Certificate Types
Saudi Aramco's CCC Program offers two types of cybersecurity compliance certificates, each designed for different vendor risk classifications:
CCC (Self-Assessment, Verified Remotely)
For General Requirements, Outsourced Infrastructure, and Customized Software classifications.
- Company completes self-compliance assessment
- Authorized Audit Firm verifies remotely
- 100% compliance required for issuance
- Certificate valid for 2 years
CCC+ (On-site Assessment by Audit Firm)
For Network Connectivity and Critical Data Processor classifications.
- Authorized Audit Firm conducts on-site assessment
- Physical security & infrastructure verification
- If both CCC & CCC+ apply, only CCC+ accepted
- 100% compliance required for issuance
- Certificate valid for 2 years
Validity & Renewal
- CCC is valid for two years from the issuance date.
- New contract with different classification — If your company is awarded a new contract that involves a cybersecurity classification type not covered in the current valid certificate, a new certificate needs to be obtained and submitted.
- Prior to expiry — Your company needs to submit a new CCC before the end of the two-year validity period to maintain continuous compliance.
Submission to Saudi Aramco
After receiving your certificate from the Authorized Audit Firm:
1. Collect documents — Obtain both the Third Party Cybersecurity Compliance Certificate and the Cybersecurity Compliance Report from the Authorized Audit Firm.
2. Submit via e-Marketplace — Submit both documents to Saudi Aramco through the e-Marketplace system.