The only way to be sure that the Organization you are going to work will follow the defined process is to identify the correct appraised identity within the organization. That means to say that when an Assessment is conducted for CMMI SCAMPI C, B or A and â€œOrganizational Unitâ€ (OU) is identified that goes under assessment. This OU can represent an Organization if it is involved with Software Development and Maintenance activities, a Department, a Location, a Program or a Logical Section of a Company.
This is the condition with proceeding with the Formal SCAMPI Assessment (A, B or C) that an OU has to be identified for Assessment and projects are selected from that OU only.
This means that only the projects within that organization have been assessed for ML3 and should be in compliance to CMMI ML3 if that OU successfully achieve it.
Now if we come to our original question of the vendorâ€™s processes being ML3 compliant. We can be sure, that if that vendor is serious about processes and you are dealing with same OU that undergone the assessment and have achieved the ML3 within the last three years, they will follow processes and will provide quality products and services.
SEI also maintains database of the Successful Assessed Organization at their website, known as Published Appraisal Results – https://sas.sei.cmu.edu/pars/. You can check for organizations and OUs who have not kept their appraisal confidential at the given link.
In case OU is different than the assessed one then please beware about the results.