Quick Answer: Smithers is officially authorized by the Cyber AB to conduct CMMC Level 2 assessments—meaning defense contractors can now work directly with us to achieve the CMMC Certification required to compete for and retain DoD contracts. Authorization required passing a government-led DIBCAC assessment, rigorous background checks, and meeting strict federal standards that fewer than 100 organizations in the country have met.
The demand for CMMC Certification has never been more urgent. Since November 10, 2025, when the Department of Defense's final DFARS rule took effect, cybersecurity compliance has shifted from a recommendation to a contractual requirement. Defense contractors handling Controlled Unclassified Information (CUI) must now obtain Level 2 certification from a Cyber AB-authorized C3PAO—or risk losing contract eligibility altogether.
We are proud to announce that we have achieved that authorization. This means that defense contractors across the country can now come directly to us for the third-party assessments required to earn and maintain their CMMC Certification. Here is what our authorization means, how we earned it, and why it matters for your organization.
A Certified Third-Party Assessment Organization (C3PAO) is the only type of entity permitted to conduct official CMMC Level 2 assessments and issue Certificates of CMMC Status. Authorization is granted exclusively by the Cyber AB—the official accreditation body for the CMMC program—and listed organizations appear in the Cyber AB Marketplace.
As of early 2026, fewer than 100 authorized C3PAOs exist to serve the roughly 80,000 to 120,000 defense contractors the DoD estimates will need Level 2 CMMC Certification. That gap between supply and demand makes authorized C3PAOs a critical resource for the Defense Industrial Base (DIB). Contractors who delay engaging an authorized assessor are already encountering scheduling backlogs stretching months into the future.
Our authorization allows us to evaluate organizations against all 110 security controls from NIST SP 800-171 Revision 2—distributed across 14 control families—and submit certified results through the required CMMC systems. Contractors who score a minimum of 88 out of 110 points receive Conditional Level 2 status, with 180 days to close outstanding findings. Those who meet all requirements receive Final Level 2 status, valid for three years.
Earning C3PAO authorization is not a simple credentialing process. The Cyber AB and the Department of Defense impose overlapping requirements designed to ensure that only organizations with demonstrated cybersecurity competence—and verified integrity—can certify others. Here is what the process entails.
C3PAOs must be U.S.-based legal entities with a valid CAGE code registered in SAM.gov. Our organization underwent an Experian background check conducted by the Cyber AB, which screens for financial health, business legitimacy, and any disqualifying factors. We also completed a Foreign Ownership, Control or Influence (FOCI) review by the Defense Counterintelligence and Security Agency (DCSA). This review—which repeats every three years—ensures that no foreign entity can influence our operations or assessment decisions.
Every member of our assessment team has obtained a Tier 3 background investigation resulting in a national security eligibility determination. These are not cursory checks. They are the same level of investigation used to establish eligibility for sensitive government work. We also maintain a minimum of $1 million in professional liability, errors and omissions, and cybersecurity liability insurance, with the Cyber AB listed as an additional insured on our general liability policy.
On the personnel side, our team includes a Lead Certified CMMC Assessor (LCCA) and multiple Certified CMMC Assessors (CCAs)—the qualified professionals required to plan, execute, and review every CMMC Certification assessment.
One of the most rigorous steps in the C3PAO authorization process is passing a CMMC Level 2 assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)—a specialized team within the Defense Contract Management Agency (DCMA).
Before any C3PAO can certify contractors, the DoD requires that the C3PAO first demonstrate it can protect the sensitive information it will encounter during assessments. DIBCAC evaluates the C3PAO's own cybersecurity environment against the same 110-control framework that C3PAOs use to assess others. This government-led assessment repeats every three years and serves as an ongoing verification that authorized C3PAOs maintain the cybersecurity posture required to handle assessment data securely.
Passing our DIBCAC assessment means that the U.S. government has independently verified our internal security practices. It is not a certification we awarded ourselves—it is an external validation by federal assessors operating under DoD authority.
We are also working toward ISO/IEC 17020 accreditation, the international standard for inspection bodies that verifies competence, impartiality, and consistent operation. The Cyber AB requires authorized C3PAOs to achieve this accreditation within 27 months of authorization.
For years, defense contractors self-attested their compliance with cybersecurity requirements under DFARS clause 252.204-7012. The problem was accuracy. Many contractors overstated their compliance while CUI remained vulnerable, and the DoD had no independent means of verification.
CMMC 2.0 changed that. The final rule, published in the Federal Register on September 10, 2025, formally integrated CMMC requirements into defense contracts through DFARS clauses 252.204-7021 and 252.204-7025. As of Phase 2, beginning November 10, 2026, C3PAO certification becomes mandatory for all Level 2 contracts. By November 2028, CMMC compliance applies to all contracts requiring the handling of FCI or CUI.
The stakes are real. Contracting officers verify CMMC status in the Supplier Performance Risk System (SPRS) before awarding contracts. Non-compliant contractors cannot be awarded new contracts or maintain existing ones when option periods require compliance verification. Organizations that misrepresent compliance face exposure under the False Claims Act. Industry analysts project that between 33,000 and 44,000 defense companies—roughly 15 to 20 percent of the DIB—could exit the defense market by 2027 if they cannot meet CMMC requirements.
For most contractors handling CUI, the path to CMMC Certification runs directly through an authorized C3PAO assessment. There is no workaround.
The Cyber AB's own data shows a nearly 200% increase in CMMC Level 2 Certified organizations over the last six months. Prime contractors are actively building preferred supplier lists populated by CMMC-certified partners and removing non-certified vendors from consideration. Early certification does not just satisfy a compliance checkbox—it signals cybersecurity maturity and positions your organization for contract growth.
Our authorized C3PAO status means your assessment results carry full weight in the Cyber AB system. We conduct assessments with independence and objectivity, following a structured methodology covering pre-assessment scoping, evidence review, staff interviews, technical testing, and post-assessment reporting. We do not offer remediation consulting to organizations we assess—a deliberate separation required by the Cyber AB's Code of Professional Conduct and the ISO/IEC 17020 standard, ensuring that every assessment we deliver is impartial.
For smaller organizations navigating CMMC Certification for the first time, that clarity matters. You will know exactly what we evaluate, how we evaluate it, and what a passing result requires.
The path to CMMC Certification does not have to be opaque or overwhelming. With an authorized C3PAO, you have direct access to assessors who have met the same rigorous federal standards applied to the contractors they evaluate. Our DIBCAC-verified security environment, Tier 3 background-cleared assessment team, and Cyber AB authorization represent a level of credentialed accountability that only a fraction of organizations in the country can offer.
Assessment availability is limited. With roughly 80,000 to 120,000 organizations expected to require CMMC Certification and fewer than 100 authorized C3PAOs to serve them, scheduling delays are already common. Engaging early is the most effective way to protect your timeline.
Ready to begin your journey toward CMMC Certification? Request a quote today or contact our team to schedule your assessment and secure your place in the Defense Industrial Base.
A C3PAO (Certified Third-Party Assessment Organization) is the only type of entity authorized by the Cyber AB to conduct official CMMC Level 2 assessments and issue Certificates of CMMC Status. Beginning Phase 2 on November 10, 2026, C3PAO certification becomes mandatory for most contracts involving Controlled Unclassified Information. Self-assessment is no longer sufficient for the majority of defense contractors handling CUI.
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) evaluates the C3PAO's own cybersecurity environment against all 110 CMMC Level 2 security controls. Passing this government-led assessment confirms that the C3PAO can protect the sensitive data it encounters during client assessments. DIBCAC reassesses authorized C3PAOs every three years.
Most organizations should budget six to twelve months for the full process, which includes scoping, gap assessment, remediation, and the formal C3PAO assessment. According to DoD estimates, the total cost of Level 2 certification—including preparation, remediation, assessment fees, and annual affirmations—runs approximately $105,000 to $118,000 for most organizations.
No. C3PAOs are prohibited from offering remediation consulting to organizations they assess. This independence requirement, enforced through the Cyber AB Code of Professional Conduct and ISO/IEC 17020 standards, ensures assessment results are objective and credible.
Contractors without the required CMMC Certification cannot be awarded DoD contracts or maintain existing contracts when option periods require compliance verification. Non-compliance also creates exposure under the False Claims Act if cybersecurity compliance is misrepresented in contract documentation.