This post is to announce that this week we finished up the active Phase 2 engagement portion of our C3PAO certification for CMMC Level II. If I understand the process, (that's a big "if"), our assessor has disengaged from Boarhog to perform QA on their determinations and that might take 10 days, or so I'm told. We'll learn of our grade at some point, but we do feel confident that we didn't fail outright since we didn't experience any -5 point hit on a control that can't be addressed in a POA&M, as that would have ended the assessment with a failure grade then and there. I think we're good to go, and if so we'll likely make the November 10th deadline for C3PAO certification. It'll be a differentiator until such time that everyone handling CUI is C3PAO, but indications are that won't be for some time. There are many thousands of companies who require a C3PAO certification but currently there are less than a couple hundred companies certified by the government to be C3PAO assessors.
For those of you who will need a C3PAO but have yet to prepare and then contract with an independent third party assessor, time is running out. I signed our Master Solutions Agreement with our assessor on January 9th 2026, about half a year ago. I'm not asserting it always takes this long to complete the C3PAO, but it took us that long.
Take care, be well, and good luck!
No comments:
Post a Comment