Certification Body) operates the authoritative marketplace of Certified Third-Party Assessment Organizations (C3PAOs) at cyberab.org/marketplace. Every CMMC (Cybersecurity Maturity Model Certification) Level 2 assessment under DFARS 252.204-7021 must be performed by a firm listed there. With Phase 2 enforcement starting November 10, 2026, and current scheduling lead times running 6 to 12 months, choosing a C3PAO is one of the most consequential decisions a small prime or SDVOSB (Service-Disabled Veteran-Owned Small Business) sub will make in 2026. For background on the broader compliance timeline, see What Is the CMMC Enforcement Timeline for Small Primes and Subs? and the pillar guide on CMMC Compliance for Small Defense Contractors.
Small contractors who treat the C3PAO selection as a vendor commodity decision usually pay for that mistake twice -- first in scheduling delay, then in assessment findings that require rework. This guide walks through where to find the marketplace, what authorization tiers mean, the six selection criteria that matter, and the questions to ask before signing an engagement letter.
Where Is the Official Cyber AB Marketplace?
The Cyber AB marketplace is at cyberab.org/marketplace. It is searchable by organization name, geographic location, and authorization tier. The marketplace is the only source the Department of Defense and the DoD CIO CMMC program office recognize as authoritative. Third-party aggregator lists and search results outside the Cyber AB site are not authoritative and frequently include firms that have applied for but not yet received authorization.
The marketplace distinguishes between several roles:
- Authorized C3PAO: a firm that has completed the Cyber AB assessment of its own organization, passed background and ownership reviews, and is currently authorized to conduct CMMC Level 2 assessments of other contractors. This is the tier that matters for selection. Authorized C3PAOs can assess and award certifications.
- Candidate C3PAO: a firm in the application or remediation pipeline. They cannot assess clients. They are listed for transparency, not for engagement.
- Authorized Assessor (CCA, CCP): individuals who hold Certified CMMC Professional or Certified CMMC Assessor credentials and perform assessment work on behalf of a C3PAO. Assessors are not standalone C3PAOs; they must be affiliated with one.
- Registered Practitioner Organization (RPO): a firm authorized to provide consulting and readiness services. RPOs cannot conduct assessments. The distinction matters: an RPO can prepare you, but cannot certify you.
Filter for Authorized C3PAO when shopping for an assessment. As of May 2026, the count of fully authorized C3PAOs is in the high 60s. The list grows monthly but slowly -- becoming a C3PAO requires the firm to pass its own Level 2 assessment plus pass the Cyber AB organizational review, which can take 18 months end to end.
The Six Selection Criteria That Matter
Vendor selection conversations with C3PAOs tend to focus on price and availability. Those matter, but they are not the only criteria, and they are not the most important. Six factors should drive the decision.
1. Authorization status (current, not pending)
Verify the firm appears on cyberab.org as an Authorized C3PAO on the day you sign. Authorization can be suspended or revoked, so the screenshot you took six months ago is not evidence of current status. Pull a fresh marketplace listing, attach it as an exhibit to the engagement letter, and include the date it was retrieved.
2. Lead time to scheduled assessment (next available, not average)
Ask for the specific calendar date the firm can begin on-site or remote assessment work. "Six to twelve weeks" is not an answer -- it is a marketing range. The answer should be a specific week, and it should be documented in the engagement letter as a not-to-exceed scheduling commitment. If the C3PAO will not commit to a date, treat it as a soft no.
3. Industry vertical experience
A C3PAO that has assessed 40 small primes in your industry vertical knows where the typical findings cluster. A C3PAO that has assessed 4 retail businesses and 0 defense industrial base small primes will spend assessment time learning your environment, on your clock. Ask for the number of completed assessments in your vertical and the typical SSP (System Security Plan) length they have seen. SSPs from defense industrial base small primes typically run 60 to 120 pages. SSPs from other verticals can be wildly different. The C3PAO should be able to talk fluently about the contour of the SSP for your kind of organization.
4. Geographic coverage and travel cost model
Some C3PAOs quote a fixed-fee assessment that includes travel and incidentals. Others quote the assessment hours and bill travel separately at cost plus markup. For small organizations with a single site, the difference is rarely material. For organizations with multiple sites or a remote workforce that requires on-site sampling, the difference can be a five-figure cost variance. Get the travel model in writing.
5. Sample SSP and POA&M deliverables
Request anonymized samples of the System Security Plan and Plan of Action and Milestones (POA&M) the C3PAO has produced as part of prior assessments. The quality and rigor of these documents are a strong signal. A C3PAO whose sample SSP is a 12-page generic checklist will produce a 12-page generic assessment report. A C3PAO whose sample SSP is 80 pages with control-by-control detail, evidence references, and exception handling will produce a defensible certification.
6. References from completed assessments
Ask for three references from completed CMMC Level 2 assessments of organizations similar in size to yours. Talk to all three. The questions to ask the reference are simple. Did the C3PAO communicate clearly throughout the engagement? Did findings come as a surprise, or were issues flagged early enough to address before the final report? Did the firm meet the scheduling commitment? Would the reference engage them again for re-certification in three years? Honest answers to those four questions will reveal more than any pricing comparison.
What an MSP relationship adds to the C3PAO conversation
An MSP (Managed Service Provider) that holds Registered Practitioner Organization (RPO) status and has documented experience with NIST SP 800-171 implementation can dramatically compress the readiness work that precedes a C3PAO assessment. The MSP cannot conduct the assessment -- separation of duties prevents that -- but they can document the SSP, drive POA&M closure, and provide the continuous monitoring evidence the assessor will demand. The relationship is sequential: MSP for readiness and ongoing compliance, C3PAO for the formal assessment. Confusing the two roles is one of the most common procurement mistakes small primes make.
Questions to Ask Before You Sign the Engagement Letter
Before committing to a C3PAO, work through this checklist. Each question maps to a specific risk that small contractors have encountered in 2025-2026 assessment cycles.
- What is your current authorization status as of today, and can I see a screenshot from cyberab.org? The authorization can change between engagement letter and assessment date.
- What is the specific calendar week assessment work will begin? Not a range. A date.
- How many CMMC Level 2 assessments have you completed in my industry vertical? Defense industrial base, professional services, manufacturing, software -- the answer matters.
- Will the same lead assessor staff the engagement from kickoff through report delivery? Continuity matters. A handoff mid-engagement degrades quality.
- How is travel billed -- fixed-fee or cost-plus, and what is the assumed travel scope? Get the assumptions in writing.
- Can I see anonymized sample SSP and POA&M deliverables from a prior assessment? Documentation quality predicts assessment quality.
- What is the policy for findings and remediation during the assessment window? Some C3PAOs allow remediation during assessment with re-test; others do not. Know this before kickoff.
- What happens if I fail the first attempt? Re-assessment policies and fees vary widely. Confirm before signing.
- Will you accept evidence collection through a managed security service provider relationship? If the MSP is doing the continuous monitoring, the C3PAO needs to be comfortable with that evidence chain.
- What is the report turnaround time after on-site or remote assessment work concludes? Industry standard is 30 days. Some firms take 60.
Common Mistakes Small Primes Make in C3PAO Selection
Pattern recognition from 2025-2026 assessment cycles surfaces four recurring mistakes:
- Selecting on price alone. The lowest-priced C3PAO is rarely the highest-quality, and rework after a failed assessment costs far more than the price differential between firms.
- Selecting too late. Contractors who start C3PAO selection conversations in Q3 of the assessment year find the better firms fully booked. Start the conversation 9 to 12 months ahead.
- Treating the engagement letter as boilerplate. The engagement letter is the contract that governs scope, schedule, deliverable quality, and failure remediation. It deserves the same scrutiny as any other professional services agreement.
- Confusing RPO with C3PAO. Some firms hold both authorizations. The firm you engage to prepare your environment cannot also conduct your assessment. Separation of duties is a Cyber AB requirement.
Where Does TDS-IS Fit in This Conversation?
Trinity Data Solutions & IT Services is an SDVOSB that supports small defense primes and SDVOSB subcontractors through the readiness phase that precedes a C3PAO assessment. Our work includes NIST SP 800-171 gap assessment, System Security Plan drafting, POA&M closure, continuous monitoring through managed security services, and assessment coordination with the C3PAO you choose. We do not perform C3PAO assessments -- separation of duties prevents that -- but we know the marketplace, we have working relationships with several Authorized C3PAOs across DoD verticals, and we can shorten your readiness timeline measurably. See the TDS-IS capability statement for our DoD CMMC service scope, NAICS code coverage, and past performance.
Need a partner for CMMC Level 2 readiness before you engage a C3PAO?
TDS-IS works with small defense primes and SDVOSB subcontractors on NIST SP 800-171 gap assessment, SSP drafting, POA&M closure, and the managed security services that satisfy continuous monitoring requirements. We are an SDVOSB with active DoD exposure. We are familiar with the C3PAO marketplace and can help you scope the engagement letter before you sign it.
Request Our Capability Statement