Booking a C3PAO in 2025: How to Choose (and What to Do Before You Call)

August 2025

First things first: only choose an Authorized C3PAO

CMMC Level 2 certification assessments must be performed by an Authorized C3PAO listed on The Cyber AB Marketplace (not just “candidate”). Anything else is a self-assessment.

Who does what by level (quick clarity)

  • Level 1: self-assessment. See the official Level 1 guide.
  • Level 2: may be self-assessment or third-party certification depending on the solicitation/phase; certification assessments are performed by Authorized C3PAOs. See the Level 2 guide.
  • Level 3: government-led (DIBCAC) assessment layered on top of Level 2.

Where we are in the rollout (timing matters)

DoD has confirmed a four-phase implementation over ~3 years starting 60 days after the final 48 CFR acquisition rule publishes. Phase 1 begins with self-assessments appearing in select contracts.
The companion DFARS rule (48 CFR) is now in OIRA review (RIN 0750-AK81)—received July 22, 2025—so clauses can start surfacing soon after publication.

Shortlist criteria (what to ask before you book)

  • Authorization status: Confirm they’re listed as Authorized on The Cyber AB Marketplace (not merely “candidate”).
  • Relevant scope experience: Do they routinely assess orgs like yours (manufacturing with CUI vs. pure services; cloud vs. on-prem)?
  • Scheduling reality: What’s the earliest start? Expect calendars to tighten as Phase 1 solicitations land.
  • Assessment approach: Evidence sampling method, interview plan, remote vs. onsite, comms cadence.
  • Cost transparency: Fixed fee vs. T&M, what’s included (readiness touchpoints, re-tests), payment milestones.

What to prep before you call

Timeline reality check

CMMC requirements phase in: Phase 1 starts with Level 1 and some Level 2 self-assessments, expanding over three years to full implementation. Plan backwards from your target solicitations to avoid award delays. (Source: U.S. Department of Defense)

Where Privaxi fits (and why that’s easier)

Privaxi does the heavy lifting so you don’t have to “shop assessors” or juggle artifacts:

  • Readiness sprints: scoping, gap remediation, and an assessor-ready evidence pack
  • Assessor coordination: we manage outreach, availability, and logistics with an Authorized C3PAO
  • Stay audit-ready: ongoing control health, artifacts, and fixes via Compliance as a Service
  • CMMC expertise: strategy and prep via our CMMC services

Start CMMC Level 2 with Privaxi—scope, gaps, evidence, and Authorized C3PAO coordination handled.

Book a call today!
