CMMC Triage & Recovery
CMMC Rescue Services: What to Do When Your CMMC Is Failing, Stalled, or Out of Time
“CMMC rescue services” is what defense contractors search when a CMMC effort has gone sideways — a failed assessment, a conditional certification quietly bleeding out its clock, a compliance requirement that just showed up in a new solicitation, a prime demanding a score you can’t defend, or a consultant who left you worse off than when you started.
Here’s the honest bottom line: what you actually need depends entirely on which of those you’re facing, and the single fastest way to find out is the CMMC Rescue Triage Matrix below — before you call anyone.
The short version: if you failed or your score is too low, you need independent readiness and remediation — not your assessor. If your conditional status is running out, the fact that controls your fate is a hard 180-day window that does not reset, defined in 32 CFR § 170.21. If a bad score is already posted, that is a potential False Claims Act exposure, not just a compliance gap. Most “CMMC emergencies” are not assessment emergencies yet — they are clause, scope, evidence, or provider-category problems that can be triaged fast once you stop guessing.
Not sure which situation is yours? Jump to the CMMC Rescue Triage Matrix — it’s the first thing on this page for a reason.
First, the truth about “rescue” — and how we’ll route you
CMMC — the Cybersecurity Maturity Model Certification — is the Department of Defense program that verifies whether a contractor is actually protecting the government information it handles. FCI (Federal Contract Information) is non-public information generated for or provided by the government under a contract. CUI (Controlled Unclassified Information) is more sensitive government information that carries specific safeguarding requirements. The level you owe, and whether you can self-assess or need a third-party assessor, is set by your contract clause — not by a checklist or a sales call.
The right CMMC provider isn’t the same for every contractor. The category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category — before you talk to a single vendor.
Is this page for you?
| CMMC rescue makes sense if… | It’s not what you need if… |
|---|---|
| A prime or contracting officer gave you a CMMC deadline and no clear path. | You want someone to “certify” you without a real assessment. |
| Your prior consultant or MSP failed, disappeared, or delivered work you can't use. | You handle no FCI or CUI and there's no CMMC requirement — you just need the basics first. |
| You failed an assessment, or a gap review just showed your real score is far below what's posted. | You're already assessment-ready and only need to schedule a C3PAO. |
| Your SSP, SPRS score, evidence, or POA&M plan doesn't hold up. | You want legal interpretation of a clause — that comes from a federal-contracts attorney, not an article. |
| You don't know whether to call an RPO, an MSSP, a CUI enclave, a GRC platform, a C3PAO, or a lawyer first. | You've confirmed the clause, the level, and your readiness and just want a vendor list. |
CMMC rescue services: which emergency are you actually in?
Most off-track CMMC projects break in one of eight places: contract interpretation, CUI scope, documentation (the SSP), evidence, technical controls, assessment timing, a false or unsupported SPRS score, or a provider-category mismatch. The correct first move — and the right kind of provider — is different for each. Find your trigger in the matrix, then read the section that fixes it.
The CMMC Rescue Triage Matrix
| What just happened | What’s actually going on | Do not do yet | The rule that controls it | Your safe first move | Likely provider category |
|---|---|---|---|---|---|
| You failed a C3PAO assessment | One or more requirements came back NOT MET. If any is worth 3 or 5 points, it cannot be deferred. | Don’t rebook the assessment until you know which findings are fixable and which are disqualifying. | 32 CFR § 170.21, § 170.17 | Get an independent POA&M eligibility review from a firm different from your assessor; understand which gaps are disqualifying before you touch anything. | Independent RPO / MSSP (remediation) |
| You have conditional status and the clock is running | You have a fixed 180-day window that does not reset as you close items. | Don’t burn weeks before planning the closeout — assessment scheduling can be the constraint. | 32 CFR § 170.21(b) | Work backward from your Conditional Status Date now; prioritize closeout evidence; line up the closeout assessment early. | RPO / MSSP (closeout) + C3PAO (closeout assessment) |
| A CMMC requirement appeared in a new solicitation | The solicitation identifies the required level and status through the DFARS 252.204-7025 notice; DFARS 252.204-7021 requires you to have and maintain it. | Don’t promise “certified” or buy tooling before you confirm the required level and scope. | DFARS 252.204-7025, 252.204-7021 | Read the clause; identify required level and self-assess vs. C3PAO; run the fast diagnostic below before you call anyone. | RPO / RP (scoping + clause interpretation) |
| A prime or customer is demanding your SPRS score or docs | Flow-down pressure. Primes are gatekeeping bids on your posture. | Don’t send a score or affirmation you can’t support. | 32 CFR § 170.23 | Reconcile what your posted score is actually based on before you send anything. | RPO / MSSP (readiness + SSP/SPRS reconciliation) |
| A gap review shows your real score is far below your posted SPRS score | The highest-risk scenario: a materially false posted score isn’t just a gap — it’s potential liability. | Don’t quietly “fix and re-post” without understanding the exposure. | False Claims Act / DOJ Civil Cyber-Fraud Initiative (see below) | Talk to a federal-contracts attorney first; then remediate under their guidance. | Federal-contracts attorney + RPO / MSSP |
| You’re ready but can’t get a C3PAO slot in time | A supply bottleneck, not a readiness problem. | Don’t treat the assessment booking as your readiness plan. | See the assessment-supply snapshot below | Line one up now; verify authorization on the Cyber AB Marketplace; confirm your phase actually requires C3PAO yet. | C3PAO (schedule early) + confirm requirement timing |
| Your prior consultant or MSP failed you | Common. Perceived readiness rarely equals assessed readiness. | Don’t reuse the old scope, SSP, score, or evidence on faith. | Cyber AB CMMC Assessment Process (CAP) | Get an independent rescue review from a different firm than the one who’ll assess you. | Independent RPO / MSSP / vCISO |
| You just realized your CUI scope is wrong | Scope is the foundation. Too broad and it’s unaffordable; too narrow and you fail. | Don’t migrate everything to a new platform before you reduce scope. | 32 CFR § 170.19 | Map where CUI/FCI actually lives, who touches it, and what can be pulled out of scope. | RPO + CUI enclave / GCC High implementer |
Do not upload sensitive material into any web form — yours or anyone else’s. Keep CUI, drawings, controlled technical information, export-controlled data, credentials, full network diagrams, vulnerability reports, and contract attachments out of email and lead forms. Describe your situation in general terms only.
Here’s the one thing we’ll say plainly: a real CMMC rescue service cannot create valid certification overnight. If your scope, SSP, controls, evidence, or POA&M eligibility are broken, no legitimate firm can make that disappear by a deadline — and anyone who guarantees fast certification, or claims they can get you a C3PAO slot on demand, is a red flag.
Not sure whether this is a scope problem, an evidence problem, or a provider problem? Use Find My CMMC Path to map your required level, CUI scope, assessment type, and timeline to the right provider category before you request a single quote. Tell us where you’re stuck — not your CUI, drawings, or contract details.
Find My CMMC Path →
Are you actually in a CMMC emergency — or just being pressured?
Whether you have a true emergency depends on the contract, the required level, the assessment type, the award timing, and whether a formal C3PAO assessment is actually required yet. A prime’s email can create panic, but under the current phased rollout, many contractors who feel behind still have a self-assessment path — not a certification deadline this week. Verify the source of the requirement before you spend a dollar.
A prime’s demand is not the same as a contract requirement. Before you react, get the exact language and check for the clauses that carry the obligation: DFARS 252.204-7012 (safeguarding CUI and 72-hour incident reporting), DFARS 252.204-7021 (the CMMC compliance clause), and the DFARS 252.204-7025 solicitation provision (where the contracting officer writes in the required level and status).
The phased timeline changes how urgent this really is. Phase 1 began and runs through ; during Phase 1, applicable contracts require Level 1 or Level 2 self-assessments as a condition of award, though contracting officers have discretion to require a third-party assessment on select contracts. Beginning in Phase 2 on , DoD plans to require Level 2 C3PAO certification as a condition of award for applicable CUI contracts — but the specific solicitation still controls. See our CMMC phases guide for the full schedule.
Run this fast diagnostic before you call anyone:
- Which clause and CMMC level are named in the solicitation or contract?
- Is this FCI only, CUI, or genuinely unclear?
- If Level 2, is it self-assessed or C3PAO-assessed?
- Is there a current SPRS score on file, and what is it based on?
- Has an annual affirmation been submitted, and by whom?
- Are you relying on a POA&M — and do you know if your gaps are even POA&M-eligible?
- Has a C3PAO been scheduled?
- Is your SSP (System Security Plan) complete and current?
- Is your CUI boundary actually defensible?
If you can’t answer half of these, that’s not a failure — it’s your rescue roadmap. Each unanswered question maps to a section below.
What happens if you fail a CMMC assessment (and can you fix it)?
A failed CMMC Level 2 assessment means one or more requirements came back NOT MET, and whether you can recover with a Plan of Action and Milestones (POA&M) depends entirely on the point value of what you missed. You can fix it — but not always the way people assume. Under the DoD scoring methodology in 32 CFR § 170.24, each of the 110 requirements is worth 1, 3, or 5 points, and the highest-value controls cannot be deferred.
Why a high score can still fail you
You can have 105 of your 110 controls met and still fail outright. To earn Conditional Level 2 status you need a score of at least 88 out of 110 (the 0.8 threshold in 32 CFR § 170.21), and every requirement left on your POA&M must be worth only 1 point. Requirements worth 3 or 5 points must be fully met. So if a single 5-point control — multifactor authentication (MFA) is the textbook example — comes back NOT MET, you cannot put it on a POA&M, you cannot reach conditional status, and your score doesn’t save you.
There is exactly one narrow exception: SC.L2-3.13.11 (CUI encryption) may be placed on a POA&M if you are using encryption that simply isn’t yet FIPS-validated, in which case it scores as a 3-point gap rather than 5. That exception does not apply if you have no encryption at all.
The six requirements that block a POA&M rescue
Even among 1-point requirements, 32 CFR § 170.21(a)(2)(iii) bars six specific controls from ever appearing on a Level 2 POA&M:
- AC.L2-3.1.20: External Connections (control connections to external systems)
- AC.L2-3.1.22: Control Public Information (control CUI on publicly accessible systems)
- CA.L2-3.12.4: System Security Plan
- PE.L2-3.10.3: Escort Visitors
- PE.L2-3.10.4: Physical Access Logs
- PE.L2-3.10.5: Manage Physical Access
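As an added illustration of the scoring and POA&M eligibility rules described above (this is example code written for this page, not code from the original article or from The Defense Compliance Report), the Python below takes a list of assessment findings and reports whether Conditional Level 2 is reachable, which NOT MET items can be deferred, and which ones block you. It implements only the rules the text states: a 110-point total, the 88-point threshold, 1-point-only POA&M items, the six barred controls, and the SC.L2-3.13.11 exception for non-FIPS-validated encryption. The finding lists are constructed sample data; the requirement IDs are NIST SP 800-171 identifiers, but the point values attached to them here are sample inputs, and your assessor's scoring is what actually counts.

```python
"""
Conditional Level 2 eligibility check, following the POA&M rules as the
article describes them (32 CFR 170.21 / 170.24): 110 requirements worth
1, 3, or 5 points each; conditional status needs a score of at least 88;
every deferred (NOT MET) item must be a 1-point requirement that is not
one of the six barred controls; the one exception is SC.L2-3.13.11, which
may be deferred as a 3-point gap when encryption is in use but not yet
FIPS-validated.

All finding data below is CONSTRUCTED sample input, not a real assessment.
Point values per requirement are an input; only the 110-point total and
the 88-point threshold are fixed by the rule as the article states it.
"""
from dataclasses import dataclass, field

TOTAL_POINTS = 110
CONDITIONAL_THRESHOLD = 88  # 0.8 * 110

# The six 1-point requirements that can never sit on a Level 2 POA&M.
BARRED_FROM_POAM = {
    "AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
}
CUI_ENCRYPTION = "SC.L2-3.13.11"


@dataclass
class Finding:
    req_id: str
    points: int   # 1, 3 or 5, as scored by the assessor (sample values here)
    met: bool
    # Only meaningful for SC.L2-3.13.11: encryption deployed but not FIPS-validated.
    encryption_in_use_not_fips: bool = False


@dataclass
class Verdict:
    score: int
    conditional_eligible: bool
    poam_items: list = field(default_factory=list)   # deferrable NOT MET items
    must_be_met: list = field(default_factory=list)  # blockers that cannot be deferred
    reasons: list = field(default_factory=list)


def effective_points(f: Finding) -> int:
    """Apply the single scoring exception the rule allows."""
    if f.req_id == CUI_ENCRYPTION and f.encryption_in_use_not_fips:
        return 3
    return f.points


def evaluate(findings: list) -> Verdict:
    """Score the findings and decide whether Conditional Level 2 is reachable."""
    unmet = [f for f in findings if not f.met]
    score = TOTAL_POINTS - sum(effective_points(f) for f in unmet)
    v = Verdict(score=score, conditional_eligible=False)

    for f in unmet:
        pts = effective_points(f)
        if f.req_id in BARRED_FROM_POAM:
            v.must_be_met.append(f.req_id)
            v.reasons.append(f"{f.req_id} is one of the six controls barred from a POA&M")
        elif pts == 1:
            v.poam_items.append(f.req_id)
        elif f.req_id == CUI_ENCRYPTION and f.encryption_in_use_not_fips:
            v.poam_items.append(f.req_id)  # deferrable as a 3-point gap
        else:
            v.must_be_met.append(f.req_id)
            v.reasons.append(f"{f.req_id} is worth {pts} points and must be fully met")

    if score < CONDITIONAL_THRESHOLD:
        v.reasons.append(f"score {score} is below the {CONDITIONAL_THRESHOLD} threshold")
    v.conditional_eligible = score >= CONDITIONAL_THRESHOLD and not v.must_be_met
    return v


# CONSTRUCTED sample results. Only NOT MET items affect the score, since a met
# requirement deducts nothing; a couple of met items are included for realism.
FOUR_ONE_POINT_GAPS = [
    Finding("AT.L2-3.2.2", 1, met=False),
    Finding("MA.L2-3.7.3", 1, met=False),
    Finding("CM.L2-3.4.9", 1, met=False),
    Finding("PE.L2-3.10.6", 1, met=False),
]
# 105 of 110 met, but MFA (a 5-point control) is NOT MET: high score, still fails.
SCENARIO_HIGH_SCORE_STILL_FAILS = [Finding("IA.L2-3.5.3", 5, met=False),
                                   Finding("AC.L2-3.1.1", 5, met=True)] + FOUR_ONE_POINT_GAPS
# Encryption in place but not FIPS-validated: deferrable as a 3-point gap.
SCENARIO_ENCRYPTION_EXCEPTION = [Finding(CUI_ENCRYPTION, 5, met=False,
                                         encryption_in_use_not_fips=True)] + FOUR_ONE_POINT_GAPS
# A single 1-point gap that happens to be a barred control (the SSP itself).
SCENARIO_BARRED_CONTROL = [Finding("CA.L2-3.12.4", 1, met=False)]


if __name__ == "__main__":
    for name, scenario in [("high score, MFA unmet", SCENARIO_HIGH_SCORE_STILL_FAILS),
                           ("non-FIPS encryption", SCENARIO_ENCRYPTION_EXCEPTION),
                           ("barred control unmet", SCENARIO_BARRED_CONTROL)]:
        v = evaluate(scenario)
        print(f"{name}: score {v.score}, conditional eligible: {v.conditional_eligible}")
        print(f"  POA&M: {v.poam_items}  blockers: {v.must_be_met}")
        for r in v.reasons:
            print(f"  - {r}")
```

Run it and the first scenario is the article's own trap: a score of 101 with a single blocker, so no conditional status. Feed it your real findings with the assessor's point values and the `must_be_met` list is the set of items to remediate before anything else.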
What a retake costs you in 2026
A failed assessment sends you back into a C3PAO queue behind everyone who booked while you were remediating. Meanwhile, primes are already asking subcontractors for documentation ahead of the Phase 2 deadline. In practical terms: your assessment slot, not just your readiness, can be the thing that locks you out. See our C3PAO wait times guide and what to do after a failed assessment.
So how do you actually fix it?
Failures are rarely about technology. The recurring causes are poor scoping, missing or generic documentation, thin evidence, and optimistic assumptions about readiness. The fix, in order: get an independent read of which findings are POA&M-eligible versus must-be-met; remediate the disqualifying controls first; reconcile your SSP and evidence so they tell one consistent story; then rebook the assessment or closeout. Critically, the firm that helps you remediate should not be the firm that assesses you.
If you failed or stalled, the fix is a different firm than the one who’ll assess you. Get matched to a readiness (RPO/MSSP) category that specializes in remediation — not a sales call.
Get matched to a readiness category →
Conditional CMMC status and the 180-day clock: the trap most people miss
If you earned Conditional Level 2, you have 180 days from your Conditional CMMC Status Date to close every POA&M item and pass a closeout assessment — and that clock does not reset as you close items. Miss it and your Conditional CMMC Status expires: the POA&M closeout path is gone, standard contractual remedies apply, and you become ineligible for new awards requiring that level until you achieve a new CMMC Status. This is spelled out in 32 CFR § 170.21(b) and § 170.17. See our full conditional CMMC Level 2 closeout guide.
- The clock starts when results are posted, not on the last day of your assessment week. The 180 days run from the Conditional CMMC Status Date — the date the assessment results are entered into SPRS or eMASS.
- It does not reset. Closing a POA&M item doesn't restart the timer. The single 180-day window covers all of it.
- You need a closeout assessment, not just remediation. For a Level 2 certification, an authorized C3PAO must perform the closeout assessment of the items you fixed. For a Level 2 self-assessment, you perform the closeout the same way you did the initial one. For Level 3, DCMA DIBCAC does it.
- Using the full window has a hidden cost. If it takes you all 180 days to close out, you've spent roughly six months of a three-year certification before you even reach Final status.
If your Conditional status expires during a contract’s period of performance, the rule warns that standard contractual remedies apply. That is not a soft deadline.
The terminology that confuses everyone: OPA vs. POA&M
Under 32 CFR § 170.4, an Operational Plan of Action (OPA) is a defined artifact for tracking temporary vulnerabilities or deficiencies — and it is not the same thing as a CMMC POA&M. The DoD reinforced this in its own FAQ: an OPA cannot be used to “rescue” a requirement that comes back NOT MET during an assessment. A NOT MET finding belongs on a formal POA&M, subject to the eligibility rules — you can’t route a late-breaking gap into an “operational process” to dodge a finding.
Working backward from your Conditional Status Date? Map your 180-day closeout plan — we’ll help you find a readiness partner for the closeout work and a C3PAO for the closeout assessment, kept properly separate.
Map your 180-day closeout plan →
What evidence should be ready before you rebook or close out?
A CMMC assessment is won or lost in the documentation long before the assessor arrives, so the single best use of your remediation window is assembling a defensible evidence package. Whether you’re recovering from a failure or racing a 180-day closeout, the assessor evaluates what you can show, not what you can say. Get these artifacts in order before you rebook.
- System Security Plan (SSP). The master document that defines your system boundary and describes how each of the 110 NIST SP 800-171 Rev. 2 requirements is implemented. It is itself a required control (CA.L2-3.12.4) and cannot be deferred.
- Scope and CUI data-flow map. Where CUI and FCI enter, live, and move; who can access them; and which assets are in scope. Under 32 CFR § 170.19, Level 2 scope includes CUI assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets.
- Asset inventory that matches the SSP and the scope map — no orphan systems the assessor can find that you didn't account for.
- SPRS score worksheet that reconciles to your actual implementation, so your SSP and your posted score tell one story.
- POA&M eligibility review — which open items are 1-point (deferrable), which are 3- or 5-point (must be met), and whether any of the six barred controls are in play.
- Control-owner evidence for each requirement: the policy, the procedure, and the proof it's operating (screenshots, logs, configurations, tickets), with a named owner.
- ESP/CSP shared-responsibility matrix. For every external service provider and cloud service provider, who is responsible for which control, and the FedRAMP status where CUI is involved.
- A named affirmation owner — the senior official who will sign the annual affirmation and can stand behind the evidence.
Is a bad or overstated SPRS score a legal problem? (False Claims Act)
Yes — and this is the most serious situation on this page. If your contract requires an SPRS score (the DoD database where NIST SP 800-171 scores are posted) and you bill on that contract, a materially inaccurate score can expose you to False Claims Act liability — with no data breach required. If a gap assessment just revealed that your real posture is far below what’s posted, stop and get counsel before you remediate or re-post anything.
The most recent case — weeks old as of this writing
In June 2026, the DOJ announced that LOGZONE, Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144 to resolve False Claims Act allegations tied to cybersecurity requirements in two Navy contracts. According to the DOJ, a DCMA assessment scored LOGZONE’s NIST SP 800-171 implementation at −170 — near the bottom of the possible range of −203 to 110. Per the settlement agreement, LOGZONE had earlier reported a perfect self-assessment score of 110. The claims are allegations only, with no determination of liability. Read the announcement on justice.gov →
It’s a pattern, not a one-off
In March 2025, MORSECORP Inc. agreed to pay $4.6 million to settle allegations that it submitted an SPRS score far higher than a third-party gap analysis later calculated, and then failed to correct it for about a year — the case was brought by the company’s own head of security as a whistleblower (justice.gov). The DOJ launched its Civil Cyber-Fraud Initiative in October 2021 to use the False Claims Act against contractors that misrepresent their cybersecurity, and it has produced a series of settlements since. See our False Claims Act CMMC risk guide.
Most contractors with an inaccurate score are not fraudsters — they trusted a bad self-assessment or an over-promising consultant. The exposure comes from knowing the score is wrong and continuing to bill on it, or ignoring a much lower third-party result. That’s precisely why the safe move — the moment you discover a gap between your posted score and reality — is to bring in counsel before you remediate, because how and when you correct the record can matter as much as the correction itself.
If your posted score may be materially wrong, this is the one situation where you call a lawyer first, not a vendor.
Talk to qualified federal-contracts counsel before you hire a remediation vendor. If you still need help identifying the right technical remediation category after that, Find My CMMC Path is here — but the legal step is not one to skip.
Find My CMMC Path →
What if you’re ready but can’t get a C3PAO slot before your deadline?
Sometimes readiness isn’t the problem — the assessor queue is. There are far fewer authorized C3PAOs than the defense industrial base will need, so scheduling has become a real constraint. The move is to line up your assessment early, verify the assessor’s authorization directly on the Cyber AB Marketplace, and confirm whether your contract’s phase actually requires a C3PAO yet.
State of the CMMC assessment ecosystem (GAO, as of late 2025 / early 2026)
| Metric | Figure | Why it matters to you |
|---|---|---|
| Authorized C3PAOs | 92 (as of December 2025) | The firms that can conduct a Level 2 certification assessment and issue a Certificate of CMMC Status |
| C3PAOs in the pipeline | 14 passed the DIBCAC assessment but aren't yet authorized; another 14 awaiting a DIBCAC assessment | Capacity is growing, but slowly |
| Credentialed assessors (CCAs) | 633, of whom 290 hold the Lead CCA designation (as of December 2025) | Assessment teams need qualified assessors, so real throughput is limited |
| Total marketplace entries | 5,300+ organizations and individuals (as of January 2026) | Most are consultants and RPOs — not authorized assessors |
| Size of the defense industrial base | ~200,000 companies, roughly three-quarters small businesses | Tens of thousands are expected to need Level 2, against fewer than 100 authorized assessors |
As of , ISACA fully assumed the role of the CMMC Assessor and Instructor Certification Organization (CAICO), which handles assessor and instructor credentials, while the Cyber AB continues to oversee the marketplace and C3PAO authorization.
Two things to do this week if the slot is your problem: First, verify any prospective assessor’s status yourself at cyberab.org — an assessment by an unauthorized firm doesn’t count. Second, confirm whether you actually need a C3PAO yet. Through Phase 1, Level 2 self-assessments satisfy most applicable contracts. See our guide to finding and verifying an authorized C3PAO.
Ready and just need the assessment? If you’re not sure you’re ready, start with readiness first — booking an assessment you’ll fail only burns your slot.
Check assessment readiness →
Who actually fixes this? RPO vs. MSSP vs. C3PAO vs. GRC vs. CUI enclave
The “rescue” provider you need is set by your situation: readiness, remediation, SSP, POA&M, and SPRS work come from an RPO or MSSP; formal certification comes from a C3PAO; evidence and workflow help come from a GRC platform; and reducing what’s in scope comes from a CUI enclave. The one rule that overrides everything: the firm that prepares you generally cannot be the firm that assesses you. Confusing those two roles is the most common and costly procurement mistake we see. See our full CMMC provider categories guide.
The Provider Category Rescue Map
| Provider category | Best rescue use | Not the right call for | Verify before hiring | The artifact you should receive |
|---|---|---|---|---|
| RPO / RP (Registered Provider Organization / Registered Practitioner) | Scope, SSP, POA&M strategy, evidence, readiness planning, executive guidance | Issuing a CMMC certificate | Cyber AB Marketplace listing if they claim RPO/RP status; concrete deliverables; conflict disclosure | A scoped SSP, evidence register, and POA&M eligibility memo |
| MSP / MSSP (Managed Service Provider / Managed Security Service Provider) | Implementing and running technical controls: identity, endpoint, logging, access, network, backups, security operations | Interpreting your contract or performing the formal assessment | DIB/CMMC experience; who owns the architecture; evidence deliverables, not just tools | A shared-responsibility matrix and control-by-control evidence |
| vCISO / security engineering | Control ownership, governance, security roadmap, executive risk decisions | Formal certification | Named deliverables; reporting cadence; independence from whoever will assess you | A governance model and control-owner assignments |
| GRC platform (Governance, Risk, and Compliance software) | Evidence inventory, control mapping, SSP/POA&M workflows, assessment-package readiness | Being your entire CMMC solution — software alone does not implement controls | Exportability; mapping to NIST SP 800-171 Rev. 2; evidence retention and access control | An exportable, mapped evidence package |
| CUI enclave / secure collaboration | Reducing CUI scope, controlled file sharing and email, enclave strategy | Solving every enterprise-wide obligation automatically | The boundary; out-of-scope claims; how users work; ESP/CSP roles | An enclave boundary diagram and scoping rationale |
| GCC High / AWS GovCloud implementer | Cloud migration, identity, device management, logging, collaboration architecture for CUI | Certification by tool purchase alone | FedRAMP/CSP shared responsibility; customer-configured controls; the evidence they leave you | A configured environment with a documented control matrix |
| C3PAO (Certified Third-Party Assessment Organization) | The formal Level 2 certification assessment — when you're assessment-ready | Building and remediating your program and then assessing the same work | Authorized/accredited status on the Cyber AB Marketplace; scope; schedule; conflict boundaries | A certification assessment and Certificate of CMMC Status |
| Federal-contracts attorney | Clause interpretation, flow-down disputes, representations, false-score exposure | Technical remediation | Federal contracts and CMMC/DFARS experience; privilege boundaries | A counsel-reviewed communication and disclosure plan |
The conflict rule you cannot ignore
CMMC keeps preparation and assessment separate on purpose. The Cyber AB publishes and enforces a Code of Professional Conduct, and a C3PAO cannot assess an environment where it (or its assessors, affiliates, or subcontractors) provided the consulting that could compromise independence. Do not hire one firm expecting it to both remediate your environment and certify it. Require written conflict disclosure, and verify whether anyone on the assessment team had a hand in your readiness work.
A panicked contractor’s instinct is to call the assessor and ask them to “just get us through it.” An honest assessor will decline to also be your fixer. If a firm agrees to do both on the same engagement, they are either misunderstanding the rules or ignoring them — and either way, your certification is at risk.
Not sure which category you need first? Run Find My CMMC Path and we’ll match your situation to the right category — readiness, MSP/MSSP, GRC, enclave, C3PAO, or attorney — before you talk to a single vendor. Send us where you’re stuck, not your CUI or contract details.
Run Find My CMMC Path →
Why your contract’s clause numbers changed in 2026 — and why it doesn’t get you off the hook
If you’re seeing unfamiliar DFARS clause numbers, that’s the Revolutionary FAR Overhaul (RFO), a governmentwide effort to streamline acquisition regulations that DoD began implementing through class deviations effective . The clauses that carry your core CMMC obligations — DFARS 252.204-7012 and 252.204-7021 — did not change, and neither did what you actually have to do. We read the DoD’s own class-deviation listing at acq.osd.mil to confirm the specifics.
- The standalone “Basic” NIST SP 800-171 self-assessment provision is being removed. The separate self-assessment-and-SPRS-posting mechanism that lived at DFARS 252.204-7019 is folded into the CMMC framework.
- The DoD Assessment Requirements clause is relocated to deviation numbering — DFARS 252.240-7997. The revised clause drops the “Basic” concept and defines only Medium and High assessments, both performed by the government.
- The FAR “Basic Safeguarding” clause content moves to deviation numbering — FAR 52.240-93 (still the basis for CMMC Level 1’s 15 requirements).
- This is happening by class deviation, not by final rulemaking. The legacy clause numbers (DFARS 252.204-7019 and 252.204-7020) still appear in the codified regulations and in existing contracts. Expect to see both old and new numbers during the transition.
- DFARS 252.204-7012 and 252.204-7021 are unchanged. Safeguarding, 72-hour incident reporting, and the CMMC certification requirement remain in full effect.
The numbers may be a relabeling, but the obligation is not a reprieve. You still must implement all 110 NIST SP 800-171 Rev. 2 requirements, maintain an SSP, report incidents within 72 hours, and keep an accurate score in SPRS.
And yes — it’s still Revision 2, not Revision 3
CMMC Level 2 still maps to NIST SP 800-171 Revision 2 — the 110 requirements across 14 control families. NIST published Revision 3 in May 2024, and GAO confirms DoD has not yet updated the CMMC program to incorporate it. Assessors are trained on Rev. 2, and SPRS scoring runs on Rev. 2. If a vendor is telling you to rebuild your whole program for Rev. 3 to “get compliant,” that’s not the current requirement. You can confirm the standard at NIST CSRC.
What should happen in the first 48 hours of a CMMC rescue?
The first 48 hours should reduce risk, not create new promises. Freeze any unsupported “compliant” or “certified” claims, gather the non-sensitive facts, confirm the clause and level, sketch your CUI scope, and inventory your SSP, score, and evidence — then decide which provider category to engage first. Nothing here requires spending money, and all of it makes your eventual quotes cheaper and more comparable.
| Window | Action | What you produce |
|---|---|---|
| 0–4 hrs | Freeze unsupported "certified/compliant" claims internally and externally | An internal rule: no new status representations until verified |
| 0–4 hrs | Capture the contract or prime request — without uploading CUI | A one-page requirement summary (clause, level, deadline basis) |
| 4–8 hrs | Identify required level, assessment type, and any CAGE/UEI/CMMC UID expectations | A requirement brief |
| 8–16 hrs | Map FCI/CUI, systems, users, ESPs/CSPs, and what's plausibly out of scope | A draft scope map |
| 16–24 hrs | Inventory SSP, current score, evidence, POA&M, and prior consultant deliverables | A rescue evidence ledger |
| 24–36 hrs | Identify non-deferrable blockers (3- and 5-point gaps; the six barred controls) | A blocker matrix |
| 36–48 hrs | Choose the provider category and assemble a non-sensitive quote packet | A provider-category decision |
What to send a provider — and what to never send
Providers can scope the work accurately from high-level facts. Give them: your required level, the deadline, your current assessment type, a general description of your FCI/CUI, the rough number of users and systems in scope, your cloud/IT environment, and the current state of your SSP, score, and evidence.
Never send — in an email, a form, or a shared drive — CUI, controlled technical information, drawings, export-controlled files, credentials, full network diagrams, vulnerability reports, customer contract attachments, proprietary source code, or sensitive incident data.
Turn your situation into an action plan in a few minutes. Start Find My CMMC Path — no CUI, no drawings, category match first.
Start Find My CMMC Path →
What can realistically be fixed in 30, 60, or 90 days — and what can’t be rushed?
A rescue timeline depends on your starting maturity, your CUI scope, the size of your control gaps, the quality of your evidence, and how much scope you can safely reduce. Thirty days is often enough to stabilize scope and documentation; 60 to 90 days can support serious remediation if your environment is already close. What no honest provider can promise is valid Level 2 certification against an arbitrary date without first reviewing your scope, SSP, score, and evidence.
| Window | Realistic focus | Not realistic to promise |
|---|---|---|
| First 30 days | Verify the clause; correct scope; plan the SSP rebuild; inventory evidence; review POA&M eligibility; pick a provider category | Certification if major controls are missing |
| 31–60 days | Priority remediation; implement technical controls; clean up evidence; assign control owners; validate the score | Passing a formal assessment without mature evidence |
| 61–90 days | Readiness review; decide on C3PAO scheduling; prepare the executive affirmation; finalize the evidence package if mature | Overcoming a barred-control gap with paperwork alone |
A word on cost, because you’ll ask
DoD’s own cost estimates for CMMC assessments, cited by GAO, range from about $4,000 to roughly $118,000 depending on the assessment type — a Level 1 self-assessment sits at the low end, and a third-party Level 2 (C3PAO) certification assessment sits well above it. That range is the assessment itself. Readiness and remediation are separate and vary too much to quote generically. Our CMMC Level 2 cost guide goes deeper.
How do you avoid getting burned by a second CMMC rescue provider?
A trustworthy rescue provider will tell you what source controls the requirement, what category of work they do, what they will and won’t deliver, how they handle CUI, and whether they have any assessment conflict. Do not hire a second provider who can’t produce a source-backed scope, a deliverables list, an evidence plan, and a conflict disclosure.
Rescue-provider red flags
- "We can get you certified fast" without reviewing your scope
- No discussion of the contract clause or required level
- No CUI boundary work
- No SSP or evidence deliverables — just a dashboard
- No analysis of POA&M eligibility
- Any claim that buying a tool equals compliance
- No "do not submit CUI" warning in their intake
- Vague "Cyber AB preferred" or government-affiliation language
- The same firm blurring readiness and the formal assessment
- No named owner for your score and affirmation evidence
What a real rescue quote should include
Provider category; scope assumptions; deliverables; explicit exclusions; timeline assumptions; evidence outputs; CUI handling process; required tools or software; conflict disclosure; Cyber AB Marketplace status where relevant; any referral or compensation disclosure; and clear exit criteria.
The CMMC Rescue Quote Normalizer
Run every bid through the same columns and the comparison gets honest fast. Copy this into a spreadsheet and fill one row per provider. If a provider won’t fill it in, that’s your answer.
| Provider | Category | Scope assumptions | Deliverables | Exclusions | Timeline | Evidence outputs | CUI handling | Status / marketplace claim | Conflict disclosure | Price |
|---|---|---|---|---|---|---|---|---|---|---|
| — | — | — | — | — | — | — | — | — | — | — |
Compare categories before you compare vendors. Send only non-sensitive scope details through Find My CMMC Path, and we’ll help you map your situation to the provider category you should evaluate first.
What should you tell your prime, contracting officer, or customer while rescue is underway?
Communicate verified facts, not status claims you can’t support. State the clause you’re responding to, your current assessment or status position, your remediation path, and the evidence you’re building. For anything touching a contractual commitment, a flow-down dispute, or a formal representation, involve a qualified federal-contracts attorney before you put it in writing.
- Don’t say “certified” unless your status supports it.
- Don’t say “compliant” if your score or evidence doesn’t back it.
- Don’t send screenshots that misrepresent your scope or score.
- Keep CUI out of email and forms unless it’s authorized and properly protected.
- Keep technical remediation separate from legal representations.
Careful, non-CUI status update you can adapt (have counsel review before use as a contractual communication):
“We are reviewing the applicable CMMC/DFARS requirement, the required level, the assessment type, our FCI/CUI scope, and our current status record. We are validating our SSP and evidence package, and confirming POA&M eligibility, before making further status representations. We can provide a non-sensitive remediation timeline once that verification is complete.”
What we actually verified for this guide
We built this page from primary and authoritative CMMC sources — the regulation, the DoD, NIST, the DOJ, GAO, and the Cyber AB — not from vendor marketing. Here’s what we read, and when.
- Read 32 CFR § 170.21 and § 170.17 directly for the conditional-status score threshold, the POA&M point-value rules, the six barred controls, and the 180-day closeout — verified .
- Read the DFARS 252.204-7025 provision and 252.204-7021 clause on Acquisition.gov — verified .
- Confirmed the four-phase timeline against the DoD’s CMMC materials and the Federal Register acquisition rule — verified .
- Read the DOJ press releases for the LOGZONE settlement ($507,144, June 2026) and the MORSECORP settlement ($4.6 million, March 2025) — verified .
- Reviewed the DoD’s DFARS class-deviation listing for the Revolutionary FAR Overhaul changes — verified .
- Drew the C3PAO/assessor counts from GAO-26-107955 (published March 12, 2026); the ecosystem grows monthly, so re-verify against the Cyber AB Marketplace — verified .
- Confirmed CMMC Level 2 still maps to NIST SP 800-171 Revision 2 via NIST CSRC and GAO — verified .
Frequently asked questions
Are CMMC rescue services official CMMC assessments?
No. CMMC rescue services are readiness, remediation, scoping, documentation, evidence, technical implementation, or contract-risk triage. A formal Level 2 certification assessment is performed only by an authorized or accredited C3PAO under the Cyber AB CMMC Assessment Process, as established in 32 CFR Part 170.
Can a CMMC consultant certify my company?
No. No consultant, RPO/RP, MSP, MSSP, GRC platform, or CUI enclave provider can issue a CMMC certificate. They can prepare, remediate, document, and organize your evidence. Only an authorized or accredited C3PAO can conduct the formal Level 2 certification assessment, and — by conflict-of-interest rules — the firm that prepared you generally cannot be the one that assesses you.
Can a POA&M save a failed CMMC Level 2 assessment?
Only in limited cases. Under 32 CFR § 170.21, you can earn Conditional Level 2 status only if your score is at least 88 out of 110 and every POA&M item is worth 1 point (with one narrow encryption exception). Requirements worth 3 or 5 points, plus six specifically named controls, must be fully met — so if your gaps include those, a POA&M is not a rescue path.
How long do I have to close a POA&M?
180 days from your Conditional CMMC Status Date, and the clock does not reset as you close items. If you don’t pass a closeout assessment within that window, your Conditional CMMC Status expires: the POA&M closeout path is gone, standard contractual remedies apply, and you’re ineligible for new awards requiring that level until you achieve a new CMMC Status (32 CFR § 170.21(b)).
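The two answers above (POA&M eligibility under 32 CFR § 170.21 and the 180-day closeout clock) reduce to a small decision rule. The script below is an added example, not tooling from The Defense Compliance Report or from DoD: it takes a constructed list of NOT MET requirements with their assessment point weights, computes the resulting score out of 110, tells you whether Conditional Level 2 status is even reachable, and projects the closeout deadline from a Conditional CMMC Status Date. The barred-control identifiers are the author's reading of § 170.21(a)(2) and must be verified against the rule text; the narrow encryption exception the rule carves out is deliberately not modelled, so the encryption control is treated like any other barred control here. Sample requirement IDs prefixed `SAMPLE-` are constructed for illustration.

```python
"""Conditional Level 2 eligibility and POA&M closeout check (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110             # 110 requirements in NIST SP 800-171 Rev. 2
CONDITIONAL_MIN_SCORE = 88  # minimum score for Conditional Level 2 (32 CFR 170.21)
CLOSEOUT_DAYS = 180         # closeout window; it does not reset as items close

# Requirements that may never sit on a POA&M, regardless of point weight.
# ASSUMPTION: identifiers taken from the author's reading of 32 CFR 170.21(a)(2);
# verify against the rule before relying on this list.
BARRED_CONTROLS = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
    "SC.L2-3.13.11",  # encryption; the rule's narrow exception is NOT modelled
})

VALID_WEIGHTS = (1, 3, 5)   # DoD Assessment Methodology point values


@dataclass(frozen=True)
class Gap:
    """One NOT MET requirement and its assessment weight."""
    req_id: str
    points: int

    def __post_init__(self):
        if self.points not in VALID_WEIGHTS:
            raise ValueError(f"{self.req_id}: weight must be one of {VALID_WEIGHTS}")


def sprs_score(gaps):
    """Score starts at 110 and loses each unmet requirement's weight."""
    return MAX_SCORE - sum(g.points for g in gaps)


def conditional_eligibility(gaps, barred=BARRED_CONTROLS):
    """Return (eligible, reasons).

    Eligible means every remaining gap can legally sit on a POA&M: the score is
    at least 88, every gap is a 1-point item, and none is a barred control.
    """
    reasons = []
    score = sprs_score(gaps)
    if score < CONDITIONAL_MIN_SCORE:
        reasons.append(f"score {score} is below the {CONDITIONAL_MIN_SCORE} threshold")
    for g in gaps:
        if g.points != 1:
            reasons.append(f"{g.req_id} is worth {g.points} points and must be fully met")
        if g.req_id in barred:
            reasons.append(f"{g.req_id} is barred from a POA&M regardless of weight")
    return (not reasons, reasons)


def closeout_deadline(conditional_status_date):
    """Last day to pass the closeout assessment for a given Conditional CMMC Status Date."""
    return conditional_status_date + timedelta(days=CLOSEOUT_DAYS)


def days_remaining(conditional_status_date, today):
    """Days left on the closeout clock; negative means the status has expired."""
    return (closeout_deadline(conditional_status_date) - today).days


if __name__ == "__main__":
    # Constructed sample: two 1-point gaps plus one 5-point gap and one barred control.
    sample = [
        Gap("SAMPLE-1PT-A", 1),
        Gap("SAMPLE-1PT-B", 1),
        Gap("SAMPLE-5PT-MFA", 5),
        Gap("AC.L2-3.1.20", 1),
    ]
    ok, why = conditional_eligibility(sample)
    print(f"score: {sprs_score(sample)}/{MAX_SCORE}, conditional eligible: {ok}")
    for r in why:
        print("  -", r)
    status_date = date(2026, 1, 15)  # constructed Conditional CMMC Status Date
    print("closeout deadline:", closeout_deadline(status_date))
    print("days remaining on 2026-07-01:", days_remaining(status_date, date(2026, 7, 1)))
```

Run it as-is and the sample fails eligibility twice even though its score (102) clears the threshold: the 5-point item must be fully met, and AC.L2-3.1.20 is barred despite being a 1-point item. That is the point the FAQ makes: a POA&M is decided by which controls are open, not only by the score.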
Can a wrong SPRS score really cause a legal problem?
Yes. If a contract requires an SPRS score and you bill on that contract, a materially false score can expose you to False Claims Act liability — no breach required. In June 2026, defense contractor LOGZONE agreed to pay $507,144 to resolve such allegations after a DCMA assessment scored its implementation at −170 (DOJ). If your posted score may be inaccurate, consult a federal-contracts attorney before you remediate.
Do I need a C3PAO right now, or is a self-assessment enough?
It depends on your contract’s phase and clause. Through Phase 1, which runs to , Level 2 self-assessments satisfy most applicable contracts, and contracting officers have discretion to require a C3PAO on select ones. Beginning in Phase 2 on , DoD plans to require Level 2 C3PAO certification in applicable CUI contracts — but the specific solicitation still controls, so check the clause in yours.
Why did my DFARS clause numbers change in 2026?
The Revolutionary FAR Overhaul, implemented through DoD class deviations effective , removed the standalone “Basic” self-assessment provision, relocated the DoD Assessment Requirements clause to deviation numbering (DFARS 252.240-7997), and moved the FAR “Basic Safeguarding” content to 52.240-93. Because this is by deviation ahead of formal rulemaking, the legacy numbers (DFARS 252.204-7019 and 252.204-7020) still appear in the codified regulations and existing contracts. Your core obligations didn’t change — DFARS 252.204-7012 and 252.204-7021 remain in effect (DoD class-deviation listing).
Is CMMC Level 2 on NIST 800-171 Revision 2 or Revision 3?
Revision 2. CMMC Level 2 maps to the 110 requirements in NIST SP 800-171 Rev. 2 across 14 control families. NIST published Rev. 3 in May 2024, but the current CMMC rule and SPRS scoring still run on Rev. 2, and assessors are trained on Rev. 2. Treat Rev. 3 as future planning, not today's requirement.
How much does a CMMC assessment cost?
DoD's own estimates, cited by GAO, put CMMC assessment costs between roughly $4,000 and $118,000 depending on the assessment type — a Level 1 self-assessment at the low end and a third-party Level 2 (C3PAO) certification assessment well above it. That is the assessment itself; readiness and remediation are separate and vary widely. Confirm current pricing directly with an authorized C3PAO.
What if I can't get a C3PAO slot before my deadline?
Line up your assessment early and verify the assessor’s authorization on the Cyber AB Marketplace. GAO reported 92 authorized C3PAOs as of December 2025 against a defense industrial base of roughly 200,000 companies, so scheduling can be a real constraint. Also confirm whether your contract’s phase actually requires a C3PAO yet — through Phase 1, a self-assessment may still be sufficient.
What should I submit through Find My CMMC Path?
Only non-sensitive details: your required level, general scope, timeline, current status, cloud or IT environment, and where your project is stuck. Never submit CUI, drawings, controlled technical information, credentials, contract attachments, or sensitive customer data.
Is The Defense Compliance Report affiliated with the Cyber AB or DoD?
No. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.
Get the right kind of help — in the right order
Rescue is a sequence, not a scramble. Confirm what your contract actually requires. Find out what your posted score is really based on. Learn whether your gaps are fixable by a POA&M. If your score may be wrong, call a lawyer before you touch it. If you need an assessment, get on a calendar early — and if you’re not ready, fix that first so you don’t burn your slot.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Start with Find My CMMC Path.
Keep reading
- Failed CMMC assessment: what to do next
- Conditional CMMC Level 2 certificate: POA&M closeout guide
- False Claims Act CMMC risk: what contractors need to know
- CMMC gap assessment services: what they include and cost
- SSP and POA&M services guide
- CMMC scoping guide: CUI, FCI, and asset categories
- C3PAO wait times and assessment backlog (2026)
- SPRS score: how it works and what to do if yours is wrong
- CMMC phases and deadlines
- CMMC Level 2 cost breakdown
- Find My CMMC Path
- My CMMC MSP Went Out of Business: 72-Hour Recovery Plan