Bedrock C3PAO
The assurance layer of Bedrock Enclave. A self-hosted assessment platform for CMMC Third Party Assessment Organizations — designed by a CISSP/CISM practitioner with DoD assessment background.
CAP v2.0 Sections 3.19-3.20 Compliance
The CMMC Assessment Process (CAP) v2.0 requires assessment data to remain under the direct control of the C3PAO organization. Cloud-hosted SaaS where the vendor controls the infrastructure does not satisfy this requirement.
Bedrock C3PAO's self-hosted Docker container keeps assessment data inside the C3PAO's own DIBCAC-assessed environment.
Bedrock C3PAO is a self-hosted Docker container that C3PAO organizations deploy on their own infrastructure. It provides the complete CMMC assessment workflow — from engagement intake through findings documentation — while keeping all assessment data under the C3PAO's direct control.
Engagement Management
Accept, assign, and track assessment engagements
- Accept or decline incoming assessment requests
- Assign lead assessors and team members to engagements
- Filter and manage engagements by status, date, and assessor
- Full engagement detail view with organization context
Assessment Workflow
Control-by-control CMMC assessment interface
- Walk through all 110 NIST SP 800-171r2 controls
- Review contractor-submitted evidence and SSP documentation
- Record findings with MET / NOT MET / NOT APPLICABLE determinations
- Seamless data handoff from Bedrock CMMC contractor accounts
Findings & Documentation
Structured findings capture and report generation
- Structured findings fields aligned with CAP requirements
- Link findings to specific NIST 800-171r2 controls
- Document remediation guidance and corrective actions
- Assessment report generation for delivery to OSC
The Regulatory Requirement
CAP v2.0 Sections 3.19-3.20 require assessment data to remain under the C3PAO's direct organizational control. A SaaS platform where the vendor manages the infrastructure does not meet this standard.
Self-hosted deployment ensures the C3PAO — not a third-party vendor — maintains custody of all assessment artifacts.
How It Works
- Single docker compose up deployment
- Runs on your infrastructure (on-prem, VPS, or private cloud)
- All data stored locally in your PostgreSQL instance
- Receives engagement data securely from Bedrock CMMC customers
- No assessment data leaves your environment
Seamless Handoff
Defense contractors using Bedrock CMMC can share their compliance posture directly with your Bedrock C3PAO instance. No email chains or manual exports.
Faster Assessments
Pre-organized evidence, SSP documentation, and control implementation status arrive ready for review — reducing your assessment prep significantly.
C3PAO Marketplace
List your organization on our marketplace to receive engagement requests from assessment-ready contractors already using Bedrock CMMC.