C3PAO Shopping
From where we sit on the buyer's side of a C3PAO engagement, the questions CMMC L2 clients bring to the table are almost always the same two: What does it cost & when can you start? Those are fair questions but they don't protect you.
The CyberAB session this afternoon included a slide with a set of questions to ask a C3PAO that also included 1. operating locations (having assessors near your business keeps costs down if a site visit is needed), 2. fee structure (what do you owe if the assessment cannot move forward or if it takes longer than anticipated), & 3. sector experience (familiarity with businesses like yours can make the assessment a lo easier).
Then three questions at the bottom of the slide, set apart in bold, that most OSAs never think to ask:
1. When does your DIBCAC three-year assessment period expire?
The so what: A C3PAO has to itself pass a DIBCAC assessment of its own environment to become & stay authorized. That assessment carries a validity window. If a C3PAO's own DIBCAC standing lapses, its ability to deliver certifications is in question. You care because an assessor whose own clock is near expiry may lose standing during or after your engagement, putting the validity of your certification at risk.
2. Is there anything in your corporate future that would affect your FOCI status?
The so what: Authorization in the DIB depends on a non-disqualifying FOCI determination from DCSA, reassessed every three years. This question probes pending acquisitions, investment, or ownership changes. Under 32 CFR 170, a C3PAO must report any change to its SF 328 within 15 business days, & a disqualifying determination pulls authorization. So a corporate event on their side, one you have no visibility into & no control over, can strand your assessment mid-cycle.
3. How many months are left in your 27-month Authorization period?
The so what: Separate from the DIBCAC clock. A C3PAO's authorization from the accreditation body runs on a defined term. The slide names 27 months. If few months remain, you risk starting an engagement with an assessor whose authorization expires before your certification is complete or before a needed follow-on step. You care because you need the assessor authorized through the full lifecycle of your engagement, not just at kickoff.
That's the buyer-side read the checklist doesn't give you. You can prepare well, scope well, pass well, & still get stranded if the assessor's own authorization runs out mid-cycle or their corporate standing shifts under them. Their clock is your risk.
When we vet a C3PAO for a client, continuity sits next to competence. We want to know the assessor will still be standing / still authorized, on the other side of the engagement.