Shellproof Security Authorized by the Cyber AB as a C3PAO
FOR IMMEDIATE RELEASE
Authorization adds certified CMMC Level 2 assessment capacity to the Defense Industrial Base ahead of the November 2026 CMMC Phase 2 timeline.
GREENVALE, NY, June 22, 2026. Shellproof Security, a cybersecurity firm focused on CMMC compliance and vCISO advisory for the Defense Industrial Base, today announced that it has been authorized by the Cyber AB as a Certified Third-Party Assessment Organization (C3PAO) within the Cybersecurity Maturity Model Certification (CMMC) Program. Shellproof will be listed as an Authorized C3PAO in the CMMC Marketplace.
As an Authorized C3PAO, Shellproof is qualified to conduct official CMMC Level 2 certification assessments for Organizations Seeking Certification (OSCs) across the defense supply chain. The designation reflects a structured evaluation of Shellproof's security posture and the qualifications of its assessment personnel.
Why This Matters for the Defense Industrial Base
The CMMC Program, established by the U.S. Department of Defense under DFARS, protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) held by contractors and manufacturers. Beginning in November 2026, an increasing share of DoD contracts will require contractors to hold a valid CMMC certification at the level specified in the contract.
The volume of contractors requiring certified assessments far exceeds the assessor capacity currently available in the market. Authorized C3PAOs are the only organizations permitted to deliver official CMMC Level 2 certification assessments. Shellproof's authorization adds qualified, structured assessment capacity to the DIB at the moment the defense supply chain needs it most.
A Word on Independence
The integrity of the CMMC Program depends on the independence of the assessor. Cyber AB program rules prohibit a C3PAO from assessing an organization to which it has provided CMMC consulting or remediation services.
Shellproof operates its assessment function separately from its advisory and remediation work. Shellproof does not assess organizations it has consulted into readiness. This separation protects the contractor, the certification, and the program itself. Contractors engaging Shellproof for readiness advisory and contractors engaging Shellproof for certification assessment are served through distinct, independent functions.
Executive Perspective
“Authorization is not a credential we collect. It is capacity the Defense Industrial Base needs. Our role as a C3PAO is to deliver clear, defensible assessments that hold up to scrutiny, while preserving the independence the program requires. For contractors handling CUI, the November 2026 deadline is the moment to move from intent to evidence.”
Mark Jackolski, Managing Partner and Chief Strategy Officer, Shellproof Security
About Shellproof Security
Shellproof Security helps defense contractors and manufacturers in the Defense Industrial Base achieve and sustain compliance with CMMC, NIST 800-171, and DFARS requirements. As an Authorized C3PAO, Shellproof delivers official CMMC Level 2 certification assessments through an independent assessment function, while its advisory practice provides CMMC readiness and vCISO services to organizations preparing for certification. Shellproof's mission is to secure the businesses that strengthen the nation.
Media and CMMC inquiries:
Visit shellproofsecurity.com or view Shellproof's listing in the CMMC Marketplace.