Cyber AB Authorized C3PAO · DIBCAC Assessed
Authorized CMMC Level 2 C3PAO assessments
August Schell is an authorized CMMC Third-Party Assessment Organization. Our all-W-2, in-house Lead CCAs run the formal CMMC Level 2 certification assessment against the 110 controls of NIST SP 800-171 — so your certification holds up where it counts.
Readiness check
Are you ready to be assessed?
Six questions. Two minutes. A score and a straight answer.
Start the check →01The mandate
If you handle CUI, certification is no longer optional
CMMC Level 2 is the Department of Defense’s bar for any contractor that stores or processes Controlled Unclassified Information. It is verified by a third-party assessment — not a self-attestation.
Behind every contract requirement is the actual mission: protecting the warfighter. CMMC exists because adversaries target the defense supply chain — and your certification is the proof your part of it is defended.
02The path
Mock, remediate, certify
Most organizations come to us for the two-step path, and it’s the one we recommend: a full dress rehearsal, gap remediation with your RPO, then the assessment that counts.
Mock assessment
Your insurance policy
A full dry run against all 110 NIST SP 800-171 controls. You get a clear Met / Not Met report with the evidence behind each result — so you know exactly where you stand before the assessment that counts.
Remediate with your RPO
Independence is the point
By Cyber AB rules, the C3PAO that assesses you cannot tell you how to fix gaps — that independence is what makes your certificate credible. You close gaps with your RPO: ours, or your own.
Certification assessment
The one that counts
The formal CMMC Level 2 assessment — faster, because you reuse the evidence from your mock. Pass, and your certification is recorded in SPRS, valid for three years with an annual affirmation.
Payment is 50% on execution, 50% on report delivery. Final scope depends on environment size and complexity; your starting-at pricing arrives with our first reply.
Request a C3PAO assessment03The assessment
What we assess, and how
We evaluate all 110 NIST SP 800-171 controls — documentation, people, and technology — backed by objective evidence.
04Readiness check
Are you ready to be assessed?
Six questions, two minutes. You’ll get a readiness score and a straight answer on whether to book the assessment, run a mock first, or start with advisory.
Does your organization store or process CUI?
Assessment-ready
Book the assessment.
05Prepare or certify
Two roles, kept independent.
Think of it like your taxes: an RPO is the accountant who prepares your return — and can sit beside you in the audit. A C3PAO files it. Cyber AB rules keep the two independent.
If you need preparation
RPO — readiness & advisory
Scoping, readiness assessment, gap analysis, NIST SP 800-171 remediation, and managed CUI enclaves. We get you audit-ready, and we can sit with you through the assessment itself.
CMMC RPO & Readiness Advisory →If you’re ready to certify
C3PAO — certification assessment
The formal CMMC Level 2 assessment, performed by our all-W-2, in-house Lead CCAs. This page. This is the assessment that goes on record in SPRS.
Request a C3PAO assessment →Conflict of interest, handled honestly. If August Schell provided you RPO, advisory, or remediation services in the last three years, Cyber AB rules prevent us from performing your certification assessment — we’ll coordinate an independent C3PAO. Need preparation first? Start with RPO & Readiness Advisory.
06Why timing matters
The calendar is not on your side
There is no single grace-period deadline that protects you — the pressure arrives contract by contract.
A prime can require it today
Prime contractors can require your CMMC certificate as a condition of staying in their supply chain — “produce it or you’re out.” That demand can land before any government deadline does.
Assessor capacity is the bottleneck
A limited bench of authorized C3PAOs serves the entire defense industrial base — and we hold a limited number of assessment slots each month. Our calendar books ahead. Organizations that start now get assessed first; organizations that wait join a queue.
The process takes months, not weeks
Between assessment work and the government and Cyber AB review that follows, plan for at least three months end-to-end — longer if a mock surfaces gaps to remediate.
07Why August Schell
The team that assesses you works here
No 1099 subcontractors on your assessment. The Lead CCAs who evaluate your environment are August Schell employees — and they’ll still be here for your three-year recertification.
- Authorized C3PAO — authorized by the Cyber AB following a DIBCAC assessment.
- Registered RPO — the same firm can prepare you or certify you (never both), with the conflict-of-interest line drawn exactly where the Cyber AB draws it.
- ISO 9001 certified — our assessment practice runs on an audited quality management system.
- Rockville, Maryland — 1700 Rockville Pike, Suite 405, in the heart of the federal corridor.
08The bench
Assessment leadership
A C3PAO is required to field a minimum of three CCAs, including two leads. The majority of our assessment team are Lead CCAs — high-credential assessors who have spent careers inside federal security programs.






09FAQ
Common questions
What is a C3PAO?
A CMMC Third-Party Assessment Organization authorized by the Cyber AB to perform formal CMMC Level 2 certification assessments. August Schell is an authorized C3PAO — authorized by the Cyber AB following a DIBCAC assessment.
What’s a CMMC mock assessment?
A full dry run against all 110 NIST SP 800-171 controls that produces a Met / Not Met report with evidence — so you find and fix gaps before the certification assessment. It’s our most-requested service.
Why can’t my C3PAO also fix my gaps?
Independence. The firm that certifies you can’t have remediated the environment it’s grading — that’s a Cyber AB conflict-of-interest rule. Your RPO handles remediation.
How long does it take?
Plan for at least three months: roughly 4–8 weeks of assessment work plus government and Cyber AB review.
How long is certification valid?
Three years, with an annual affirmation recorded in SPRS.
What’s the most common reason organizations fail?
Showing up without a complete SSP, poorly defined scope, or policies that don’t match actual practice.
Do you work with smaller businesses?
Yes. Most defense suppliers facing CMMC Level 2 are small and mid-size businesses, and the assessment scopes to your environment and size — you don’t pay for scope you don’t have.
How soon can you start?
We take a limited number of assessments each month and the calendar books ahead. Tell us your target date and we’ll tell you what’s realistic — the earlier you reach out, the easier it is to hold a slot.
10Request
Request a C3PAO assessment
Tell us where you stand. The right team — certification or readiness — replies within one business day with next steps and your starting-at pricing.
