
CMMC Certification Timeline: Month-by-Month Guide

2026-03-01 · 8 min read

Timeline matters. Formal enforcement is expected by November 2026 under DFARS 252.204-7021, but contracts are being awarded right now with CMMC requirements. Starting early gives you options; waiting compresses everything and increases risk.

Month-by-month overview

Period         Milestone
Month 0–1      Scoping & gap assessment
Month 1–3      Remediation planning & quick wins
Month 3–9      Implementing controls
Month 6–12     Documentation: SSP, POA&M, policies
Month 9–15     Pre-assessment readiness review
Month 12–18    Formal C3PAO assessment

Month 0–1: Scoping and gap assessment

Identify what you need to protect. Map systems, data flows, and whether CUI is present. Determine which networks and sites fall in scope. The DoD CMMC Resources page has official scoping guidance.

Month 1–3: Remediation planning

Prioritize controls with the biggest risk reduction. Establish MFA, backups, logging, and quick wins that unblock later work.

Month 3–9: Implementing controls

Implement access management, incident response playbooks, configuration management, vulnerability management, and secure remote access. Controls must align to NIST SP 800-171.

Month 6–12: Documentation

Draft and finalize your System Security Plan (SSP), Plan of Action and Milestones (POA&M), policies, and procedures. Evidence collection starts here. Your NIST 800-171 score must be submitted to SPRS and reflect your actual control implementation.

Month 9–15: Pre-assessment readiness

Conduct an internal review or an RPO-led readiness assessment. Address remaining gaps and validate evidence against NIST SP 800-171 controls.

Month 12–18: Formal C3PAO assessment

Engage a Cyber AB-authorized C3PAO for the official Level 2 assessment. Fieldwork may be remote or on-site. Findings must be resolved for certification. See How to Choose the Right CMMC Consultant before you commit to an assessor.

What makes timelines shorter (or longer)

  • Shorter: Narrow scope, documented IT, existing MFA/logging, leadership buy-in.
  • Longer: Unclear data flows, legacy systems, no documentation, limited staff availability, waiting for C3PAO slots.

Starting now puts you ahead of ~70% of contractors. Calendars for C3PAO assessments fill months in advance.

See our CMMC cost breakdown to understand what each phase costs.
