CMMC Level 2 C3PAO Assessment | August Schell

Cyber AB Authorized C3PAO · DIBCAC Assessed

Authorized CMMC Level 2 C3PAO assessments

August Schell is an authorized CMMC Third-Party Assessment Organization. Our all-W-2, in-house Lead CCAs run the formal CMMC Level 2 certification assessment against the 110 controls of NIST SP 800-171 — so your certification holds up where it counts.

Readiness check

Are you ready to be assessed?

Six questions. Two minutes. A score and a straight answer.

Start the check →
30+ years
Federal & defense experience
U.S. based & U.S. owned
All W-2
In-house Lead CCAs
1 of 9
Cyber AB firms holding both RPO + C3PAO with more than 10 years in business
ISO 9001
Certified quality system

01The mandate

If you handle CUI, certification is no longer optional

CMMC Level 2 is the Department of Defense’s bar for any contractor that stores or processes Controlled Unclassified Information. It is verified by a third-party assessment — not a self-attestation.

Behind every contract requirement is the actual mission: protecting the warfighter. CMMC exists because adversaries target the defense supply chain — and your certification is the proof your part of it is defended.

110
NIST SP 800-171 controls assessed at CMMC Level 2
3 years
Certification validity, with an annual affirmation in SPRS
Today
A prime can require your CMMC certificate as a condition of staying in their supply chain — right now

02The path

Mock, remediate, certify

Most organizations come to us for the two-step path, and it’s the one we recommend: a full dress rehearsal, gap remediation with your RPO, then the assessment that counts.

1

Mock assessment

Your insurance policy

A full dry run against all 110 NIST SP 800-171 controls. You get a clear Met / Not Met report with the evidence behind each result — so you know exactly where you stand before the assessment that counts.

2

Remediate with your RPO

Independence is the point

By Cyber AB rules, the C3PAO that assesses you cannot tell you how to fix gaps — that independence is what makes your certificate credible. You close gaps with your RPO: ours, or your own.

3

Certification assessment

The one that counts

The formal CMMC Level 2 assessment — faster, because you reuse the evidence from your mock. Pass, and your certification is recorded in SPRS, valid for three years with an annual affirmation.

Payment is 50% on execution, 50% on report delivery. Final scope depends on environment size and complexity; your starting-at pricing arrives with our first reply.

Request a C3PAO assessment

03The assessment

What we assess, and how

We evaluate all 110 NIST SP 800-171 controls — documentation, people, and technology — backed by objective evidence.

Documentation
Your System Security Plan, policies, and procedures — examined for completeness and for whether they match actual practice. An incomplete SSP is the most common reason organizations fail.
People
Interviews with your staff to confirm controls are operationalized — not just written down.
Technology
Technical controls tested for consistent implementation, backed by objective evidence.
Timeline
Plan for at least three months end-to-end. Our assessment work runs roughly 4–8 weeks — intake, review, interviews, testing — and the government and Cyber AB review that follows adds time on top.
Remote or on-site
All-cloud environments can be assessed remotely. If you store or process CUI on-premises, that location comes into scope and typically requires an on-site visit; travel is billed separately at federal per-diem rates.

04Readiness check

Are you ready to be assessed?

Six questions, two minutes. You’ll get a readiness score and a straight answer on whether to book the assessment, run a mock first, or start with advisory.

Question 1 of 6Routing

Does your organization store or process CUI?

0Readiness

Assessment-ready

Book the assessment.

05Prepare or certify

Two roles, kept independent.

Think of it like your taxes: an RPO is the accountant who prepares your return — and can sit beside you in the audit. A C3PAO files it. Cyber AB rules keep the two independent.

If you need preparation

RPO — readiness & advisory

Scoping, readiness assessment, gap analysis, NIST SP 800-171 remediation, and managed CUI enclaves. We get you audit-ready, and we can sit with you through the assessment itself.

CMMC RPO & Readiness Advisory →

If you’re ready to certify

C3PAO — certification assessment

The formal CMMC Level 2 assessment, performed by our all-W-2, in-house Lead CCAs. This page. This is the assessment that goes on record in SPRS.

Request a C3PAO assessment →

Conflict of interest, handled honestly. If August Schell provided you RPO, advisory, or remediation services in the last three years, Cyber AB rules prevent us from performing your certification assessment — we’ll coordinate an independent C3PAO. Need preparation first? Start with RPO & Readiness Advisory.

06Why timing matters

The calendar is not on your side

There is no single grace-period deadline that protects you — the pressure arrives contract by contract.

i

A prime can require it today

Prime contractors can require your CMMC certificate as a condition of staying in their supply chain — “produce it or you’re out.” That demand can land before any government deadline does.

ii

Assessor capacity is the bottleneck

A limited bench of authorized C3PAOs serves the entire defense industrial base — and we hold a limited number of assessment slots each month. Our calendar books ahead. Organizations that start now get assessed first; organizations that wait join a queue.

iii

The process takes months, not weeks

Between assessment work and the government and Cyber AB review that follows, plan for at least three months end-to-end — longer if a mock surfaces gaps to remediate.

07Why August Schell

The team that assesses you works here

No 1099 subcontractors on your assessment. The Lead CCAs who evaluate your environment are August Schell employees — and they’ll still be here for your three-year recertification.

30+
Years serving federal and defense missions
U.S. based & U.S. owned
1 of 9
Cyber AB firms holding both RPO and C3PAO with 10+ years in business
All W-2
In-house Lead CCAs on every certification assessment
50/50
Payment terms — half on execution, half on report delivery
  • Authorized C3PAO — authorized by the Cyber AB following a DIBCAC assessment.
  • Registered RPO — the same firm can prepare you or certify you (never both), with the conflict-of-interest line drawn exactly where the Cyber AB draws it.
  • ISO 9001 certified — our assessment practice runs on an audited quality management system.
  • Rockville, Maryland — 1700 Rockville Pike, Suite 405, in the heart of the federal corridor.
Cyber AB Authorized C3PAO seal PRI Registrar ISO 9001 certified seal

08The bench

Assessment leadership

A C3PAO is required to field a minimum of three CCAs, including two leads. The majority of our assessment team are Lead CCAs — high-credential assessors who have spent careers inside federal security programs.

Tim Judy
Tim Judy
Chief Information Security Officer
Leads the assessment practice and reviews every public claim this firm makes. 20+ years in DoD cybersecurity.
Lead CCA · CISSP
Mike Baca
Mike Baca
Chief Information Officer
Former NSA cybersecurity instructor; leads CMMC program implementation.
Lead CCA · CISSP-ISSEP
Freddy Cook
Freddy Cook
Director, Risk Management Programs
Former Endpoint Security Branch Chief at DISA — he has stood on the government side of the programs CMMC defends.
Lead CCA · CISSP
George Simmons
George Simmons
Cloud Security & Authorization
Former DoD technical lead to the FedRAMP Joint Authorization Board; led DISA’s cloud authorization program across IL4–IL6.
CCA (Lead CCA pending) · CISSP-ISSEP
Alonzo Booker
Alonzo “Cory” Booker
Director, Managed Services
Runs assessment delivery end to end, from scoping call to final report.
CCP
Rica Opoku
Rica Opoku
ISSO & Certified CMMC Assessor
Named ISSO over August Schell’s Azure VDI CUI enclave and a Certified CMMC Assessor. Instrumental in ASE’s January 2026 DIBCAC C3PAO Level 2 certification — owned SSP integrity, evidence packaging, and control validation across all 110 NIST SP 800-171 Rev. 2 requirements.
CCA · CCP · RP · Security+ · CISA & CISSP (in progress)

09FAQ

Common questions

What is a C3PAO?

A CMMC Third-Party Assessment Organization authorized by the Cyber AB to perform formal CMMC Level 2 certification assessments. August Schell is an authorized C3PAO — authorized by the Cyber AB following a DIBCAC assessment.

What’s a CMMC mock assessment?

A full dry run against all 110 NIST SP 800-171 controls that produces a Met / Not Met report with evidence — so you find and fix gaps before the certification assessment. It’s our most-requested service.

Why can’t my C3PAO also fix my gaps?

Independence. The firm that certifies you can’t have remediated the environment it’s grading — that’s a Cyber AB conflict-of-interest rule. Your RPO handles remediation.

How long does it take?

Plan for at least three months: roughly 4–8 weeks of assessment work plus government and Cyber AB review.

How long is certification valid?

Three years, with an annual affirmation recorded in SPRS.

What’s the most common reason organizations fail?

Showing up without a complete SSP, poorly defined scope, or policies that don’t match actual practice.

Do you work with smaller businesses?

Yes. Most defense suppliers facing CMMC Level 2 are small and mid-size businesses, and the assessment scopes to your environment and size — you don’t pay for scope you don’t have.

How soon can you start?

We take a limited number of assessments each month and the calendar books ahead. Tell us your target date and we’ll tell you what’s realistic — the earlier you reach out, the easier it is to hold a slot.

10Request

Request a C3PAO assessment

Tell us where you stand. The right team — certification or readiness — replies within one business day with next steps and your starting-at pricing.

Add your name.
Add your company.
Add your work email so the right team can reach you.
Tell us what you’re trying to accomplish.

Prefer email? c3pao@augustschell.com · or call (301) 838-9470