Schellman

Assessment firm authorized to perform CMMC Level 2 and Level 3 assessments.

Headquarters

Tampa, FL

Region

Tampa, FL · U.S.-wide

Last verified

May 14, 2026

Sources

2 cited

Listing position

Editorial · unranked

Vendor website

Visit ↗

Plain-English description

What this provider does

Schellman is a multi-discipline IT audit firm that, in addition to SOC, ISO, PCI, FedRAMP, and HITRUST work, performs CMMC Level 2 and Level 3 assessments as an authorized C3PAO. As a C3PAO they conduct certification assessments; they do not function as an RPO, MSP, or remediation partner.

Registered as / claimed status

Stated affiliations and certifications

What the vendor (or a third party) states about their formal status. Each line is anchored to its source.

Authorized C3PAO[01]

Why buyers hire them

What this provider is commonly used for

Formal CMMC Level 2 certification assessments aligned to NIST SP 800-171's 110 requirements.
[01]
Formal CMMC Level 3 assessments building on NIST SP 800-172.
[01]

Stated services

Services the vendor claims

CMMC Level 2 certification assessment[01]
CMMC Level 3 assessment[01]

What we don't know

Gaps in this record

Facts that could not be confirmed against a public source on the retrieval date. If you can point to an authoritative source for any of these, we'll update the record.

·Pricing for CMMC engagements is not published on the page we sourced.
·Founding year for Schellman is not stated on the cited page beyond '20+ years ago.'
·We have not independently verified Schellman's current placement on the CyberAB authorized C3PAO list.

Sources

[01]Schellman · CMMC assessment services
“We are excited to be one of the first authorized C3PAOs and the first authorized firm of our type that performs SOC, ISO, FedRAMP, PCI, and HITRUST services to be authorized to perform CMMC assessments. Level 2 is focused on the protection of CUI. It is the equivalent to NIST SP 800-171 and includes the 110 requirements from NIST 800-171.”
Retrieved May 13, 2026 · high confidence
[02]Schellman · C3PAO-Authorized CMMC & NIST 800-53 Compliance & Attestation | Schellman
“Federal Assessments — CMMC Assessment and Certification. We are excited to be one of the first authorized C3PAOs and the first authorized firm of our type that performs SOC, ISO, FedRAMP, PCI, and HITRUST services to be authorized to perform CMMC assessments as many of our clients also participate as defense contractors and subcontractors that are subject to DFARS and the associated requirements. What is CMMC? The Cybersecurity Maturity Model Certification (CMMC) is a new framework with the objective of securing federal contract information (FCI) and controlled unclassified information (CUI). Levels: CMMC Level 1 (17 NIST SP 800-171 requirements, self-assessment by DIB organizations); CMMC Level 2 (equivalent to NIST SP 800-171, 110 requirements); CMMC Level 3 (Levels 4 and 5 from CMMC 1.0; builds on the 110 requirements in Level 3 and NIST SP 800-171, includes a subset of requirements from NIST SP 800-172). Pricing: Fixed-Fee outcome-based pricing model; less than 5% of clients see scope-creep amendments; Low Overhead. CMMC Specialist: Marci Womack, Managing Director and leader in Schellman's CMMC practice.”
Retrieved May 14, 2026 · high confidence

Sources are the basis of every factual claim on this page. If the vendor has updated their site, the “last verified” date will lag. Re-check the vendor URL before relying on it.