Gray Hat Security (GHS) logo

Critical Vendors · On-Site Audit · SACS-210

Aramco CCC+ Certification: SACS-210 Requirements for Critical Vendors (2026)

July 7, 2026 · 9 min read · GHS Security Team Aramco CCC+ SACS-210 Critical Vendors

Quick Answer

CCC+ is the higher-assurance tier of Aramco's Cybersecurity Compliance Certificate program, required for third parties classified as Network Connectivity (a direct network link into Aramco systems) or Critical Data Processor (handling Aramco's most sensitive data). It is assessed against the same SACS-210 control baseline as standard CCC.

The difference is verification: standard CCC uses remote validation of a self-assessment; CCC+ requires a full on-site audit by an Authorized Audit Firm, with deeper evidence sampling and technical validation. Both tiers carry the same two-year validity period.