CMMC Reassessment After Failure: Recertification, the 180-Day Clock, and What Happens Next

You opened the assessment results expecting a pass. You got a list of NOT MET findings instead — and now a prime, a contracting officer, or your own boss is going to ask what it means for the contract. Here’s the part most teams get wrong in the first hour: CMMC reassessment after failureis not one path. It’s several, and the rule treats them in completely different ways.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

Which situation are you actually in? (start here)

Find the row that matches what you were told. Each one points to a different clock, a different assessor, and a different next move.

Don’t panic-buy a provider yet. The single most valuable thing you can do in the first hour is classify your result precisely — everything downstream, including how much you’ll spend, depends on it.

CMMC reassessment after failure: what a failed assessment actually means

Failing a CMMC assessment rarely means one clean thing.You can receive a Conditional status with a 180-day fix-it window, “No Status” because a non-deferrable requirement was missed, “No Score” because the assessment couldn’t be completed, or an expired status after a missed closeout. Each outcome carries a different deadline, system of record, and contract consequence under 32 CFR Part 170. The first job after a bad result is to classify it precisely.

CMMC — the Cybersecurity Maturity Model Certification — is the Department of Defense program that verifies whether a contractor protects FCI (Federal Contract Information) and CUI (Controlled Unclassified Information). Most contractors who touch CUI land at Level 2, which maps to all 110 NIST SP 800-171 Revision 2 requirements. Level 2 assessments result in a formal status, not a pass/fail stamp — and that distinction is the whole thing.

The CMMC Failure Recovery Matrix

Built from 32 CFR 170.17, 170.21, 170.16, and 170.18. DCMA DIBCAC = Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center.

CMMC reassessment after failure vs. recertification: which path is yours?

Contractors often say “recertification after failure,” but CMMC uses more specific paths.If you hold Conditional status, your next event is a POA&M closeout. If you didn’t qualify, it’s remediation and a new assessment. A material change to your environment can trigger a reassessment, and a disputed finding goes to appeal — not remediation.

“Recertification” is searcher shorthand. In the rule, the path you’re actually on has a precise name, and naming it correctly is what keeps you from buying the wrong help:

• POA&M closeout — the follow-up assessment that re-checks only your open items, if you hold Conditional status.
• New assessment — a full re-do, if you didn’t qualify for Conditional status or your Conditional status lapsed.
• Reassessment after significant change — triggered when your environment changes in ways the original assessment didn’t cover.
• Annual affirmation — the senior-official attestation that keeps a current status valid between assessments. See our guide on CMMC annual affirmation requirements.
• Appeal — for disputing a finding or assessor conduct, not for fixing gaps.

Use the term that matches your result, because the clock, the cost, and the assessor are different for each one. For a side-by-side comparison of the self-assessment and C3PAO paths, see our guide on CMMC self-assessment vs. C3PAO.

Did you fail, or did you receive Conditional CMMC Status?

Conditional CMMC Status is not a failure. It means you met the score threshold and had only eligible POA&M items left, and you have 180 days to close them. “No Status” and “No Score” are different outcomes: No Status means you didn’t qualify for a certificate (a low score or a non-deferrable gap), and No Score means the assessment couldn’t be completed at all — including when the System Security Plan is marked NOT MET (32 CFR 170.21).

This is the single most important classification on the page, because it’s where money gets wasted. Teams hear “we have findings” and assume they failed, then go shopping for a full re-do they don’t need. Or they hear “Conditional” and treat it like a grace period, then burn the clock.

SPRS (Supplier Performance Risk System) is the DoD system where Level 2 self-assessment scores and status information are posted so contracting officers can verify them. Learn more on our SPRS score overview.

The “No Score” outcome deserves a flag: the rule is blunt. An organization must have a System Security Plan — control CA.L2-3.12.4— in place at assessment. Per 32 CFR Part 170, the absence of an up-to-date SSP results in a finding that “an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204-7012.” The SSP isn’t just another scored control. Without it, the assessor can’t finish, and your technical posture is irrelevant.

If you’re sorting out Conditional status and POA&M closeout specifically, see our companion guide on the Conditional CMMC Level 2 certificate and POA&M closeout rules.

The 180-day closeout clock: how much time you really have

For Level 2 and Level 3 Conditional status, you have 180 days from your Conditional CMMC Status Date to remediate every NOT MET item and pass a POA&M closeout assessment, which re-checks only the items on your POA&M (32 CFR 170.21). The clock starts the day your results post to SPRS or eMASS, it does not reset when you close items, and if it expires your Conditional status is gone and you re-enter the full-assessment queue. Treat 180 days as a hard ceiling, not a runway.

Three mechanics inside this rule matter more than the headline number.

A simple way to manage the window, working backward from Day 180:

Can you still fix it before the result is final?

Sometimes the result isn’t locked yet. During the assessment and for up to 10 business days after the active assessment period — until the Assessment Findings Report is delivered — a NOT MET requirement can be re-evaluated if you produce additional evidence that doesn’t change other MET scores (32 CFR 170.17(c)(2)). After that, you can file a formal appeal with the same C3PAO, adjudicated by a quality reviewer who wasn’t on your assessment team.

This is the section that can save a contractor weeks. Before you accept a NOT MET as final, check whether either of these doors is still open.

Be honest with yourself about what an appeal is for. It challenges assessor error or conduct — not “we disagree with the requirement,” not “we fixed it afterward,” and not “the control is expensive.” If your real problem is open gaps, your time is better spent remediating than appealing.

Why you can score 105 out of 110 and still fail

The total score doesn’t save you. To earn Conditional Level 2, your score must be at least 88 of 110 (the 0.8 threshold in 32 CFR 170.21), andevery deferred item must be worth only 1 point — no 3- or 5-point requirement may go on a POA&M, and six specific 1-point requirements can’t be deferred either. Miss one non-deferrable control — multifactor authentication is the classic example — and you can fail outright with an otherwise strong environment.

The six specific 1-point controls that are barred from a POA&M no matter what (per 32 CFR 170.21(a)(2)(iii)(A)–(F)):

These are program-integrity and CUI-boundary controls. Without an SSP, without control of your external connections and public-facing systems, without basic physical protection of CUI — your compliance picture isn’t defensible regardless of how few points they’re “worth.” The POA&M is a tool for closing a short tail of minor gaps — not a strategy for deferring real work.

The gap that sinks otherwise-capable teams is usually evidence quality, not missing technology — a control that’s genuinely running but can’t be proven still scores NOT MET.

What a CMMC reassessment actually costs

Your reassessment cost is driven less by averages than by which state you’re in. A POA&M closeout re-checks only your open items, so it typically costs less than a full assessment; a No Status result or an expired Conditional status means paying for a full Level 2 assessment again. For scale, DoD’s Final Rule estimates a small contractor’s Level 2 C3PAO assessment plus initial affirmation at about $101,752, or roughly $104,670over three years. Knowing your state is worth more than any cost average, because it determines whether you’re buying a partial closeout or a full do-over.

What DoD estimated (primary source). In the 32 CFR Part 170 Final Rule analysis, DoD puts a small contractor’s Level 2 C3PAO assessment plus initial affirmation at about $101,752 — including a roughly $31,234 C3PAO assessment-engagement line item — and about $104,670 over the full three-year cycle. (Other-than-small entities are modeled with a larger C3PAO engagement line, around $52,056.) DoD’s commonly cited range across company sizes is $105,000–$118,000. Important caveat: those figures cover assessment, affirmation, and engagement activities only — they deliberately exclude readiness and remediation.

What the market charges (industry estimates). Based on C3PAO and managed-service pricing reviewed in 2026, the C3PAO assessment fee alone commonly runs $30,000–$75,000, varying with scope, company size, and region. Remediation commonly runs $10,000 to $150,000 or more depending on starting maturity. Treat these as planning ranges and confirm a fixed scope in writing. We keep a running breakdown on our CMMC Level 2 cost page.

Cost allowability (whether CMMC costs are reimbursable): the DFARS CMMC rule doesn’t resolve this; it points to FAR 31.201-2, meaning your contracting officer and accounting team determine it case by case. Don’t assume you can pass these costs through.

Who performs your closeout or reassessment — and who legally can’t be the same firm

The party that re-assesses you depends on level and path: a Level 2 self-assessment closeout is performed by your own organization, a Level 2 certification closeout by an authorized or accredited C3PAO, and a Level 3 closeout by DCMA DIBCAC (32 CFR 170.21). A readiness or remediation firm can help you fix the gaps, but it cannot also be the C3PAO that assesses you. That separation is a rule, not a preference.

After a failure, your first hire is almost always a readiness/remediationcategory — an RPO (Registered Provider Organization) or RP (Registered Practitioner), a CMMC-focused MSSP or MSP, or a GRC platform and CUI enclave. The C3PAO comes back only to re-test. Routing a just-failed remediation lead to a C3PAO “to fix it and then assess it” is exactly the conflict the rule is built to prevent.

What to do in the first 24 hours — and the 180-day recovery plan

The first 24 hours after a failed or conditional result are for classification, preservation, and deadline control— not panic-buying another provider. Identify your formal result, preserve the full assessment record, map each NOT MET item to POA&M eligibility, calculate your 180-day clock if Conditional status applies, and keep remediation work separate from formal assessment work.

Your first-24-hours checklist:

1. Save everything: the results briefing, the POA&M items, your Conditional Status Date, the assessed scope, CAGE codes, the CMMC unique identifier, and your evidence artifacts and hashes. (The rule requires you to retain hashed assessment artifacts for six years from the CMMC Status Date — start that discipline now.)
2. Name your result precisely: Conditional, No Status, No Score, expired, or a result you intend to appeal.
3. Pin the root cause: score threshold, a non-deferrable control, a missing SSP, evidence quality, technical implementation, scope, or a contract deadline.
4. Calculate your 180-day deadline if you’re Conditional.
5. Don’t ask your C3PAO to prescribe the fix in a way that compromises its independence.
6. Decide whether you need counsel before you communicate status to a prime or contracting officer.
7. Build a remediation owner list — one named person per open item.

A word on timing: 32 CFR Part 170 took effect December 16, 2024, and DFARS 252.204-7021 became effective November 10, 2025, opening Phase 1 (Nov. 10, 2025 through Nov. 9, 2026), with Phase 2 enforcement beginning November 10, 2026.DoD generally leads with the right self-assessment requirement in Phase 1 — but it can require a Level 2 C3PAO assessment at its discretion even now, and if a solicitation or contract requires a current CMMC status, a stalled or failed assessment can already cost you an award, option, or extension.

Capacity is finite: as of the March 2026 Cyber AB Town Hall, the ecosystem had roughly 103 authorized C3PAOs and about 759 certified assessors, with only about 1,000 organizations certifiedagainst a Defense Industrial Base where at least 80,000 are expected to need Level 2. The honest read isn’t that the assessor pool will sink you — it’s that demand will spike as Phase 2 approaches and your own readiness is the real bottleneck. Book early, but fix the root cause first.

What changes by level: Level 1, Level 2 Self, Level 2 C3PAO, and Level 3

Level and assessment type change almost everything about recovery: whether a POA&M is even allowed, who performs the closeout, where results are posted, and what contract consequence follows. Level 1 is an annual self-assessment with no POA&M permitted; Level 2 is self-assessed or C3PAO-assessed depending on the contract; Level 3 requires a Final Level 2 first and is assessed by DCMA DIBCAC, not a C3PAO (32 CFR 170.16–170.18).

What happens to your contract if Conditional status expires?

If you don’t successfully close out within 180 days, your Conditional status expires. Under 32 CFR 170.17, if that happens during contract performance, standard contractual remedies may apply, and you become ineligible for additional awards requiring that level (or higher) until you achieve a new CMMC status. DFARS 252.204-7021 separately requires you to have and maintain the current CMMC status for systems that process, store, or transmit FCI or CUI. This is the point where a compliance problem becomes a contract problem.

An expired status does not automatically terminate your contract by itself. What the rule says is that standard contractual remedies may apply and that you become ineligible for additional awards at that level until you achieve a new status. The practical significance depends on whether you’re mid-performance, whether the clause is in your contract, and whether the affected systems actually handle FCI or CUI for that work. Those are determinations for your contracting officer and counsel, not a website. For a deeper look at non-compliance consequences, see our guide on CMMC non-compliance penalties.

A short decision tree to size your exposure:

• Are you in the proposal stage, or already under contract?
• Is the CMMC clause (DFARS 252.204-7021) actually in the contract?
• Do the affected systems process, store, or transmit FCI or CUI for that work?
• Is the issue an expired Conditional status, a stale affirmation, a failed closeout, or a changed environment?
• Has a prime flowed down a requirement to you as a subcontractor?
• Has the contracting officer asked for proof of status?

Edge cases: self-assessment, Level 3, significant change, and subcontractors

A few common situations shift the recovery path. A failed Level 2 self-assessment is fixed by you (remediate, re-self-assess, re-post to SPRS); a significant change to your environment can trigger a reassessment even after a clean result; DFARS 252.204-7021 allows DoD to require a rare reassessment despite a current status if there are indications of cybersecurity or compliance issues; and a subcontractor’s failed status can affect a prime’s ability to use it on CUI work.

How SPRS, eMASS, the CMMC UID, and affirmations fit into recovery

Recovery isn’t finished until the correct result is reflected in the correct system of record and backed by the required affirmation. Level 2 self-assessment results live in SPRS; C3PAO and DIBCAC certification results are handled in CMMC eMASS and transmitted to SPRS; and DFARS 252.204-7021 requires a current status plus annual affirmations for covered systems.

For a Level 2 self-assessment, your SPRS entry includes the CMMC Level, the CMMC Status Date, the assessment scope, your CAGE code(s), the overall score, and POA&M usage and compliance status. For a Level 2 C3PAO assessment, the C3PAO submits results into CMMC eMASS — including your SSP name, date, and version, the result for each requirement, POA&M usage, and artifact-hashing data — and eMASS transmits to SPRS.

One detail to watch: any systems notrepresented by the CMMC unique identifier (UID) you provide for a solicitation can be treated as non-compliant for processing, storing, or transmitting FCI or CUI during performance. And a final status isn’t self-sustaining — it has to be paired with the senior official’s affirmation after the assessment, after any closeout, and annually thereafter. If your environment has drifted to the point where you can’t honestly affirm, that’s a counsel conversation before you attest, not after.

Frequently asked questions

Sources we read for this guide

• 32 CFR Part 170 — CMMC Program rule, including §170.16, §170.17, §170.18, §170.21, and §170.24. Underlying rule: 89 FR 83214 (Oct. 15, 2024).
• DFARS 252.204-7021, 252.204-7012, and 252.204-7020 (Acquisition.gov).
• NIST SP 800-171 Revision 2 and NIST SP 800-171A (June 2018), incorporated by reference in 32 CFR Part 170; NIST SP 800-172 (NIST CSRC).
• Cyber AB CMMC Assessment Process (CAP) and Cyber AB Appeals Process.
• DoD CIO CMMC Frequently Asked Questions; DoD CIO CMMC Assessment Guide — Level 2 and Scoping Guide — Level 2.
• Supplier Performance Risk System (SPRS) documentation.
• Capacity figures: Cyber AB Town Hall reporting (March 2026).

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This article is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your required level, not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney. Last reviewed June 2026 · Last verified June 2026. See our editorial standards and corrections policy.

Need help deciding what type of CMMC provider you need?