C3PAO Due Diligence Questionnaire

$19.00

A structured 23-question framework for evaluating Third-Party Assessment Organizations (C3PAOs) before your CMMC Level 2 assessment. Built from DoD IG audit DODIG-2025-046. Includes an Excel comparison tracker that automatically scores up to 3 C3PAOs side-by-side.

Selecting a C3PAO is one of the most consequential compliance decisions a defense contractor will make in 2026. CMMC Phase 2 enforcement begins November 10, 2026 — and with only 97 authorized C3PAOs serving an estimated 80,000 contractors, wait times for assessment scheduling are already 9–12 months, projected to reach 24–30 months by late 2026.

In January 2025, the DoD Inspector General released audit findings that revealed systematic credentialing failures across the C3PAOs they examined:

  • 2 of 11 C3PAOs were authorized without a current signed C3PAO Agreement
  • 4 of 11 were authorized without verifying quality control lead certifications
  • All 11 of 11 were authorized without confirming that assessment teams included both a certified assessor and a certified quality control lead

“Without an effective third-party organization authorization process, there is a ripple effect of risks.” — Inspector General Robert P. Storch, DODIG-2025-046

Contractors have no standard tool for verifying C3PAO qualifications before committing to an assessment contract. Until now.

What’s Included

C3PAO Due Diligence Questionnaire (PDF)

A structured 23-question interview guide organized into five sections:

  • Section A (5 questions): Core credential verification — the exact questions that exposed failures in the DoD IG audit, with scoring guidance, acceptable response standards, and red flag indicators for each
  • Section B (4 questions): Assessor team qualifications and certification currency
  • Section C (5 questions): Organizational credibility, client references, and conflict-of-interest controls
  • Section D (5 questions): Assessment process, evidence methodology, and POA&M handling
  • Section E (4 questions): Commercial terms and scheduling

C3PAO Comparison Tracker (Excel)

Score up to 3 C3PAOs side-by-side:

  • Dropdown scoring (Pass / Caution / Red Flag) for all 23 questions
  • Conditional formatting: green for Pass, yellow for Caution, red for Red Flag
  • Automatic recommendation based on Section A (critical) findings
  • Response log tab for recording verbatim C3PAO answers
  • Reference guide tab with verification links and scoring key

Usage Guide (PDF)

Step-by-step instructions for using the questionnaire and tracker together:

  • How to conduct the evaluation interview
  • How to verify responses independently via the Cyber AB Marketplace and assessor directory
  • How to interpret scores and what to do when all options have Red Flags
  • How to file your completed questionnaire as assessment evidence

README.txt

Quick start guide and package contents overview.
