Apr 29th 2024

Goldilocks & The Three C3PAOs

Disclaimer: No C3PAOs were harmed in the making of this fairytale. However, Goldilocks did pick up a day drinking habit that led to several unintelligible LinkedIn postings and other questionable decisions.

Flipbook URL: https://www.flipbookpdf.net/web/site/f795ba07dbaeb1a70fd9dad2d619e76b4eac813f202401.pdf.html

Once upon a time... there was a girl named Goldilocks.

Goldilocks was assigned the duty to get her company compliant with NIST 800-171 and pass a Cybersecurity Maturity Model Certification (CMMC) assessment.

Goldilocks took time to study NIST 800-171 and CMMC. She asked questions on Cooey COE Discord until she knew her stuff cold.

She knew what to do by first defining the “who” and “what” with her outstanding documentation skills.

She then worked with stakeholders to create evidence of “how” and “when” for the implementation of the controls under their control.

Goldilocks then started the process of looking for an authorized CMMC Third-Party Assessment Organization (C3PAO).

She looked on LinkedIn. She looked on YouTube. She even went to several conferences. Goldilocks kept looking until she came upon three C3PAOs.

Goldilocks sighed, “How will I ever know which C3PAO to work with?”

Goldilocks did her due diligence and came up with questions to ask.

Goldilocks spoke with the first C3PAO and asked her questions.

Her face frowned and she grumbled, “Oh my! This C3PAO is too technically incompetent!”

She decided she could not work with that C3PAO and proceeded to contact the second one on her list.

Goldilocks spoke with the second C3PAO and asked the same set of


Her face flushed red and she gasped, “This C3PAO is too batshit crazy!”

She deleted that C3PAO’s contact information, blocked their calls and sent their emails to the junk folder.

With hesitation, she contacted the third C3PAO. She reluctantly asked her questions.

However, her face lit up upon hearing this set of answers. With a smile on her face she exclaimed, “This C3PAO is just right! They also understand my business model and my technology stack!”

With confidence, Goldilocks signed a contract with the third C3PAO.

She had a positive CMMC assessment experience, where she went home with a passing assessment. Every prime contractor in the land wanted to work with her company.

Everyone lived happily ever after, at least for 3 years, until the next CMMC assessment…