CMMC Certification Timeline

A realistic phase-by-phase timeline for achieving CMMC 2.0 certification, including preparation checklists and time estimates by level. Updated 26 March 2026.

Timeline by Level

Level 12 - 5 months

1Gap Assessment1 - 2 wks
2SSP Development1 - 2 wks
3Remediation4 - 12 wks
4Internal Validation1 wk
5Self-Assessment + SPRS1 - 2 wks

Level 29 - 20 months

1Gap Assessment4 - 8 wks
2SSP Development3 - 6 wks
3Remediation3 - 12 mo
4Internal Validation2 - 4 wks
5C3PAO Assessment2 - 6 mo
6SPRS Submission1 - 2 wks

Level 324 - 48 months

1Gap Assessment8 - 16 wks
2SSP Development6 - 12 wks
3Remediation6 - 24 mo
4Mock Assessment4 - 8 wks
5DIBCAC Assessment6 - 12 mo
6SPRS Submission1 - 2 wks

Phase-by-Phase Breakdown

Phase 1

Scoping and Gap Assessment

4 - 8 weeks

typical duration

Define the assessment boundary (which systems handle FCI or CUI), identify all assets in scope, and conduct a detailed gap analysis against the target level requirements.

Level 1 Timeline

1 - 2 weeks

Level 2 Timeline

4 - 8 weeks

Level 3 Timeline

8 - 16 weeks

Key Tasks

+Define system boundary and data flow diagrams
+Inventory all hardware, software, and cloud services in scope
+Map CUI flows and storage locations
+Conduct gap analysis against target practice set
+Score current SPRS self-assessment
+Document findings in a gap report
+Estimate remediation cost and effort

Typical cost: $8,000 - $60,000

Performed by: Internal IT + Registered Practitioner (RP) or C3PAO

Phase 2

System Security Plan Development

3 - 6 weeks

typical duration

Create or update the System Security Plan (SSP) to document how each practice is implemented. The SSP is a formal artefact reviewed during assessment and must be accurate and complete.

Level 1 Timeline

1 - 2 weeks

Level 2 Timeline

3 - 6 weeks

Level 3 Timeline

6 - 12 weeks

Key Tasks

+Document system description and boundary
+Write practice-by-practice implementation statements
+Identify responsible parties for each control
+Document inherited controls (cloud provider, MSP)
+Create or update policies and procedures
+Draft Plan of Action and Milestones (POA&M) for gaps
+Obtain senior official review and sign-off

Typical cost: $5,000 - $25,000

Performed by: Internal security team + Registered Practitioner (RP)

Phase 3

Remediation and Implementation

3 - 12 months

typical duration

Implement technical, operational, and management controls to close gaps identified in Phase 1. This is typically the most expensive phase and the longest.

Level 1 Timeline

1 - 3 months

Level 2 Timeline

3 - 12 months

Level 3 Timeline

6 - 24 months

Key Tasks

+Deploy Multi-Factor Authentication (MFA) across all users
+Implement endpoint detection and response (EDR)
+Configure SIEM for log aggregation and alerting (Level 2+)
+Segment networks to isolate CUI-processing systems
+Apply encryption at rest and in transit
+Update patch management processes and tooling
+Implement privileged access management (PAM)
+Conduct role-based security awareness training
+Establish incident response procedures and test them
+Deploy vulnerability scanning and remediate findings

Typical cost: $30,000 - $1,500,000

Performed by: IT team, MSP, or MSSP

Phase 4

Internal Validation (Mock Assessment)

2 - 4 weeks

typical duration

Before engaging a C3PAO, conduct a thorough internal review or hire a Registered Practitioner to perform a mock assessment. This reduces expensive rework during the formal assessment.

Level 1 Timeline

1 week

Level 2 Timeline

2 - 4 weeks

Level 3 Timeline

4 - 8 weeks

Key Tasks

+Test all controls against assessment objectives
+Gather and organise evidence for each practice
+Interview key personnel on their role in each control
+Conduct tabletop incident response exercise
+Review and update SSP against current state
+Close any remaining high-priority POA&M items
+Prepare evidence folders for assessor review

Typical cost: $10,000 - $40,000

Performed by: Internal team or Registered Practitioner (RP)

Phase 5

C3PAO or DIBCAC Assessment

2 - 6 months

typical duration

For Level 2, engage an accredited C3PAO for the formal third-party assessment. The C3PAO reviews documentation, interviews staff, and tests controls. For Level 3, DIBCAC conducts the assessment directly.

Level 1 Timeline

N/A (self-assessment)

Level 2 Timeline

2 - 6 months

Level 3 Timeline

6 - 12 months

Key Tasks

+Select and contract a C3PAO (see our Assessors guide)
+Provide all requested documentation upfront
+Schedule and complete document review phase
+Participate in on-site or virtual interview sessions
+Respond to assessor questions and requests
+Address any deficiencies identified during assessment
+Review and approve final assessment report

Typical cost: $30,000 - $200,000+

Performed by: C3PAO (Level 2) or DIBCAC (Level 3)

Phase 6

SPRS Submission and Ongoing Compliance

Ongoing

typical duration

Submit results to the Supplier Performance Risk System (SPRS) and maintain compliance. Continuous monitoring, annual affirmations, and re-assessments are required.

Level 1 Timeline

Annual

Level 2 Timeline

Triennial assessment + annual affirmation

Level 3 Timeline

Triennial assessment + annual affirmation

Key Tasks

+Submit assessment score and affirmation to SPRS
+Maintain continuous monitoring programme
+Report significant changes to assessor
+Conduct annual affirmation by senior official
+Address new vulnerabilities and emerging threats
+Schedule triennial re-assessment in advance
+Train new employees on security awareness

Typical cost: $5,000 - $120,000/yr

Performed by: Internal CISO / compliance team

Pre-Assessment Readiness Checklist

Complete these items before engaging a C3PAO to reduce costly rework during the formal assessment.

Documentation

oSystem Security Plan (SSP) completed and signed
oNetwork diagrams and data flow diagrams current
oCUI inventory and handling procedures documented
oIncident response plan written and tested
oConfiguration management baseline documented
oUser access review completed and documented
oPolicies for all 14 NIST 800-171 domains in place

Technical Controls

oMFA enforced for all privileged and remote access
oEndpoint detection and response (EDR) deployed
oVulnerability scanning running on regular schedule
oPatch management process implemented and current
oSIEM or log aggregation operational (Level 2+)
oNetwork segmentation isolating CUI systems
oEncryption at rest for all CUI storage
oEncryption in transit (TLS 1.2+) enforced
oPrivileged access management (PAM) implemented

People and Process

oAll employees completed security awareness training
oRole-based training completed by privileged users
oIncident response tabletop exercise conducted
oThird-party vendor risk assessments completed
oBackground screening procedures in place
oTermination procedures for access revocation documented
oSenior official identified for SPRS affirmation

Assessment Readiness

oEvidence folder prepared for each practice domain
oPOA&M reviewed and high-priority items closed
oMock assessment or internal audit completed
oC3PAO selected and engagement letter signed
oStaff briefed on assessment process and roles
oSPRS account access confirmed

Tips for Staying on Schedule

1.Start with a realistic gap assessment before setting an assessment date. Contractors who rush to assessment without adequate preparation face expensive re-assessments.
2.Book C3PAO capacity early. Top-tier assessors have 6 to 12 month backlogs. Begin the vendor selection process during Phase 2, not Phase 4.
3.Prioritise MFA and SIEM implementations first. These are the most common reasons for assessment delays and POA&M findings.
4.Assign a dedicated CMMC project manager. Assessments that lack a single accountable owner consistently take longer and cost more.
5.Budget for a mock assessment. Spending $10k to $40k on an internal audit before the C3PAO engagement typically saves significantly more in assessment rework fees.