As a critical part of the Cybersecurity Maturity Model Certification (CMMC) Ecosystem, the CMMC Third Party Assessor Organization (C3PAO) contracts with the Organizations Seeking Certification (OSC); coordinates the assessors; schedules assessments and manages the assessment process. 

Assessments conducted and certifications awarded during the Provisional period can become finalized certifications after the DoD Rule is finalized.  If there are changes to the requirements a “Delta” assessment by the same C3PAO may be required to be awarded a final three year certification.