One of the most common sources of confusion for Aramco vendors beginning their compliance journey is understanding the difference between the CCC (Cybersecurity Compliance Certificate) and the CCC+ (Cybersecurity Compliance Certificate Plus). Both are issued under the SACS-002 Third Party Cybersecurity Standard, both cover the same set of TPC controls, and both are valid for two years. Yet the assessment process, cost, and effort involved differ significantly. Choosing the wrong path wastes time and money. More importantly, pursuing the wrong certificate can delay your ability to bid on or maintain Aramco contracts.
This guide explains the five vendor classifications that determine which certificate you need, the practical differences between the CCC and CCC+ assessment processes, and what both paths mean for your infrastructure requirements.
The Five Vendor Classifications
Aramco classifies its third-party vendors into five categories based on the nature of the services they provide and the level of access they have to Aramco's systems and data. Your classification determines whether you need a CCC or CCC+, and in some cases, which specific TPC controls apply to your assessment.
1. General Requirement
This classification applies to vendors who provide general goods or services to Aramco without direct access to Aramco's internal systems or networks. Real-world examples include trading companies supplying industrial materials, catering and facilities service providers, office supply vendors, and transportation and logistics companies.
These vendors handle Aramco data primarily through email communication, document exchange, and potentially invoicing and procurement systems. Their exposure to Aramco's cyber risk is lower, but they still handle commercial data that requires protection.
Certificate required: CCC
2. Outsourced Infrastructure
Vendors in this classification manage or maintain infrastructure on Aramco's behalf or in support of Aramco operations. Examples include IT service management companies, facilities maintenance firms with access to building management systems, managed security service providers, and telecommunications infrastructure operators.
These vendors often have administrative or privileged access to systems that support Aramco operations, making them a higher-risk category from a cybersecurity perspective.
Certificate required: CCC
3. Customized Software
This classification covers vendors who develop, customize, or maintain software applications used by Aramco. Real-world examples include ERP system developers and integrators (SAP, Oracle implementations), custom web application developers, mobile application developers for Aramco-facing tools, and software companies building or maintaining operational technology (OT) applications.
Software vendors have access to application code, databases, and often test environments that may contain production-like data. The security of their development environment directly affects the security of the delivered software.
Certificate required: CCC
4. Network Connectivity
Vendors with direct network connections to Aramco's infrastructure fall into this classification. This includes companies connected to Aramco via site-to-site VPN, vendors with dedicated leased lines to Aramco facilities, remote access providers with persistent connections to Aramco networks, and partners using Aramco's extranet or supplier portals with network-level integration.
Network connectivity vendors represent the highest infrastructure risk because a compromise of their network could provide a direct path into Aramco's environment. This classification triggers the most stringent assessment requirements.
Certificate required: CCC+
5. Critical Data Processor
This classification applies to vendors who process, store, or have access to Aramco's critical or sensitive data. Examples include accounting and audit firms handling Aramco financial data, risk assessment and insurance companies, legal firms with access to contractual and litigation data, and HR service providers processing Aramco employee information.
Critical data processors are assessed at the CCC+ level because a data breach at these vendors could have direct financial, legal, or reputational consequences for Aramco.
Certificate required: CCC+
Which Classification Needs Which Certificate
The following table provides a clear reference for determining your certification path based on your vendor classification:
| Vendor Classification | Certificate Required | Assessment Method | Typical Vendor Examples |
|---|---|---|---|
| General Requirement | CCC | Remote self-assessment | Trading companies, service providers, suppliers |
| Outsourced Infrastructure | CCC | Remote self-assessment | IT management, facilities maintenance, MSPs |
| Customized Software | CCC | Remote self-assessment | ERP developers, web app builders, integrators |
| Network Connectivity | CCC+ | On-site audit by authorized firm | VPN-connected vendors, leased line users |
| Critical Data Processor | CCC+ | On-site audit by authorized firm | Accounting firms, risk assessors, legal services |
Important Rule: If your organization falls under multiple classifications and one requires CCC+ while another requires CCC, you only need to obtain the CCC+. The CCC+ supersedes the CCC, so a single CCC+ certificate satisfies both requirements. You do not need to obtain both certificates.
CCC vs CCC+: Key Differences
While both certificates are based on the same SACS-002 standard and cover the same TPC controls, the assessment process differs in several important ways:
| Feature | CCC | CCC+ |
|---|---|---|
| Assessment method | Remote self-assessment with evidence submission | On-site audit conducted by an Aramco-authorized assessment firm |
| Assessor | Vendor completes self-assessment; evidence reviewed remotely | Independent authorized auditor performs on-site verification |
| Evidence review | Documentation and screenshot review | Live system inspection + documentation review |
| Physical verification | Not required | Auditors physically inspect systems, data centers, and security controls |
| Validity period | 2 years | 2 years |
| TPC controls assessed | All applicable TPC controls | All applicable TPC controls (same scope) |
| Cost | Lower (no third-party audit fees) | Higher (authorized audit firm engagement required) |
| Timeline | Typically 2-4 weeks for assessment completion | Typically 4-8 weeks including scheduling, on-site visit, and report |
| Remediation process | Address findings and resubmit evidence | Address findings and schedule re-verification (may require additional on-site visit) |
What CCC+ Means for Your Infrastructure
If your vendor classification requires CCC+, the on-site audit component means your infrastructure must withstand live inspection. This is a fundamentally different challenge from a remote self-assessment where you control which screenshots and exports the assessor sees.
During a CCC+ on-site audit, assessors will:
- Inspect network configurations live: They will have the running configuration of your firewalls, VPN gateways, and network devices brought up on screen (plan for your own administrator to drive the session rather than issuing the auditor credentials) and compare it line by line with the evidence you submitted. Any discrepancy between submitted documentation and actual configuration is an immediate finding, so run your own comparison before the visit rather than discovering the drift with the auditor watching.
- Test access controls in real time: Assessors may request that a user demonstrate the login process, including MFA verification, to confirm that controls are functioning as documented rather than merely configured.
- Review security monitoring dashboards: They will examine your SIEM, logging infrastructure, and alert configurations to verify that security events are being captured, correlated, and acted upon.
- Verify physical security: For on-premises infrastructure, assessors will inspect physical access controls, environmental monitoring, and facility security measures.
For vendors classified under Network Connectivity, the VPN and remote access infrastructure receives particularly close scrutiny. Assessors will verify IPsec VPN configurations, test network segmentation between the vendor network and Aramco-facing systems, and review remote access logging in detail. Our secure remote access compliance guide covers these requirements in depth.
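A pre-audit drift check in Python, added here as an illustration and not part of the original page or of any SACS-002 tooling: it compares the firewall rule set recorded in your submitted evidence against an export of the running configuration, so that an undocumented allow rule or a missing segmentation rule is found by you rather than by the auditor. The line-oriented rule format, the parser, and both sample rule sets are constructed for the example; the export format of your own devices will differ and needs its own parser.

```python
"""Pre-audit configuration drift check (added example, not from the original page).

Compares the firewall rule set recorded in the submitted evidence with an export
of the running configuration so that discrepancies surface before the on-site
visit. The line-oriented rule format below and both sample rule sets are
constructed for this example; real device exports need their own parser.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: str    # destination port or "any"


# Constructed sample: the rule set as written up in the evidence package.
DOCUMENTED_EVIDENCE = """\
allow tcp 10.20.0.0/24   172.16.5.10/32 443    # HTTPS to the Aramco-facing host
allow udp 10.20.0.0/24   172.16.5.10/32 500    # IKE
allow udp 10.20.0.0/24   172.16.5.10/32 4500   # IPsec NAT-T
deny  any 192.168.0.0/16 172.16.5.0/24  any    # corporate LAN must not reach the segment
"""

# Constructed sample: what the firewall actually runs. A troubleshooting rule was
# added during an outage and the deny rule it replaced was never restored.
LIVE_EXPORT = """\
allow tcp 10.20.0.0/24   172.16.5.10/32 443
allow udp 10.20.0.0/24   172.16.5.10/32 500
allow udp 10.20.0.0/24   172.16.5.10/32 4500
allow any 192.168.0.0/16 172.16.5.0/24  any    # "temporary" rule, still present
"""


def parse_rules(text: str) -> set[Rule]:
    """Parse 'action proto src dst port' lines; '#' starts a comment."""
    rules: set[Rule] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed rule line: {raw!r}")
        action, proto, src, dst, port = fields
        rules.add(Rule(action.lower(), proto.lower(), src, dst, port.lower()))
    return rules


def drift(documented: set[Rule], live: set[Rule]) -> dict[str, set[Rule]]:
    """Split discrepancies by direction: on the device but not in the evidence,
    or in the evidence but not on the device. Rule order is ignored here; add a
    position-aware comparison if your platform uses first-match semantics."""
    return {
        "undocumented_live": live - documented,
        "documented_missing": documented - live,
    }


def severity(kind: str, rule: Rule) -> str:
    """An undocumented allow widens access; a missing deny removes a claimed
    segmentation boundary. Both contradict the evidence in the dangerous direction."""
    if kind == "undocumented_live" and rule.action == "allow":
        return "high"
    if kind == "documented_missing" and rule.action == "deny":
        return "high"
    return "medium"


def findings(documented_text: str, live_text: str) -> list[tuple[str, str, Rule]]:
    """Return (severity, kind, rule) for each discrepancy, highest severity first."""
    d = drift(parse_rules(documented_text), parse_rules(live_text))
    rows = [(severity(kind, r), kind, r) for kind, rules in d.items() for r in rules]
    rank = {"high": 0, "medium": 1}
    return sorted(rows, key=lambda row: (rank[row[0]], row[1], row[2].src, row[2].dst))


if __name__ == "__main__":
    for sev, kind, rule in findings(DOCUMENTED_EVIDENCE, LIVE_EXPORT):
        print(f"[{sev.upper():6}] {kind:18} {rule.action:5} {rule.proto:3} "
              f"{rule.src:15} -> {rule.dst:15} port {rule.port}")
```

Run against the two constructed samples it reports two high-severity findings: the deny rule claimed in the evidence is gone from the device, and an allow-any rule the evidence never mentions is present. Those are exactly the two discrepancies an on-site assessor comparing documentation with a live screen will flag, and exactly the ones a screenshot-based self-assessment lets you miss.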
The Infrastructure Requirements Are the Same
Here is the critical point that many vendors miss: whether you need CCC or CCC+, the underlying infrastructure security requirements are identical. The TPC controls do not change between certificate levels. What changes is how those controls are verified.
This means that a vendor pursuing CCC should implement the same security controls as a vendor pursuing CCC+. The self-assessment option does not mean lower security standards. It means a different verification method. If you implement controls to a CCC standard and later need to upgrade to CCC+ because your Aramco relationship changes (for example, you establish a direct network connection), your infrastructure should already be compliant. The only change should be the assessment process, not a retrofit of security controls.
For a comprehensive overview of all SACS-002 infrastructure requirements and how they apply regardless of certificate level, see our complete Aramco CCC compliance guide.
When Your Classification Changes
Vendor classifications are not permanent. Your relationship with Aramco may evolve, and when it does, your classification and certificate requirement may change. Common scenarios include:
- Adding VPN connectivity: A General Requirement vendor that establishes a site-to-site VPN to Aramco transitions to the Network Connectivity classification and needs a CCC+.
- Expanding data access: An Outsourced Infrastructure vendor that begins processing Aramco financial data transitions to Critical Data Processor and needs a CCC+.
- Reducing scope: A Network Connectivity vendor that decommissions its VPN link and reverts to email-only communication may be reclassified to General Requirement, needing only a CCC at next renewal.
Classification changes do not require waiting for your current certificate to expire. If your relationship with Aramco changes, you should proactively reassess your classification and obtain the appropriate certificate. Operating under the wrong classification creates compliance risk for both you and Aramco.
For details on how classification changes affect the renewal process, see our guide on renewing your Aramco CCC certificate.
Choose the Right Path with the Right Infrastructure
Understanding whether you need CCC or CCC+ is the first step in your compliance journey. Regardless of which certificate you require, MassiveGRID's CCC-compliant infrastructure package provides the same robust security controls that satisfy both assessment methods. For CCC vendors, the package generates the evidence documentation needed for a successful remote self-assessment. For CCC+ vendors, the infrastructure is built to withstand live on-site inspection with configurations that match documentation exactly.
Explore the full compliance package to see how MassiveGRID supports both CCC and CCC+ certification paths, or contact our compliance team to discuss your specific vendor classification and certification requirements.