Jim you are correct the C3PAO will need the ISO certification. This requirement came from the Department of Defense. Your timeline is also correctt (I believe).
Jim great question. I think I need more information but the shared our customer resposnibility matrix (I preferred S because CRM too established as tool name) covers all of the practices and if a third party meets, partially meets, or doesn’t cover. You then add information on top. The document responsibility is a lit of…