
C3PAO Wait Times and CMMC Assessment Backlog 2026: What’s Real, What’s Hype, and When to Book

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

The Defense Compliance Report is not affiliated with the U.S. Department of Defense, The Cyber AB, the CAICO, DCMA DIBCAC, or any government agency.

Last verified: June 11, 2026. Educational research, not legal, contractual, or compliance advice. Confirm your contract language, flow-down clauses, and required CMMC Status with your contracting officer, prime, counsel, or a qualified CMMC advisor before you act.

If you came here typing some version of “C3PAO wait times and CMMC assessment backlog 2026,” here’s the bottom line before you scroll: there is no official, universal C3PAO wait-time number — and much of what gets called a “backlog” right now is a readiness problem before it’s an assessor problem. A CMMC Third-Party Assessment Organization (C3PAO) is the independent firm authorized by The Cyber AB to perform your CMMC Level 2 certification assessment, and the latest Cyber AB Town Hall snapshot (May 2026) shows roughly 104 authorized C3PAOs and 988 certified assessors — a small pool, but a growing one. Here’s the tension nobody is telling you straight: the ecosystem is nowhere near maxed out today (it’s producing far below its assessor capacity), yet a federal watchdog — the Government Accountability Office (GAO) — warned in March 2026 that the Department of Defense (DoD) has no documented plan for the day demand outruns that capacity. So which problem is yours? It depends on three things: whether you even need a C3PAO assessment, how ready you are, and when your contract clock runs out. We’ll show you exactly how to tell, and what to do this week.

That gap — not maxed out now, but a real crunch building — is the whole story, and almost no one frames it honestly. Here’s why, and what it means for your calendar.

Quick decision: where you stand and what to do now

| If this is you | Do this now | Why |
|---|---|---|
| A 2026 solicitation or prime flow-down may require Level 2 (C3PAO) within ~6 months | Start calling authorized C3PAOs and run readiness in parallel | A scheduled date is not the same as a current CMMC Status — and an immature evidence package wastes the slot |
| You handle CUI but your contract only shows Level 2 (Self) today | Confirm the clause before you buy an assessment | Level 2 (Self) and Level 2 (C3PAO) are different statuses with very different costs |
| You have no scoped boundary, no SSP, no evidence | Get readiness/scoping help before booking an assessment | A C3PAO assesses; it does not remediate your environment |
| You’re assessment-ready and need eligibility in 6–9 months | Contact multiple authorized C3PAOs this week | This is the one situation where assessor scheduling really is your binding constraint |
| You’re likely Level 3 | Plan for Final Level 2 (C3PAO) first | Level 3 is DIBCAC-assessed and requires Final Level 2 (C3PAO) as a prerequisite |

Not sure which row is you? That’s the question that decides everything below — jump to the slot-timing framework to map your situation.


What are C3PAO wait times and the CMMC assessment backlog in 2026?

There is no official, published “you will wait X months” figure for any contractor. Assessment providers commonly report booking lead times of 6 to 12 months for in-demand assessors, and some industry voices project far longer scenarios as Phase 2 approaches — but those are market estimates, not regulated timelines. Your real wait depends less on a national average and more on your own readiness, your CUI scope, and which authorized C3PAOs have genuine availability for your environment.

We’ll say the uncomfortable part plainly, because no vendor selling you an assessment will: nobody publishes a real, universal C3PAO wait time. DoD and The Cyber AB define the assessment process, the certification levels, the phase schedule, and the rules assessors must follow. They do not publish a queue length. So when you see a confident “expect 18 months” or “24 to 30 months,” ask where the number came from. Almost always it traces to a single vendor’s pipeline or a back-of-envelope projection — useful as a signal, dangerous as a fact.

Here’s what the market is actually reporting, with the source and the caveat attached to every line. Treat these as field reports, not regulatory data — they vary because the underlying situations vary:

| Reported by | When | Reported timeframe | What it actually measures | Status |
|---|---|---|---|---|
| Multiple assessment providers (e.g., Ignyte, MyCMMC) | Early–mid 2026 | 6–12 months | Gap assessment → certification, or booking lead time for popular assessors | Market-reported |
| Idenhaus; others | Late 2025–2026 | 6–9 months | C3PAO scheduling lead time | Market-reported |
| Practitioner projections (e.g., Security Boulevard, PlanetSecurity) | 2026 | 24–30 months | A projected peak-risk scenario for late 2026 | Projection, not measured |
| 32 CFR § 170.17 | In force | 3-year cycle | Recertification cadence (this one is a rule) | Regulation-stated |

Now the part that reframes everything. The 2026 “backlog” is really two different problems wearing one scary headline — and confusing them is the costliest mistake you can make.

The first problem is real and happening now: by CyberSheath’s State of the DIB report (October 2025), only about 1% of the defense industrial base was fully prepared for the CMMC final rule. Most of the “waiting” you hear about isn’t companies stuck in line for assessors — it’s companies that can’t be assessed yet because their scope, documentation, and evidence aren’t ready. That’s a readiness backlog, and on the public data it’s the binding constraint for most contractors today.

The second problem is real but mostly ahead of us: at full phase-in, DoD’s own model expects roughly 118,289 companies to need a Level 2 (C3PAO) certification (more on that number below), against the ~100 authorized C3PAOs we have today. That’s a genuine assessor-supply crunch — and it’s exactly what GAO flagged. But it bites as readiness improves and the phase-in advances, not all at once in mid-2026.

The mistake almost everyone makes is treating the second problem’s frightening numbers as if they describe the first problem’s reality — then either panic-booking a slot they’re not ready for (which wastes it and risks a failed assessment) or freezing entirely. Neither is the right move. The right move is to figure out which problem is actually yours. The rest of this page does exactly that.


The real capacity math: C3PAOs, assessors, and the demand behind the headlines

As of December 2025, GAO reported The Cyber AB had authorized 92 C3PAOs; the May 2026 Town Hall snapshot showed about 104, supported by roughly 988 certified assessors. Against that, DoD’s own DFARS analysis projects 337,968 total impacted entities at full phase-in, about 35% of them — roughly 118,289 — needing a Level 2 (C3PAO) certification. The supply is small and the long-run demand is enormous, which is exactly why GAO warned DoD has not planned for a capacity shortfall. But current monthly output (about 178 certifications in March 2026) shows the system is not maxed out today.

This is the section we built this page around, because it’s the one thing the panic articles get wrong in both directions. Let’s separate supply, demand, and what’s actually flowing through the pipe — all sourced.

Supply: how many assessors exist, and how many are needed

The Cyber AB authorizes the C3PAOs and credentials the assessors. The count has climbed steadily: 88 authorized C3PAOs in November 2025, 92 by December 2025 (the figure GAO cited from DoD officials), 97 in January 2026, 98 in February, 103 by March, and roughly 104 by the May 2026 Town Hall. Certified CMMC Assessors (CCAs) — the credentialed individuals who actually perform assessments on a C3PAO’s team — grew from 688 in January to 759 in March to roughly 988 by May 2026. That’s real progress. It is also nowhere near enough by the program’s own reckoning: in December 2025, Cyber AB CEO Matthew Travis publicly estimated about 600 certified assessors then existed, roughly half eligible to lead a team, and said the program needs 2,000 to 3,000 assessors to handle anticipated volume. Read that again — the ecosystem’s own leader says it needs to roughly triple to quintuple its assessor pool.

Demand: where the scary “118,000” actually comes from

You’ve probably seen “76,000,” “80,000,” “100,000,” even “118,000 contractors need certification.” Most pages cite one of those as gospel and never source it. Here’s the truth, straight from the rules:

  • DoD’s September 10, 2025 DFARS final rule estimates 337,968 total impacted entities (primes and subcontractors) at full phase-in, including roughly 229,818 small entities.
  • Of that total, DoD’s Year-4 model projects the level mix at roughly 62% Level 1, 2% Level 2 (Self), 35% Level 2 (C3PAO), and 1% Level 3. Do the math: 35% of 337,968 is about 118,289 — and that is where “118,000” comes from. It isn’t invented. It’s DoD’s own estimate of how many companies will eventually need a third-party Level 2 certification.
  • A separate, earlier cut in the 32 CFR Part 170 final rule (October 2024) estimated 8,350 medium and large entities would need Level 2 (C3PAO) as a condition of award. That’s a narrower slice (medium and large specifically), which is why it’s so much smaller.

So the denominator depends entirely on what you’re counting. The honest framing: about 118,289 is the full-phase-in Level 2 (C3PAO) population in DoD’s own model — a destination, not a 2026 reality.

The DCR capacity-pressure snapshot

Put supply and demand side by side and the picture clarifies. We assembled this from the primary sources above and labeled what each figure is, so you can see what’s official, what’s a Cyber AB snapshot, and what’s our calculation.

| Metric | Figure | Type |
|---|---|---|
| Authorized C3PAOs (Dec 2025) | 92 | Official — GAO-26-107955, citing DoD |
| Authorized C3PAOs (May 2026) | ~104 | Cyber AB Town Hall snapshot |
| C3PAO trajectory | 88 (Nov ’25) → 92 (Dec ’25) → 97 (Jan ’26) → 98 (Feb ’26) → 103 (Mar ’26) → ~104 (May ’26) | Cyber AB / GAO |
| Certified CMMC Assessors (CCAs) | ~988 (May ’26), up from 759 (Mar ’26) | Cyber AB Town Hall snapshot |
| Assessors the program says it needs | 2,000–3,000 | Cyber AB CEO, Dec 2025 |
| New Level 2 certifications, March 2026 | ~178 | Cyber AB Town Hall snapshot |
| Cumulative Level 2 certifications (Mar 2026) | ~1,074 | Cyber AB Town Hall snapshot |
| Level 2 (C3PAO) entities at full phase-in | ~118,289 (35% of 337,968) | Official — DFARS final rule |
| DIB fully prepared for the final rule | ~1% | CyberSheath State of the DIB, Oct 2025 |
| Recertification cadence | every 3 years | Official — 32 CFR § 170.17 |

The pressure ratios — read them as signals, not forecasts. Divide the full-phase-in demand (118,289) by today’s supply and you get roughly 1,137 Level 2 (C3PAO) companies per authorized C3PAO, or about 120 per certified assessor. These are deliberately crude: they compare a long-run destination against today’s supply, which will grow. They are not a wait-time prediction. What they tell you is simpler and more useful — the gap between where demand is heading and where supply sits now is large enough that DoD’s own auditor called it out.

The throughput reality — why “the system is maxed out” is wrong today. Here’s the counterweight to the panic, and it’s the part the fear-marketing leaves out. In March 2026, the entire ecosystem produced about 178 certifications. Even a conservative read of capacity — hundreds of assessors doing a fraction of what they theoretically could — sits well above that. If assessors were the wall right now, that monthly number would be pinned at the ceiling. It isn’t. On the public data, the binding constraint in mid-2026 is how few companies are ready to walk through the door, not how few doors there are. That’s our read of the evidence, and it’s the read that should shape your timing.

If you’ve read this far and you’re still not sure whether you are genuinely ready to be assessed or whether you still have readiness work to do, that’s the most important question on this page — and it determines everything else.


Do you actually need a C3PAO assessment — or just a Level 2 self-assessment?

Not every Level 2 contractor needs a C3PAO. CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2, but the required assessment type — Level 2 (Self) or Level 2 (C3PAO) — is set by your contract. In DoD’s own Year-4 entity model, Level 2 (Self) is only about 5% of the projected Level 2 population, so most CUI work will require a C3PAO — but a self-assessment never satisfies a C3PAO requirement, and paying for a C3PAO you don’t need is wasted money.

Before you worry about a backlog, confirm you’re even in the line. This is the cheapest mistake to fix and the most expensive to ignore.

CMMC has three levels. Level 1 (15 basic safeguards from FAR 52.204-21) protects Federal Contract Information (FCI) and is an annual self-assessment. Level 2 protects Controlled Unclassified Information (CUI) and is built on the 110 requirements of NIST SP 800-171 Revision 2, organized into 14 control families and measured against the 320 assessment objectives in NIST SP 800-171A. Level 3 protects the most sensitive CUI and is assessed by the government (DIBCAC). The fork that matters for backlog risk sits inside Level 2:

|  | Level 2 (Self) | Level 2 (C3PAO) |
|---|---|---|
| Information type | CUI | CUI |
| Control set | NIST SP 800-171 Rev. 2 (110 requirements) | NIST SP 800-171 Rev. 2 (110 requirements) |
| Who assesses | You (self-assessment) | An authorized/accredited C3PAO |
| System of record | Posted in SPRS | C3PAO enters results in eMASS → transmits to SPRS |
| Cadence | Triennial assessment + annual affirmation | Triennial certification assessment + annual affirmation |
| Roughly how common (DoD Year-4 model) | ~5% of the Level 2 population | ~95% of the Level 2 population |
| The classic mistake | Assuming a self-score satisfies a C3PAO clause | Buying a C3PAO assessment when only Self is required |

Why this matters for the question that brought you here: a contractor who only needs Level 2 (Self) may be feeling backlog panic for nothing. A contractor who needs Level 2 (C3PAO) and waits too long can hit a genuine award problem — because under the DFARS rule, contracting officers verify your current CMMC Status and annual affirmation in SPRS as a condition of award, option exercise, or extension when the clause applies (48 CFR 204.7503). A “scheduled assessment” is not a status. Read your solicitation and flow-down language — or have someone read it — before you spend a dollar on assessment.


What’s the November 10, 2026 deadline really — and will you miss it if you start now?

Phase 1 of the CMMC rollout began November 10, 2025, and runs through November 9, 2026, requiring mostly Level 1 and Level 2 self-assessments at award (with Level 2 C3PAO at DoD’s discretion). Phase 2 begins November 10, 2026, when DoD intends to require Level 2 (C3PAO) certification as a condition of award for applicable solicitations — though DoD may delay that requirement to an option period instead. It is not a single national cutoff; the requirement appears in applicable new solicitations and contracts, so your real deadline is tied to the specific contracts you’re chasing.

The date everyone is circling in red is November 10, 2026. Here’s the phased schedule, set by the DFARS final rule and 32 CFR § 170.3(e):

| Phase | Starts | What it means for your timeline |
|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 and Level 2 (Self) at award where applicable; Level 2 (C3PAO) at DoD discretion |
| Phase 2 | Nov 10, 2026 | DoD intends to include Level 2 (C3PAO) as a condition of award for applicable solicitations; DoD may delay the requirement to an option period instead of award |
| Phase 3 | Nov 10, 2027 | DoD intends Level 2 (C3PAO) for all applicable solicitations/contracts as a condition of award, plus applicable option exercises; Level 3 introduced |
| Phase 4 | Nov 10, 2028 | Full implementation across applicable contracts (COTS-only excluded) |

Two nuances change how you should read that deadline. First, Phase 2 is not a date on which every defense contractor must hold a certificate. It’s the date DoD begins inserting the Level 2 (C3PAO) requirement into applicable new solicitations and contracts — and DoD retains discretion to apply it at award or push it to an option period. If you’re not bidding on a contract that carries the requirement, November 10, 2026 is not your wall. If you are, your wall is that contract’s award (or option) date — which can land with little notice. Second, the requirement expands to option exercises in Phase 3, so “we already have the contract” is not permanent cover.

Now the honest scenario math. Many practitioner and provider estimates put readiness work in the 6 to 18 month range — scoping, gap analysis, remediation, documentation, and evidence collection — depending on your scope and starting maturity. DoD’s phase-in creates the calendar pressure; DoD does not publish a universal readiness duration. If you’re starting from low maturity in mid-2026 with a contract that will require Level 2 (C3PAO) at a Phase 2 award, the math is tight. Not impossible — tight. That’s a “compress readiness and reserve a slot early” situation, not a “panic” situation. If you’ve already done a recent NIST SP 800-171 self-assessment and your gaps are small, you’re in much better shape and your real task is documentation and scheduling.


When should you book your C3PAO slot?

Book early only when you’re genuinely assessment-ready. If you’re ready, start C3PAO conversations now and lock a slot roughly 3–6 months out. If you’re mid-remediation, soft-hold a slot 4–9 months out aligned to when your POA&M work finishes. If you haven’t started, do not book an assessment yet — get readiness help first, because a slot you’re not ready for is worse than no slot. Always work backward from any contract award date through the assessment, the 180-day POA&M closeout window, and the eMASS-to-SPRS upload.

This is the decision the whole page is built to help you make, so here’s the framework we’d use, by where you actually stand:

| Your current state | Should you book a C3PAO slot now? | What to do instead, or next | Queue-risk band |
|---|---|---|---|
| Contract/prime requires Level 2 (C3PAO), award within ~6 months | Yes — contact multiple authorized C3PAOs this week | Freeze scope and evidence fast, in parallel | Critical |
| Level 2 (C3PAO) likely in 6–12 months | Start availability conversations now; soft-hold a slot | Run readiness in parallel; don’t sign the assessment SOW until ready | High |
| Level 2 (Self) today, C3PAO possible in Phase 2/3 | Not yet — confirm the clause path first | Build a C3PAO-ready evidence package anyway | Medium |
| CUI scope still unknown | No — don’t buy a formal assessment | Scope your CUI and build the SSP first | High (readiness-first, not C3PAO-first) |
| FCI only, no CUI | No C3PAO needed | Level 1 self-assessment posture | Low |
| Level 3 likely | Identify the Final Level 2 (C3PAO) prerequisite first | Then prepare for the DIBCAC path | Critical |

Use this as a worksheet right now. Find your row, note your queue-risk band, and take the matching next step below. A generic AI summary can tell you “C3PAOs may be busy.” It can’t take your award date, your scope, and your evidence maturity and tell you whether to book, prepare, or escalate. That’s what the framework above does — work through it for your specific situation.


What actually causes most C3PAO delay — and the “false start” trap most contractors miss

Most avoidable delay happens after you engage an assessor, not before. The biggest culprits are “false starts” — booking an assessment when your System Security Plan (SSP) doesn’t actually describe how your controls are implemented, or you’re missing a Customer Responsibility Matrix (CRM) for your cloud and managed-service providers — plus sloppy scope and underestimating POA&M closeout. None of those are assessor-supply problems. All of them are things you control before you book.

Here’s a counterintuitive truth from the people who run these assessments: the first “backlog” many contractors hit isn’t the C3PAO calendar. It’s their own evidence backlog. And the most expensive version is the false start — when an organization books a slot, then learns in pre-assessment that it isn’t ready, and the engagement stalls. The CMMC Assessment Process is blunt about this: if the Lead CCA determines you aren’t sufficiently prepared, they suspend the assessment — and they’re barred from giving you remedial advice on how to fix it, because doing so would conflict them out of resuming. In plain terms: show up unready and you can lose both the slot and the assessor.

Two things cause most false starts. First, an SSP that doesn’t describe implementation — contractors often implement controls reasonably well but write an SSP that doesn’t explain how each requirement is met in their specific environment, and an assessor can’t validate what the document doesn’t describe. Second, a missing or weak CRM for External Service Providers (your cloud platform, your managed IT or security provider) — if a provider handles part of your 320 assessment objectives but you can’t document who owns what, the assessment can’t proceed cleanly.

Scope is the third driver. Pressure-test your CUI boundary early. A boundary that wasn’t thought through — CUI quietly sitting in email, endpoints, file shares, an ERP, CAD files, or a supplier’s system — expands what gets assessed, which expands cost and timeline.


How the C3PAO assessment timeline works, start to finish

End to end, most contractors spend 6–18 months on readiness, then the assessment fieldwork runs roughly one to three weeks. Pass outright and you reach Final Level 2 (C3PAO). Land with qualifying gaps and you get Conditional status with up to 180 days to close a POA&M, followed by a closeout assessment, the C3PAO’s quality review, and the eMASS-to-SPRS upload that makes your status official. After that, you affirm annually and re-certify every three years.

A C3PAO assessment isn’t a single event; it’s a pipeline, and delay can live in any stage. Here’s the whole thing, with where the risk actually sits:

| Stage | What happens | Where delay comes from |
|---|---|---|
| Availability inquiry | You ask C3PAOs for their earliest scoping and assessment windows | Market capacity (the real one — for ready companies) |
| Pre-assessment planning | Scope, CAGE codes, ESP/CSP responsibilities, personnel, schedule, and an evidence-readiness check | Your readiness — most false starts surface here |
| Formal assessment | The team examines artifacts, interviews control owners, and tests against the 320 objectives in NIST SP 800-171A | Evidence quality and scope complexity |
| QA review and out-brief | The C3PAO’s internal quality review and final findings | Administrative; extends if findings are inconsistent |
| eMASS → SPRS | The C3PAO uploads results to eMASS, which transmits your status to SPRS against your CMMC unique identifier (UID) | Status/posting mechanics |
| Conditional POA&M closeout | If applicable, close eligible gaps within 180 days, then a closeout assessment | A second calendar dependency |

What needs to be ready before you take a slot

Use this as your gate — booking before these are real is how you waste the slot:

  • A current, system-specific SSP that describes how each requirement is actually implemented
  • A defined assessment scope — CUI assets, security protection assets, specialized assets
  • All CAGE codes tied to the systems being assessed, and a CMMC UID in SPRS for each FCI/CUI system
  • A CUI asset inventory and a documented CRM for every External Service Provider in scope (including FedRAMP authorization or equivalency where it applies)
  • Policies and procedures implemented, not merely drafted
  • Technical evidence: configurations, logs, screenshots, tickets, scan results
  • Control owners identified and available for interviews
  • A clear-eyed view of your POA&M exposure — what isn't met, and whether it's even POA&M-eligible
  • No independence conflict with your chosen assessor (see below)

What it costs — and is the backlog driving prices up?

DoD’s own cost analysis in the 32 CFR Part 170 final rule estimates a Level 2 (C3PAO) three-year cycle at roughly $105,000 for a small business and about $118,000 for a larger (other-than-small) business — versus roughly $37,000 to $49,000 for a Level 2 (Self) cycle. Critically, those figures cover only assessment, certification, and affirmation activities — not the cost of implementing the controls — so your real all-in number is higher. Tight timelines tend to raise total cost, which is one more reason readiness-first beats panic-booking.

| Assessment type | Entity size | DoD 3-year estimate | What’s included / excluded |
|---|---|---|---|
| Level 2 (C3PAO) | Small business | ~$104,670 | Triennial assessment + initial affirmation + two annual reaffirmations. Excludes control implementation. |
| Level 2 (C3PAO) | Other than small | ~$117,690 | Same basis as above |
| Level 2 (Self) | Small business | ~$37,000 | Triennial self-assessment + affirmations |
| Level 2 (Self) | Other than small | ~$49,000 | Same basis as above |

Source: DoD regulatory cost analysis, 32 CFR Part 170 final rule, Federal Register, October 15, 2024. Figures rounded.

Two honest caveats, both straight from the rule. First, these are DoD modeling estimates, not quotes you’ll get from a C3PAO; your actual number depends on scope, cloud and MSP complexity, and how much remediation you need. Second — and this is the part that misleads nearly every small business — DoD’s numbers explicitly exclude the cost of implementing the 110 security requirements, because the rule assumes that work was already required under DFARS 252.204-7012 and FAR 52.204-21. So the “$105,000” you’ll see quoted everywhere is the assessment cost, not the get-compliant cost. Real all-in budgets, including remediation, routinely run well beyond it. The genuine “backlog tax” isn’t a higher sticker price for the assessment — it’s the premium you pay for compressing a 12-month readiness effort into three months.


Can the same firm prepare you and assess you? The independence rule that can disqualify your assessment

No. Under The Cyber AB’s Code of Professional Conduct — which 32 CFR § 170.9 requires every C3PAO and assessor to follow — a C3PAO and every member of its assessment team are prohibited from assessing an organization they provided preparatory, advisory, or consulting services to within the previous three years, for any type of CMMC assessment. That means your readiness consultant, MSP, MSSP, GRC vendor, or enclave provider generally cannot also be your assessor. Keep readiness help and formal assessment in separate hands.

This is one of the most expensive mistakes you can make, because it can invalidate your assessment path — and a lot of vendors are fuzzy about it. The CMMC Code of Professional Conduct (CoPC) v2.0, published by The Cyber AB alongside the December 2024 final rule, prohibits a C3PAO, Certified CMMC Professional (CCP), or CCA from participating in a CMMC assessment of an organization for which they performed “any preparatory, advisory, or consulting activities… to prepare the organization for any CMMC assessment within 3 years.” The prohibition applies to the C3PAO as an organization and to every assessment team member, and it covers all CMMC assessment types. During the assessment itself, the C3PAO and team may not provide advice, implementation help, or recommendations.

Think of the roles as separate functions, and staff them separately:

  • RPO / readiness provider: prepares you (gap analysis, SSP, scoping)
  • MSP / MSSP: implements or operates controls; supports GCC High and secure-cloud environments
  • GRC / enclave provider: structures your evidence and workflow, or reduces scope (a supporting layer — not a complete CMMC solution; software alone does not satisfy CMMC)
  • C3PAO: assesses and certifies (and only this)
  • DIBCAC: assesses Level 3

Red flags that should stop you cold: “we’ll fix your gaps and certify you,” “guaranteed pass,” “use our platform and we’ll get you certified,” “no need to verify our Cyber AB status,” or any reluctance to discuss prior consulting relationships. The Code of Professional Conduct also bars C3PAOs from offering guarantees about assessment results. Anyone promising a certification outcome is telling you something the rules forbid them to promise.

And one more honest point, since you’re worried about the calendar: no one can move you up a C3PAO’s schedule — not a consultant, not a broker, not us. The CMMC Assessment Process is explicit that The Cyber AB and DoD don’t recommend or broker introductions to specific C3PAOs; assessors schedule on their own capacity. What a good partner can do is help you get ready faster so you’re not wasting a slot, and help you find an authorized assessor with genuine availability for your scope.


How to choose and verify a C3PAO before you sign

Check the Cyber AB Marketplace on the day you engage — it’s the public registry of authorized C3PAOs and credentialed professionals, and Level 2 certification assessments must be performed by an authorized or accredited C3PAO. Treat “candidate,” “in process,” or “almost certified” as not sufficient. Then confirm the firm has named assessors with real availability on your timeline, genuine experience in your CUI environment, and no independence conflict with your readiness work.

Finding the earliest slot is the wrong goal. Finding the earliest credible slot — with an authorized assessor who can actually assess your environment without a conflict — is the right one. A bad assessment fit costs more than a later date.

How to check the Cyber AB Marketplace before you sign

The Cyber AB Marketplace is the public registry of authorized and accredited C3PAOs, certified assessors, training providers, and Registered Practitioner Organizations. Do this, in order: (1) search the firm by name; (2) confirm its listing shows authorized or accredited C3PAO status — not “candidate” or “RPO only”; (3) note whether it’s listed as Authorized (interim status) or Accredited (the ISO/IEC 17020 standard C3PAOs must reach within 27 months); (4) confirm it covers Level 2 certification assessments; and (5) screenshot the listing with the date for your file. If a firm claims a status that doesn’t appear in the Marketplace, treat that as a stop sign — an assessment by an unauthorized organization will not count.

Then ask these questions before you sign anything:

| Ask the C3PAO | Why it matters |
|---|---|
| Are you currently authorized or accredited in the Cyber AB Marketplace for Level 2 assessments? | An unauthorized assessment is worthless |
| What’s your earliest scoping call and earliest formal assessment window? | Separates sales availability from real assessment availability |
| Who are the named Lead CCA, CCA, and QA on my engagement? | Named-team capacity is the real constraint, not the firm’s headcount |
| Has anyone on the team provided us consulting or product services in the last three years? | The independence prohibition can disqualify the engagement |
| What environments do you regularly assess — GCC High, AWS GovCloud, on-prem, hybrid, manufacturing, OT, CAD/CAM? | Scope-fit drives efficiency and accuracy |
| What evidence package do you require before pre-assessment? | Prevents a false start |
| How do you handle ESP/CSP responsibility matrices? | ESP gaps break timelines |
| Do you support POA&M closeout within my contract deadline? | Conditional status creates a second deadline |
| How and when do results move into eMASS and SPRS against my CMMC UID? | Your status posting determines award eligibility |
| What’s fixed-fee vs. T&M, and what triggers change orders? | Cost control |
| What happens if you determine in pre-assessment that we’re not ready? | Surfaces false-start risk early |
| What’s your appeal process? | Buyer protection |

Two situations that need a different play: prime pressure, and starting late

If your prime is demanding a C3PAO date you can’t yet hit, don’t promise a certification you don’t have — give them a precise status package and push for clause clarity. If you’re starting late, your first move is usually rapid scoping and readiness triage, not an assessment slot; the right sequence is readiness/RPO/MSP first, C3PAO second.

When a prime is leaning on you for a date

Primes are responsible for verifying that subcontractors hold the required CMMC Status before award where the clause flows down (32 CFR § 170.23), so the pressure is real. But promising a certification you don’t have is the worst possible move — a status statement that conflicts with your SPRS posting or annual affirmation can create serious legal and contractual exposure, including under the civil False Claims Act, which the Department of Justice has used to pursue contractors over cybersecurity attestations. Have counsel review any status representation before you send it.

When you’re already late

Late is not helpless. If you handle CUI and have no scoped SSP or evidence package, an assessment slot is almost never your first move — rapid scoping and readiness triage are. A workable two-week triage: pull the solicitation/flow-down and identify the required CMMC Status (day 1); locate your FCI and CUI and where they live (day 2); determine whether Level 2 (Self) or Level 2 (C3PAO) is likely (day 3); draft or update your assessment scope (days 4–5); review SSP and evidence maturity (days 6–7); map ESP/CSP dependencies (day 8); check POA&M exposure (day 9); verify provider independence constraints (day 10); contact C3PAOs for real availability if Level 2 (C3PAO) is likely (day 11); engage readiness/RPO/MSP support if your evidence is immature (day 12); build your prime-facing status package (day 13); and decide — assess, remediate, narrow scope, or escalate the contract question (day 14).


Level 3 candidates and the backlog

If you’re heading for Level 3, treat Final Level 2 (C3PAO) as a prerequisite — and a compounding timing risk. Under 32 CFR § 170.18, Level 3 requires you to first achieve Final Level 2 (C3PAO), then pass a separate assessment by DCMA’s DIBCAC against 24 enhanced requirements selected from NIST SP 800-172 (the February 2021 version). You face two calendar dependencies, not one.

Level 3 stacks on top of Level 2: you need a Final Level 2 (C3PAO) certification covering the Level 3 scope before DIBCAC will assess you. So the C3PAO backlog matters to you twice over — your Level 2 certification is the gate to your Level 3 assessment.

One precision point that trips people up, and that we want to get exactly right: NIST published SP 800-172 Revision 3 in May 2026, superseding the February 2021 version. That does not change CMMC. Level 3 is still assessed against the 24 requirements DoD selected from the February 2021 SP 800-172, as written in 32 CFR § 170.18, and Level 2 is still assessed against NIST SP 800-171 Revision 2 — unless and until DoD amends the rule through formal rulemaking. NIST publishing a revision tells you where the framework is heading, not where it is today. Don’t let a vendor talk you into preparing against Rev. 3 baselines; CMMC assessments still run against the current ones.


What we verified for this page

We separate four kinds of claims here: verified regulatory facts, government-documented capacity evidence, Cyber AB process requirements, and market-reported wait-time estimates. We label which is which, because on a topic this expensive you deserve to see what’s sourced, what’s calculated, and what still needs checking before you act.

Verified to primary or authoritative sources (as of June 11, 2026)

  • 32 CFR Part 170 — the C3PAO definition (§ 170.4); CMMC levels, phase structure (§ 170.3(e)), Level 2 and Level 3 requirements, Conditional status, the 180-day POA&M window (§§ 170.17, 170.21), eMASS-to-SPRS transmission, annual affirmations, flow-down (§ 170.23), and the C3PAO conflict-of-interest/Code-of-Conduct obligations (§§ 170.9, 170.8(b)(17)). Effective December 16, 2024.
  • DFARS final rule (252.204-7021 clause; 252.204-7025 solicitation provision) — effective November 10, 2025; the 337,968 / ~229,818 small-entity demand estimates and the Year-4 level mix (~35% Level 2 C3PAO ≈ 118,289), confirmed directly in the September 10, 2025 rule.
  • GAO-26-107955 (March 12, 2026) — the 92-C3PAO December 2025 count and the formal finding that DoD has not documented a plan for an ecosystem-capacity shortfall.
  • CMMC Code of Professional Conduct v2.0 — the three-year consulting/advisory prohibition.
  • NIST CSRC — SP 800-171 Rev. 2 as the controlling Level 2 baseline; the February 2021 SP 800-172 as the controlling Level 3 source, superseded by Rev. 3 in May 2026 (which CMMC has not adopted).
  • 32 CFR Part 170 cost analysis (Federal Register, October 15, 2024) — the rounded Level 2 (C3PAO) and Level 2 (Self) three-year estimates, which exclude control-implementation costs.
  • CyberSheath State of the DIB (October 2025) — the ~1% readiness figure.

Needs manual re-verification before you rely on it

  • The current Cyber AB Marketplace count of authorized/accredited C3PAOs and assessors. We use the May 2026 Town Hall snapshot here; the newest Town Hall supersedes it, and the live Marketplace is the source of truth for any individual firm.
  • Current real C3PAO availability — only direct outreach gives you that.
  • Any named provider's status, which must be verified in the Marketplace on the day you engage.
  • Cost ranges, which reflect DoD modeling and market conditions at time of publication.

We re-check phase dates, rule text, Cyber AB Marketplace status, and capacity signals at least quarterly, and monthly during the Phase 2 rollout.


Frequently asked questions

Are C3PAOs booked out in 2026?

Some providers report booking lead times of several months to a year for in-demand assessors, and GAO has formally flagged private-sector assessor capacity as a CMMC implementation risk. But there’s no official universal wait-time number, and current monthly certification output sits below ecosystem capacity — so verify real availability with multiple authorized C3PAOs rather than trusting an average.

Is there an official C3PAO wait-time number?

No. The primary sources define the assessment process, phase timing, statuses, affirmations, and assessor requirements — not a single queue length for all contractors. Your wait depends on your readiness, your CUI scope, and which authorized C3PAOs have availability for your environment.

When does CMMC Phase 2 start?

Phase 2 begins November 10, 2026, one year after Phase 1 began on November 10, 2025. In Phase 2, DoD intends to require Level 2 (C3PAO) certification as a condition of award for applicable solicitations, with discretion to apply the requirement at an option period instead.

Does every Level 2 contractor need a C3PAO?

No. Level 2 can be Level 2 (Self) or Level 2 (C3PAO) depending on the contract. Both map to NIST SP 800-171 Revision 2, but in DoD’s Year-4 model only about 5% of the Level 2 population self-assesses, and a self-assessment never satisfies a C3PAO requirement.

Can I win an award with Conditional Level 2?

Conditional Level 2 (C3PAO) can satisfy eligibility only when the rule’s conditions are met, your affirmation is submitted, and your POA&M is closed within the 180-day window. It is not a blanket workaround for incomplete compliance, and relying on it as a scheduling tactic creates a second assessment dependency.

How long is Final Level 2 (C3PAO) valid?

It’s tied to a three-year certification cycle, with an annual affirmation required in between (32 CFR § 170.17).

Does the C3PAO submit my results to SPRS?

For Level 2 (C3PAO), the C3PAO enters results into the CMMC instance of eMASS, which transmits your status to SPRS against your CMMC unique identifier (UID).

Can a C3PAO fix my gaps for me?

No. During the assessment, the C3PAO and its team can’t provide advice, implementation help, or recommendations. Separately, the Code of Professional Conduct bars a C3PAO from assessing any organization it provided consulting, advisory, or preparatory services to within the previous three years.

Should I contact more than one C3PAO?

Yes, if you’re likely to need Level 2 (C3PAO). Contacting several authorized assessors lets you compare real availability, scope fit, named-team capacity, and POA&M closeout support.

What if I’m not ready yet?

Don’t buy a formal assessment just to “get on the calendar.” Start scoping, readiness, and evidence work immediately, and learn real C3PAO availability in parallel — but book the assessment only when you can pass it.



Primary sources & further reading

  • GAO-26-107955, Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation (Mar 12, 2026) — gao.gov/products/gao-26-107955
  • Federal Register, CMMC Program final rule, 32 CFR Part 170, incl. cost analysis (Oct 15, 2024) — federalregister.gov
  • Federal Register, DFARS final rule, DFARS Case 2019-D041 (Sept 10, 2025) — federalregister.gov
  • eCFR, 32 CFR Part 170 — §§ 170.3(e) (phases), 170.4 (definitions), 170.9 / 170.8(b)(17) (C3PAO/COI), 170.17 (Level 2 cert, eMASS→SPRS, Conditional/Final), 170.18 (Level 3), 170.21 (POA&M 180-day), 170.23 (flow-down) — ecfr.gov
  • eCFR, 48 CFR Part 204 Subpart 204.75 (CMMC acquisition; § 204.7503 award/option SPRS checks)
  • DFARS 252.204-7012, -7019, -7020, -7021, -7025 (CUI safeguarding, NIST SP 800-171 obligations, SPRS posting, CMMC contract clause, solicitation provision) — acquisition.gov
  • DoD CIO CMMC program page — dodcio.defense.gov/CMMC/About
  • The Cyber AB — Code of Professional Conduct v2.0; CMMC Assessment Process (CAP) v2.0; R2001/R2002 C3PAO authorization & accreditation requirements; the CMMC Marketplace — cyberab.org
  • NIST CSRC — SP 800-171 Rev. 2; SP 800-172 (Feb 2021) and SP 800-172 Rev. 3 — csrc.nist.gov
  • Cyber AB Town Hall snapshots (Nov 2025–May 2026)
  • CyberSheath, State of the DIB (Oct 2025) — readiness data