If your company does business with Saudi Aramco -- or plans to -- you have almost certainly encountered the term CCC. The Cybersecurity Compliance Certificate is not optional. It is a mandatory gate that every third-party vendor must pass before Aramco will onboard them, renew a contract, or even allow access to Aramco-connected systems. This guide walks through what the certificate involves, how it is structured, and why the infrastructure behind your compliance posture matters far more than most vendors expect.
The Origin of Aramco CCC: Why It Exists
Saudi Aramco operates the world's most valuable energy infrastructure. A single cybersecurity incident in its supply chain could disrupt global oil markets, compromise sensitive exploration data, or endanger operational technology systems controlling refineries and pipelines. Aramco introduced the Third Party Cybersecurity Standard (SACS-002) to establish a minimum cybersecurity baseline for every company that connects to its network, processes its data, or provides outsourced IT services.
SACS-002 is not a suggestion. It is a contractual obligation embedded in Aramco's procurement process. Vendors that fail to obtain the CCC lose their eligibility to bid on contracts, and existing vendors that let their certificate lapse risk contract termination. The standard is maintained and updated by Aramco's Cybersecurity Compliance Division, and audits are conducted by Aramco-authorized assessors.
CCC vs. CCC+: Two Tiers of Certification
SACS-002 defines two certificate levels based on the type of services a vendor provides:
- CCC (Cybersecurity Compliance Certificate) -- applies to vendors classified as General or Network Connectivity providers. These vendors must satisfy the 24 general controls defined in the standard. CCC is the baseline tier.
- CCC+ (Enhanced Cybersecurity Compliance Certificate) -- applies to vendors classified as Outsourced Infrastructure, Customized Software, or Critical Data Processors. These vendors must satisfy the 24 general controls plus up to 62 additional specific controls depending on their classification. CCC+ is substantially more demanding and typically requires dedicated infrastructure.
Most small and mid-size vendors serving Aramco fall into classifications that require CCC+. If you host, process, or have access to Aramco data beyond simple email correspondence, you are almost certainly in CCC+ territory. For a deeper dive into the differences, see our detailed comparison in the CCC vs. CCC+ guide.
The Five Vendor Classifications
SACS-002 groups all third-party vendors into five classifications. Your classification determines which controls you must implement and which certificate tier you need. Understanding your classification is the first step in scoping your compliance project.
| Classification | Description | Certificate Required |
|---|---|---|
| General | Vendors providing non-IT goods or services with minimal digital interaction with Aramco systems. Examples include office supply vendors or logistics companies with basic email contact. | CCC |
| Outsourced Infrastructure | Vendors hosting or managing IT infrastructure on behalf of Aramco, including cloud providers, managed service providers, and data center operators handling Aramco workloads. | CCC+ |
| Customized Software | Vendors developing, maintaining, or deploying custom software that interfaces with Aramco systems, databases, or APIs. Includes ERP integrators and bespoke application developers. | CCC+ |
| Network Connectivity | Vendors with direct or VPN-based network connections to Aramco systems, including ISPs providing dedicated links and companies with site-to-site tunnels to Aramco networks. | CCC |
| Critical Data Processor | Vendors that store, process, or transmit Aramco classified data -- including financial records, employee data, engineering schematics, or exploration data. This is the most scrutinized classification. | CCC+ |
Important: A single vendor can fall into multiple classifications simultaneously. If you provide managed hosting and develop custom software for Aramco, you must satisfy controls for both Outsourced Infrastructure and Customized Software -- which means the union of all applicable specific controls under CCC+.
SACS-002 Control Areas: What the Standard Actually Requires
The SACS-002 standard organizes its controls into clearly defined domains. Understanding these domains helps you map your existing security posture to the standard and identify gaps before the audit.
General Controls (24 Controls -- All Vendors)
Every vendor, regardless of classification, must implement these controls. They cover foundational cybersecurity hygiene:
- TPC-1: Governance and Risk Management -- You must have a documented cybersecurity policy, a designated cybersecurity officer, and an annual risk assessment process. The policy must be reviewed and approved by senior management.
- TPC-2: Access Control and Authentication -- Password policies must enforce minimum 8-character passwords with special characters, 12-password history, 90-day maximum age, 10-attempt lockout, and 15-minute screen saver timeout. Multi-factor authentication is required for all cloud-based access.
- TPC-3: Asset Management and Password Protection -- Every IT asset must be inventoried and password-protected. No system should be accessible without authentication.
- TPC-6: Protective Technology -- Firewalls must be enabled on all endpoints. Anti-virus software must be installed with daily signature updates and bi-weekly full system scans. DDoS protection is required for internet-facing systems.
- TPC-8 through TPC-10: Email Security -- SPF technology must be configured on mail servers, SPF records must exist in DNS, and all business communication must use a private email domain (no Gmail, Yahoo, or other free services).
- TPC-52: Data Protection in Transit -- All data transmitted over networks must be encrypted using SSH, FTPS, HTTPS, TLS, or IPSec. This includes internal transfers between your systems.
- Communication and Awareness -- Employees must receive cybersecurity awareness training, and the organization must have an incident response plan documented and tested.
- Response and Recovery -- You must have a documented incident response procedure that includes notification timelines, escalation paths, and post-incident review processes.
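The email controls above (TPC-8 through TPC-10) are verified in practice by reading the domain's DNS TXT records, and "missing SPF/DKIM records" is also one of the audit failures listed later in this guide. The following added example is not code from the original guide or from any vendor package: it parses constructed SPF and DMARC records and maps gaps to the TPC numbers used on this page; the sample domain, the records, and the free-provider list are assumptions, and the DMARC and lookup-limit checks go beyond the TPC wording (the page names DMARC only in its infrastructure checklist).

```python
# Constructed sample records standing in for real DNS TXT lookups (no live queries).
SAMPLE_TXT = {
    "example-vendor.com": ["v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all"],
    "_dmarc.example-vendor.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example-vendor.com"],
}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # ruled out by TPC-10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208: max 10 lookups

def parse_spf(records):
    """Return the term list of the domain's SPF record, or None if absent or duplicated."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or several SPF records both make SPF evaluation fail
        return None
    return spf[0].split()[1:]

def parse_dmarc(records):
    """Return DMARC tags as a dict, or None if no single DMARC record exists."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if len(dmarc) != 1:
        return None
    tags = {}
    for part in dmarc[0].split(";")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def term_name(term):
    """Strip qualifier and argument from an SPF term: '+include:x' -> 'include'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()

def check_email_controls(domain, txt_lookup):
    """Return findings for the domain's email evidence; an empty list means it passes."""
    findings = []
    if domain.lower() in FREE_MAIL_DOMAINS:
        findings.append("TPC-10: free email service domain used for business mail")
    terms = parse_spf(txt_lookup.get(domain, []))
    if terms is None:
        findings.append("TPC-9: no single valid SPF record published in DNS")
    else:
        last = terms[-1].lower() if terms else ""
        if last not in ("-all", "~all") and not last.startswith("redirect="):
            findings.append("TPC-8: SPF record lacks a restrictive terminal 'all' mechanism")
        if sum(term_name(t) in LOOKUP_TERMS for t in terms) > 10:
            findings.append("TPC-8: SPF record exceeds the 10 DNS lookup limit")
    tags = parse_dmarc(txt_lookup.get("_dmarc." + domain, []))
    if tags is None or tags.get("p", "none") == "none":
        findings.append("DMARC: no enforcing policy (p=quarantine or p=reject) published")
    return findings
```

Running `check_email_controls("example-vendor.com", SAMPLE_TXT)` returns no findings, while a free-mail domain with no records produces TPC-10, TPC-9 and DMARC findings that can be attached to the self-assessment.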
Specific Controls (Up to 62 Additional Controls -- CCC+ Vendors)
CCC+ vendors face additional controls tailored to their classification. These extend the general controls into deeper technical territory:
- Network segmentation and micro-segmentation for Outsourced Infrastructure providers
- Secure software development lifecycle (SSDLC) requirements for Customized Software vendors
- Data classification and handling procedures for Critical Data Processors
- Encryption at rest requirements for any vendor storing Aramco data
- Privileged access management with session recording and just-in-time access provisioning
- Backup and disaster recovery with defined RPO/RTO targets and documented test results
- Vulnerability management with regular scanning and defined remediation SLAs
- Logging and monitoring with centralized log collection, retention policies, and alerting capabilities
The Infrastructure Challenge Most Vendors Underestimate
Here is where most CCC compliance projects go sideways. Vendors read the SACS-002 standard, draft policies, and prepare documentation -- then discover that the majority of the 24 general controls (and nearly all of the specific controls) require technical implementation, not just written policies.
Consider what a typical small or mid-size enterprise (SME) must deploy to satisfy just the general controls:
- A private email domain with SPF, DKIM, and DMARC records properly configured -- which means running or subscribing to a business email service, not using @gmail.com
- A firewall on every endpoint, configured with documented rulesets that can be exported for auditor review
- An anti-virus solution with centralized management showing daily update logs and bi-weekly scan reports
- VPN infrastructure with IPSec encryption for any remote access to company systems
- MFA on all cloud-based services -- email, file storage, remote desktop, admin panels
- Encrypted file transfer capabilities using SFTP or FTPS rather than plain FTP or email attachments
- A screen saver lock enforced at 15 minutes across all workstations via group policy or MDM
- Password policies enforced at the system level, not just documented in a handbook
For an SME with 20-50 employees, building and maintaining this infrastructure from scratch is a significant project. You need a mail server or managed email service, a firewall appliance or cloud firewall, a VPN concentrator, an endpoint protection platform, a file hosting solution with encryption, and the expertise to configure all of it correctly. Then you need to produce audit evidence -- screenshots, configuration exports, policy documents -- proving every control is implemented.
The reality: Most vendors spend more time and money building compliant infrastructure than they do on the policies and documentation combined. The infrastructure is the compliance.
Why Pre-Built Compliant Infrastructure Changes the Equation
This is precisely why purpose-built CCC-compliant infrastructure packages exist. Instead of assembling a dozen different services, configuring each one to meet SACS-002 specifications, and producing your own audit documentation, you deploy a single integrated environment where every component is already configured to meet the standard.
A well-designed CCC infrastructure package should include:
- Private email hosting with SPF, DKIM, DMARC, and MFA pre-configured
- Managed firewall with audit-ready rule exports
- VPN with IPSec encryption for remote access
- Encrypted file hosting (SFTP/FTPS) replacing insecure file sharing
- Endpoint protection with centralized reporting
- Remote desktop (RDP) with MFA and session policies enforced
- DDoS protection for internet-facing services
- Pre-generated audit evidence templates mapped to each TPC control
This approach transforms CCC compliance from a multi-month infrastructure project into a deployment measured in days. Your team focuses on the governance controls -- policies, risk assessments, training -- while the infrastructure controls are handled by the platform.
The Audit Process: What to Expect
Once you have implemented the required controls, the CCC audit process follows a structured path:
- Self-assessment: You complete Aramco's self-assessment questionnaire, mapping your controls to each TPC requirement and attaching evidence.
- Document submission: Policies, procedures, screenshots, configuration exports, and training records are submitted to the Aramco-authorized assessor.
- Technical review: The assessor reviews your evidence against SACS-002 requirements. They may request additional documentation or clarification.
- Remediation (if needed): If gaps are identified, you receive a findings report with a remediation timeline. You must close findings and resubmit evidence.
- Certificate issuance: Once all controls are verified, Aramco issues the CCC or CCC+ certificate. The certificate is valid for a defined period (typically one to two years) and must be renewed.
Common Reasons Vendors Fail the CCC Audit
Based on patterns across the Aramco vendor ecosystem, these are the most frequent causes of audit failure:
- Using free email services -- Gmail, Yahoo, or Outlook.com addresses for business communication violate TPC-10 immediately
- Missing SPF/DKIM records -- Even vendors with private domains often lack properly configured DNS records for email authentication
- No MFA on cloud services -- Especially common on email, file sharing, and remote desktop access
- Firewall not enabled or not documented -- The control is satisfied only when you can produce configuration evidence
- Anti-virus without centralized reporting -- Individual endpoint installations without a management console cannot produce the daily update and scan reports the auditor needs
- Unencrypted file transfers -- Using plain FTP, email attachments, or consumer cloud storage (Google Drive, Dropbox) for business files
- Password policies not enforced technically -- Having a policy document is not enough; the system must enforce complexity, history, and lockout requirements
Getting Started: Your Path to CCC Compliance
The path to Aramco CCC certification does not have to be overwhelming. Start by identifying your vendor classification, scope the applicable controls, and then make a critical decision: build the infrastructure yourself or deploy a pre-built compliant environment.
For most SMEs, the pre-built approach saves months of work and eliminates the risk of misconfigured infrastructure causing audit failures. The governance work -- writing policies, conducting risk assessments, training employees -- still requires your attention, but it is far more manageable when the technical controls are already in place.
For a detailed look at how CCC and CCC+ differ in practice, read our CCC vs. CCC+ comparison.
Skip the Infrastructure Headache
MassiveGRID's Aramco CCC-Compliant Infrastructure Package delivers every technical control required by SACS-002 in a single managed deployment. Private email with SPF/DKIM/DMARC, managed firewall, IPSec VPN, encrypted file hosting, endpoint protection, MFA-enforced RDP, and DDoS protection -- all pre-configured with audit evidence documentation ready for your assessor.