The math of the CMMC rollout is stark. The Department of Defense expects roughly 80,000 defense-industrial-base organizations to need CMMC Level 2 certification by the end of the phased rollout in November 2028. As of this writing, cumulative final Level 2 certifications number on the order of 1,000 — a little over one percent of the need. Phase 2, which writes third-party certification requirements into new contracts containing CUI, begins November 10, 2026.
Certification can only be performed by an authorized C3PAO (CMMC Third-Party Assessment Organization). Our register currently tracks 82 of them, compiled from public listings. That is the entire supply side of a market with tens of thousands of buyers on a deadline.
The official Cyber-AB marketplace lists who is authorized — and little else. No capacity signal, no price band, no org-size fit, no wait time. Contractors are left cold-calling down an alphabetical list while assessors triage inbound they can’t serve.
ZeroTrustCMMC is the useful version of that list:
- The register — every authorized C3PAO and notable RPO, source-cited, with permalinks and CSV/JSON export.
- The directory — the same organizations with the commercial fields the official list omits, populated as assessors provide them. Sponsored placement is always labeled and never affects ordering.
- The capacity tracker — one chart: certifications issued against the 80,000 needed, updated monthly from Cyber-AB Town Hall figures.
- The quote router — one form, matched to assessors by state, size, and capacity.
This brief will ship when there is something worth saying — assessment volume milestones, authorization changes, rule changes — and not otherwise.