Bedrock C3PAO

Self-Hosted Docker | CAP v2.0 Compliant

The regulation-compliant assessment platform for CMMC Third Party Assessment Organizations.

CAP v2.0 Sections 3.19 - 3.20 Compliance

The CMMC Assessment Process (CAP) v2.0 requires that assessment data remain under the direct control of the C3PAO organization. Cloud-hosted SaaS platforms where the vendor controls the infrastructure do not satisfy this requirement.

Bedrock C3PAO's self-hosted Docker container is the only current government-regulation-compliant method for providing the digital assessment experience to C3PAO customers.

Overview

Bedrock C3PAO is a self-hosted Docker container that C3PAO organizations deploy on their own infrastructure. It provides the complete CMMC assessment workflow — from engagement intake through findings documentation — while keeping all assessment data under the C3PAO's direct control, as required by the CMMC Assessment Process.

  • Docker: Self-Hosted Container
  • CAP v2.0: Sections 3.19-3.20 Compliant
  • Your Infra: Data Never Leaves Your Control

Engagement Management

Accept, assign, and track assessment engagements

  • Accept or decline incoming assessment requests
  • Assign lead assessors and team members to engagements
  • Filter and manage engagements by status, date, and assessor
  • Full engagement detail view with organization context

Assessment Workflow

Control-by-control CMMC assessment interface

  • Walk through all 110 NIST SP 800-171r2 controls
  • Review contractor-submitted evidence and SSP documentation
  • Record findings with MET / NOT MET / NOT APPLICABLE determinations
  • Seamless data handoff from Bedrock CMMC contractor accounts

Findings & Documentation

Structured findings capture and report generation

  • Structured findings fields aligned with CAP requirements
  • Link findings to specific NIST 800-171r2 controls
  • Document remediation guidance and corrective actions
  • Assessment report generation for delivery to OSC

Why Self-Hosted Docker?

Regulation drives the architecture — not the other way around.

The Regulatory Requirement

CAP v2.0 Sections 3.19-3.20 require assessment data to remain under the C3PAO's direct organizational control. A SaaS platform where the vendor manages the infrastructure does not meet this standard.

Self-hosted deployment ensures the C3PAO — not a third-party vendor — maintains custody of all assessment artifacts.

How It Works

  • Single docker compose up deployment
  • Runs on your infrastructure (on-prem, VPS, or private cloud)
  • All data stored locally in your PostgreSQL instance
  • Receives engagement data securely from Bedrock CMMC customers
  • No assessment data leaves your environment

Built to Work with Bedrock CMMC

Seamless Handoff

Defense contractors using Bedrock CMMC can share their compliance posture directly with your Bedrock C3PAO instance. No email chains or manual exports.

Faster Assessments

Pre-organized evidence, SSP documentation, and control implementation status arrive ready for review — reducing your assessment prep significantly.

C3PAO Marketplace

List your organization on our marketplace to receive engagement requests from assessment-ready contractors already using Bedrock CMMC.

Interested in Bedrock C3PAO?

Schedule a discussion to learn about deployment, pricing, and how Bedrock C3PAO fits your assessment workflow.