CMMC Readiness Assessment Services: What to Get Before a Formal Assessment
CMMC readiness assessment services are a diagnostic engagement that maps your current cybersecurity posture against the Cybersecurity Maturity Model Certification (CMMC) Level you'll actually be assessed at. For the vast majority of defense contractors that handle Controlled Unclassified Information (CUI), that means Level 2 — the 110 security requirements in NIST Special Publication 800-171 Revision 2, evaluated per the assessment objectives in NIST SP 800-171A. A readiness assessment tells you how many of those requirements you actually meet today, which ones will cause a finding, and what has to happen before you schedule a formal assessment.
We've read the regulations — 32 CFR Part 170 (the CMMC Program Rule, effective December 16, 2024) and the DFARS Final Rule (effective November 10, 2025) — and we've pulled the actual cost estimates the Department of Defense filed with the Federal Register. Here's what the regulations say, what the market charges, and what most service pages won't tell you.
The thing most service pages leave out: a poorly scoped readiness assessment can actually make you less ready, by giving you a confident spreadsheet score that papers over scope, evidence, and System Security Plan (SSP) problems. The point of this page is to make sure that doesn't happen to you.
The bottom line, on one screen
For a Level 2 path, expect a real readiness engagement to run 6 to 20 weeks, cost $15,000 to $60,000+ in advisory work (remediation is separate and is usually the largest line item on the full path), and deliver a defined package: a scoped CUI asset inventory, an SSP draft or refresh, a Plan of Action & Milestones (POA&M), a Supplier Performance Risk System (SPRS) score calculation, an evidence collection plan tied to NIST SP 800-171A objectives, and a prioritized remediation roadmap.
The one rule that catches contractors off-guard: under the Cyber AB CoPC v2.0, a Certified Third-Party Assessment Organization (C3PAO) — at the organizational level and the Assessment Team member level — cannot participate in your Level 2 certification assessment if it provided preparatory, advisory, or consulting work for any CMMC assessment of your organization within the prior three years. That's not a “same engagement” rule. It's a three-year look-back. We decode the rule in detail below.
If this is your situation, here's where to start
| Your situation | Best first move | Do not do this first |
|---|---|---|
| You handle Federal Contract Information (FCI) only — no CUI | Confirm Level 1 self-assessment path against the 15 safeguards in FAR 52.204-21 | Buy a Level 2 readiness program before confirming you don't touch CUI |
| You handle CUI but the boundary is fuzzy | Scope CUI flow and define your assessment boundary before any tooling decision | Let a vendor quote your whole company sight-unseen |
| Level 2 self-assessment is your likely path | Build a defensible SSP, calculate your score, prep your SPRS posting, lock the evidence map | Assume “self-assessed” means informal |
| Level 2 C3PAO is your likely path | Engage readiness help before you schedule the formal assessment — and keep that readiness provider's three-year COI window clear of your future C3PAO | Hire the firm you intend to use as your certifier to also remediate your environment |
| You're already in GCC High, AWS GovCloud, or another enclave | Build your shared responsibility matrix and inheritance evidence | Assume cloud compliance equals CMMC compliance |
| A prime has hit you with a flow-down | Identify the exact clause, CUI flow, sub-tier obligations, and timeline | Guess your way through their security questionnaire |
What CMMC readiness assessment services actually are
A CMMC readiness assessment service is a structured diagnostic engagement that determines how close your organization is to passing the formal assessment required by your applicable CMMC Level — before the official assessment by a C3PAO at Level 2, or by DCMA DIBCAC (the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center) at Level 3. It produces deliverables, not certifications.
Three things every real readiness engagement should accomplish:
First, it pins down your scope. A CUI/FCI data flow analysis identifies which assets process, store, or transmit covered information, then categorizes every in-scope system per 32 CFR § 170.19: CUI Assets, Security Protection Assets (assets that protect the CUI environment), Contractor Risk Managed Assets, Specialized Assets (Government Furnished Equipment, IoT, OT), and Out-of-Scope Assets. Scope determines evidence depth — and a miscategorized asset in either direction causes a finding.
Second, it produces a defensible documentation package. The minimum: SSP, POA&M, SPRS score calculation, evidence collection plan, and remediation roadmap. 32 CFR § 170.24(c)(2)(ii)(5) explicitly states that the absence of an up-to-date SSP at the time of assessment results in a finding that the assessment could not be completed due to incomplete information and noncompliance with the security requirements.
Third, it gives you a go / remediate / rescope decision. A real readiness assessment ends with a documented recommendation about whether you should schedule the formal assessment now, fix specific issues first, or rescope before doing either.
What it is not: a generic cybersecurity audit, a vulnerability scan, a policy template dump, or a tool dashboard.
Gap analysis, readiness assessment, mock assessment, self-assessment, C3PAO assessment, DIBCAC assessment — what the terms actually mean
These terms get used interchangeably by vendors but they mean different things in the CMMC ecosystem. A gap analysis identifies unmet controls. A readiness assessment is broader — it includes the gap analysis plus scoping, documentation, and a remediation roadmap. A mock assessment simulates a C3PAO assessment using the CMMC Assessment Process (CAP) methods of interview, examine, and test. A self-assessment is the formal Level 1 or Level 2 (Self) path the contractor conducts internally and posts to SPRS. A C3PAO assessment is the authorized independent third-party Level 2 certification. A DIBCAC assessment is the government-run Level 3 certification.
| Term | What it is | Who can do it | Formal CMMC status? |
|---|---|---|---|
| Gap analysis | Requirement-by-requirement comparison against a control set | Internal team, consultant, RPO, MSP, or a C3PAO acting in advisory role (subject to COI rules) | No |
| Readiness assessment | Scope + gap analysis + documentation + evidence + remediation roadmap | RPO, non-C3PAO consultant, or a C3PAO that will not be your certifier within the COI window | No |
| Mock assessment | Simulated C3PAO assessment using CAP methods | RPO, consultant, or an independent C3PAO not engaged as your certifier | No |
| Self-assessment | Contractor-led formal assessment for Level 1 (annual) or Level 2 (Self), posted to SPRS, affirmed by the Affirming Official | The contractor itself | Yes (Level 1 Self, Level 2 Self) |
| C3PAO assessment | Authorized independent third-party Level 2 certification | Authorized C3PAOs listed on the Cyber AB Marketplace | Yes (Level 2 C3PAO) |
| DIBCAC assessment | Government Level 3 certification | DCMA DIBCAC | Yes (Level 3) |
The methodology and findings matter for one reason: the C3PAO assessment scores at the security-requirement level. Under § 170.24, each of the 110 Level 2 security requirements results in a finding of MET, NOT MET, or N/A, and partial implementation is credited only in narrowly defined cases (the rule specifically cites multi-factor authentication as one). The gap between “almost compliant” and “MET” can be the difference between a Conditional status and a failed assessment.
The DCR Output-to-Rule Mapper: what a real readiness package delivers, with primary sources
A real readiness engagement delivers a structured set of artifacts, each tied to a specific regulatory or technical source. The Output-to-Rule Mapper below is original work by The Defense Compliance Report Editorial Team — assembled from the CMMC Program Rule, NIST publications, DFARS clauses, SPRS documentation, and the Cyber AB CMMC Assessment Process. If a provider can't tell you which of these outputs is in their scope, walk.
| Deliverable | What it does | Primary source |
|---|---|---|
| CUI / FCI data flow + assessment boundary | Defines what's in scope | 32 CFR § 170.19 (CMMC Scoping); FAR 52.204-21 for Level 1 FCI scope |
| Asset inventory with categorization (CUI, Security Protection, Contractor Risk Managed, Specialized, Out-of-Scope) | Drives evidence depth per asset (Level 2 and Level 3 only) | 32 CFR § 170.19 |
| Gap analysis against the control set | Identifies unmet requirements | FAR 52.204-21 (15 safeguards) for Level 1; NIST SP 800-171 Rev. 2 (110 requirements / 14 families) for Level 2; NIST SP 800-172 selected requirements for Level 3 |
| System Security Plan (SSP) — draft or refresh | The central artifact every assessment depends on | 32 CFR § 170.24(c)(2)(ii)(5) — an up-to-date SSP is required at the time of assessment |
| POA&M (Plan of Action & Milestones) | Tracks gaps and closure | 32 CFR § 170.21 — Level 1 does not permit POA&M; Level 2 permits POA&M on a narrow set of requirements; POA&M closeout must occur within 180 days of the Conditional CMMC Status Date |
| SPRS score calculation and posting | Self path: OSA uploads results into SPRS. C3PAO path: results go through eMASS and transmit to SPRS. | § 170.16 (Level 2 Self); § 170.17 (Level 2 C3PAO); DFARS 252.204-7019 and -7020 |
| Evidence collection plan (artifacts mapped to assessment objectives) | Defensible support for each requirement | NIST SP 800-171A assessment methods: interview, examine, test |
| External Service Provider (ESP) / Cloud Service Provider (CSP) responsibility matrix | Inheritance and shared responsibility | 32 CFR § 170.19; DFARS 252.204-7012 — FedRAMP Moderate equivalency for CSPs handling Covered Defense Information |
| C3PAO independence check | Confirms readiness provider does not create an Assessment Team conflict within the three-year COI window | Cyber AB CoPC v2.0; CMMC Assessment Process |
| Affirming Official briefing | Annual affirmation under DFARS 252.204-7021 carries personal accountability | 32 CFR Part 170 (Affirming Official requirements); DFARS 252.204-7021 |
| Readiness decision: proceed / remediate / rescope | The go-or-not call | Editorial judgment based on the verified evidence above |
This mapper is what separates a real readiness engagement from a glossy report. We use it ourselves when we evaluate providers for our matching service. You can use the same structure to evaluate any prospective vendor: if their SOW doesn't enumerate these outputs by name with sources, the SOW isn't done.
Download the free CMMC Readiness SOW Checklist (PDF) — A 5-page checklist mapped to the deliverables above and NIST SP 800-171A assessment methods. Hand it to any prospective provider before you sign.
Which DFARS clause triggered your CMMC readiness work?
Most contractors don't search for “CMMC readiness assessment services” out of academic interest. A specific contract clause, solicitation provision, or flow-down sent them looking. Five DFARS provisions plus one FAR clause do the actual work. Identifying yours is the first step in scoping the engagement.
| Clause or provision | What it does | When it triggers |
|---|---|---|
| FAR 52.204-21 — Basic Safeguarding of Covered Contractor Information Systems | The 15 basic safeguards that underpin Level 1 (FCI) | Whenever a contract involves Federal Contract Information |
| DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting | Requires NIST SP 800-171 safeguards for Covered Defense Information; sets FedRAMP Moderate equivalency for CSPs; requires 72-hour cyber incident reporting | Whenever a contract involves Covered Defense Information / CUI |
| DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements | Notifies offerors of NIST SP 800-171 assessment posting requirements in SPRS | Solicitations where a current SPRS score is a condition of award |
| DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements | Requires contractors to maintain a current NIST SP 800-171 assessment in SPRS and grant DoD access for higher-level assessments | In contracts where covered information is in performance |
| DFARS 252.204-7021 — Contractor Compliance With CMMC Level Requirements | The active contract clause requiring a current CMMC certificate or status at the level required; governs flow-down and continuing compliance | When a contract requires a specific CMMC level (effective Nov 10, 2025) |
| DFARS 252.204-7025 — Notice of CMMC Level Requirements | The solicitation provision that names the required CMMC level and makes status a condition of award | In solicitations expected to result in contracts containing 252.204-7021 (effective Nov 10, 2025) |
If you see -7025 in a solicitation, -7021 is coming in the resulting contract. If your contract already has -7012 without -7021, you're in the pre-CMMC NIST SP 800-171 regime — the readiness work overlaps substantially but the assessment path differs. Bring the exact clause text (or clause number) into the readiness scoping conversation; don't paraphrase.
Who can perform a CMMC readiness assessment — and the three-year independence rule
Readiness assessments can be performed by Registered Provider Organizations (RPOs), non-RPO consultants, Managed Service Providers (MSPs) or Managed Security Service Providers (MSSPs), internal teams, or a C3PAO — with a critical caveat. Under the Cyber AB CoPC v2.0, a C3PAO at the organizational level and any of its Assessment Team members cannot participate in your Level 2 certification assessment if they provided preparatory, advisory, or consulting activities for any CMMC assessment of your organization within the prior three years. This is a three-year look-back, not a “same engagement” rule.
This is the rule that confuses everyone, including a lot of MSPs. Let's break it down precisely.
What the CoPC actually says
The Cyber AB CoPC v2.0 — the authoritative ethics document for the CMMC ecosystem — gives a concrete example: a consultant who served an organization preparing for a Level 1 self-assessment two years ago is precluded from serving on a C3PAO Assessment Team performing that organization's Level 2 certification assessment, until the three-year prohibition term has expired. The prohibition applies to the C3PAO as an organization and to all of its Assessment Team members. It covers any preparatory, advisory, or consulting activities for any type of CMMC assessment.
What it does not say: that a C3PAO can never perform readiness-style work, or that a C3PAO that does readiness for Client A can't certify Client B. Several authorized C3PAOs run a readiness or pre-assessment practice and a certification practice as separable engagement lines. They simply don't take the same client into both within the three-year window.
The Cyber AB CMMC Assessment Process (CAP) adds another constraint: a C3PAO conducting any preparatory engagement cannot offer remediation advice, recommendations, or implementation support — doing so would prohibit the C3PAO from resuming the assessment for that OSC.
What this means practically
- If you hire an RPO for readiness, there's no certification-assessor conflict downstream. RPOs are not certifiers.
- If you hire a C3PAO for readiness or mock work, that firm — and every assessor on the team — is now ineligible to participate in your Level 2 certification for three years. Fine — there are 100+ other authorized C3PAOs you can use for certification.
- If you hire an MSP or MSSP without RPO status, they can do readiness work, but verify they have CMMC-fluent personnel (Certified CMMC Professional, Registered Practitioner) rather than generic IT staff.
- Internal-only readiness is allowed but rarely sufficient at scale without an external pressure-test before the formal assessment.
Watch the words. “Pre-assessment,” “readiness,” “mock,” and “gap analysis” can be performed by a C3PAO within strict CoPC limits — but the moment that firm crosses into advisory or implementation work, the three-year clock starts on their ability to participate in your certification. If a vendor tells you they'll handle “everything, including the assessment,” that's the disqualifier. They either don't understand the rule or are hoping you don't.
Provider type decision matrix
No single provider category solves every CMMC readiness problem. RPOs and readiness consultants usually fit scoping, SSP, POA&M, and evidence work. MSSPs and MSPs fit operational control support — MFA, endpoint, logging, SIEM, incident response — and ongoing control operation. GRC platforms fit workflow and evidence tracking. CUI enclaves fit scope reduction. C3PAOs fit formal Level 2 certification assessments — and pre-assessment work only within strict CoPC limits.
| Provider category | Authorized by Cyber AB? | Best fit | Independence / conflict risk | What to verify |
|---|---|---|---|---|
| Registered Provider Organization (RPO) | Yes — listed on Cyber AB Marketplace | Scoping, gap analysis, SSP, POA&M, evidence roadmap, readiness coaching | None — RPOs are not certifiers | Marketplace status, DIB engagement history, Rev. 2 alignment, CCP or RP staff on the team |
| C3PAO (acting in readiness role) | Yes — authorized or accredited status on Marketplace | Mock assessments and limited pre-assessment work when you have a different C3PAO lined up for certification | High — triggers a three-year CoPC prohibition on that C3PAO and its Assessment Team members participating in your certification | Current authorized/accredited status (not legacy “pre-authorized” marketing language), Assessment Team qualifications, written COI plan, written commitment they will not certify your engagement within the window |
| MSSP / MSP (without RPO status) | Not necessarily | MFA, endpoint, logging/SIEM, vulnerability management, monitoring, incident response, ongoing control operation | Generally low for the MSP itself; high if the MSP is also affiliated with the C3PAO you intend to use as your certifier | CMMC-fluent personnel, CUI environment support, DFARS 252.204-7012 incident reporting capability, ESP/CSP scope documentation |
| GRC platform | N/A — software vendors aren't credentialed by the Cyber AB | Workflow, control mapping, evidence collection, dashboards, tasking | None for the platform itself | Current CMMC / NIST SP 800-171 Rev. 2 mapping, evidence export, SSP/POA&M support, integration with your stack |
| CUI enclave / secure cloud | N/A — enclave providers aren't Cyber AB credentialed; underlying cloud may be FedRAMP authorized | Scope reduction by isolating CUI workflows (GCC High, AWS GovCloud, dedicated enclaves) | None for the enclave itself | FedRAMP authorization status, shared responsibility documentation, customer responsibility matrix, DFARS 252.204-7012 alignment |
| Internal team only | N/A | Mature organizations with strong security, compliance, and documentation capacity | None | Independence of internal reviewers, evidence quality, fluency in NIST SP 800-171A methods |
For most contractors with a Level 2 path and limited internal CMMC fluency, the right combination is: an RPO for readiness + an MSSP/MSP for operational controls + a CUI enclave where it reduces scope + a separate C3PAO for certification. The wrong combination is any vendor offering all of those services as one bundle that ends with their own C3PAO doing your certification.
Do you need a readiness assessment for Level 2 (Self) vs. Level 2 (C3PAO)?
In almost every Level 2 case, yes — but the depth differs. A Level 2 self-assessment is conducted by your own team, posted to SPRS under § 170.16, and affirmed by your designated Affirming Official. A Level 2 C3PAO assessment is conducted by an authorized independent third party; results go through the CMMC instantiation of eMASS and transmit to SPRS under § 170.17. The control bar is the same — 110 NIST SP 800-171 Rev. 2 requirements evaluated against the assessment objectives in NIST SP 800-171A. Only the verifier and the submission path change.
Self-assessment is not a leniency. The scoring methodology in § 170.24, the SPRS posting, and the Affirming Official affirmation all carry contractual consequences if the posted representation is later found to be materially inaccurate. A clean readiness engagement before either path protects you from a posting you can't defend.
A practical distinction:
- For Level 2 (Self) organizations, readiness work often emphasizes SSP completeness, score calculation, evidence sufficiency for self-verification, and Affirming Official briefing. Mock assessment is recommended but not always required.
- For Level 2 (C3PAO) organizations, mock assessment using CAP methods is strongly recommended. The failure cost is much higher — a failed C3PAO assessment means paying for remediation, re-scheduling against finite C3PAO capacity, and a reassessment.
If your contract or solicitation specifies Level 2 (C3PAO), you cannot self-assess your way to certification. That status only comes from an authorized C3PAO and is reflected in DFARS 252.204-7021.
What a CMMC readiness assessment actually costs in 2026
Two cost realities apply here, and most pages blur them. The DoD's Federal Register estimates set a regulatory baseline for assessment and affirmation costs. The market for readiness engagements — the advisory work before the formal assessment — is separate, scoped to your environment, and falls in a $15,000 to $60,000+ range for Level 2 advisory work alone, per our review of public vendor pricing. Remediation is its own line item and is typically the largest single cost on the path to certification.
What the DoD itself estimated
The CMMC Final Rule (32 CFR Part 170) included a regulatory impact analysis filed with the Federal Register. These are the DoD's own estimates of compliance and assessment burden, expressed per entity:
| Path | Small entity estimate | Other-than-small estimate | Three-year cost (small / other) |
|---|---|---|---|
| Level 1 self-assessment + annual affirmation | ~$5,977 | ~$4,042 | — |
| Level 2 self-assessment + affirmation | ~$34,277 | ~$43,403 | $37,196 / $48,827 |
| Level 2 C3PAO certification + affirmation | ~$101,752 | ~$112,345 | $104,670 / $117,768 |
The DoD also disclosed its underlying C3PAO labor assumption: roughly 120 hours of C3PAO labor for a small-entity assessment and 200 hours for an other-than-small assessment, at an assumed rate of $260.28 per hour ($31,234 and $52,056 respectively).
These are regulatory estimates, not market quotes. They reflect what DoD modeled to justify the rule. Real-world C3PAO assessment quotes vary by scope, environment, geographic dispersion, evidence maturity, and scheduling pressure. Use the Federal Register numbers as a sanity-check anchor — if your quote diverges sharply in either direction, ask the provider why.
What the market charges for readiness advisory work
The DCR market ranges below are editorial estimates drawn from published vendor pricing across more than a dozen RPOs, consultants, and authorized C3PAOs operating in the readiness space, reviewed in Q1–Q2 2026. They are not official CMMC costs and should be treated as benchmarks, not quotes:
| Profile | Employees | Environment | Starting maturity | DCR-observed readiness range (advisory only, excluding remediation) |
|---|---|---|---|---|
| Small / mature / cloud-enclave | <50 | GCC High or AWS GovCloud | Strong baseline | $10,000 – $20,000 |
| Small / mid-maturity | <50 | Hybrid | Moderate | $15,000 – $30,000 |
| Mid / low-maturity | 50–250 | Hybrid or on-prem | Limited NIST work | $25,000 – $50,000 |
| Mid / multi-site | 50–250 | Multiple environments | Mixed | $35,000 – $60,000+ |
| Large / multi-segment | 250+ | Complex | Varies | $50,000 – $150,000+ |
| Level 3 readiness | Any | Often segmented enclave | Already Level 2 ready | Higher — adds NIST SP 800-172 work and enclave scoping |
What drives the high end: multiple CAGE codes, multiple sites, legacy on-prem, no prior NIST 800-171 work, complex CUI flows with external partners, and aggressive timelines. What drives the low end: a single enclave, mature SOC 2 or ISO 27001 baseline, internal compliance staff, narrow CUI footprint.
What readiness quotes do not include
Almost universally, a readiness quote does not include:
- Remediation labor to close gaps the assessment identifies. This is typically the largest single cost on the full path.
- Tool purchases — SIEM, EDR, MFA, logging infrastructure, encryption at rest, mobile device management.
- Cloud migration to GCC High, AWS GovCloud, or another enclave.
- The C3PAO certification assessment itself — see the DoD estimates above.
- Ongoing managed services to sustain the controls after certification.
When you compare quotes, normalize against the same scope, the same Level, the same deliverables, and the same inclusion of remediation versus advisory-only.
Realistic timeline for a CMMC readiness assessment
Most small-to-midsize contractors complete a Level 2 readiness assessment in 4 to 12 weeks. Larger or low-maturity organizations take 12 to 20 weeks, sometimes longer. The duration is driven by environment complexity, scope of CUI, internal staff availability for interviews and evidence collection, and how much remediation is folded into the engagement.
Plan backward from the first solicitation, contract award, or option period that will require a posted SPRS score or certification status. Don't plan backward from “we want to be ready by year-end.” DoD program offices decide which solicitations get CMMC clauses during the phase-in, and that calendar drives your timeline.
| Phase | Typical duration | What happens |
|---|---|---|
| 1. CUI scoping + asset inventory | 1–3 weeks | Identify CUI/FCI flows, categorize assets per § 170.19, define the assessment boundary |
| 2. Gap analysis against NIST SP 800-171 Rev. 2 | 2–4 weeks | Interview, examine, test against the 110 requirements and 800-171A objectives |
| 3. SSP draft or refresh + POA&M | 2–6 weeks | Document each control's implementation; build the POA&M for remaining gaps |
| 4. Evidence collection plan | Ongoing | Map each objective to artifacts: screenshots, configurations, signed policies, training records |
| 5. SPRS score calculation + posting plan | 1 week | Calculate, post, and prepare the Affirming Official |
| 6. Optional mock assessment | 1–2 weeks | Simulated C3PAO assessment; go / no-go recommendation |
Remediation work between Phase 3 and Phase 6 is almost always the longest interval — and it is not part of the readiness assessment price quote. Treat the readiness engagement as the diagnostic; budget separately for the implementation work that closes the gaps it finds.
The CMMC Final Rule and Phase timing — why readiness can't wait
The CMMC Program Rule (32 CFR Part 170) became effective December 16, 2024. The DFARS implementation rule (48 CFR) became effective November 10, 2025, launching Phase 1 of a four-phase rollout. Phase 2 — when Level 2 C3PAO requirements are intended to extend to applicable contracts as a condition of award — begins November 10, 2026.
In the Federal Register preamble, the DoD stated plainly that prospective contractors “should be actively preparing.” That's not corporate speak. The DoD wrote the rule, and the rule says start now.
| Phase | Window | What's required | What this means for readiness buyers |
|---|---|---|---|
| Phase 1 | Nov 10, 2025 – Nov 9, 2026 | Level 1 (Self) or Level 2 (Self) required in applicable solicitations as a condition of award. Level 2 (C3PAO) at DoD's discretion. | Confirm self-assessment scope, SSP, score, and SPRS posting. Affirming Official briefed. |
| Phase 2 | Nov 10, 2026 – Nov 9, 2027 | DoD intends to include Level 2 (C3PAO) requirements in applicable solicitations and contracts as a condition of award; the rule preserves DoD discretion to delay inclusion to an option period in specific cases | Budget for C3PAO scheduling and the longer remediation tail between readiness and certification |
| Phase 3 | Nov 10, 2027 – Nov 9, 2028 | Level 2 (C3PAO) extends to applicable option periods. Level 3 (DIBCAC) introduced. | Option-period risk on existing contracts; Level 3 contractors need Final Level 2 (C3PAO) first |
| Phase 4 | Nov 10, 2028 onward | Full implementation across applicable solicitations and option periods | Steady-state operations: maintain status, manage annual affirmations, manage scope drift |
The DoD estimated 8,350 medium and large entities will need to meet Level 2 (C3PAO) status as a condition of contract award. Multiply that against the current authorized C3PAO count and the assessor-to-contractor ratio is uncomfortable. That's not us creating urgency — that's the math of the rollout. Readiness engagements that take 6 to 20 weeks plus C3PAO scheduling against finite capacity mean Phase 2 is closer than the calendar suggests.
This is one of the rare cases where scarcity is real and not manufactured. The contracts your company bids on between now and Phase 2 will increasingly include CMMC clauses, and your eligibility window is finite.
Cyber AB Marketplace capacity snapshot
DCR Marketplace snapshot — sourced from the February and March 2026 Cyber AB Town Hall recaps. These numbers move every month; we re-verify quarterly and update this section against the most recent Town Hall before each refresh.
| Role | Feb 2026 | Mar 2026 (approx.) | What it means |
|---|---|---|---|
| Authorized C3PAOs | 98 | 103 | Firms that can conduct formal Level 2 certification assessments |
| Lead CCAs | 452 | — | Individuals qualified to lead an assessment team |
| Certified CMMC Assessors (CCAs) | 748 | 759 | Individuals qualified as assessors |
| Certified CMMC Professionals (CCPs) | 1,494 | — | Individuals qualified as CMMC professionals (advisory + readiness) |
| Registered Provider Organizations (RPOs) | 378 | — | Organizations registered to provide CMMC consulting and readiness work |
| Cumulative Level 2 certifications issued | — | ~1,000 | Successful assessments to date |
First, the assessor pipeline is tight relative to the DIB. DoD estimated 8,350 entities will need Level 2 (C3PAO) status as a condition of award; the active assessor pool is a small fraction of what would be needed to certify all of them in a year. Booking against C3PAO availability is now part of the timeline math.
Second, the readiness side of the ecosystem (RPOs, CCPs, RPs) is larger and growing faster than the assessor side. There are more qualified people for the work that has to happen before certification than for the certification itself. That's good news for finding readiness support; it doesn't ease the C3PAO bottleneck.
The Cyber AB has also noted publicly that the more meaningful bottleneck has often been DIB readiness, not C3PAO supply. Most contractors that have not started have an unrealistic view of how much work the gap actually represents.
12 red flags when vetting a CMMC readiness provider
Most contractors signing a readiness engagement for the first time don't know what to challenge. Use these 12 flags as a disqualifier checklist. Each lists the claim, how to verify, and the source of truth. If a provider trips two or more, walk.
| # | Claim to watch for | How to verify / source of truth |
|---|---|---|
| 1 | “We can do your readiness and your C3PAO certification.” | Verify via the Cyber AB CoPC v2.0 three-year prohibition. A C3PAO and its Assessment Team cannot participate in your Level 2 certification if they performed preparatory, advisory, or consulting work in the prior three years. |
| 2 | “We guarantee you'll pass certification.” | No firm can guarantee a CAP outcome. Findings are MET, NOT MET, or N/A under § 170.24. Guarantees are a tell. |
| 3 | “NIST 800-171 Rev. 3 is the current CMMC version.” | Verify via 32 CFR Part 170. Level 2 currently maps to Rev. 2. Rev. 3 exists but is not the controlling Level 2 control set unless DoD amends the rule. |
| 4 | “Your SPRS score is your CMMC certification.” | Verify via DFARS 252.204-7019/-7020 and § 170.16/170.17. SPRS posting is required, but a posted score is not a CMMC status determination. |
| 5 | “We can scope you without understanding your CUI flow.” | Verify via § 170.19. A scoping conversation that doesn't distinguish CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets isn't a real scoping conversation. |
| 6 | “Our team is qualified.” | Verify via the Cyber AB Marketplace individual listings. At minimum, expect a CCP, RP, or CCA on the engagement. |
| 7 | “We're a C3PAO.” | Verify via the Cyber AB Marketplace organizational listing. Confirm current Authorized or Accredited status, not legacy marketing language. |
| 8 | “We'll share a sample SSP after you sign.” | A real provider can show you a redacted sample SSP or POA&M before you sign. |
| 9 | “Here's our flat-rate quote.” | A defensible quote requires a CUI flow understanding first. A fixed price emailed within an hour is a guess. |
| 10 | “Trust us on deliverables.” | The SOW must enumerate deliverables: SSP, POA&M, SPRS support, evidence plan, remediation roadmap — by name. |
| 11 | “You need GCC High.” | Verify via your own scoping work. GCC High vs. AWS GovCloud vs. hybrid is a scoping decision, not a vendor preference. |
| 12 | “We have years of CMMC experience.” | Verify via referenceable Level 2 engagements completed in the last 12 months. With roughly 1,000 cumulative Level 2 certifications issued, recent reps matter more than tenure. |
The 10-minute provider verification walkthrough
You can verify any prospective readiness provider in under ten minutes using the Cyber AB Marketplace and a short SOW review. The walkthrough has five steps: confirm Marketplace status, confirm personnel credentials, read the SOW for enumerated deliverables, confirm independence in writing, and pressure-test engagement history.
Step 1 — Confirm Marketplace status (2 minutes)
Go to cyberab.org/Marketplace. Search the firm name exactly as it appears on their proposal. Confirm the role listed: RPO, C3PAO (Authorized or Accredited — these are the active statuses under 32 CFR Part 170). If you can't find them, ask the provider for their Marketplace URL.
Step 2 — Confirm individual personnel (2 minutes)
Ask for the names of the personnel who will perform the work. Look each up on the Marketplace individuals listing. Confirm credentials: RP (Registered Practitioner), CCP (Certified CMMC Professional), CCA (Certified CMMC Assessor), Lead CCA. A team without at least one credentialed individual on an engagement above scoping work is a flag.
Step 3 — Read the SOW for enumerated deliverables (4 minutes)
A defensible SOW names the deliverables. Look for:
- “CUI/FCI scoping and asset inventory”
- “System Security Plan (SSP) draft or refresh”
- “Plan of Action & Milestones (POA&M)”
- “SPRS score calculation and posting plan”
- “Evidence collection plan mapped to NIST SP 800-171A objectives”
- “Prioritized remediation roadmap”
- “Independence statement” if the provider is a C3PAO
If the SOW says “advisory services” with no enumeration, push back.
Step 4 — Confirm independence in writing (1 minute)
If the provider is a C3PAO, the SOW should explicitly state that the firm will not perform your Level 2 certification assessment within the CoPC three-year window. If the provider is an RPO or consultant, ask whether they have a C3PAO they recommend or whether you should engage that independently.
Step 5 — Pressure-test recent engagement history (1 minute)
Ask: “How many Level 2 readiness engagements have you closed in the last 12 months? Can you provide two references at companies of similar size and environment?” The market is too young for vague answers to be acceptable.
What must be in your readiness assessment SOW
A well-scoped SOW names the deliverables, the assessment methodology, the personnel performing the work, the timeline, the payment structure, and an explicit statement of independence from any future C3PAO certification work within the CoPC three-year window. Anything less is an engagement letter, not a SOW.
Use the following as a checklist when reviewing any readiness proposal:
- Scope. Explicit reference to in-scope CUI/FCI flows, in-scope physical sites, the assessment boundary, included environment (on-prem, hybrid, cloud, enclave), and the exclusions.
- Standards. Explicit reference to NIST SP 800-171 Rev. 2 as the controlling control set for Level 2, the NIST SP 800-171A assessment objectives as the evaluation criteria, and the applicable CMMC Level.
- Methodology. CAP methods — interview, examine, test — and how the provider will collect and validate evidence.
- Deliverables. SSP, POA&M, SPRS score calculation, evidence catalog, prioritized remediation roadmap, Affirming Official briefing. Named.
- Personnel. Names and credentials (RP, CCP, CCA, Lead CCA) of every individual on the engagement.
- Independence. If the provider is an authorized C3PAO, explicit statement that they will not conduct your Level 2 certification assessment within the CoPC three-year window.
- Timeline. Phase milestones with dates.
- Payment structure. Fees, what triggers them, change order policy.
- Confidentiality and CUI handling. How they handle any CUI exposure during the engagement; their data residency and DFARS 252.204-7012 incident handling posture.
- Acceptance criteria. What constitutes acceptance of each deliverable.
Bring this checklist to every readiness conversation. The provider's reaction to it tells you most of what you need to know.
The honest limits of a readiness assessment
Here's the honest part. A CMMC readiness assessment is not required by 32 CFR Part 170. The rule doesn't say “thou shalt buy a readiness assessment.” The reason almost every contractor preparing for Level 2 should still buy one is operational, not regulatory: a formal C3PAO assessment can stall when scope, SSP, evidence, or ESP/CSP responsibilities aren't ready — and the C3PAO assessing you cannot turn into your remediation consultant mid-engagement without creating exactly the conflict the CoPC prohibits.
A readiness assessment also has real limits even when done well.
It is a diagnostic, not a guarantee. The CMMC scoring methodology in § 170.24 awards findings of MET, NOT MET, or N/A per security requirement, with partial credit allowed only in narrowly defined cases. A polished SSP without operating evidence will not pass. Walk in expecting the readiness engagement to start a 3–12 month implementation runway, not finish it.
The provider is grading your environment as it stands. They aren't responsible for the controls you haven't built yet. The roadmap they hand you is the work that has to happen between readiness and certification — and that work is yours.
POA&M latitude is narrow. Some requirements cannot be on a POA&M at all. Where a POA&M is permitted at Level 2, the rule sets a 180-day closeout window from the Conditional CMMC Status Date; within that window the status becomes Final if the POA&M is closed out, and it lapses if the POA&M is not. We get into specifics in the Edge cases section below.
Annual affirmations have personal accountability. A passing assessment is valid for up to three years, but the Affirming Official must sign annual affirmations of continuous compliance in SPRS, and DFARS 252.204-7021 requires current affirmations for contract eligibility. Material drift in your environment between affirmations can affect contract eligibility regardless of certification validity.
None of this is a reason to skip readiness. It's a reason to scope it correctly. The difference: the right readiness provider builds an evidence package and remediation plan that takes these limits into account from day one. The wrong provider hands you a passing spreadsheet and disappears.
Edge cases we see most often
POA&M handling at certification
32 CFR § 170.21 allows POA&Ms for Level 2 only in narrow circumstances. Not every unmet requirement can go on a POA&M — some must be MET to receive a Conditional status. Where a POA&M is permitted, a Conditional CMMC Status can be issued, but the gaps must close within 180 days of the Conditional Status Date or the certification will not become Final. Walking into a C3PAO assessment with a POA&M on a non-eligible requirement stops the assessment path: the POA&M will not qualify for Conditional status, and the requirement must be remediated.
Scope reduction via CUI enclaves
For many contractors, the highest-leverage move isn't implementing more controls — it's reducing what's in scope. Pulling CUI workflows into a single isolated enclave (GCC High, AWS GovCloud, a dedicated on-prem enclave) can shrink the assessment boundary dramatically. The tradeoff: the enclave adds operational complexity, FedRAMP-equivalent CSP documentation under DFARS 252.204-7012, and a customer responsibility matrix you have to maintain. It's not free, but for the right environment it's the fastest path to a defensible Level 2.
Flow-down to subcontractors under DFARS 252.204-7021
Under DFARS 252.204-7021, the contractor must insert the clause in subcontracts and other contractual instruments that will involve processing, storing, or transmitting FCI or CUI, and — prior to awarding such a subcontract — must ensure the subcontractor has the current CMMC certificate or current CMMC status appropriate for the information being flowed down (per 32 CFR 170.23). If you're a prime, build a sub inventory: who touches CUI, what status they need by award, what flow-down language you'll insert. If you're a sub, the question is which clause your prime will require and whether you have the runway. Either way, this is a readiness deliverable, not an afterthought.
Between annual affirmations: what changes invalidate
A CMMC status is current only as long as the underlying environment continues to comply. Material architectural or boundary changes — adding new CUI flows, replacing your MSP, changing enclaves, restructuring after an acquisition — can require a new assessment under the CMMC scoping guidance. Operational changes within an existing assessment boundary that follow the existing SSP are covered by annual affirmations. Build a change management process into your post-certification operations.
Level 3 readiness
Level 3 is DIBCAC-assessed, not C3PAO-assessed. It requires Final Level 2 (C3PAO) status first, then adds selected enhanced requirements from NIST SP 800-172. Readiness for Level 3 is substantially harder and is reserved for contractors supporting designated high-priority programs. If you're considering Level 3, expect the readiness scope, cost, and timeline to multiply.
MSPs and External Service Providers (ESPs) in scope
If your MSP, MSSP, hosting provider, or other ESP handles CUI or provides Security Protection Assets, they are in your CMMC scope. Per § 170.18, the use of the ESP, its relationship to the OSC, and the services provided must be documented in the OSC's SSP and described in the ESP's service description and customer responsibility matrix. Microsoft and AWS being FedRAMP-authorized covers the cloud side; it does not cover your organization's responsibilities. Assuming your MSP “handles CMMC” is one of the most common scoping mistakes.
Quote-scoping safely — what not to share
When you're soliciting quotes, the providers don't need your CUI to give you a defensible scope. Share: company size, prime-or-sub status, FCI/CUI exposure (without uploading actual covered information), likely Level, contract clauses you're working under (clause numbers, not contract documents), cloud environment, user counts, current SSP and SPRS status, target timeline, and the scope of help needed.
Do not share via a public form: CUI itself, ITAR or export-controlled content, system architecture diagrams, vulnerability scan output, incident details, employee personally identifiable information, or full contract documents. Move that information into the provider's secure intake once you've narrowed your shortlist.
What we actually verified to write this
| Source | What we checked | Date verified |
|---|---|---|
| 32 CFR Part 170 (eCFR) | Effective date Dec 16, 2024; scoping (§ 170.19); Level 2 Self submission (§ 170.16); Level 2 C3PAO submission (§ 170.17); POA&M and 180-day closeout (§ 170.21); CMMC Scoring Methodology and SSP requirement (§ 170.24); subcontractor flow-down (§ 170.23); ESP requirements (§ 170.18) | May 2026 |
| DFARS Final Rule (Federal Register) | Effective Nov 10, 2025; regulatory impact analysis cost estimates ($5,977 / $34,277 / $101,752 / $104,670 / $112,345); underlying $260.28/hour C3PAO labor assumption; “should be actively preparing” preamble language | May 2026 |
| DFARS 252.204-7012 (Acquisition.gov) | Safeguarding language, FedRAMP Moderate equivalency for CSPs | May 2026 |
| DFARS 252.204-7019 and -7020 (Acquisition.gov) | SPRS posting and DoD assessment access | May 2026 |
| DFARS 252.204-7021 (Acquisition.gov) | Contract clause for CMMC compliance and flow-down | May 2026 |
| DFARS 252.204-7025 (Acquisition.gov) | Solicitation notice provision; Nov 10, 2025 effective | May 2026 |
| Cyber AB CoPC v2.0 | Three-year prohibition on C3PAO and Assessment Team members participating in certification of an organization for which they provided preparatory, advisory, or consulting work | May 2026 |
| Cyber AB CMMC Assessment Process (CAP) v2.0 | Phase 1 OSC readiness validation; C3PAO impartiality requirements; ISO/IEC 17020:2012 alignment | May 2026 |
| Cyber AB Town Hall recaps, Feb–Mar 2026 | Authorized C3PAO count, CCAs, Lead CCAs, CCPs, RPOs, cumulative Level 2 certifications issued | May 2026 |
| NIST CSRC | NIST SP 800-171 Rev. 2 as the controlling Level 2 control set; NIST SP 800-171A assessment objectives; NIST SP 800-172 for Level 3 | May 2026 |
Market cost ranges in the cost section are DCR-observed editorial estimates aggregated from published vendor pricing reviewed in Q1–Q2 2026. They are not official CMMC costs.
If you find a factual error on this page, email corrections@thedefensecompliancereport.com. We update on a quarterly cadence and faster when a primary source changes.
Frequently asked questions
- Is a CMMC readiness assessment required?
- No. The CMMC Program Rule (32 CFR Part 170) does not require a readiness assessment. The reason most contractors preparing for Level 2 buy one anyway is operational: a formal C3PAO assessment can stall when scope, SSP, or evidence aren't ready, and the C3PAO cannot turn into your remediation consultant without creating a conflict of interest.
- Can my C3PAO also perform my readiness assessment?
- A C3PAO can perform limited readiness or mock work, but the Cyber AB CoPC v2.0 imposes a three-year prohibition on that C3PAO — at the organizational level and the Assessment Team member level — from participating in your Level 2 certification assessment if they provided preparatory, advisory, or consulting work for any CMMC assessment of your organization in the prior three years. Plan accordingly.
- What's the difference between a gap analysis and a readiness assessment?
- A gap analysis identifies unmet controls against a control set. A readiness assessment is broader: scope definition, gap analysis, SSP and POA&M work, evidence collection plan, SPRS support, and a remediation roadmap. A gap analysis is one component of a readiness assessment.
- How long does a CMMC readiness assessment take?
- Most small-to-midsize Level 2 readiness engagements run 4 to 12 weeks. Larger or low-maturity environments take 12 to 20 weeks. Remediation between readiness and certification is separate and typically takes another 3 to 12 months.
- How much does a CMMC readiness assessment cost?
- DCR-observed Level 2 readiness advisory work generally runs $15,000 to $60,000+ depending on size, environment, and starting maturity. The DoD's Federal Register estimates for Level 2 (C3PAO) certification assessment + affirmation are approximately $101,752 (small entity) and $112,345 (other-than-small entity). Remediation is separate from both numbers and is usually the largest single cost on the full path.
- Do I need a readiness assessment for a Level 2 self-assessment?
- Almost always, yes. Level 2 self-assessment uses the same control set as Level 2 (C3PAO) — 110 requirements per NIST SP 800-171 Rev. 2, evaluated against the assessment objectives in NIST SP 800-171A. The Affirming Official is personally affirming the posted score. A defensible SSP, score, and evidence package require readiness work regardless of who verifies.
- Is NIST SP 800-171 Rev. 2 or Rev. 3 the controlling version for CMMC Level 2?
- Revision 2. The CMMC Program Rule (32 CFR Part 170) incorporates Rev. 2. Rev. 3 has been published by NIST and may matter for future planning, but it is not the current CMMC Level 2 requirement set unless DoD amends the rule.
- What if a prime is asking for a current SPRS score by a specific date?
- Treat that as a readiness trigger. The SPRS posting reflects your NIST SP 800-171 score under DFARS 252.204-7019. A posted score that doesn't match an actual assessment can have contract eligibility consequences. Readiness work that calculates the score correctly and prepares the Affirming Official is the right response.
- Can software make us CMMC compliant?
- No. A GRC platform tracks compliance work; it doesn't perform it. An enclave reduces scope; it doesn't eliminate organizational responsibility. Software is a leverage multiplier on the underlying program — not a substitute for it.
- Who is the Affirming Official?
- The senior official designated by the contractor to submit annual affirmations of continuous compliance in SPRS under 32 CFR Part 170. The role replaces the earlier “senior company official” terminology and carries personal accountability for the accuracy of the affirmation.
- What happens if I fail a C3PAO assessment?
- Your assessment contract governs fees, but the regulatory outcome is clear: if the requirements are not MET and any POA&M does not qualify, the organization does not receive Final Level 2 status. Remediation, rescheduling, and a later assessment or POA&M closeout may be required.
- Can a small subcontractor get away with Level 1 only?
- Not if you process, store, or transmit CUI. Under 32 CFR 170.23, if a subcontractor will handle CUI in performance of a flow-down, Level 2 is the minimum. The required level is determined by the information you handle and the contract requirement, not by company size.