Peak InfoSec C3PAO Operations
This page is provided for Organizations Seeking Certification (OSC) who want to understand how Peak InfoSec operates as a CMMC 3rd Party Assessment Organization (C3PAO).
Mutual Nondisclosure Agreement (MNDA)
Prospective OSCs often wind up sharing sensitive information with our team. To help give them more confidence when speaking with us, Peak InfoSec always enters into a Mutual Nondisclosure Agreement (“MNDA”) with the prospective OSC.[1]
Peak InfoSec has adopted an industry-standard MNDA, which we publish online to streamline the engagement process. We require prospective and current clients to accept the terms of that MNDA. To initiate the MNDA process, fill out the MNDA form on our NDA page, and we will countersign it as appropriate.
[1] Mandated per CMMC Assessment Process (CAP) v2.0, para P.19
The Business Side of Things
To streamline the engagement process, Peak InfoSec publishes the Services Terms online. Services are provided subject to the client accepting the Services Terms. The Services Terms, the Proposal, the Invoice, and, once executed by both Peak InfoSec and the client, the Order Form operate together to define the Agreement between the parties.
For more information, please see the legal pages.
Policies
- CMMC Level 2 Certification Appeals Policy: This ISO/IEC 7020:2012(E) based policy implements the C3PAO’s Appeals Policy and Procedure required by:
  - 32 CFR 170.9(b)(13, 19, & 20)
  - CyberAB CMMC Assessment Process (CAP) v2.0, paragraphs 2.5, 3.14, 3.23, 3.25, 3.26, 3.27, 3.28, and 4.16
Publicly Accessible Content to Review
The following content is provided pro bono, and no guarantees are made as to its ability to support an OSC going through a CMMC Level 2 Certification Assessment:
- Mock Assessment at CEIC East 2024
- As the CMMC Churns | Your SSP Sucks, Seriously.: This Churns video explains how you can use our SSP templates.
- As the CMMC Churns | The Three Types of Evidentiary Objects: This Churns video looks at the three main types of Examination Assessment Objects enumerated in NIST SP 800-171A. This video also expounds on how to write an effective SSP.
- As the CMMC Churns | Assessors and Toddlers: This explains the Document Traceability Matrix.
- As the CMMC Churns | Documenting Your Scope: How to create a scope diagram for your SSP.
- Greenhorn’s Guide to Peak InfoSec’s Artifact Request List – 2025.00
Version History
Version | Revision Date | Change Summary |
2025.01a | 2025-FEB-23 | Initial Version |
2025.01b | 2025-FEB-23 | Adding policy section |