Schellman is Now a CMMC 3rd Party Assessor Organization (C3PAO)

Schellman is Now a CMMC 3rd Party Assessor Organization

Happy New Year!  Schellman is excited to announce that prior to the holidays, we were approved as one of the first CMMC 3rd Party Assessor Organizations (C3PAO) by the CMMC Accreditation Body (CMMC-AB).  This service complements our leadership as the #2 provider of FedRAMP assessments and makes Schellman the first and only company in the world that is a licensed CPA firm, globally accredited Payment Card Industry Qualified Security Assessor (PCI QSA) company, ANAB and UKAS accredited ISO certification body, HITRUST assessor, FedRAMP 3PAO, and now CMMC C3PAO all under one single legal entity.

The CMMC program defines a standard set of practices and processes designed to protect controlled unclassified information (CUI) and federal contract information (FCI) within the DoD supply chain.  The standard, published earlier this year and with the first assessment guide released earlier in December, takes a tiered approach to certification based on the type of information handled by the contractor or supplier and the risks presented to DoD systems and information.

See Schellman’s previous publications on CMMC

We expect many questions from our clients related to Schellman as a C3PAO. We have prepared information below for some of the initial anticipated questions:

Is it FedRAMP 2.0?

No, CMMC is not another FedRAMP with broader scope.  The audit guide, recently published, reads that the focus of the assessors is on the practices and processes around protecting systems that house CUI.  So in that respect, we expect that this assessment will have a more of an ISO 27001 flavor than a FedRAMP one.

When can we start and how fast can I get certified?

At this time, only the companies permitted to undergo CMMC certification are those that fall under the initial DoD pathfinder contracts.  Those assessments are being prioritized by DoD and if you are a subcontractor on one of those contracts, the prime should inform you.  Additionally, all C3PAOs still have to undergo assessments of themselves by DoD which as of this date has not occurred for any C3PAO.

At this point, we estimate late Q2 or early Q3 for those not in the pathfinder program.  So, while we are as excited as you are about your certification, it is not something that can be completed until the DoD and CMMC-AB prioritize it.   As a result, we can not fully commit to dates for certification at this time.

Can you help us prepare?

No.  Similar to ISO and FedRAMP, Schellman will be an independent assessment only firm for CMMC.  We have found that not providing an advisory service has allowed Schellman to perform high-quality assessments, without conflict of interest, and often working alongside our clients and their consultants.  We are happy to point you in the direction of qualified consultants and RPOs.

How much does it cost?

The assessment guides were published just over a week ago and we are still getting updates and guidance from the CMMC-AB.  There are levels of certification based on the type of information accessed or stored by the contractor.  We expect that most of our clients will be either Level 1, which is for handling FCI, or Level 3 for handling CUI.  Levels 4 and 5 are likely to be specified by the DoD contracts you may participate in.  It is not correct to infer that one level is “better” than another as they have defined use-cases in the guidance.

Additionally - scope is critically important.  The number of systems that handle CUI, persons, locations, and applications all play into what gets covered by the audit.  A key role the RPO advisors are playing is to help define, if not limit, the scope of CUI and FCI in an environment.

In the meantime, please do not hesitate to reach out to us with questions.  We are always happy to schedule a consultation to discuss where you are and where we can assist.  Additionally, as we are actively involved with the CMMC-AB we will be sharing updates as we learn them.

Thank you for your continued support.

Doug Barbin
Principal and Cybersecurity Leader

Marci Womack
Director and CMMC Technical Lead

About the Author

Schellman Compliance

Schellman is a leading global provider of attestation, compliance, and certification services. Operating as an alternative practice structure as Schellman & Company, LLC, a top 100 CPA firm, and Schellman Compliance, LLC, a globally accredited compliance assessment firm, we are able to offer clients services as a CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Schellman's approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third-party assessor. For more information, please visit

More Content by Schellman Compliance
Previous Article
Prioritizing Privacy During a Pandemic
Prioritizing Privacy During a Pandemic

Schellman President Avani Desai discusses how organizations can maintain their focus on data privacy during...

Next Article
The Silver Linings of COVID
The Silver Linings of COVID

Despite the challenges of the pandemic, I believe that there are also silver linings to be found for all of...


First Name
Error - something went wrong!