
How Long Does CMMC Certification Take?

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

Last verified: June 15, 2026. Source basis: 32 CFR Part 170, DFARS 252.204-7021, DFARS 252.204-7025, FAR 52.204-21, NIST SP 800-171 Revision 2, NIST SP 800-172, and the Cyber AB Assessment Process. Educational research — not legal, contractual, or compliance advice. We are not affiliated with the Department of Defense, the Cyber AB, or any U.S. government agency.

How long does CMMC certification take? For most defense contractors pursuing a Level 2 (C3PAO) certification — the path an authorized third-party assessor signs off on — plan on 6 to 18 months, from the day you start scoping to the day your result posts to the government’s contractor database (SPRS). Level 1, the lightest path, can be done in weeks. Level 3, the heaviest, runs well past a year. Your real number turns on three things: the level your contract requires, how ready you are when you start, and how long it takes to get an assessor on your calendar.

Here’s the part that blows up almost every timeline, and the reason vendor promises sound better than they pan out: the assessment itself is the shortest part of the whole thing. The audit takes days. Getting ready for it takes months. And once you pass, staying certified is a three-year commitment with a check-in every year. Below, we break down the real clock for each path — with every rule-based number sourced to the regulation that controls it, and every planning estimate labeled as what it is.

CMMC certification timeline at a glance

1. Scope FCI/CUI
2. Gap Assessment
3. Remediation
4. SSP & Evidence
5. Self or C3PAO
6. SPRS Status
7. Annual Affirmation

CMMC path | Fastest realistic | Common range | Starting from scratch | What usually controls the clock
Level 1 (Self) | 2–6 weeks | 1–2 months | 2–3+ months | Confirming FCI-only scope; basic safeguards documented
Level 2 (Self) | 1–3 months | 3–6 months | 6–12 months | The 110 requirements, an accurate SSP, your SPRS score
Level 2 (C3PAO) | 3–6 months | 6–12 months | 9–18+ months | Scope, remediation, evidence, and the assessor's calendar
Level 3 (DIBCAC) | 6–12+ months after Final Level 2 | 12+ months after Final Level 2 | Not a cold-start path | A passing Level 2 (C3PAO) result must come first

The fastest/common/cold-start columns are DCR editorial planning ranges for budgeting and leadership conversations — not government guarantees or vendor quotes. The regulation sets the assessment requirements, the status cycles, the annual affirmation, and the closeout windows; your actual timeline depends on scope, maturity, and evidence.


Which “how long” are you actually asking?

There are three different timelines hiding inside “how long does CMMC certification take,” and confusing them is the single most expensive mistake we see. The assessment is measured in days. Getting ready for it is measured in months. And the certificate’s validity is measured in years — three of them, with an annual affirmation in between.

The assessment clock (days). The active Level 2 third-party assessment — interviews plus evidence review — is often measured in days; for a small-to-mid-size scope, practitioners commonly report 3 to 5 business days. That's the part everyone pictures. It's the smallest slice.

The readiness clock (months). Scoping, closing control gaps, writing a System Security Plan (SSP), gathering evidence, and a practice run. This is where 80%+ of your calendar goes, and it's the part you actually control.

The validity clock (years). Once earned, a Final Level 2 or Level 3 certification is valid for three years, and your Affirming Official has to file an annual affirmation of continued compliance in between. CMMC is not a one-and-done.

For more on the steps themselves, see our CMMC certification process guide.

How long does CMMC certification take by level?

CMMC has three levels, and the level your contract names is the first thing that sets your clock. Level 1 (for Federal Contract Information only) is the shortest path because it covers the fewest requirements and you assess yourself. Level 2 (for Controlled Unclassified Information) is the timeline most contractors are really asking about, and it splits into a self-assessment path and a third-party path. Level 3 is not a starting point — the rule requires you to hold a passing Final Level 2 (C3PAO) status first.

Key definitions: FCI (Federal Contract Information) — triggers Level 1. CUI (Controlled Unclassified Information) — triggers Level 2 (or Level 3). C3PAO — a company authorized or accredited by the Cyber AB to perform official Level 2 assessments. DIBCAC — the DCMA body that runs Level 3 assessments.

The DCR CMMC certification timeline matrix

This separates what the rule fixes from what your maturity drives, across all four paths.

CMMC path | When it applies | Who assesses | Official baseline | Fixed rule clock | If mature | If partial | If cold start | First move
Level 1 (Self) | FCI only | You (self-assessment) | FAR 52.204-21 (15 basic safeguarding requirements) | Annual self-assessment + annual affirmation; no POA&Ms allowed | 2–6 wks | 1–2 mo | 2–3+ mo | Confirm FCI-only scope; document the 15 safeguards
Level 2 (Self) | CUI, where contract allows self-assessment | You (self-assessment) | NIST SP 800-171 Rev. 2 (110 requirements) | Every 3 years + annual affirmation; Conditional status can require 180-day POA&M closeout | 1–3 mo | 3–6 mo | 6–12 mo | Run a real 110-requirement gap assessment before buying tools
Level 2 (C3PAO) | CUI, where contract requires third-party assessment | An authorized/accredited C3PAO | NIST SP 800-171 Rev. 2 (110 requirements) | Every 3 years + annual affirmation; Conditional status can require 180-day POA&M closeout | 3–6 mo | 6–12 mo | 9–18+ mo | Get readiness help before booking the assessment if evidence is thin
Level 3 (DIBCAC) | Most sensitive CUI / highest-risk programs | DCMA DIBCAC (government) | Final Level 2 (C3PAO) first, then 24 selected from NIST SP 800-172 | Every 3 years + annual affirmation; requires a Final Level 2 (C3PAO) first and every 3 years to maintain | 6–12+ mo after Final L2 | 12+ mo after Final L2 | Not a cold-start path | Confirm the Level 3 requirement; build from a Final Level 2 base

Methodology: the “official baseline” and “fixed rule clock” columns are sourced to 32 CFR Part 170, FAR 52.204-21, and NIST. The maturity ranges are DCR editorial planning estimates, not regulation-stated durations.

Two common factual errors on competing pages: Level 1 maps to FAR 52.204-21’s 15 basic safeguarding requirements — not 17. And CMMC Level 2 maps to NIST SP 800-171 Revision 2, not Revision 3. Revision 3 was finalized in May 2024, but DoD has not adopted it into CMMC. Build your program against Rev. 2 today.

Level 1: weeks to a couple of months

Level 1 is the fastest CMMC path because it applies only to FCI, covers 15 basic safeguarding requirements from FAR 52.204-21, and is satisfied by an annual self-assessment plus an affirmation — no third party required. A company that already runs basic IT hygiene (access control, antivirus, patching) and can document it might finish in two to six weeks. One hard rule: Level 1 does not allow POA&Ms — every requirement must be met at the time you self-assess. Compare paths at CMMC Level 1 vs Level 2.

Level 2 (Self): a few months, even though you grade your own work

Level 2 (Self) applies when a contract permits a self-assessment for CUI, and it still maps to all 110 requirements in NIST SP 800-171 Rev. 2 — the word “self” does not make it lightweight. Plan three to six months for a typical contractor; the long poles are an SSP that matches reality, a defensible SPRS score, and evidence for each requirement. You assess yourself, post results to SPRS, and submit an affirmation. The distinction between self and C3PAO is set by the contract clause, not your preference. See RPO vs C3PAO: which do you need?

Level 2 (C3PAO): the 6-to-18-month path most people mean

When people ask how long CMMC certification takes, they almost always mean Level 2 with a C3PAO assessment, and for most contractors that’s a 6-to-18-month project. A mature, well-scoped organization with a small cloud enclave can reach assessment in roughly three to six months; a cold-start company handling CUI across on-prem systems should plan nine to eighteen-plus. When the assessment is done, the C3PAO enters the result into the government’s eMASS system, which flows into SPRS — and that SPRS entry is the deliverable your contracting officer checks. See the full CMMC levels breakdown.

Level 3: an advanced path, not a first project

Level 3 is for the most sensitive CUI and is assessed by the government’s DIBCAC, but you cannot start it cold — the rule requires a Final Level 2 (C3PAO) status for the Level 3 scope first. On top of the 110 Level 2 requirements, Level 3 adds 24 selected requirements from NIST SP 800-172, and you have to keep a Level 2 (C3PAO) assessment current every three years to maintain Level 3. Treat it as a second program that begins after Level 2 maturity — generally 18–24+ months from a standing start.

How long does CMMC Level 2 certification take, step by step?

A Level 2 (C3PAO) timeline is the sum of eight or nine phases, and only one of them is the assessment. The phases are: confirm the requirement, scope your CUI, run a gap assessment, remediate, build the SSP and evidence, do a readiness (mock) assessment, schedule the C3PAO, get assessed, and — if you don’t earn a perfect score — close out a POA&M. Where you land in 6–18 months depends almost entirely on how much of the work is already done when you start.

Phase | What happens | Mature program | Partial / some gaps | Cold start
1. Confirm the requirement | Identify level, assessment type, deadline, SPRS/CAGE access | a few days | 1–2 wks | 1–2 wks
2. Scope FCI/CUI | Map assets, users, systems, data flows, external providers | 1–2 wks | 2–4 wks | 4–6 wks
3. Gap assessment | Measure current state against the 110 requirements | 2–3 wks | 4–8 wks | 2–6 mo
4. Remediation | Implement and fix the missing controls (the long pole) | 4–8 wks | 3–6 mo | 6–12+ mo
5. SSP + evidence | Write an SSP that matches reality; collect artifacts | 2–4 wks | 4–8 wks (often parallel) | 8–12 wks
6. Readiness / mock | Validate evidence before the real thing | 1–2 wks | 2–4 wks | 3–5 wks
Readiness subtotal | (phases 1–6) | ~3–4 months | ~7–11 months | ~12–18 months
7. Schedule the C3PAO | Reserve an assessment slot (see the queue section) | varies | varies | varies
8. The assessment | Interviews, evidence review, findings, report | often 3–5 days | often 3–5 days | 5+ days
9. Closeout (if needed) | Convert Conditional to Final | up to 180 days | up to 180 days | up to 180 days

The pattern is consistent across every credible source and our own read of the rule: remediation is the long pole, and scoping is the most underestimated phase. Companies routinely discover that CUI lives in more places than they thought — email, file shares, a vendor’s system, an engineer’s laptop — and every place you find it either has to be secured or pulled out of scope.

What actually controls your CMMC timeline?

Your timeline is governed by three forces at once: the rules that are fixed by regulation, the readiness work you control, and the market reality of assessor availability. The fixed rules — three-year cycles, annual affirmations, the 180-day closeout — are the same for everyone. The readiness work is where you have the most leverage. The C3PAO calendar is the one that surprises contractors who wait until they’re “ready” to start looking.

Where it slips | What it sounds like internally | Why it costs time | The fix
Scope is fuzzy | "CUI is probably just in that one folder." | Scope expands mid-project; you can't assess what you can't define | Map CUI data flows and users before buying anything
The SSP is a template | "We have an SSP from a consultant." | Assessors test the real system, not the document; mismatches read as gaps | Rewrite the SSP around how work actually happens
Evidence is talk, not artifacts | "We can explain it on the call." | A Level 2 assessment runs on objective evidence, not narration | Build an evidence library by control family
Identity / logging gaps | "We need to roll out MFA and central logging." | Technical controls take time to deploy and validate | Prioritize IAM, MFA, and logging early
External provider blind spot | "Our MSP handles that." | Shared responsibility has to be documented, not assumed | Build a responsibility matrix for every external provider
C3PAO booked late | "We'll call one when we're ready." | A slot may be months out; ready doesn't mean assessed | Start C3PAO conversations once your readiness path is credible

Cloud and external provider note: If a cloud service processes, stores, or transmits your CUI, it generally has to be FedRAMP Authorized at Moderate (or higher), or meet FedRAMP Moderate equivalency under DoD policy. Any external service provider (ESP) that handles part of your environment has to be documented in your SSP with a Customer Responsibility Matrix, and those in-scope services get assessed alongside yours. See GCC High and CMMC for enclave options.

The single biggest lever on your timeline is starting readiness now and getting in a C3PAO queue before you’re fully ready.


How long does the C3PAO assessment itself take — and is the assessor shortage real?

In practice, the active C3PAO assessment is often measured in days — practitioners commonly report 3 to 5 business days for a small-to-mid-size scope — while the full engagement, counting scheduling, document submission, the assessment days, and the final report, usually spans a few weeks. Neither 32 CFR Part 170 nor the Cyber AB assessment process sets a fixed number of assessment days; they define phases, and a bigger or more complex scope takes longer.

Two mechanics from the rule are worth knowing. First, after the active assessment ends, an assessor may re-evaluate a requirement that was scored NOT MET — during the assessment and for up to 10 business days afterward — if additional evidence shows it’s actually MET, the change doesn’t undercut other requirements already scored MET, and the final Assessment Findings Report hasn’t been delivered yet. Source: 32 CFR 170.17. Second, the Cyber AB’s published process runs in phases — preliminary contracting, pre-assessment, assessment, findings and reporting, and final status or POA&M closeout — not on a fixed-day schedule.

The honest answer on the “assessor shortage”

The capacity numbers are real, and they’re tight. According to Cyber AB Town Hall briefings in early 2026, there were roughly 100 authorized C3PAOs and roughly 750 credentialed assessors (CCAs), against a Defense Industrial Base where tens of thousands of companies will eventually need Level 2. By that reporting, only around 1,000 organizations had achieved Level 2 certification — keeping DIB readiness near 1%. Industry reporting through early-to-mid 2026 described C3PAOs booking six to nine months out, with some waitlists exceeding a year, while nearer-term scheduling was reported in the 4-to-12-week range. Confirm current counts at the live Cyber AB Marketplace and lead times with the C3PAO directly. See also how to find an authorized C3PAO.

DCR editorial analysis: based on reported assessor counts and monthly certification throughput, the binding constraint right now looks at least as much like DIB readiness as assessor availability. With several hundred credentialed assessors and only a few hundred certifications issued per month, there appears to be more assessor capacity than there are companies showing up ready to be assessed. In plain terms: the contractors who stall usually aren’t stuck waiting for an assessor — they’re stuck finishing their SSP and evidence.

One current-events note: as of April 2026, ISACA fully assumed the CAICO role — administering the assessor and instructor credentials (CCP, CCA, Lead CCA, and the instructor track) — while the Cyber AB continues to run the Marketplace and C3PAO accreditation. If you’re vetting an assessor, the Marketplace is still the only ground truth for who’s authorized or accredited.

What a C3PAO cannot promise you: No C3PAO can guarantee you’ll pass. Neither the Cyber AB nor DoD is a party to the private contract between you and your assessor, and a legitimate assessment agreement won’t include guarantees or bonuses tied to a certification outcome. Any provider implying a guaranteed pass is a provider to walk away from.

What if you only earn Conditional CMMC status?

A Level 2 assessment has three possible outcomes, and only two of them keep you moving: a perfect score earns Final status, a near-passing score with eligible gaps earns Conditional status, and anything below the bar means no certification for that result. Conditional status gives you a 180-day window to finish the job — it is not a way to defer serious control gaps.

Outcome | What triggers it | What happens next
Final Level 2 (C3PAO) | A perfect implementation (score of 110) | You're certified; the three-year clock starts
Conditional Level 2 (C3PAO) | A weighted score of at least 80% with only POA&M-eligible items still open | You get 180 days to close every POA&M item and pass a closeout assessment to reach Final
No certification | Below the threshold, or any requirement that can't go on a POA&M is NOT MET | No Conditional status or POA&M path is available for that result; you're ineligible for applicable awards until you achieve a passing status

Not everything can be deferred. Generally only requirements worth 1 point can be deferred — per the POA&M eligibility rules in 32 CFR 170.21(a)(2). If a high-value control is NOT MET, a POA&M won’t save the assessment. And if you don’t close the POA&M within 180 days, the Conditional status expires and reverts to no status — there’s no extension, no second Conditional period.

A slow closeout quietly shortens your certification. When there’s a POA&M, the rule starts your three-year recertification clock from the Conditional status date — not the date you finish. So if you use all 180 days to close out, you’ve spent half a year of your three-year validity before you even hold Final status, leaving roughly 2.5 years of full certification before you re-assess. Verified against 32 CFR 170.16 and 170.17. Close POA&Ms fast, or you’re shopping for your next assessment sooner than you think.

How long is CMMC certification valid once you have it?

A Final Level 2 or Level 3 certification is valid for three years, with an annual affirmation of continued compliance required in between; Final Level 1 is an annual cycle, and Conditional statuses are time-limited to 180 days.

Status | Cycle | Annual affirmation? | Source
Final Level 1 (Self) | Annual | Yes | 32 CFR 170.15
Final Level 2 (Self) | 3 years | Yes | 32 CFR 170.16
Final Level 2 (C3PAO) | 3 years | Yes | 32 CFR 170.17
Final Level 3 (DIBCAC) | 3 years | Yes | 32 CFR 170.18
Conditional Level 2 or 3 | 180 days | Yes | 32 CFR 170.21

We pulled the current text of DFARS 252.204-7021 on June 15, 2026. It requires you to have — and maintain, for the life of the contract — a current CMMC status at the required level or higher for every system that processes, stores, or transmits FCI or CUI. What “current” means by status type:

  • Conditional Level 2 or 3: not older than 180 days, with no change in compliance since the conditional status date and a current affirmation.
  • Final Level 1 (Self): not older than 1 year.
  • Final Level 2 or 3: not older than 3 years.
  • Affirmation of continuous compliance: not older than 1 year, at every level.

“Valid for three years” does not mean “ignore it for three years.” Affirmations are annual. Scope changes, a security incident, or an acquisition can force an earlier re-assessment. And a new contract can name a different level or assessment type than the one you hold. Treat the certificate as a living status in SPRS, not a framed diploma.

Do you have enough time? Phase timing and how to plan backward

Plan backward from your actual solicitation, award, option-year, or prime flow-down date — not from a generic timeline. Phase 1 began November 10, 2025, and Phase 2 begins November 10, 2026 — when a Level 2 (C3PAO) requirement starts appearing as a condition of award for applicable contracts. See our CMMC deadlines 2026 and CMMC phases guides for the full timeline.

Phase | Begins | What it adds (per 32 CFR 170.3)
Phase 1 | Nov 10, 2025 | Level 1 (Self) or Level 2 (Self) as a condition of award. DoD may require Level 2 (C3PAO) instead, at its discretion.
Phase 2 | Nov 10, 2026 | Adds Level 2 (C3PAO) as a condition of award for applicable contracts — though DoD may delay it to an option period. DoD may also include Level 3 (DIBCAC) at its discretion.
Phase 3 | Nov 10, 2027 | Level 2 (C3PAO) for all applicable contracts, as a condition of award and to exercise an option period. Adds Level 3 (DIBCAC) as a condition of award.
Phase 4 | Nov 10, 2028 | Full implementation — CMMC requirements in all applicable solicitations and contracts, including option periods on contracts awarded before Phase 4.

Phase 1 is not a grace period. Contracting officers can already require a Level 2 (C3PAO) certification right now where a program calls for it. The phased rollout limits how broadly DoD applies the requirement; it does not stop any individual solicitation from demanding it today. If a prime is driving your deadline, see our CMMC flow-down requirements guide.

Work backward from your date

If your deadline is… | Level 1 (Self) | Level 2 (Self) | Level 2 (C3PAO) | What to do now
30 days out | Possible only if already mature | Risky | Usually not realistic | Confirm the requirement today; don't guess
90 days out | Possible if scoped | Possible if mature | Only if already ready and scheduled | Run a readiness validation immediately
6 months out | Realistic for many | Realistic if partial maturity | Possible if mature/partial and you've started the C3PAO conversation | Lock scope and evidence
12 months out | Realistic | Realistic | Realistic for many partial-maturity orgs | Build a controlled, resourced program
18 months out | Realistic | Realistic | Realistic for most serious programs | Use the runway to reduce scope and cost

Can you get CMMC certified faster?

You can compress a CMMC timeline legitimately — by narrowing scope, using a properly designed enclave, fixing evidence gaps early, and starting assessor conversations before the last minute — but you cannot shortcut the actual requirements, fabricate evidence, or lean on a POA&M for gaps that aren’t eligible. The fast contractors aren’t cutting corners; they’re sequencing the work intelligently and keeping scope small.

The legitimate accelerators

  • Shrink the CUI footprint. Fewer systems and users in scope means less to implement and less to assess. Bad scoping backfires — do it carefully.
  • Use a real enclave. A well-designed CUI enclave concentrates handling and can cut enterprise-wide remediation. It still needs an SSP, a responsibility matrix, and evidence — buying the enclave is not the same as being ready. See GCC High and CMMC enclave options.
  • Start evidence collection on day one. “We do this” is worth nothing without an artifact. Build the library as you remediate, not after.
  • Pick the right provider category first. Paying the wrong party first is the most common money-and-time waste.
  • Get in the C3PAO queue early. It removes the market-clock surprise. Just don’t book a formal assessment before your evidence is real.

The one hard truth we owe you

If you’re a cold-start company that needs a Level 2 (C3PAO) certification, your CUI is uncontrolled, your SSP and evidence don’t exist yet, and your deadline is inside 90 days — no ethical provider can turn that into a certified pass in time for that specific award. Anyone who says otherwise is selling you a story.

But “too late for this award” is not “too late for the business.” You may still be able to confirm the exact requirement (it might allow a self-assessment), reduce scope to make the work smaller, preserve your subcontracting options, and build a credible readiness plan that puts you in front of the next solicitation — with an assessor slot already reserved.


Which provider should you call first?

The right first provider depends entirely on what’s blocking your timeline — and for most contractors, a C3PAO is not the first call. If you don’t know your scope, you need a readiness advisor. If your controls are weak, you need implementation help. If CUI is sprawling, you need an enclave strategy. A C3PAO is the right first call only when your SSP and evidence are solid and your contract requires a third-party assessment.

Your situation | First category to consider | Why | What not to do
You don't know your level or where CUI lives | Readiness advisor / RPO / vCISO | You need scoping and path clarity first | Don't buy a platform before you've scoped
You know it's Level 2 but controls are weak | CMMC-focused MSP / MSSP / readiness provider | You need implementation and evidence | Don't book an assessment to "force" readiness
CUI is scattered across email, files, endpoints, vendors | CUI enclave / secure collaboration / GCC High provider | Scope reduction can save real time and cost | Don't assume the enclave equals certification
SSP and evidence exist; gaps are small | Authorized/accredited C3PAO | You may be ready to assess | Don't ignore conflict-of-interest boundaries
Your evidence workflow is chaos | GRC / evidence-management software | It manages artifacts and POA&M tracking | Don't use software as a substitute for controls
Level 3 is in play | Advanced readiness + the DIBCAC path | Level 3 requires a Final Level 2 first | Don't treat Level 3 as a first project

One independence rule worth stating plainly: the firm that prepares you generally cannot also be the C3PAO that assesses you for that same engagement. Under the Cyber AB’s rules, a C3PAO has to identify, document, and mitigate conflicts of interest — and if a conflict can’t be sufficiently mitigated, the C3PAO can’t proceed. Keep readiness/implementation and formal assessment appropriately separated. See our CMMC provider categories guide.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. See our Editorial Standards and Corrections Policy.


Your first 30 days: the plan we’d run

If your CMMC deadline is real, the first month should confirm the requirement, define scope, establish your current maturity, find the bottleneck, and pick the right provider category. Get those five things right and the rest of the project has a spine.

Days | Action | Output
1–3 | Read the solicitation / flow-down language | Your required level and assessment type
1–7 | Confirm FCI vs. CUI | A data-classification starting point
3–10 | Identify systems, users, ESPs, CSPs | A draft assessment scope
7–14 | Pull your current SPRS / NIST 800-171 score | Your baseline maturity
10–20 | Run a 110-requirement gap review (if Level 2) | A prioritized gap list
15–25 | Build or repair the SSP outline | A real documentation path
20–30 | Decide the provider category | Readiness / MSP / MSSP / enclave / GRC / C3PAO
30 | Write the leadership timeline memo | A go/no-go and a budget request

Two templates to save you a blank page

For your CEO, board, or CFO:

“Based on our current understanding, our likely CMMC path is [level / assessment type]. Our planning estimate is [X–Y months], with the biggest timeline risk being [scope / evidence / remediation / C3PAO scheduling]. Our recommended first move is to [confirm scope / complete the gap assessment / engage a readiness provider / start a C3PAO conversation]. This is a planning estimate, not a certification guarantee, and the assessor calendar is a real constraint we’re managing now.”

For your prime contractor or contracting officer (when the assessment type is unclear):

“We’re validating our CMMC path and assessment type for [contract / solicitation]. To plan accurately, can you confirm the required level and whether the contract requires a Level 2 self-assessment or a Level 2 C3PAO assessment, plus the timing expectation? The difference can change our timeline by months, and we want to be ready on your schedule.”

Before you sign with any C3PAO, ask:

  • Are you currently authorized or accredited in the Cyber AB Marketplace? (Verify it yourself — don’t take “almost certified” or “candidate” as a yes.)
  • What scope assumptions are you making, and what evidence package do you expect before kickoff?
  • Who will be the Lead CCA on our assessment?
  • What’s your current scheduling lead time? (Confirm directly — this changes constantly.)
  • How do you handle Conditional status and the 180-day POA&M closeout?
  • What conflict-of-interest boundaries apply given who prepared us?

What we actually verified for this guide

This page separates sourced regulatory facts from our editorial planning estimates, and we want you to see the line.

Last verified: June 15, 2026. Next scheduled review: September 2026, or sooner if DoD, NIST, the Cyber AB, or DFARS guidance changes.

What we checked | Source | Status
CMMC Program rule effective date (Dec 16, 2024) | Federal Register / 32 CFR Part 170 | Verified — primary
DFARS CMMC acquisition rule effective date (Nov 10, 2025) | Federal Register / 48 CFR final rule | Verified — primary
Four-phase rollout + option-period nuance | 32 CFR 170.3 | Verified — primary
Level 1 baseline = FAR 52.204-21 (15 requirements) | FAR 52.204-21 / 32 CFR 170.14 | Verified — primary
Level 2 baseline = NIST SP 800-171 Rev. 2 (110 requirements) | NIST CSRC / 32 CFR 170.14 | Verified — primary
Level 3 = Final Level 2 first + 24 from NIST SP 800-172 | NIST CSRC / 32 CFR 170.18 | Verified — primary
3-year cycle, annual affirmation, 180-day closeout, 10-day re-eval | 32 CFR 170.16 / 170.17 / 170.21 | Verified — primary
"Current status" definition by status type | DFARS 252.204-7021 (eCFR / Acquisition.gov) | Verified — primary
Condition of award; current status + affirmation in SPRS | DFARS 252.204-7025 | Verified — primary
C3PAO / CCA / certification counts (~100 / ~750 / ~1,000) | Cyber AB Town Hall reporting, early 2026 | Point-in-time market data — confirm at live Cyber AB Marketplace
C3PAO scheduling lead times | Industry reporting, early–mid 2026 | Directional market data — verify with each C3PAO
"Readiness is the binding constraint" | DCR editorial analysis of the figures above | Editorial conclusion, not a regulation-stated fact

If you want to read the rules yourself, start with 32 CFR Part 170, the CMMC Program Final Rule, the assessment-cycle sections at 170.16, 170.17, and 170.18, and the contract clause at DFARS 252.204-7021.

CMMC certification timeline: frequently asked questions

How long does CMMC certification take?

CMMC certification timing depends on your level and assessment type. Level 1 (Self) can take a few weeks to a couple of months, Level 2 (Self) commonly takes three to six months, Level 2 (C3PAO) typically takes 6 to 18 months for most contractors, and Level 3 (DIBCAC) requires a Final Level 2 (C3PAO) status first and runs longer. The assessment itself is only a few days; readiness is where most of the time goes.

How long does CMMC Level 2 certification take?

For Level 2 with a C3PAO assessment, most contractors should plan 6 to 18 months from scoping through readiness, evidence preparation, scheduling, the assessment, and any 180-day POA&M closeout. A mature, well-scoped organization may reach assessment in three to six months, while a cold-start company handling CUI may need nine to eighteen-plus months. Level 2 maps to all 110 requirements in NIST SP 800-171 Revision 2.

How long does a CMMC audit take?

The active C3PAO assessment is often measured in days — practitioners commonly report 3 to 5 business days for a small-to-mid-size scope — while the full engagement spans a few weeks once you count scheduling, document submission, the assessment days, and the final report. Neither 32 CFR Part 170 nor the Cyber AB assessment process fixes a number of days; both define phases, and larger scopes take longer.

Can you get CMMC certified in 90 days?

Ninety days can be realistic for a mature Level 1 path or a mature Level 2 (Self) path, and occasionally for Level 2 (C3PAO) if the organization is already assessment-ready and has a slot reserved. It is generally not realistic for a cold-start Level 2 (C3PAO) contractor handling CUI with no SSP or evidence in place. The first step is always to confirm the required level, scope, evidence maturity, and assessment type.

How long is CMMC certification valid?

A Final Level 2 or Level 3 CMMC certification is valid for three years, with an annual affirmation of continued compliance required in between; Final Level 1 is an annual cycle, and a Conditional status is limited to 180 days. Under DFARS 252.204-7021, the contractor must maintain a current CMMC status at the required level — defined by status type — for the duration of the contract.
Does using a POA&M extend or shorten my CMMC certification?
A Plan of Action and Milestones (POA&M) can support Conditional status only where the remaining items are eligible and the weighted score is at least 80%, and it must be closed out within 180 days. It does not extend your certification — because the three-year recertification clock starts from the Conditional status date, using the full 180 days leaves roughly 2.5 years of full certification before re-assessment. Level 1 does not permit POA&Ms at all.
Is CMMC based on NIST SP 800-171 Rev. 2 or Rev. 3?
Current CMMC Level 2 under 32 CFR Part 170 maps to NIST SP 800-171 Revision 2. Revision 3 was finalized in May 2024 but has not been adopted into the CMMC framework; until DoD amends the rule, Revision 2 remains the controlling baseline. Do not build your program against Rev. 3 unless and until the rule changes.
Do you need CMMC before contract award?
It depends on the solicitation, the contract clause, the rollout phase, and the required level. DFARS 252.204-7025 makes a current CMMC status (plus a current affirmation in SPRS) a condition of eligibility for award. During Phase 1, many contracts require a Level 1 or Level 2 self-assessment, while a Level 2 (C3PAO) requirement can already appear where a program calls for it.
Can our MSP also be our C3PAO?
Generally not for the same engagement. Under the Cyber AB's rules, a C3PAO must identify, document, and mitigate conflicts of interest, and it can't proceed with an assessment if a conflict can't be sufficiently mitigated — so a firm that prepared you usually can't also assess that same work. Verify each provider's role and independence before engaging, and be cautious of anyone implying their consultant can also certify you.
How early should we schedule a C3PAO?
Start C3PAO conversations once your scope and readiness path are credible, but don't treat a scheduled assessment as a substitute for finishing the work. Because assessors have commonly been booking months out, the slot is part of your timeline — reserve it before you're fully done. Confirm current lead times directly with authorized or accredited C3PAOs, since availability changes constantly.
Does buying GCC High or a CUI enclave make us CMMC certified faster?
A properly designed enclave or a government cloud like GCC High can reduce or stabilize your CUI scope, which can shorten the timeline — but it does not by itself create CMMC status. You still need correct scoping, control implementation, an SSP that matches reality, evidence, a shared-responsibility matrix, and the required assessment path. The architecture is a means to a smaller scope, not a substitute for the work.

