
CMMC Ecosystem by the Numbers: Inside the CyberAB Marketplace
Anna Fitzgerald
Senior Content Marketing Manager
Now that the Cybersecurity Maturity Model Certification (CMMC) program is no longer theoretical, the CMMC marketplace has exploded.
Since the final CMMC 48 CFR rule went into effect and CMMC requirements started appearing in DoD contracts, the compliance ecosystem of assessors, consultants, and service providers has continued to grow at an unprecedented pace. But is it fast enough?
The numbers tell a compelling story.
We pulled every single entry from the CyberAB Marketplace (the official CMMC ecosystem directory) as of March 2026 and analyzed the data. Here's what 5,732 marketplace entries reveal about the state of CMMC readiness.
By the numbers: A snapshot of the CMMC Ecosystem
As of March 2026, the CyberAB Marketplace listed 5,732 active entries representing 3,607 unique entities, including both individuals and organizations that hold one or more CMMC ecosystem roles.
Here's how they break down by role:
| Role | Count | Description |
|---|---|---|
| RP (Registered Practitioner) | 1,987 | Individual consultants certified to advise on CMMC |
| CCP (Certified CMMC Professional) | 1,557 | Professionals with demonstrated CMMC knowledge |
| CCA (Certified CMMC Assessor) | 764 | Authorized to conduct CMMC assessments |
| LCCA (Lead Certified CMMC Assessor) | 492 | Lead assessors who can run assessment teams |
| RPO (Registered Provider Organization) | 387 | Companies authorized to deliver CMMC consulting |
| RPA (Registered Practitioner Advanced) | 267 | Advanced individual practitioners |
| PI (Provisional Instructor) | 115 | Authorized CMMC training instructors |
| C3PAO (Certified Third-Party Assessor Org) | 103 | Organizations authorized to conduct official assessments |
| ATP (Authorized Training Provider) | 48 | Licensed to deliver CMMC training courses |
| APP (Authorized Publishing Partner) | 12 | Authorized to publish CMMC materials |
Investigating the CMMC assessor bottleneck: Is 103 C3PAOs enough for the entire DIB?
Perhaps the most striking finding: as of March 2026, there were 103 Certified Third-Party Assessor Organizations (C3PAOs) authorized to conduct official CMMC assessments. That’s not a lot considering that at least 80,000 of the organizations across the DIB are expected to need CMMC Level 2 certification.
There has been a lot written about the “assessor shortage,” mostly in the early stages of the CMMC rulemaking and rollout. However, now that we’re well into enforcement and getting closer to Phase 2, it’s become clearer that the real bottleneck is likely not C3PAO availability. It’s DIB readiness.
To date, approximately 1,000 organizations have achieved Level 2 certification, meaning DIB readiness has remained around 1%. You may be thinking: maybe organizations are ready but C3PAOs aren’t available to assess them? Let’s address that.
Based on numbers reported in the CyberAB townhall monthly recaps, we can see how Certified C3PAOs and CMMC Assessors, the credentialed individuals who actually lead and conduct official CMMC Level 2 assessments on behalf of a C3PAO, have grown alongside the number of Level 2 certified organizations over 6 months:
| Month | Total Level 2 certifications | Net new Level 2 certifications | C3PAOs | CCAs |
|---|---|---|---|---|
| October | 431 | 65 | 83 | 567 |
| November | 459 | 28 (-57%) | 88 (+6%) | 623 (+10%) |
| December | 559 | 100 (+257%) | 93 (+6%) | 635 (+2%) |
| January | 773 | 214 (+114%) | 97 (+4%) | 688 (+8%) |
| February | 896 | 123 (-43%) | 98 (+1%) | 748 (+9%) |
| March | 1,074 | 178 (+45%) | 103 (+5%) | 759 (+1%) |
Note that Cyber AB town halls typically take place on the last Tuesday of the month, so the numbers may not be exact monthly totals, but they are close approximations.
Two things stand out in this data.
First, ecosystem growth has been slow but steady. The ecosystem added 20 new assessor organizations over six months, a 24% increase. CCA growth has been even faster, rising 34% over the same period from 567 to 759.
Second, and more telling, monthly certification output has not matched the steady, predictable ecosystem growth of both C3PAOs and CCAs. Instead, it has oscillated wildly and sometimes dropped even as C3PAO and CCA counts grew steadily. The starkest example is November when net new certifications dropped 57% month-over-month, the sharpest single-month decline. Meanwhile, C3PAOs and CCAs grew 6% and 10% respectively, their strongest combined expansion in the same six-month period. February tells a nearly identical story: net new certifications fell 43% while the CCA pool grew 9%, its second-strongest month of growth. In both cases, the assessor ecosystem was expanding at its fastest pace precisely when certification output was shrinking.
If assessor availability were the constraint, you'd expect monthly certification output to track fairly closely with the size of the credentialed pool. More assessors = more assessments. But instead, the trendlines have appeared to move independently.
That's a strong signal that the bottleneck is somewhere else.
Zooming in on March specifically makes the supply picture even clearer. Approximately 178 new Level 2 certificates were issued that month, with 759 CCAs capable of conducting assessments on behalf of 103 authorized C3PAOs, according to the March 2026 Cyber AB Town Hall.
So how much capacity did those 759 CCAs actually represent, and how much of that capacity did the 178 new certifications use? The answer depends on realistic assumptions about how assessors work, so we modeled three scenarios:

1. Upper bound: 12% ecosystem utilization
If every credentialed CCA completed two solo assessments per month, the theoretical ceiling would be around 1,518. This is the most generous reading possible. It assumes 100% of CCAs are actively running live assessments with no time spent on advisory work, mock assessments, or scheduling gaps. It's a useful ceiling but not a realistic operating rate.
2. Conservative estimate: 59% ecosystem utilization
A Level 2 engagement typically requires a team of two to three CCAs and runs two to six weeks of active work. Dividing 759 CCAs into teams of roughly 2.5, and assuming each team completes one assessment per month, yields around 304 available assessment slots. This is probably the floor.
3. Best guess: 39% ecosystem utilization
It's unlikely that all 759 credentialed CCAs are running live assessments at any given time. Many work primarily in advisory, readiness consulting, or mock-assessment roles. Applying a 40% active deployment rate and assuming active assessors average 1.5 assessments per month produces roughly 455 monthly assessment slots. This is the most defensible estimate of real-world throughput.
Against any of these benchmarks, 178 certifications in March represents strikingly low utilization, ranging between 12% and 59%. Even under the most pessimistic view of assessor capacity, the ecosystem was little more than half utilized.
And this was not an anomaly. Average utilization across the six-month period has remained below 10% of upper-bound capacity. Even applying the more conservative team-based estimate, the ecosystem has consistently been utilized below half its realistic capacity.
The conclusion is hard to escape: the ecosystem has room for dramatically more assessments than the DIB is currently requesting.
So the true CMMC bottleneck isn't the number of assessors. It's a general lack of readiness across the DIB.
If you're planning your CMMC assessment, booking a C3PAO early should still be a top priority. Demand is expected to increase sharply as the Phase 2 deadline approaches, and the current slack in the system won't last forever. But your bigger priority should be finding a solution that can help you accelerate your readiness.
Growth trajectory: How the CMMC ecosystem is accelerating year-over-year
Looking at when entities in the marketplace were founded reveals explosive recent growth:
| Year | New Entities | YoY Growth |
|---|---|---|
| 2019 | 180 | — |
| 2020 | 172 | -4.4% |
| 2021 | 174 | +1.2% |
| 2022 | 136 | -21.8% |
| 2023 | 220 | +61.8% |
| 2024 | 301 | +36.8% |
| 2025 | 346 | +15.0% |
After a dip in 2022 (likely due to uncertainty around the CMMC 2.0 rulemaking process), the ecosystem surged, growing 62% in 2023 and another 37% in 2024.
Growth continued in 2025, with 346 newly founded entities entering the ecosystem. While this represented a smaller YoY growth at 15%, it broke the record for highest single-year count.
Geography: Where are CMMC ecosystem entities located?
95.8% of marketplace entries are U.S.-based. No surprise there since CMMC is a DoD program. But where in the U.S. is telling:
| State | Entries |
|---|---|
| Virginia | 835 |
| Maryland | 637 |
| Florida | 508 |
| Texas | 340 |
| California | 288 |
| New York | 205 |
| Georgia | 174 |
| Alabama | 159 |
| Pennsylvania | 157 |
| Tennessee | 151 |
Virginia and Maryland together account for over 25% of all entries, a direct reflection of the DoD/intelligence community corridor around Washington, D.C. Alabama's strong showing (159 entries) reflects Huntsville's growing defense tech hub.
Internationally, the surprise runner-up is South Korea with 119 entries, almost certainly driven by the heavy U.S. military presence and the Korean defense industrial base's need to comply with CMMC for U.S. partnerships. Canada follows with 69, and the UK rounds out the top international presences.
Multi-role professionals in the CMMC ecosystem
Of the 3,607 unique entities, 1,212 (34%) hold multiple CMMC roles. The most common combinations:
- CCA + CCP + LCCA (the "triple-certified" assessors): 341
- CCA + CCP (assessors who also hold the professional cert): 231
- RP + RPA (practitioners who've advanced their credentials): 190
- RP + RPO (individual practitioners affiliated with an RPO): 114
What services does the CMMC ecosystem offer?
The marketplace entries list their service capabilities, revealing what the CMMC ecosystem actually does:
- Cybersecurity Consulting: 3,344 entries (58%)
- Assessment Services: 3,194 (56%)
- Governance, Risk & Compliance: 3,045 (53%)
- Security Program Development: 2,268 (40%)
- Security Awareness and Education: 2,259 (39%)
- Audit Services: 2,024 (35%)
- Virtual CISO: 1,978 (35%)
- Training: 1,746 (30%)
- Third-Party Risk Management: 1,639 (29%)
- Managed IT Security Services: 1,568 (27%)
What this means for DIB organizations seeking CMMC certification
The data tells a consistent story across every angle we examined: the CMMC ecosystem has more capacity than the DIB is using. There are enough assessors. There are enough consulting organizations. The geographic footprint is expanding. The credentialed professional pool is growing faster than certification output.
The constraint is contractor readiness, and that's actually good news, because CMMC readiness is something you can control.
A few things worth keeping in mind as you plan:
- Don't mistake low ecosystem utilization for unlimited time to get assessment-ready. Current slack in the ecosystem won't last. Phase 2 will bring a surge in demand from contractors who have been waiting, and assessment slots that sit empty today will fill quickly. The contractors who move now will have their pick of C3PAOs and avoid the scheduling pressure that's coming.
- The readiness gap is the real risk. Of the 80,000-plus organizations expected to need Level 2 certification, fewer than 1,000 have it. That's not an assessor problem. It's a preparation problem. Most organizations underestimate how long it takes to get assessment-ready. Getting your documentation, controls, and SSP in order typically takes six to nine months from wherever your cybersecurity posture is today.
- Help is available. The marketplace lists nearly 2,000 Registered Practitioners and 387 RPOs ready to support readiness work. Assessment capacity (currently at 103 C3PAOs and 748 CCAs) is more than adequate for current demand. The ecosystem built to serve you is largely idle. Use it.
- Use technology to accelerate your timeline. Manual compliance preparation doesn't scale. Automating parts of the process can significantly speed it up, helping you deploy secure infrastructure, track your SPRS score to ensure you're assessment-ready, and continuously monitor your compliance posture, which reduces the time and cost of your readiness and assessment process.
Get assessment-ready before Phase 2 with Secureframe Defense
The window to prepare without time pressure is still open, but it's closing. Most Level 2 contractors take six to nine months to get assessment-ready, and that clock starts from wherever your cybersecurity posture is today.
Secureframe Defense automates every step of the process, from infrastructure deployment to documentation and continuous monitoring. It automatically performs a gap analysis against NIST 800-171, guides you through control implementation, generates your SSP and POA&M from your actual environment, and tracks your readiness with a real-time SPRS score so you know exactly where you stand before your C3PAO assessment begins. Contractors using Secureframe Defense have reached assessment-ready status in as little as four weeks.
Talk to a CMMC expert about fast-tracking your readiness before the Phase 2 queue fills up, or visit secureframe.com/cmmc to learn more.
Methodology
This analysis is based on a complete download of all 5,732 active entries from the CyberAB Marketplace (cyberab.org/Catalog) as of March 2026. Data was retrieved via the marketplace's public API endpoints and includes all entity types, geographic data, service capabilities, and year-founded information. Two entries (out of 5,734 total) returned errors and were excluded.
Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.