CMMC Timeline: Real Assessment Timelines from Our Experience
Posted March 11, 2026 in Compliance.
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's framework for verifying that defense contractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) according to NIST SP 800-171 standards. CMMC 2.0, finalized in the December 2024 federal rule, establishes three levels of certification, with Level 2 requiring an independent third-party assessment for contractors handling CUI. Based on our experience preparing over 40 defense contractors for CMMC, realistic timelines range from 8 to 18 months from initial gap assessment to certification, not the 3 to 6 months that some consultants promise.
Key Takeaways
- The average CMMC Level 2 preparation takes 12-18 months for organizations starting from scratch and 8-12 months for those with existing NIST 800-171 programs
- The 110 security requirements in NIST 800-171 Rev 2 require both technical controls and extensive documentation; documentation alone accounts for 40-60% of preparation time
- C3PAO (Certified Third-Party Assessment Organization) assessment scheduling has a 3-6 month backlog as of early 2026 due to limited assessor capacity
- The single largest cause of timeline delays is underestimating the scope of CUI in the environment, which forces mid-project boundary expansions
- Organizations that complete a thorough scoping exercise before starting remediation save an average of 4 months compared to those that scope while remediating
The CMMC 2.0 Landscape in 2026
CMMC 2.0 became enforceable through DFARS clause 252.204-7021, with phased implementation beginning in mid-2025. By March 2026, the following conditions apply:
- Level 1 (Self-Assessment): Required for all contractors handling FCI. 15 basic security requirements. Self-attestation in the Supplier Performance Risk System (SPRS)
- Level 2 (Third-Party Assessment): Required for contractors handling CUI. 110 security requirements from NIST SP 800-171 Rev 2. Assessed by a C3PAO
- Level 3 (Government-Led Assessment): Required for the most critical CUI programs. 110+ requirements with enhanced controls from NIST SP 800-172. Assessed by DCMA DIBCAC
Most contractors reading this guide need Level 2, which is where the timeline complexity lives.
Realistic Timeline: Level 2 Certification
Phase 1: Scoping and Gap Assessment (Months 1-3)
This phase determines everything that follows. Shortcuts here guarantee delays later.
Month 1: CUI Scoping
The first and most critical step is defining where CUI lives in your organization. CUI is any information the government has identified as requiring safeguarding; it is typically marked with CUI banners or identified in contract DD Form 254s and CDRLs.
What we assess:
- All systems that store, process, or transmit CUI (including email, file shares, cloud services, mobile devices)
- All people who access CUI (including subcontractors)
- All physical locations where CUI is accessed or stored
- Network boundaries and data flows involving CUI
Common scoping mistakes that add months:
- Forgetting about email: if CUI is discussed via email, your entire email system is in scope
- Ignoring personal devices: if anyone has ever accessed CUI from a personal phone or laptop, BYOD is in scope
- Missing subcontractors: your subcontractors who handle CUI must also be CMMC-certified
- Overlooking cloud services: OneDrive, Google Drive, Dropbox, any cloud system touching CUI is in scope
Months 2-3: Gap Assessment
With the scope defined, assess your current posture against all 110 NIST 800-171 requirements. This produces:
- A scored assessment (out of 110 points, posted to SPRS)
- A detailed gap analysis identifying every unmet requirement
- An estimated remediation cost and timeline for each gap
- A Plan of Action and Milestones (POA&M) for gaps that cannot be closed immediately
In our experience with 40+ assessments, the average organization starting from scratch meets 35-55 of the 110 requirements. Organizations with an existing information security program typically meet 60-85 requirements.
| Starting Posture | Requirements Met | Typical Gap Count | Remediation Time |
|---|---|---|---|
| No formal security program | 35-55 | 55-75 gaps | 12-18 months |
| Basic security (AV, firewall, passwords) | 55-70 | 40-55 gaps | 10-14 months |
| Existing NIST 800-171 program | 70-90 | 20-40 gaps | 6-10 months |
| Mature security program (SOC 2, ISO 27001) | 85-100 | 10-25 gaps | 4-8 months |
Phase 2: Remediation (Months 3-12)
Remediation is the longest phase and the one most often underestimated. It involves both technical controls and documentation.
Technical Remediation (Months 3-9)
The most common technical gaps and their typical implementation timelines:
| Control Area | Common Gap | Implementation Time | Typical Cost |
|---|---|---|---|
| Multi-factor authentication | No MFA or incomplete MFA | 2-4 weeks | $3-$8/user/month |
| Encryption at rest | Unencrypted endpoints and servers | 2-6 weeks | $0-$5/device (BitLocker/LUKS are free) |
| Audit logging | No centralized logging or SIEM | 4-8 weeks | $5,000-$25,000/year |
| Network segmentation | CUI on flat network | 4-12 weeks | $2,000-$20,000 (firewall/VLAN config) |
| Endpoint detection (EDR) | No EDR or basic AV only | 2-4 weeks | $5-$12/endpoint/month |
| Vulnerability management | No regular scanning | 2-4 weeks | $2,000-$10,000/year |
| Backup and recovery | No tested backup or missing encryption | 2-6 weeks | $500-$5,000/month |
| Access control | Shared accounts, excessive privileges | 4-8 weeks | Minimal (process changes) |
| Incident response | No plan or untested plan | 2-4 weeks | $5,000-$15,000 (consulting) |
| Physical security | Inadequate server room controls | 2-8 weeks | $1,000-$10,000 |
Documentation (Months 4-10)
CMMC assessors evaluate documentation as heavily as technical controls. You cannot pass with good technology but poor documentation.
Required documentation:
- System Security Plan (SSP): The master document describing how you meet each of the 110 requirements. Typically 80-200 pages. This is the single most important document for your assessment
- Plan of Action and Milestones (POA&M): Documented plan for any requirements not yet fully met, with specific remediation dates
- Network diagram: Current, accurate, showing CUI boundaries, security zones, and data flows
- Hardware/software inventory: Every system in the CUI environment
- Policies and procedures: Written policies for each NIST 800-171 control family (14 families, 40+ individual policies)
- Training records: Evidence that all CUI-handling personnel completed security awareness training
- Incident response plan: Documented and tested within the past 12 months
- Configuration management plan: Standards for system configurations (STIGs, CIS Benchmarks)
- Risk assessment: Documented risk assessment of the CUI environment
Documentation takes 300-600 hours of focused work for a typical small contractor. This is where most timelines blow out because technical staff underestimate the writing and review effort required.
Phase 3: Pre-Assessment Preparation (Months 10-14)
Internal Assessment (Months 10-11)
Before engaging a C3PAO, conduct a mock assessment using the CMMC assessment methodology. Walk through every requirement as if a real assessor were asking questions:
- Can you show me where this control is implemented?
- Can you show me the documentation that describes this process?
- Can you demonstrate that this control has been operating consistently for at least 90 days?
That last question is critical. CMMC assessors verify that controls have been consistently implemented, not just recently deployed. A SIEM installed last week does not satisfy the audit logging requirement. Assessors look for 90+ days of consistent operation.
Evidence Collection (Months 11-12)
Organize all evidence into a structured repository. For each of the 110 requirements, you need:
- Policy/procedure document reference
- Technical implementation evidence (screenshots, configuration exports, tool outputs)
- Operational evidence (logs, reports, test results showing consistent operation)
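The two checks described in the last two sections, three kinds of evidence per requirement and at least 90 days of consistent operation, are easy to automate against an evidence inventory. The script below is an added example, not code from the article or from Petronella Technology Group; it runs against a constructed sample inventory. The requirement ids are real NIST SP 800-171 Rev 2 identifiers, but the file paths, the artifact dates and the 45-day continuity threshold (monthly reports plus slack) are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# 90 days is the operating history assessors look for (from the article).
# 45 days is an assumed upper bound on the gap between two consecutive
# operational artifacts; it is not a CMMC rule.
MIN_OPERATING_DAYS = 90
MAX_CONTINUITY_GAP_DAYS = 45
REQUIRED_KINDS = ("policy", "technical", "operational")


@dataclass(frozen=True)
class Evidence:
    requirement: str  # NIST SP 800-171 requirement id, e.g. "3.3.1"
    kind: str         # "policy", "technical" or "operational"
    ref: str          # location in the evidence repository (assumed layout)
    dated: date       # date on the artifact (report date, log date, export date)


def operational_dates(items):
    """Sorted artifact dates of the operational evidence for one requirement."""
    return sorted(e.dated for e in items if e.kind == "operational")


def days_operating(items, as_of):
    """Days from the earliest operational artifact to the as-of date (0 if none)."""
    dates = operational_dates(items)
    return (as_of - dates[0]).days if dates else 0


def longest_continuity_gap(items, as_of):
    """Largest interval in days between consecutive operational artifacts,
    including the stretch from the newest artifact up to the as-of date."""
    dates = operational_dates(items)
    if not dates:
        return 0
    points = dates + [as_of]
    return max((later - earlier).days for earlier, later in zip(points, points[1:]))


def evidence_gaps(evidence, requirements, as_of):
    """Map each requirement id to the reasons it is not assessment-ready.
    Requirements with a complete, 90-day-old, uninterrupted evidence set are omitted."""
    by_req = defaultdict(list)
    for e in evidence:
        by_req[e.requirement].append(e)
    gaps = {}
    for req in requirements:
        items = by_req.get(req, [])
        kinds = {e.kind for e in items}
        problems = [f"missing {kind} evidence" for kind in REQUIRED_KINDS if kind not in kinds]
        if "operational" in kinds:
            days = days_operating(items, as_of)
            if days < MIN_OPERATING_DAYS:
                problems.append(f"operating for {days} days, need {MIN_OPERATING_DAYS}")
            gap = longest_continuity_gap(items, as_of)
            if gap > MAX_CONTINUITY_GAP_DAYS:
                problems.append(f"{gap}-day gap in operational evidence")
        if problems:
            gaps[req] = problems
    return gaps


# Constructed sample inventory (not real assessment data).
AS_OF = date(2026, 2, 10)
REQUIREMENTS = ["3.1.1", "3.3.1", "3.5.3", "3.13.11"]
SAMPLE_EVIDENCE = [
    # 3.1.1 (access control): complete set, monthly access reviews since October
    Evidence("3.1.1", "policy", "policies/AC-01-access-control.pdf", date(2025, 9, 20)),
    Evidence("3.1.1", "technical", "evidence/3.1.1/ad-group-export.csv", date(2026, 1, 30)),
    *[Evidence("3.1.1", "operational", f"evidence/3.1.1/access-review-{d.isoformat()}.pdf", d)
      for d in (date(2025, 10, 1), date(2025, 11, 1), date(2025, 12, 1),
                date(2026, 1, 1), date(2026, 2, 1))],
    # 3.3.1 (audit logging): the SIEM only went live in mid-January
    Evidence("3.3.1", "policy", "policies/AU-01-audit-logging.pdf", date(2025, 12, 1)),
    Evidence("3.3.1", "technical", "evidence/3.3.1/siem-config-export.json", date(2026, 1, 15)),
    Evidence("3.3.1", "operational", "evidence/3.3.1/siem-report-2026-01-15.pdf", date(2026, 1, 15)),
    Evidence("3.3.1", "operational", "evidence/3.3.1/siem-report-2026-02-01.pdf", date(2026, 2, 1)),
    # 3.5.3 (multifactor authentication): deployed and running, but no written policy yet
    Evidence("3.5.3", "technical", "evidence/3.5.3/mfa-enrollment-export.csv", date(2026, 2, 5)),
    *[Evidence("3.5.3", "operational", f"evidence/3.5.3/mfa-signin-report-{d.isoformat()}.csv", d)
      for d in (date(2025, 10, 15), date(2025, 11, 15), date(2025, 12, 15),
                date(2026, 1, 15), date(2026, 2, 5))],
    # 3.13.11 (FIPS-validated cryptography): nothing collected yet
]

if __name__ == "__main__":
    gaps = evidence_gaps(SAMPLE_EVIDENCE, REQUIREMENTS, AS_OF)
    for req in REQUIREMENTS:
        status = "READY" if req not in gaps else "; ".join(gaps[req])
        print(f"{req:8} {status}")
```

On the sample data the report marks 3.1.1 ready, flags 3.3.1 as operating for only 26 days (the "SIEM installed last week" case), 3.5.3 as lacking a policy, and 3.13.11 as lacking all three kinds of evidence. The continuity check is what catches a control that was switched on, produced one report, and then went unattended; a single old screenshot does not show consistent operation.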
Phase 4: C3PAO Assessment (Months 13-16)
Scheduling (3-6 month lead time)
As of March 2026, there are approximately 50 accredited C3PAOs serving the entire defense industrial base. Scheduling an assessment requires 3-6 months of lead time. Begin outreach to C3PAOs during Phase 2 remediation.
Assessment Process (2-4 weeks)
The C3PAO assessment follows a structured methodology:
- Week 1: Document review. The assessor examines your SSP, POA&M, policies, and evidence packages
- Week 2: On-site assessment. Assessors interview personnel, observe controls in operation, and verify technical implementations
- Week 3: Assessment report preparation by the C3PAO
- Week 4: Results delivered. Pass, conditional pass (with POA&M items), or fail
Conditional Pass
A conditional pass means you met most requirements but have a limited number of POA&M items that must be resolved within 180 days. This is common and acceptable; the assessor's report specifies exactly which items need remediation and the deadline for completion.
Phase 5: Certification and Maintenance (Month 14+)
CMMC certification is valid for 3 years. During that period, you must:
- Maintain all 110 controls continuously
- Conduct annual self-assessments
- Update your SPRS score if your posture changes
- Report security incidents to DIBCAC within 72 hours
- Close any conditional POA&M items within 180 days of assessment
Common Timeline Killers
1. Scope Creep (Adds 2-6 Months)
Mid-project discovery that CUI is in more places than initially identified forces re-scoping, additional remediation, and updated documentation. Prevention: invest heavily in Phase 1 scoping.
2. Documentation Delays (Adds 2-4 Months)
Technical teams prioritize implementation over documentation. The SSP sits half-written for months. Prevention: assign a dedicated documentation resource or engage a consultant for writing support.
3. Cloud Service Provider Gaps (Adds 1-3 Months)
Discovering that your cloud provider does not meet FedRAMP Moderate baseline (required for CUI in cloud systems) forces a migration. Prevention: verify cloud provider compliance status during scoping.
4. Subcontractor Non-Compliance (Adds 3-6 Months)
If your subcontractors handle CUI, they must also achieve CMMC certification. Their timeline becomes your constraint. Prevention: include CMMC requirements in subcontractor agreements and begin tracking their progress early.
5. C3PAO Availability (Adds 2-4 Months)
Limited C3PAO capacity creates scheduling bottlenecks. Prevention: begin C3PAO outreach 6 months before you expect to be assessment-ready.
Cost Overview
| Cost Category | Small Contractor (10-25 people) | Mid-Size Contractor (25-100 people) |
|---|---|---|
| Gap assessment | $10,000 - $25,000 | $25,000 - $50,000 |
| Technical remediation | $15,000 - $50,000 | $50,000 - $150,000 |
| Documentation (SSP, policies) | $15,000 - $40,000 | $30,000 - $75,000 |
| Ongoing security tools | $12,000 - $36,000/year | $36,000 - $120,000/year |
| C3PAO assessment | $25,000 - $50,000 | $50,000 - $100,000 |
| Total (Year 1) | $77,000 - $201,000 | $191,000 - $495,000 |
These numbers are significant, but they must be weighed against the value of DoD contracts. A single DoD contract often exceeds the total CMMC investment by 10-100x.
How PTG Can Help
Petronella Technology Group has prepared over 40 defense contractors for CMMC compliance since the framework's initial release. Craig Petronella holds CMMC Registered Practitioner credential RP-1372, and our team includes experienced assessors who know exactly what C3PAOs look for.
Our CMMC compliance service covers the full lifecycle: scoping, gap assessment, remediation planning, technical implementation, SSP writing, mock assessment, and C3PAO coordination. We also provide ongoing compliance monitoring for the 3-year certification period.
For Raleigh-area defense contractors, we offer on-site assessment and remediation support. See our CMMC consultant page for local service details.
Call 919-348-4912 or visit petronellatech.com/contact/ to schedule a CMMC readiness briefing.
About the Author: Craig Petronella is the CEO of Petronella Technology Group, Inc., a CMMC Registered Practitioner (RP-1372) with over 30 years of cybersecurity experience. Craig has guided dozens of defense contractors through the CMMC preparation process and is a recognized authority on DIB cybersecurity compliance. He hosts the Petronella Technology Group podcast and has authored books on cybersecurity frameworks.
Frequently Asked Questions
How long does CMMC Level 2 certification take?
Based on our experience with 40+ contractors, CMMC Level 2 certification takes 8 to 18 months from initial gap assessment to passing the C3PAO assessment. Organizations with existing NIST 800-171 programs and mature security controls are at the shorter end. Those starting from scratch should plan for 12 to 18 months.
Can I get CMMC certified in 3 months?
It is highly unlikely for Level 2. Even if your technical controls are already in place, the documentation requirements (SSP, policies, procedures, evidence collection) take 3 to 4 months of dedicated effort. Additionally, assessors look for evidence that controls have been operating consistently for at least 90 days. Consultants promising 3-month certification are either cutting corners on documentation or underestimating your current gaps.
How much does CMMC Level 2 cost?
Total first-year costs range from $77,000 to $201,000 for small contractors (10-25 people) and $191,000 to $495,000 for mid-size contractors (25-100 people). This includes gap assessment, remediation, documentation, ongoing security tools, and the C3PAO assessment fee. Ongoing annual costs for maintaining compliance run $12,000 to $120,000 depending on organization size.
What happens if I fail the C3PAO assessment?
Failing the assessment means you cannot include CMMC Level 2 certification in contract proposals. You can remediate the identified gaps and schedule a reassessment. There is no penalty for failing beyond the cost of reassessment and the time delay. Most C3PAOs will identify specific deficiencies that need remediation, giving you a clear path forward.
Do I need CMMC if I only handle FCI, not CUI?
If you only handle FCI (Federal Contract Information), you need CMMC Level 1, which requires meeting 15 basic security practices and submitting a self-assessment. No third-party assessment is needed for Level 1. However, many contractors handle both FCI and CUI, or their contracts are expected to include CUI in the future, making Level 2 the prudent preparation target.
Can I use POA&Ms to pass the assessment with gaps?
CMMC 2.0 allows a limited number of POA&M items at the time of assessment. You can receive a conditional certification with open POA&Ms, but the items must be fully remediated within 180 days. Not all requirements are eligible for POA&M; certain critical controls must be fully met at the time of assessment. Your assessor will clarify which items qualify.
How do I choose a C3PAO?
Select a C3PAO based on: experience with your industry segment, availability that aligns with your timeline, geographic proximity (for on-site assessment logistics), references from similar-sized organizations, and clear pricing. The Cyber AB website (cyberab.org) maintains a marketplace of accredited C3PAOs. Begin outreach 6 months before your target assessment date.