The Clock Is Running
CMMC is not arriving someday—it is already here. The final rule went into effect December 16, 2024, and the phased rollout is underway. For the vast majority of defense contractors handling Controlled Unclassified Information (CUI), the date that matters is November 10, 2026: the start of Phase 2, when third-party C3PAO assessments become required in applicable contracts.
Understanding the timeline is not academic. It determines when your organization must be assessment-ready, how long you have to remediate gaps, and whether you can even get on a C3PAO's schedule in time.
The Four-Phase Rollout
Active: The CMMC final rule takes effect. DoD begins including CMMC Level 1 self-assessment requirements and select Level 2 self-assessment requirements in applicable contracts. Contractors must complete self-assessments and submit affirmation through the Supplier Performance Risk System (SPRS).
Critical Deadline: DoD begins requiring CMMC Level 2 certification assessments conducted by authorized C3PAOs for applicable contracts involving CUI. This is the critical milestone for the defense industrial base. Contractors without certification cannot compete for these contracts.
Planned: CMMC Level 3 requirements begin appearing in contracts for the highest-priority programs. Level 3 assessments are conducted by DIBCAC (Defense Industrial Base Cybersecurity Assessment Center), not C3PAOs. Applies to a smaller subset of contractors handling the most sensitive CUI.
Planned: CMMC requirements included in all applicable DoD contracts. Full enforcement across the defense industrial base. No new contracts awarded to non-certified organizations where CMMC is required.
The Assessment Timeline Reality
Contractors frequently underestimate the time required to go from "we should start" to "we are certified." The numbers tell the story:
Preparation: 6–12 months. This includes gap analysis, remediation of technical controls, documentation creation (SSP, POA&M, policies, procedures), personnel training, and evidence collection. Organizations with significant gaps—which is most of them—are on the longer end of that range.
Assessment: 4–8 weeks. The formal C3PAO assessment involves pre-assessment planning, document review, on-site inspection, personnel interviews, and findings adjudication. Complex organizations or those with multiple enclaves take longer.
POA&M resolution: up to 180 days. If the assessment identifies non-critical findings, contractors may receive conditional certification with a Plan of Action & Milestones. Those milestones must be closed within 180 days, or certification is revoked.
The C3PAO Bottleneck
This is the factor most contractors overlook. There are approximately 80 authorized C3PAOs to serve an estimated 16,000+ companies that will need Level 2 certification. The math is stark:
16,000 companies. ~80 C3PAOs. Even if each C3PAO conducted 10 assessments per year—an optimistic estimate given the depth of Level 2 assessments—that is 800 assessments annually. At that rate, it would take 20 years to assess the entire backlog. The C3PAO ecosystem is growing, but not fast enough to eliminate the bottleneck before Phase 2.
What this means in practice:
- Scheduling lead times are growing. C3PAOs are already booking months in advance. Waiting until mid-2026 to schedule an assessment may mean missing the Phase 2 window entirely.
- Prepared organizations get priority. C3PAOs prefer to assess organizations that are ready. If your gap analysis shows significant deficiencies, most assessors will recommend you remediate before scheduling.
- Cost increases with demand. Assessment pricing is market-driven. As the deadline approaches and availability shrinks, expect prices to rise.
What You Should Be Doing Now
If you are reading this article, the time for planning is over. The time for action is now. Here is what the timeline demands:
- Immediately: Conduct a gap analysis against all 110 NIST SP 800-171 practices. You cannot build a remediation plan without knowing the scope of the problem.
- Within 30 days: Have a remediation roadmap with clear milestones working backward from the November 2026 deadline.
- Within 90 days: Begin implementing technical controls and drafting core documentation (SSP, policies, procedures).
- Within 6 months: Complete remediation and begin internal readiness reviews. Contact C3PAOs to begin scheduling discussions.
- 9–12 months before deadline: Finalize evidence packages and conduct a pre-assessment readiness review.
The cost of delay is not linear. Every month of inaction compresses the remaining timeline and increases the risk of missing the Phase 2 window. Organizations that miss the deadline face a simple consequence: they cannot compete for contracts that require CMMC Level 2. For many defense contractors, that means losing their primary revenue stream.
If You Have Not Started, You Are Already Behind
This is not alarmism. It is arithmetic. The median preparation time is 9 months. The Phase 2 deadline is fixed. The C3PAO capacity is constrained. Every week of delay makes the path to certification narrower and more expensive.
The contractors who will be certified on time are the ones who started six months ago. The contractors who start today can still make it—but with less margin for error and less flexibility in scheduling. The contractors who wait until 2026 are playing a losing hand.
Know Where You Stand
Our Quick-Start Assessment gives you a clear picture of your current readiness against all 110 NIST 800-171 practices—and a remediation roadmap that works backward from the deadline.