The Aramco CCC+ (Cybersecurity Compliance Certificate Plus) is the enhanced certification tier required for vendors classified as Network Connectivity or Critical Data Processors under SACS-210, Saudi Aramco’s updated Third-Party Cybersecurity Standard (February 2026). Unlike the standard CCC, CCC+ mandates a full on-site audit by an Aramco-authorized audit firm. Failure to hold a valid CCC+ blocks your company from the Aramco supplier portal, contract participation, and project onboarding, with no grace period.
On This Page
- What Is the Aramco CCC+?
- CCC vs CCC+: What’s the Difference?
- Who Needs CCC+ Under SACS-210?
- SACS-210: What Changed from SACS-002?
- The 33 General Requirements
- CCC+-Specific Controls
- The On-Site Audit: What Auditors Check
- Common Reasons CCC+ Audits Fail
- CCC+ Timeline
- How GHS Prepares You for CCC+
- Frequently Asked Questions
What Is the Aramco CCC+?
The Aramco CCC+ is the higher of two certification tiers in Saudi Aramco’s Cybersecurity Compliance Certificate (CCC) Program. It is issued exclusively by Aramco-authorized audit firms after a verified on-site assessment of your organization’s cybersecurity controls, infrastructure, and documentation.
The CCC+ applies to vendors whose services expose Aramco’s most sensitive assets: its corporate network and critical data. For these organizations, a remote self-assessment is insufficient. Auditors physically visit your facilities to verify that controls are not just documented, but deployed, operational, and functioning as claimed.
The CCC+ is valid for two years from the issuance date, provided your vendor classification has not changed during that period.
A vendor without a valid CCC+ cannot be registered in Aramco’s supplier portal, cannot bid on new contracts, and cannot continue existing contract activities once the certificate lapses. There is no grace period upon expiry. Contract suspension is automatic.
CCC vs CCC+: What’s the Difference?
| | CCC | CCC+ |
|---|---|---|
| Who it applies to | General vendors, outsourced infrastructure, customized software | Network connectivity vendors, critical data processors |
| Audit method | Remote self-assessment, validated by authorized firm | Full on-site inspection by authorized audit firm |
| Control scope | 33 General Requirements (SACS-210) | General Requirements + classification-specific controls |
| Auditor access | Reviews documentation package remotely | Inspects live systems, real-time configurations, access controls |
| Supersedes | Not applicable | Supersedes CCC; if both apply, only CCC+ is accepted |
| Validity | 2 years | 2 years |
If your classification triggers both CCC and CCC+, you submit only the CCC+ application. The CCC+ is accepted in place of the standard CCC, so you do not need both certificates.
Who Needs CCC+ Under SACS-210?
Your organization requires CCC+ if it falls into either of these two SACS-210 classifications:
1. Network Connectivity
Your infrastructure has direct network links to the Saudi Aramco Corporate Network. This includes:
- Leased-line connections to Aramco facilities
- SSL VPN or site-to-site VPN tunnels into Aramco systems
- Remote access services enabling staff to reach Aramco’s intranet
- Any equipment bridging your network with Aramco’s operational or corporate network
2. Critical Data Processor
Your organization processes, stores, or transmits data that Aramco classifies as critical or sensitive. This includes:
- Companies handling Aramco financial, operational, or project data
- Cloud service providers hosting Aramco-scoped workloads
- Data centers processing or co-locating Aramco information
- Analytics, AI, or BI vendors working with Aramco datasets
New vendors establish classification during Aramco supplier portal registration. Existing vendors initiate a review with their Aramco department contact, completing the Third Party Classification Template and the Third Party Classification Confirmation Letter. Misclassification is the most common cause of compliance project failures; never self-assign your classification.
SACS-210: What Changed from SACS-002?
SACS-210, released February 2026, is the successor to the SACS-002 standard. The transition window closes 26 August 2026, after which all renewals are assessed against SACS-210.
Certificates issued under SACS-002 remain valid until renewal. At renewal, SACS-210 requirements apply in full. If your renewal window is approaching, preparation must begin immediately.
Expanded General Requirements
SACS-002 contained 24 general controls. SACS-210 expands this to 33 controls (TPC1.1–TPC1.33), reflecting stronger governance expectations and NCA alignment.
Dedicated OT Security Section
A new standalone OT section introduces five OT-focused controls for vendors providing industrial automation, SCADA, or process control services.
Stronger NCA ECC Alignment
SACS-210 formally aligns with NCA ECC 2:2024 and PDPL. Compliance gaps tolerated under SACS-002 are now explicitly addressed and auditable.
Higher Evidence Standards
Auditors apply stricter scrutiny to evidence quality. Policies that exist but are not operationally implemented will be flagged as non-compliant findings under SACS-210.
The 33 General Requirements Every Vendor Must Meet
All Aramco vendors, including those requiring CCC+, must first satisfy the 33 General Requirements (TPC1.1–TPC1.33). These form the mandatory baseline from which classification-specific controls are added for CCC+ vendors.
Governance & Risk Management (TPC1.1–1.4)
Documented cybersecurity policy approved by senior management. Designated cybersecurity officer. Annual formal risk assessment process.
Asset Management (TPC1.5–1.9)
Maintained inventory of all hardware, software, and data repositories in Aramco scope. Assets classified by sensitivity and business impact.
Access Control & MFA (TPC1.10–1.14)
MFA enforced on all systems handling Aramco data. RBAC with least-privilege enforcement. Immediate access revocation upon off-boarding.
Endpoint Security (TPC1.15–1.18)
EDR deployed on all devices in scope. AES-256 full-disk encryption. Centralized patch management with defined remediation SLAs.
Network Security (TPC1.19–1.22)
Firewall deployment and configuration on all endpoints. Network segmentation for Aramco-scoped systems. SPF, DKIM, DMARC on corporate email domains.
Incident Response (TPC1.23–1.26)
Documented IR plan with defined escalation procedures. Mandatory Aramco notification within 24 hours of a confirmed incident affecting scoped systems.
Data Protection & Backup (TPC1.27–1.30)
Encryption in transit (TLS, IPSec, FTPS, HTTPS). Offline or air-gapped backups tested at defined intervals with recovery verification.
Audit Logging & Monitoring (TPC1.31–1.33)
Centralized, tamper-protected logs covering authentication events, privilege escalations, and system changes, retained per Aramco minimum periods.
CCC+-Specific Controls: Network Connectivity & Critical Data
Beyond the 33 General Requirements, CCC+ vendors must implement controls specific to their classification. These go substantially further than the baseline.
Network Connectivity Controls
Aramco-connected infrastructure must be logically or physically isolated from your general corporate network. Aramco-scoped traffic must never traverse non-scoped systems.
All connectivity to the Aramco Corporate Network must use approved encrypted protocols (IPSec, SSL/TLS). Unencrypted connections are non-compliant and will be flagged on-site.
VPN gateways must be hardened, continuously monitored, and subject to formal change management. Live configurations must be reviewable by auditors during the on-site assessment.
All remote sessions into Aramco environments must generate complete, tamper-proof session logs retained for the required minimum period.
Where staff access Aramco systems remotely, individual user accounts with MFA are mandatory. Shared or generic accounts are immediate non-compliance findings.
Critical Data Processor Controls
All Aramco data must be classified and handled per Aramco’s policy. Storage locations, access paths, and transmission routes must be formally documented and evidenced.
All Aramco-scoped data stored in your environment must be encrypted at rest using AES-256 minimum. Encryption must be verifiable by auditors inspecting live storage systems.
Systems hosting or processing Aramco data require documented DDoS mitigation capabilities, formally evidenced with configuration records and service agreements.
Aramco data must be stored within approved geographic boundaries unless explicitly approved by Aramco otherwise. Cloud region configuration must be verified on-site.
Aramco data must be securely destroyed per NIST 800-88 standards upon contract end or data lifecycle completion. Sanitization records are required as audit evidence.
The CCC+ On-Site Audit: What Auditors Actually Check
This is the defining difference between CCC and CCC+. An authorized audit firm sends qualified assessors to your premises; they do not review a documentation package remotely. Here is what they examine:
Auditors request access to your Active Directory or identity management system to verify that MFA policies are enforced, user account lists match your access register, and all terminated employee accounts have been fully revoked.
Assessors review firewall rule sets, routing tables, and VLAN configurations to confirm that network segmentation between your Aramco-scoped and non-scoped environments is implemented, not just documented.
A sample of endpoints will be checked for EDR deployment, encryption status, patch levels, and local firewall enablement. Random sampling means every device in scope must be compliant.
Auditors verify that centralized logging is operational, that log retention periods are correctly configured, and that log files are protected against tampering or unauthorized deletion.
Assessors interview IT staff and the designated cybersecurity officer to verify that documented policies are understood and practiced, not just filed. A policy no one can explain is a finding.
For Network Connectivity vendors, auditors validate VPN configurations, confirm encryption is active on all tunnels, and check whether remote access session logging is generating records in real time.
Every claim in your self-assessment report is cross-checked against what auditors observe on-site. Inconsistencies between documented controls and live configurations result in non-compliance findings that must be remediated before the certificate is issued.
Common Reasons CCC+ Audits Fail
Based on GHS’s experience preparing Aramco vendors for CCC+ assessments, these are the most frequent causes of audit failure at the CCC+ tier:
The most critical CCC+ finding is segmentation that exists only on paper: documentation shows a segmented network, while the live configuration shows flat routing between Aramco-scoped and general systems. Auditors check the routing table, not the diagram.
MFA is deployed but users can bypass it. Auditors check enforcement settings in your identity management platform, not whether MFA is available as an option.
A single VPN account shared by multiple engineers, or a service account used for remote access, is an immediate non-compliance finding. Every remote user must have an individual, MFA-protected account.
VPN or remote access session logging is documented as a control but not operationally generating logs, or logs are not being retained for the required minimum period. Auditors verify logs are real, current, and tamper-protected.
Auditors routinely compare HR records of terminated employees against active user accounts. Residual accounts are a consistent finding, and one that is entirely preventable.
Vendors using public cloud for Aramco-scoped workloads without completing cloud-specific control requirements (tenant isolation, sovereign controls, access governance) consistently fail CCC+.
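The reconciliation auditors perform here, and the identity check described in the on-site audit section (terminated accounts revoked, MFA actually enforced, no shared logins), can be rehearsed before the assessor arrives. The following is an added example, not GHS or Aramco tooling: it compares a constructed HR termination export against a constructed identity-store export (both CSV layouts are assumptions) and lists enabled accounts belonging to terminated staff, enabled accounts without MFA enforced, and enabled accounts with no named owner.

```python
"""Reconcile an HR termination export against an identity-store export."""
# Added example (not GHS or Aramco tooling). CSV layouts are assumptions:
# HR rows: employee_id, termination_date (blank = still employed); identity
# rows (e.g. an AD or IdP export): sam_account, employee_id, enabled,
# mfa_enforced. All data below is constructed.
import csv
import io
from datetime import date

HR_EXPORT = """employee_id,name,termination_date
E1001,Alice Rahman,2025-11-03
E1002,Bilal Khan,2026-01-15
E1003,Carla Diaz,
"""

IDENTITY_EXPORT = """sam_account,employee_id,enabled,mfa_enforced
arahman,E1001,true,true
bkhan,E1002,false,true
cdiaz,E1003,true,false
vpn-shared,,true,false
"""

def parse(text):
    return list(csv.DictReader(io.StringIO(text)))

def is_true(value):
    return value.strip().lower() == "true"

def residual_accounts(hr_rows, id_rows, as_of):
    """Enabled accounts whose owner's HR termination date is on or before as_of (ISO date)."""
    cutoff = date.fromisoformat(as_of)
    terminated = {r["employee_id"]: date.fromisoformat(r["termination_date"])
                  for r in hr_rows if r["termination_date"]}
    findings = []
    for acct in id_rows:
        term = terminated.get(acct["employee_id"])
        if term and is_true(acct["enabled"]) and term <= cutoff:
            findings.append({"account": acct["sam_account"], "employee_id": acct["employee_id"],
                             "days_residual": (cutoff - term).days})
    return findings

def mfa_gaps(id_rows):
    """Enabled accounts where MFA is not enforced (MFA being available is not enforcement)."""
    return sorted(a["sam_account"] for a in id_rows
                  if is_true(a["enabled"]) and not is_true(a["mfa_enforced"]))

def orphan_accounts(id_rows):
    """Enabled accounts with no employee owner: shared or generic login candidates."""
    return sorted(a["sam_account"] for a in id_rows
                  if is_true(a["enabled"]) and not a["employee_id"].strip())
```

Run it against real exports from HR and your identity provider on a schedule, not once before the audit; a disabled account (like bkhan above) is not a finding, an enabled one weeks after termination is.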
When auditors interview IT staff, they ask how controls are implemented day-to-day. Staff who cannot describe the incident response process or MFA enrollment procedure signal a policy created for the audit, not one that is operationalized.
CCC+ Timeline: How Long Does It Take?
| Phase | Activity | Typical Duration |
|---|---|---|
| 1 | Classification Confirmation: complete the Third Party Classification Template with your Aramco department | 1–3 weeks |
| 2 | Gap Assessment: GHS assesses all applicable CCC+ controls against your live environment | 1–2 weeks |
| 3 | Technical Remediation: implement missing controls, harden systems, produce documentation | 6–14 weeks |
| 4 | Audit Firm Engagement: select an authorized firm, sign the contract, schedule the on-site assessment | 2–4 weeks |
| 5 | On-Site Assessment: the authorized firm conducts a full on-site inspection | 2–5 days |
| 6 | Findings Remediation: close any non-compliance findings raised by the auditor | 2–6 weeks |
| 7 | Certificate Issuance: the authorized firm issues the CCC+ once all controls are verified | 1–2 weeks |
Total estimated time: 4 to 7 months from gap assessment to certificate issuance, assuming structured preparation. Organizations with no prior compliance baseline should plan toward the upper range.
How GHS Prepares You for CCC+ Certification
Gray Hat Security: CCC+ Engagement Model
GHS is a Saudi cybersecurity consulting firm headquartered in Riyadh, specializing in Aramco CCC and CCC+ compliance for vendors across all classification tiers.
We work with your Aramco department contact to complete the Third Party Classification Template accurately, preventing the misclassification that cascades into failed audits.
We assess all 33 General Requirements plus every applicable Specific Requirement for your classification. You receive a prioritized findings report with clear remediation actions.
Our engineers implement the technical controls you are missing: network segmentation, MFA enforcement, VPN hardening, EDR, log infrastructure, and encryption. We implement, not just advise.
We produce the complete SACS-210-aligned documentation set: cybersecurity policy, AUP, asset inventory, risk register, incident response plan, and all supporting forms.
Before the authorized firm arrives, GHS conducts a full pre-audit simulation, testing live systems against every control auditors will check and briefing your IT staff on interview responses.
If the authorized firm raises findings, GHS manages the full remediation cycle: implementing fixes, updating evidence, and coordinating resubmission to close your certificate.
