Organization Seeking Certification (OSC)
An Organization Seeking Certification (OSC) is a defense contractor or subcontractor that is undergoing or preparing for a CMMC Level 2 or Level 3 certification assessment. The OSC is the entity whose cybersecurity practices are evaluated by a C3PAO during the CMMC Assessment Process (CAP), and the term distinguishes candidates for a certification assessment from organizations that only require a CMMC Level 1 self-assessment.
What Is an Organization Seeking Certification (OSC)?
Organization Seeking Certification (OSC) is a term used within the CMMC ecosystem to identify defense contractors that are preparing for or undergoing a formal CMMC Level 2 or Level 3 certification assessment. OSCs are a subcategory of Organizations Seeking Assessment (OSAs), which is the broader term that also includes organizations pursuing Level 1 self-assessments. The OSC designation specifically applies to organizations that will be assessed by a C3PAO or DIBCAC for certification.
OSC vs. OSA: Understanding the Distinction
An Organization Seeking Assessment (OSA) is any entity undergoing a CMMC assessment at any level, including Level 1 self-assessments. An OSC specifically refers to organizations pursuing Level 2 or Level 3 certification through a third-party or government assessment. This distinction matters because OSCs face more rigorous assessment requirements, must work with accredited C3PAOs, and receive formal certification that is recorded by the Cyber AB.
OSC Responsibilities During Assessment
As an OSC, the organization has specific responsibilities throughout the CMMC Assessment Process. Before the assessment, the OSC must define the CMMC Assessment Boundary, prepare and provide the System Security Plan (SSP) and Plan of Action and Milestones (POA&M), organize evidence artifacts for each of the 110 NIST SP 800-171 practices, designate a point of contact for the C3PAO assessment team, and ensure relevant personnel are available for interviews during the assessment.
Preparing as an OSC
Organizations that know they will need CMMC certification should begin preparation well in advance of their assessment. Key preparation activities include conducting an internal gap assessment against NIST SP 800-171, remediating identified gaps and implementing missing controls, performing a mock assessment or readiness review, documenting all controls in the SSP with supporting evidence, and training employees on security practices and their roles during the assessment. Many OSCs engage Registered Practitioner Organizations (RPOs) or consultants to assist with readiness preparation before the C3PAO assessment.