Authorized and accredited C3PAOs are responsible for conducting the assessments of DIB companies’ unclassified networks and issuing appropriate CMMC certificates based on the results of the assessments.
Authorized C3PAOs must meet DOD requirements and a subset of the requirements of ISO/IEC 17020, Conformity Assessment – Requirements for the Operation of Various Types of Bodies Performing Inspection, prior to being authorized to conduct assessments and issue certifications. The CMMC-Accredited Body (AB) can authorize C3PAOs to conduct CMMC assessments prior to the C3PAO achieving accreditation.
Accredited C3PAOs must meet all DOD requirements and achieve full compliance with ISO/IEC 17020. C3PAOs must be accredited by the CMMC-AB within 27 months of registration.