You just learned your DoD contract requires CMMC certification. The RFP deadline is in 8 months. Can you make it?
Maybe. But probably not if you start tomorrow and expect to be done in 60 days. CMMC certification is a process with multiple phases, external dependencies, and a limited pool of assessors. Here is what a realistic timeline actually looks like in 2026.
The quick answer: 6-18 months
Most organizations take 6-18 months from "we need to do this" to "we're certified." The range is wide because the biggest variable is how much remediation work you need to do.
A company with solid security practices that just needs documentation might finish in 6 months. A company starting from scratch with significant gaps might need 18 months or more.
CMMC is the Cybersecurity Maturity Model Certification, a Department of Defense program that requires defense contractors to meet specific cybersecurity standards before handling certain government information. The certification validates that your organization has implemented the required security controls.
Here is how the timeline breaks down by phase.
Phase 1: Gap assessment (2-4 weeks)
Before you can fix gaps, you need to find them. A gap assessment compares your current security posture against the CMMC requirements.
For Level 2, that means evaluating your implementation of all 110 security requirements in NIST SP 800-171 Revision 2, the revision the CMMC rule references. NIST SP 800-171 is the National Institute of Standards and Technology's publication that defines security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems.
What happens during gap assessment:
- Inventory of systems that process, store, or transmit CUI
- Documentation review of existing policies and procedures
- Technical control validation
- Interviews with key personnel
- Classification of data (FCI vs CUI)
FCI stands for Federal Contract Information, which is information provided by or generated for the government under contract. CUI is Controlled Unclassified Information, a more sensitive category that requires enhanced protection. The type of information you handle determines whether you need Level 1 or Level 2 certification.
Deliverables you should expect:
- System Security Plan (SSP) baseline
- Gap analysis report showing compliant vs non-compliant controls
- SPRS score estimate
- Remediation roadmap with priorities
Your SPRS score is your Supplier Performance Risk System score, a numerical representation of your NIST 800-171 compliance status. It ranges from -203 to 110, where 110 means every requirement is implemented. DoD contractors must post their score in SPRS (DFARS 252.204-7019/7020), and contracting officers use it in award decisions.
A thorough gap assessment takes 2-4 weeks depending on your organization's size and complexity.
Phase 2: Remediation planning and execution (3-12 months)
This is the big variable. Remediation is where most of the time and money goes.
If your gap assessment shows you are missing 40 controls, you need to implement 40 controls. Some are quick configuration changes. Others require new tools, new processes, and organizational change.
The actual work varies wildly depending on where you're starting from. Organizations typically find themselves implementing MFA across systems that never had it, deploying EDR tools to endpoints that were running basic antivirus, and building out logging infrastructure that can actually capture what NIST 800-171 requires. Then there's the policy side—incident response procedures that exist on paper (or don't exist at all), access control policies that need to match reality, and configuration management processes that most small contractors have never formalized.
Why remediation takes so long:
- Budget cycles - Security tools cost money. Procurement takes time.
- Technical complexity - Some controls require architectural changes.
- Organizational change - People need to adopt new processes.
- Testing and validation - Controls need to actually work.
- Vendor dependencies - Waiting on third-party implementations.
| Remediation Scenario | Typical Duration |
|---|---|
| Minor gaps (less than 20 controls) | 3-4 months |
| Moderate gaps (20-50 controls) | 5-8 months |
| Significant gaps (50+ controls) | 9-12+ months |
The organizations that finish fastest either already have strong security programs or are willing to make significant investments in tools and personnel to accelerate remediation.
Phase 3: Documentation and evidence collection (4-8 weeks)
CMMC assessors do not take your word for it. They want evidence. Lots of evidence.
Every control needs documentation showing it exists, is implemented correctly, and is operating effectively. This is not just about having policies in a folder. It is about proving your controls work.
Documentation requirements:
- System Security Plan (SSP) - comprehensive document describing your security program
- Plan of Action and Milestones (POA&M) - tracking document for any remaining gaps
- Policies and procedures for each control family
- Technical configuration documentation
- Evidence of control operation (logs, screenshots, reports)
Evidence examples by control family:
| Control Family | Evidence Examples |
|---|---|
| Access Control | User access reviews, privilege assignments, account audit logs |
| Audit and Accountability | Log samples, retention policies, monitoring dashboards |
| Configuration Management | Baseline configurations, change records, vulnerability scans |
| Identification and Authentication | MFA enrollment reports, password policy screenshots |
| Incident Response | IR plan, test results, incident logs |
| System and Communications Protection | Encryption configurations, network diagrams, firewall rules |
Good documentation takes 4-8 weeks if you have been collecting evidence along the way. If you wait until the end, add more time.
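The evidence table above is what assessors ask for; what trips organizations up is proving months later that an artifact is the one that was collected and that nothing in scope was left uncovered. The register below is an added example, not the article's own tool or a CMMC-mandated format. It ties each artifact to the NIST SP 800-171 requirement it supports, fingerprints it with SHA-256 at collection time, and reports in-scope requirements with no evidence and artifacts older than a chosen age. The requirement ids, artifact contents, dates and the 90-day age limit are all constructed for the example.

```python
"""Evidence register for a CMMC Level 2 assessment.

Added example, not the article's own tool. Each artifact is tied to the NIST SP
800-171 requirement it supports, fingerprinted with SHA-256 when collected, and
timestamped, so the copy you hand the assessor can be shown to match what was
collected months earlier. The register also lists in-scope requirements that
still have no evidence (documentation debt) and artifacts older than a chosen
maximum age. All artifacts below are constructed in memory for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Artifact:
    requirement: str      # NIST SP 800-171 requirement id, e.g. "3.5.3"
    kind: str             # report, screenshot, log, policy, config ...
    name: str
    sha256: str           # hex digest of the artifact bytes at collection time
    collected_at: datetime


class EvidenceRegister:
    def __init__(self, in_scope: list[str]) -> None:
        self.in_scope = list(in_scope)
        self.artifacts: list[Artifact] = []

    def add(self, requirement: str, kind: str, name: str, content: bytes,
            collected_at: datetime) -> Artifact:
        # Refuse evidence for requirements outside the assessment boundary;
        # that is usually a sign the boundary itself is wrong (scope creep).
        if requirement not in self.in_scope:
            raise ValueError(f"{requirement} is not in the assessment scope")
        art = Artifact(requirement, kind, name,
                       hashlib.sha256(content).hexdigest(), collected_at)
        self.artifacts.append(art)
        return art

    @staticmethod
    def verify(art: Artifact, content: bytes) -> bool:
        """True if the bytes handed over still match the recorded digest."""
        return hashlib.sha256(content).hexdigest() == art.sha256

    def missing(self) -> list[str]:
        """In-scope requirements with no artifact at all."""
        covered = {a.requirement for a in self.artifacts}
        return [r for r in self.in_scope if r not in covered]

    def stale(self, as_of: datetime, max_age: timedelta) -> list[Artifact]:
        """Artifacts older than max_age. The age limit is the register owner's
        choice (an assumption here), not a number taken from the CMMC rule."""
        return [a for a in self.artifacts if as_of - a.collected_at > max_age]

    def coverage(self) -> float:
        """Fraction of in-scope requirements with at least one artifact."""
        return 1 - len(self.missing()) / len(self.in_scope)


# Constructed sample: five in-scope requirements and four artifacts.
IN_SCOPE = ["3.1.1", "3.3.1", "3.5.3", "3.6.1", "3.13.1"]
AS_OF = datetime(2026, 3, 1, tzinfo=timezone.utc)


def build_sample_register() -> EvidenceRegister:
    reg = EvidenceRegister(IN_SCOPE)
    reg.add("3.1.1", "report", "q1-access-review.csv",
            b"user,role,reviewed_by\nalice,admin,cso\n", AS_OF - timedelta(days=20))
    reg.add("3.5.3", "report", "mfa-enrollment.csv",
            b"user,mfa\nalice,yes\nbob,yes\n", AS_OF - timedelta(days=5))
    reg.add("3.6.1", "policy", "incident-response-plan-v3.pdf",
            b"%PDF-1.7 constructed placeholder", AS_OF - timedelta(days=200))
    reg.add("3.13.1", "config", "edge-firewall-rules.txt",
            b"deny any any\npermit tcp 10.0.0.0/8 443\n", AS_OF - timedelta(days=40))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("missing evidence:", reg.missing())            # ['3.3.1']
    print("coverage:", reg.coverage())                    # 0.8
    print("stale:", [a.name for a in reg.stale(AS_OF, timedelta(days=90))])
```

Run against the sample, the register reports 3.3.1 (audit logging) with no evidence and the incident response plan as older than the 90-day window, which is exactly the kind of finding you want to surface before the C3PAO does.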
Phase 4: Assessment scheduling (2-4 months wait time)
Here is where external dependencies hit you.
A C3PAO is a CMMC Third-Party Assessment Organization, a company accredited by the Cyber AB (the CMMC accreditation body) and authorized to conduct CMMC assessments. There are a limited number of C3PAOs, and demand exceeds supply.
The market reality is challenging right now. There aren't enough accredited C3PAOs to meet demand, and the popular ones are booked months out. As more contracts require CMMC certification, this bottleneck is getting worse, not better.
When you're ready for assessment, expect to wait 2-4 months before an assessor can start. Some organizations report longer waits during peak periods—especially around fiscal year end when everyone's trying to meet contract deadlines.
The smart move is to start talking to C3PAOs before you're actually ready. Get on their radar early. Be flexible on dates—if you can accommodate their schedule instead of demanding specific weeks, you'll get in faster. Have your documentation organized when you reach out so they know you're serious. And don't overlook smaller or newer C3PAOs. They're just as qualified, and their queues are often shorter because everyone defaults to the big names.
Phase 5: The actual assessment (1-2 weeks)
The assessment itself is relatively quick compared to the preparation.
For Level 2 certification, assessors will review your documentation, interview personnel, and examine technical controls. They verify that what you documented actually exists and works.
The assessors will spend their time reviewing your documentation against NIST 800-171 requirements, interviewing people across your organization (not just IT—they want to talk to regular users too), and examining technical controls firsthand. They're validating that what you documented actually exists and works the way you said it does.
At the end, each requirement gets a determination: MET means you demonstrated it, NOT MET means deficiencies were found, and NOT APPLICABLE means the requirement does not apply to your environment (which you must justify in your SSP). Under the CMMC rule, a limited set of NOT MET findings can be carried on a Plan of Action and Milestones (POA&M) and still produce a conditional certification, but only if your assessment score is at least 88 of 110, and the POA&M items must be closed and verified within 180 days or the conditional status lapses.
Deficiencies do come up on first-time assessments. You will usually have a chance to remediate and provide additional evidence while the assessment is open; anything left over goes on the POA&M within the limits above. The goal is not perfection on day one, but you cannot POA&M your way around the higher-weighted requirements.
What slows things down
Based on typical CMMC preparation experiences, these are the most common blockers:
Scope creep. Your CUI boundary keeps expanding as you discover more systems that touch controlled information. Define your boundary early and stick to it.
Documentation debt. You implemented controls but never documented them. Now you are reverse-engineering evidence for things done months ago.
Key person dependencies. One IT admin knows everything, and they are on vacation, quit, or too busy. Distribute knowledge across your team.
Vendor delays. Waiting on your MSP to implement controls, waiting on software vendors to enable features, waiting on cloud providers to provide attestations.
Budget surprises. Gap assessment reveals you need tools you did not budget for. Security investments get delayed waiting for next fiscal year.
Leadership buy-in issues. Security team understands the urgency, but executives do not allocate resources until the contract deadline is imminent.
What speeds things up
Organizations that finish faster share common characteristics:
Start with a clear scope. Know exactly what systems are in scope before you begin. Smaller scope means less work.
Executive sponsorship. When leadership prioritizes CMMC, resources follow. Decisions happen faster.
Dedicated resources. Assign someone to own the CMMC project. Part-time attention produces part-time results.
Existing security maturity. If you already have ISO 27001, SOC 2, or FedRAMP, you have a head start on many controls.
Early C3PAO engagement. Talk to assessors before you are ready. Understand their expectations and timeline.
Parallel workstreams. Run remediation, documentation, and evidence collection simultaneously rather than sequentially.
Managed security services. Outsource what you cannot build. Managed detection and response, managed SIEM, security operations centers.
Level 1 vs Level 2: timeline differences
CMMC Level 1 is significantly faster than Level 2.
Level 1 characteristics:
- 15 requirements, the basic safeguarding requirements of FAR 52.204-21 (vs 110 for Level 2)
- Annual self-assessment and affirmation; no third-party assessment
- For contracts involving only FCI
Level 1 self-assessment can often be completed in 4-8 weeks if you have basic security practices in place. The main work is documentation and evidence collection, not remediation.
Level 2 characteristics:
- 110 requirements aligned to NIST SP 800-171
- C3PAO assessment required for most contracts; a smaller set of contracts allow a Level 2 self-assessment
- Certification valid for 3 years, with an annual affirmation in between
- For contracts involving CUI
- Significant preparation required
Level 2 is where the 6-18 month timeline applies. The third-party assessment requirement means you cannot shortcut the process.
How to know which level you need:
- Check your contract for DFARS clause 252.204-7012 (safeguarding CUI) and 252.204-7021 (the CMMC clause, which states the required level)
- Look for CUI markings on information you receive from DoD
- Review your contract requirements document
- When in doubt, assume Level 2 if you handle anything beyond basic contract administration
Common mistakes to avoid
Mistake 1: Starting too late. The most common mistake. Organizations wait until the contract deadline is 6 months away, then discover they need 12 months of work.
Mistake 2: Underestimating remediation. Gap assessment says 60 controls need work. Organization assumes 2 months is enough. It never is.
Mistake 3: Ignoring the supply chain. Your subcontractors need CMMC too. If they are not ready, your certification does not matter.
Mistake 4: Treating documentation as an afterthought. Assessors cannot see inside your systems. They rely on documentation and evidence. Poor documentation fails assessments.
Mistake 5: Not defining CUI boundaries clearly. Vague boundaries mean expanded scope. Expanded scope means more controls to implement.
Mistake 6: Going it alone when you need help. CMMC is complex. Organizations without dedicated security staff often need external support to navigate the requirements.
Frequently asked questions
Can I self-assess for CMMC Level 1?
Yes. CMMC Level 1 allows annual self-assessment. You complete the assessment, affirm your compliance, and submit your results in SPRS. No third-party assessor required. However, you must still implement the 15 requirements and maintain evidence. A false affirmation carries serious consequences, including False Claims Act liability.
What if I miss my contract deadline?
This depends on your contracting officer and the specific contract. Some contracts have hard deadlines where non-compliance means disqualification. Others may allow temporary waivers or phased compliance. Communicate early and often with your contracting officer if you anticipate timeline issues. Waiting until the deadline to disclose problems is the worst approach.
How long is CMMC certification valid?
CMMC Level 2 certification is valid for 3 years, with an annual affirmation of continued compliance submitted in SPRS in between. Significant changes to your environment may trigger reassessment. Level 1 requires an annual self-assessment and affirmation.
What is a SPRS score and why does it matter?
Your SPRS score is a number from -203 to 110 that represents your current implementation status of NIST 800-171 controls. A score of 110 means full implementation. Each unimplemented control reduces your score based on its security impact weighting. DoD contractors must submit their SPRS score to the Supplier Performance Risk System. Contracting officers use SPRS scores in source selection decisions. A low score can cost you contracts even before CMMC certification is required.
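The scoring arithmetic behind that number is worth seeing once, because it decides both your posted score and your remediation priorities (the "remediation roadmap with priorities" deliverable from the gap assessment). The script below is an added example, not the article's tool and not an official calculator. It follows the NIST SP 800-171 DoD Assessment Methodology: start at 110, subtract each NOT MET requirement's weight (5, 3 or 1), give partial credit on 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography), and refuse to score at all when there is no System Security Plan (3.12.4). The weight table is a small constructed subset, and every value in it is an assumption to confirm against the official methodology before you rely on it; the sample findings are constructed too.

```python
"""SPRS score estimate from gap-assessment findings.

Added example, not the article's own tool. The arithmetic follows the NIST SP
800-171 DoD Assessment Methodology: start at 110 and subtract each NOT MET
requirement's weight (5, 3 or 1). Two requirements allow partial credit: 3.5.3
(MFA) and 3.13.11 (FIPS-validated cryptography) deduct 3 instead of 5 when
partially implemented. A missing System Security Plan (3.12.4 NOT MET) means the
assessment cannot be completed at all. WEIGHTS is a small constructed subset
for illustration; confirm every value against the official methodology before
using it. Requirements absent from the findings are treated as MET.
"""
from __future__ import annotations

from enum import Enum

# Constructed subset of the methodology's weight table (assumption: verify each).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.5": 3,    # least privilege
    "3.1.8": 1,    # limit unsuccessful logon attempts
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.12.4": 5,   # system security plan
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.2": 5,   # malicious code protection
}
# Deduction when the requirement is partially implemented (instead of the full 5).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


class Status(str, Enum):
    MET = "met"
    NOT_MET = "not_met"
    PARTIAL = "partial"   # only valid for the two partial-credit requirements
    NA = "na"             # justified in the SSP; scored as met


def deduction(req: str, status: Status, weights: dict[str, int] = WEIGHTS) -> int:
    """Points lost for one requirement given its assessment status."""
    if req not in weights:
        raise KeyError(f"no weight recorded for {req}")
    if status in (Status.MET, Status.NA):
        return 0
    if status is Status.PARTIAL:
        if req not in PARTIAL_DEDUCTION:
            raise ValueError(f"{req} does not allow partial credit")
        return PARTIAL_DEDUCTION[req]
    return weights[req]


def sprs_score(findings: dict[str, Status], weights: dict[str, int] = WEIGHTS) -> int:
    """Estimated SPRS score; a full assessment lands in the range -203..110."""
    if findings.get("3.12.4") is Status.NOT_MET:
        raise ValueError("no System Security Plan: assessment cannot be completed")
    return 110 - sum(deduction(r, s, weights) for r, s in findings.items())


def remediation_order(findings: dict[str, Status],
                      weights: dict[str, int] = WEIGHTS) -> list[str]:
    """Open items, highest point value first, then by requirement number."""
    open_items = [(r, deduction(r, s, weights)) for r, s in findings.items()
                  if s in (Status.NOT_MET, Status.PARTIAL)]
    return [r for r, _ in sorted(
        open_items,
        key=lambda rd: (-rd[1], tuple(int(x) for x in rd[0].split("."))))]


# Constructed gap-assessment findings for a hypothetical contractor.
SAMPLE_FINDINGS = {
    "3.1.1": Status.MET,
    "3.1.5": Status.NOT_MET,    # -3
    "3.1.8": Status.NOT_MET,    # -1
    "3.3.1": Status.NOT_MET,    # -5
    "3.5.3": Status.PARTIAL,    # -3: MFA on remote/privileged only
    "3.12.4": Status.MET,
    "3.13.11": Status.NOT_MET,  # -5: encryption present but not FIPS-validated? no, absent
    "3.14.2": Status.NA,
}

if __name__ == "__main__":
    print("estimated SPRS score:", sprs_score(SAMPLE_FINDINGS))      # 93
    print("fix first:", remediation_order(SAMPLE_FINDINGS))
```

On the sample, 17 points come off for a score of 93, and the remediation order puts the two 5-point items (audit logging and FIPS cryptography) ahead of least privilege, the partial MFA rollout and the 1-point logon lockout. Note that 3.13.11 is marked NOT MET here rather than PARTIAL; had FIPS-validated modules been in use but not everywhere, PARTIAL would halve the hit.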
Can I get certified if I have a POA&M?
For CMMC Level 2, a POA&M is allowed only within narrow limits set by the CMMC rule: only lower-weighted (1-point) requirements are eligible, with a few exceptions, your assessment score must still be at least 88 of 110, and every POA&M item must be closed and verified by a closeout assessment within 180 days. If that does not happen, the conditional certification lapses. Relying on a POA&M as a strategy is therefore risky. The goal should be full implementation before assessment.
Ready to start?
The best time to start CMMC preparation was 6 months ago. The second best time is now.
If you have a DoD contract requiring CMMC certification, begin with a gap assessment to understand your current state. Then build a realistic remediation plan with adequate time buffers. Do not assume you can compress an 18-month timeline into 6 months without significant resources.
We help defense contractors understand where they stand with CMMC. Our CMMC Boundary Snapshot gives you a clear picture of your FCI/CUI classification, system boundaries, gap analysis against all 110 NIST 800-171 controls, and estimated SPRS score. Ten business days, fixed price, no surprises.
For more on compliance timelines, see our guide on SOC 2 costs and timeline or learn about handling security questionnaires efficiently.
The bottom line
CMMC certification takes 6-18 months for most organizations. The timeline depends primarily on how much remediation work you need. Gap assessment takes 2-4 weeks. Remediation takes 3-12 months. Documentation takes 4-8 weeks. Assessor scheduling adds 2-4 months. The assessment itself is 1-2 weeks.
Start early. Define your scope clearly. Get executive buy-in. Engage assessors before you are ready. And do not underestimate the documentation requirement.
The organizations that succeed treat CMMC as a security improvement project, not a checkbox exercise. The controls exist because they improve security. Implementing them properly protects your organization and your DoD customers.